[Samba] Realm trust between Samba AD and MIT kerberos realm
Alex Moore
alex at lspeed.org
Thu Jan 10 23:11:04 UTC 2019
Hi all,
I was hoping to set up a realm trust between a Samba AD domain and a
Kerberos realm running mit-krb5; however, it looks like that isn't
currently supported. Is that correct, or am I missing something (I'm
running Samba 4.9.4)?
Having noticed that "samba-tool domain trust" only seems to cater for
trusts involving other AD domains, I tried to work around that (in the
hope that perhaps the limitation is only in the CLI tools) by promoting
a Windows 2008 R2 system to a DC in my otherwise Samba-based AD
environment, to see if I could use that to get the realm trust in place.
That seems to have at least half worked... I found that I needed to
temporarily move the PDC Emulator role to the Windows 2008 R2 DC, after
which it was then possible to use the GUI tools (i.e. Active Directory
Domains and Trusts) to create a Kerberos realm trust. For the record, I
created a non-transitive outgoing realm trust from AD to the MIT
Kerberos realm. The resulting Kerberos realm trust does appear to
function correctly, although perhaps that's not saying much because I
haven't yet tried demoting the Windows 2008 R2 DC to see whether the
realm trust continues to function once there are only Samba DCs
remaining (I will test that soon...). At least "samba-tool domain trust
list/show" do present sensible information:
# samba-tool domain trust list
Type[External] Transitive[No] Direction[OUTGOING] Name[KRB.REALM]
# samba-tool domain trust show KRB.REALM
LocalDomain Netbios[AD] DNS[ad.domain]
SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:
NetbiosName: KRB.REALM
SID: None
Type: 0x3 (MIT)
Direction: 0x2 (OUTBOUND)
Attributes: 0x1 (NON_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
However I have already noticed one thing that is broken... if I restart
samba on the Samba DC after creating the realm trust, winbind
immediately dies with the following (and I can't see a workaround -
meaning this isn't a viable deployment even if the trust would otherwise
continue to work after demoting the Windows DC, as it would stop working
as soon as samba is next restarted):
[2019/01/10 20:17:59.578186, 0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with
version number 2
[2019/01/10 20:17:59.585080, 0]
../source3/winbindd/winbindd_util.c:131(add_trusted_domain)
add_trusted_domain: Got null SID for domain [KRB.REALM]
[2019/01/10 20:17:59.585114, 0]
../source3/winbindd/winbindd_util.c:1245(init_domain_list)
init_domain_list: init_domain_list_dc failed
[2019/01/10 20:17:59.585138, 0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
unable to initialize domain list
So - is there any chance of getting support for Kerberos realm trusts
added to Samba? Perhaps I am being naive here, but I'm hoping that
presumably realm trusts are much simpler than other AD trust types
(since they're purely Kerberos - no need to deal with SIDs and other
such complexities), to the extent that I imagine they only require a
subset of the code that has already been implemented for the other trust
types.
Thanks
Alex
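The post above shows the MIT realm trust listed by "samba-tool domain trust show" with "SID: None", and the winbind log on restart rejecting exactly that ("Got null SID for domain [KRB.REALM]"). The following is an added example, not code from the original post or from the Samba project: a pre-restart check that scans "samba-tool domain trust show" output for trusted domains with no SID, so an administrator can spot the condition before restarting samba on a DC. The sample output embedded in it is constructed, modelled on what is quoted in the post; the function names (check_trust_sids, count_null_sid_trusts) and the commented loop over "samba-tool domain trust list" are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba).
# Scans "samba-tool domain trust show" output for trusted domains whose
# SID is "None", the condition winbind's add_trusted_domain logged as
# "Got null SID for domain [...]" before dying on restart.

# Constructed sample output, modelled on the "trust show" output quoted
# in the post (one MIT realm trust with no SID).
SAMPLE_SHOW='LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:
NetbiosName: KRB.REALM
SID: None
Type: 0x3 (MIT)
Direction: 0x2 (OUTBOUND)
Attributes: 0x1 (NON_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)'

# check_trust_sids: reads "samba-tool domain trust show" output on stdin.
# Prints one line per trusted domain with a null SID and returns 1 if any
# were found, 0 otherwise. Only lines starting with "SID:" are examined,
# so the LocalDomain "SID[...]" line is not matched.
check_trust_sids() {
    awk '
        /^NetbiosName:/ { name = $2 }
        /^SID:/ {
            if ($2 == "None") {
                print "null SID for trusted domain " name \
                      " (winbind will refuse it on restart)"
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# count_null_sid_trusts: convenience wrapper that takes the "trust show"
# output as its first argument and returns the number of flagged trusts.
count_null_sid_trusts() {
    printf '%s\n' "$1" | check_trust_sids | wc -l | tr -d ' '
}

# On a live DC (assumption: run as root on the Samba DC) the check would be
# applied to every trust before a restart, for example:
#   for t in $(samba-tool domain trust list | sed -n 's/.*Name\[\(.*\)\].*/\1/p'); do
#       samba-tool domain trust show "$t" | check_trust_sids || echo "do not restart samba yet"
#   done
```

The check is deliberately conservative: it only flags trusted domains whose SID is literally "None", which is the one field the post shows winbind tripping over. Run against the constructed sample it reports KRB.REALM; output for an AD-to-AD trust with a real SID passes.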