[Samba] status on samba trusts

mj lists at merit.unu.edu
Thu Feb 28 15:50:38 UTC 2019


Thanks everybody!

The sudden burst of help (both on- and offlist) is much appreciated. :-)

I'll get back to my test setup next week, and try again with these new 
insights.

MJ

On 2/28/19 3:46 PM, L.P.H. van Belle via samba wrote:
> Hi Maurik-Jan,
> 
> Stefan's work can be found here; I'm reading it myself and it's really good.
> 
> https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F
> But it's all German. You're close to Germany, so it should not be a problem for you.
> 
> 
>> I'll look into setting up a (query logging) DNS proxy, that should tell
>> us at least who is asking what.
> And... here you go, your bind logging for the proxy server. ;-)
> 
> // when needed just include this file in the named.conf.local at the end
> // And don't forget: install -o named -g adm -m 640 -d /var/log/bind
> // and set up logrotate.
> 
> Just enable one or more of the categories below.
> 
> logging {
>         channel bind_log {
>                 file "/var/log/bind/bind.log" versions 3 size 1m;
>                 severity info;
>                 print-category  yes;
>                 print-severity  yes;
>                 print-time      yes;
>         };
>         channel query_log {
>                 file "/var/log/bind/query.log" size 1m;
>                 // Set the severity to dynamic to see all the debug messages.
>                 severity debug 3;
>         };
>         channel update_debug {
>                 file "/var/log/bind/update_debug.log" versions 3 size 100k;
>                 severity debug;
>                 print-severity  yes;
>                 print-time      yes;
>         };
>         channel security_info {
>                 file "/var/log/bind/security_info.log" versions 1 size 100k;
>                 severity info;
>                 print-severity  yes;
>                 print-time      yes;
>         };
>         channel xfer_log {
>                 file "/var/log/bind/xfer.log" size 1m;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>                 severity info;
>         };
> 
>         channel unmatched_log {
>                 file "/var/log/bind/unmatched.log" size 1m;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>                 severity info;
>         };
> 
>         // the default is to syslog
>         //category default { default_syslog; default_debug; };
> 
>         category default { bind_log; };
>         category lame-servers { null; };
>         //category update { update_debug; };
>         //category update-security { update_debug; };
>         category security { security_info; };
>         //category queries { query_log; };
>         //category unmatched { null; };
>         //category xfer-in { xfer_log; };
>         //category xfer-out { xfer_log; };
> 
> };
> 
> 
> 
> Greetings,
> 
> Louis
> 
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of mj via samba
>> Sent: Thursday, 28 February 2019 15:32
>> To: samba@lists.samba.org
>> Subject: Re: [Samba] status on samba trusts
>>
>> Hi Stefan,
>>
>> Thanks for your input. I'll check the DNS stuff. I put resolvers for
>> both domains as primary and secondary on both machines, but I guess
>> that's not good enough.
>>
>> I'll look into setting up a (query logging) DNS proxy, that should tell
>> us at least who is asking what.
>>
>> Any chance to share that (German) article you wrote?
>>
>> My German is not perfect, but good enough to understand a technical
>> article. :-)
>>
>> Thanks for responding!
>>
>> MJ
>>
>> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
>>> Now I have some time to answer, maybe a few of your questions.
>>>
>>> On 26.02.19 at 20:59, lists via samba wrote:
>>>> Hi,
>>>>
>>>> No replies unfortunately. Unsure why.
>>> There are still a lot of questions open and I think a lot of things have
>>> to be done.
>>>>
>>>> We searched the list, and we found little discussion on the subject of
>>>> trusts. We see occasional questions, but they are often left unanswered,
>>>> like this one.
>>>>
>>>> If someone could point us to some good up-to-date docs on trusts with
>>>> samba then we would really appreciate it.
>>>>
>>>> We set up a test environment (one samba 4.9.4 testad2 AD, one native
>>>> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
>>>> but we have just so many questions, and there is so little material (on
>>>> trusts, specific to the combination with samba) to read.
>>> Up to this point I did a few installations with two Samba4 domains.
>>>>
>>>> Both AD domains (testad1 / testad2) are on the same subnet, and my test
>>>> client can join both domains successfully.
>>> Before you join the domain you should check if you can resolve the
>>> SRV records of both domains from either side. For this the best thing is
>>> to set up a DNS proxy between the two domains.
>>>>
>>>> The trust (from samba's side) succeeds 'half' with an error when
>>>> validating the incoming trust at the end.
>>> Most of the time it's a DNS problem, so first check the SRV records.
>>>>
>>>> Here are some outputs:
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com -U TESTAD1\\administrator
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>
>>>>> Password for [TESTAD1\administrator]:
>>>>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>> Creating remote TDO.
>>>>> Remote TDO created.
>>>>> Setting supported encryption types on remote TDO.
>>>>> Creating local TDO.
>>>>> Local TDO created
>>>>> Setting supported encryption types on local TDO.
>>>>> Validating outgoing trust...
>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>> Validating incoming trust...
>>>>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>>>>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK]
>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>
>>>>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>>>>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>>>>> found.
>>> Did you check the DNS?
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust list
>>>>> Type[External] Transitive[No]  Direction[BOTH]
>>>>> Name[testad1.company.com]
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> TrustedDomain:
>>>>
>>>>> NetbiosName:    TESTAD1
>>>>> DnsName:        testad1.company.com
>>>>> SID:            S-1-5-21-2509583006-2398556320-3264531554
>>>>> Type:           0x2 (UPLEVEL)
>>>>> Direction:      0x3 (BOTH)
>>>>> Attributes:     0x4 (QUARANTINED_DOMAIN)
>>>>> PosixOffset:    0x00000000 (0)
>>>>> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>>>>> root@testad2dc:/var/log/samba# wbinfo --online-status
>>>>> BUILTIN : active connection
>>>>> TESTAD2 : active connection
>>>>> TESTAD1 : active connection
>>>>
>>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>>>>
>>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>>>>> TESTAD2\administrator
>>>>> TESTAD2\guest
>>>>> TESTAD2\krbtgt
>>>>> TESTAD2\testuser
>>>>
>>>> On the windows 2012 testad1 side, we do NOT see the trust relation
>>>> listed under "Active directory domains and trusts". Trusted remote users
>>>> are not shown with wbinfo.
>>> wbinfo will NOT show you the users from the other domain, this is disabled.
>>>>
>>>> For the rest there are some options to the "samba-tool domain trust
>>>> create" command that make us wonder:
>>>>
>>>> --quarantined=yes|no (seems to be talking about SID filtering, whereas
>>>> the release notes always mention that NO filtering is done..?)
>>> You can set it, but (at the moment) it's ignored ;-)
>>>>
>>>>    --create-location=LOCATION (we wonder what is to be created local or on
>>>> both places)
>>>>
>>>> So... many questions and so little to read... Pointers, ideas..?
>>>>
>>> The only way I used the trusts so far is setting up a full trust. I've
>>> written an article in a German magazine about trusts. It's a little "how
>>> to" to create a working trust.
>>>> Thanks in advance!
>>>>
>>>> MJ
>>>>
>>> If you set up a full forest trust you can put users from any domain into
>>> the other domain and set permissions on fileservers and use the resources.
>>>
>>>
>>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> 
> 
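Stefan's advice in the quoted thread is to confirm, before joining or validating the trust, that each side can resolve the other domain's SRV records. The following is an added example (not from the thread, and not Samba's own code): a standard-library Python DNS client that asks one resolver for the standard Active Directory DC-locator names _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain> of both domains and reports the DC target:port each returns, or the failure (NXDOMAIN, REFUSED, timeout). The resolver addresses in the __main__ block are placeholders; demo_offline() parses a constructed reply so the parser can be exercised without a network. If the remote domain's _msdcs name fails here, that is consistent with the WERR_NO_LOGON_SERVERS that Stefan attributes to DNS above.

```python
# Added example (not from the thread or the Samba project): a minimal stdlib DNS
# client that checks both domains' DC-locator SRV records against one resolver.
import random
import socket
import struct

TYPE_SRV, CLASS_IN = 33, 1

def ad_srv_names(domain):
    """Standard AD DC-locator SRV owner names for a domain (DC via LDAP, and KDC)."""
    d = domain.rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{d}"]

def encode_name(name):
    """Wire-format a name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=TYPE_SRV):
    """Return (transaction id, packet) for one question with RD (recursion) set."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags=RD, QDCOUNT=1
    return txid, header + encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)

def read_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = offset + 2  # the caller resumes after the 2-byte pointer
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_srv_answer(msg, txid):
    """Return [(priority, weight, port, target)] from a reply to build_query()."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:  # RCODE: 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        raise ValueError({2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, "error"))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack(">HHH", msg[offset:offset + 6])
            records.append((prio, weight, port, read_name(msg, offset + 6)[0]))
        offset += rdlen
    return records

def query_srv(resolver_ip, qname, timeout=3.0):
    """Send one SRV query over UDP to resolver_ip and parse the reply."""
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_srv_answer(reply, txid)

def check_domains(resolver_ip, domains):
    """Per SRV name: the DC target:port list the resolver returns, or the failure."""
    report = {}
    for domain in domains:
        for qname in ad_srv_names(domain):
            try:
                recs = query_srv(resolver_ip, qname)
                report[qname] = ", ".join(f"{t}:{p}" for _, _, p, t in recs) or "empty answer"
            except (ValueError, OSError) as exc:  # NXDOMAIN/REFUSED, timeout, unreachable
                report[qname] = f"FAILED: {exc}"
    return report

def demo_offline():
    """Parse a constructed reply (no network) showing the expected record shape."""
    rdata = struct.pack(">HHH", 0, 100, 389) + encode_name("WIN-0ENAIPFH11A.testad1.company.com")
    reply = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR+RD+RA, 1 question, 1 answer
             + encode_name("_ldap._tcp.dc._msdcs.testad1.company.com") + struct.pack(">HH", TYPE_SRV, CLASS_IN)
             + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata)  # owner = pointer to offset 12
    return parse_srv_answer(reply, 0x1234)

if __name__ == "__main__":
    # Placeholder resolver addresses: run from each DC against both sides' DNS servers.
    for resolver in ("192.0.2.10", "192.0.2.20"):
        for name, status in check_domains(resolver, ["testad1.company.com", "testad2.company.com"]).items():
            print(f"{resolver:<15} {name:<45} {status}")
```

Run it once on each DC with the resolver list pointing at that DC's own DNS and at the other side's DNS: a trust needs every DC to locate the other domain's DCs through whatever resolver it is configured with, which is why the thread suggests a single proxy in front of both.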

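Louis's query_log channel above records which client asked the proxy for which name, which is exactly the "who is asking what" MJ wanted. As an added example (not part of the thread), the following Python script parses BIND 9 query-log lines and reports, per client, how many DC-locator lookups (SRV names under _msdcs, _tcp or _udp of a domain) it made for each domain, and which clients never looked up a given domain's DC records at all. The sample log lines, the 192.0.2.x addresses and the DOMAINS list are constructed for the example; the regex accepts lines with or without the print-time timestamp and the @0x... client handle that newer BIND versions print.

```python
# Added example (not from the thread): summarise a BIND 9 query log per client.
import re
from collections import Counter, defaultdict

# One "queries" category line; timestamp and "@0x..." client handle are optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+)(?: \((?P<server>[0-9a-fA-F.:]+)\))?"
)

# Constructed sample lines (not from the thread); 192.0.2.5 is the logging proxy.
SAMPLE_LOG = """\
28-Feb-2019 15:40:01.101 client @0x7f2c5c0e1a10 192.0.2.20#52231 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV +E(0)K (192.0.2.5)
28-Feb-2019 15:40:01.102 client 192.0.2.20#52232 (_kerberos._tcp.testad1.company.com): query: _kerberos._tcp.testad1.company.com IN SRV + (192.0.2.5)
28-Feb-2019 15:40:03.450 client @0x7f2c5c0e1a10 192.0.2.10#61002 (_ldap._tcp.dc._msdcs.testad2.company.com): query: _ldap._tcp.dc._msdcs.testad2.company.com IN SRV +E(0)K (192.0.2.5)
28-Feb-2019 15:40:03.451 client 192.0.2.10#61003 (www.example.net): query: www.example.net IN A + (192.0.2.5)
28-Feb-2019 15:40:04.000 resolver priming query complete
"""
DOMAINS = ["testad1.company.com", "testad2.company.com"]  # constructed, as in the thread's test lab

def parse_query_line(line):
    """Return the fields of one query-log line, or None for any other log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "port": int(m["port"]),
            "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"],
            "server": m["server"]}

def locator_domain(qname, domains):
    """The AD domain whose DC-locator records (_msdcs/_tcp/_udp) qname belongs to, else None."""
    for d in domains:
        d = d.rstrip(".").lower()
        if qname.endswith(("._msdcs." + d, "._tcp." + d, "._udp." + d)):
            return d
    return None

def who_asks_what(lines, domains):
    """client -> {(domain or 'other', qtype): count}: who resolves which domain's DCs."""
    per_client = defaultdict(Counter)
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            continue
        key = (locator_domain(q["qname"], domains) or "other", q["qtype"])
        per_client[q["client"]][key] += 1
    return {client: dict(counts) for client, counts in per_client.items()}

def clients_not_locating(report, domain):
    """Clients in the report that never asked for this domain's DC-locator records."""
    d = domain.rstrip(".").lower()
    return sorted(c for c, counts in report.items() if not any(dom == d for dom, _ in counts))

if __name__ == "__main__":
    report = who_asks_what(SAMPLE_LOG.splitlines(), DOMAINS)
    for client, counts in sorted(report.items()):
        for (dom, qtype), n in sorted(counts.items()):
            print(f"{client:<15} {dom:<22} {qtype:<5} {n}")
    for d in DOMAINS:
        print(f"never looked up DC records of {d}: {clients_not_locating(report, d)}")
```

With the real log, feed `open("/var/log/bind/query.log")` to who_asks_what and compare the DC addresses of both domains against clients_not_locating: a DC that never asks the proxy for the other domain's _msdcs records is using some other resolver for it, which is the first thing to fix when trust validation fails on the incoming side.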

