[Samba] status on samba trusts

Stefan Kania stefan at kania-online.de
Tue Mar 5 18:39:25 UTC 2019


Hi MJ

On 05.03.19 at 10:47, mj via samba wrote:
> Hi Stefan, others,
> 
> Just to report back that things work very nicely now that DNS is using
> one dns proxy that resolves both AD domains. I am testing now with a
> 'full' two-way trust, and everything seemed to work, including the tests
> from samba-tool and from windows "domains and trusts" perspective.
Good to hear, like I said, 80% of all problems are DNS *ggg*
> 
> From an administrative point of view, the fact that you have to add
> group members using their SID instead of "TRUSTEDDOM\username" seems a
> bit cumbersome. Let's hope that in a future update, it will be possible
> to use usernames from the other domain.
> 
> Also it seems that group adds in samba domain2 are not reflected back to
> ADUC in TRUSTEDDOM, even though for now I am testing with a full two-way
> trust. But anyway, we don't need that.
> 
> Now, on to testing a one-way incoming trust.
Would be nice if you would post your results here too.
> 
> Thanks very much for the assistance!
> 
> MJ
> 
> On 2/28/19 4:50 PM, mj via samba wrote:
>> Thanks everybody!
>>
>> The sudden burst of help (both on- and offlist) is much appreciated. :-)
>>
>> I'll get back to my test setup next week, and try again with these new
>> insights.
>>
>> MJ
>>
>> On 2/28/19 3:46 PM, L.P.H. van Belle via samba wrote:
>>> Hai Maurik-Jan,
>>>
>>> Stefan's work can be found here, I'm reading it myself and it's really
>>> good.
>>>
>>> https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F
>>>
>>> But all German.. You're close to Germany, it should not be a problem
>>> for you.
>>>
>>>
>>>> I'll look into setting up a (query logging) dns proxy, that should tell
>>>> us at least who is asking what.
>>> And .. Here you go, your bind logging for the proxy server. ;-)
>>>
>>> // when needed just include this file in the named.conf.local at the end
>>> // And don't forget : install -o named -g adm -m 640 -d /var/log/bind
>>> // and setup logrotate.
>>>
>>> Just enable one or more of the categories below.
>>>
>>> logging {
>>>          // general server log, rotated at 1m, 3 old versions kept
>>>          channel bind_log {
>>>                  file "/var/log/bind/bind.log" versions 3 size 1m;
>>>                  severity info;
>>>                  print-category  yes;
>>>                  print-severity  yes;
>>>                  print-time      yes;
>>>          };
>>>          // one line per query: who asks what (enable "category queries" below)
>>>          channel query_log {
>>>                  file "/var/log/bind/query.log" size 1m;
>>>                  // Set the severity to dynamic to see all the debug messages.
>>>                  severity debug 3;
>>>          };
>>>          channel update_debug {
>>>                  file "/var/log/bind/update_debug.log" versions 3 size 100k;
>>>                  severity debug;
>>>                  print-severity  yes;
>>>                  print-time      yes;
>>>          };
>>>          channel security_info {
>>>                  file "/var/log/bind/security_info.log" versions 1 size 100k;
>>>                  severity info;
>>>                  print-severity  yes;
>>>                  print-time      yes;
>>>          };
>>>          channel xfer_log {
>>>                  file "/var/log/bind/xfer.log" size 1m;
>>>                  print-category yes;
>>>                  print-severity yes;
>>>                  print-time yes;
>>>                  severity info;
>>>          };
>>>
>>>          channel unmatched_log {
>>>                  file "/var/log/bind/unmatched.log" size 1m;
>>>                  print-category yes;
>>>                  print-severity yes;
>>>                  print-time yes;
>>>                  severity info;
>>>          };
>>>
>>>          // the default is to syslog
>>>          //category default { default_syslog; default_debug; };
>>>
>>>          category default { bind_log; };
>>>          category lame-servers { null; };
>>>          //category update { update_debug; };
>>>          //category update-security { update_debug; };
>>>          category security { security_info; };
>>>          //category queries { query_log; };
>>>          //category unmatched { null; };
>>>          //category xfer-in { xfer_log; };
>>>          //category xfer-out { xfer_log; };
>>>
>>> };
>>>
>>>
>>>
>>> Greetings,
>>>
>>> Louis
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
>>>> Sent: Thursday 28 February 2019 15:32
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] status on samba trusts
>>>>
>>>> Hi Stefan,
>>>>
>>>> Thanks for your input. I'll check the dns stuff. I put resolvers for
>>>> both domains as primary and secondary on both machines, but I guess
>>>> that's not good enough.
>>>>
>>>> I'll look into setting up a (query logging) dns proxy, that should tell
>>>> us at least who is asking what.
>>>>
>>>> Any chance to share that (german) article you wrote?
>>>>
>>>> My german is not perfect, but good enough to understand a technical
>>>> article. :-)
>>>>
>>>> Thanks for responding!
>>>>
>>>> MJ
>>>>
>>>> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
>>>>> Now I have some time to answer maybe a few of your questions.
>>>>>
>>>>> On 26.02.19 at 20:59, lists via samba wrote:
>>>>>> Hi,
>>>>>>
>>>>>> No replies unfortunately. Unsure why.
>>>>> There are still a lot of questions open and I think a lot of things
>>>>> have to be done.
>>>>>>
>>>>>> We searched the list, and we found little discussion on the subject of
>>>>>> trusts. We see occasional questions, but they are often left unanswered,
>>>>>> like this one.
>>>>>>
>>>>>> If someone could point us to some good up-to-date docs on trusts with
>>>>>> samba then we would really appreciate it.
>>>>>>
>>>>>> We setup a test environment (one samba 4.9.4 testad2 AD, one native
>>>>>> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
>>>>>> but we have just so many questions, and there is so little material (on
>>>>>> trusts, specific to the combination with samba) to read.
>>>>> Up to this point I have done a few installations with two Samba4 domains.
>>>>>>
>>>>>> Both AD domains (testad1 / testad2) are on the same subnet, and my test
>>>>>> client can join both domains successfully.
>>>>> Before you join the domain you should check if you can resolve the
>>>>> SRV-Records of both domains from either side. For this the best thing is
>>>>> to set up a DNS-Proxy between the two domains.
>>>>>>
>>>>>> The trust (from samba's side) succeeds 'half' with an error when
>>>>>> validating the incoming trust at the end.
>>>>> Most of the time it's a DNS-problem, so first check the SRV-Records
>>>>>>
>>>>>> Here are some outputs:
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com  -U TESTAD1\\administrator
>>>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>>>
>>>>>>> Password for [TESTAD1\administrator]:
>>>>>>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>>>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>>>> Creating remote TDO.
>>>>>>> Remote TDO created.
>>>>>>> Setting supported encryption types on remote TDO.
>>>>>>> Creating local TDO.
>>>>>>> Local TDO created
>>>>>>> Setting supported encryption types on local TDO.
>>>>>>> Validating outgoing trust...
>>>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>>>> Validating incoming trust...
>>>>>>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>>>>>>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>>>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>>>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>>>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>>>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>>>> CONNECTION[WERR_OK]
>>>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>>>
>>>>>>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>>>>>>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>>>>>>> found.
>>>>> Did you check the DNS?
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# samba-tool domain trust list
>>>>>>> Type[External] Transitive[No]  Direction[BOTH]
>>>>>>> Name[testad1.company.com]
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# samba-tool domain trust show testad1
>>>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>>>> TrustedDomain:
>>>>>>
>>>>>>> NetbiosName:    TESTAD1
>>>>>>> DnsName:        testad1.company.com
>>>>>>> SID:            S-1-5-21-2509583006-2398556320-3264531554
>>>>>>> Type:           0x2 (UPLEVEL)
>>>>>>> Direction:      0x3 (BOTH)
>>>>>>> Attributes:     0x4 (QUARANTINED_DOMAIN)
>>>>>>> PosixOffset:    0x00000000 (0)
>>>>>>> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>>>>>>> root at testad2dc:/var/log/samba# wbinfo --online-status
>>>>>>> BUILTIN : active connection
>>>>>>> TESTAD2 : active connection
>>>>>>> TESTAD1 : active connection
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>>>>>>
>>>>>>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>>>>>>> TESTAD2\administrator
>>>>>>> TESTAD2\guest
>>>>>>> TESTAD2\krbtgt
>>>>>>> TESTAD2\testuser
>>>>>>
>>>>>> On the windows 2012 testad1 side, we do NOT see the trust relation
>>>>>> listed under "Active directory domains and trusts". Trusted remote users
>>>>>> are not shown with wbinfo.
>>>>> wbinfo will NOT show you the users from the other domain,
>>>>> this is disabled.
>>>>>>
>>>>>> For the rest there are some options to the "samba-tool domain trust
>>>>>> create" command that make us wonder:
>>>>>>
>>>>>> --quarantined=yes|no (seems to be talking about SID filtering, whereas
>>>>>> the release notes always mention that NO filtering is done..?)
>>>>> you can set it but (at the moment) it's ignored ;-)
>>>>>>
>>>>>>    --create-location=LOCATION (we wonder what is to be created local or on
>>>>>> both places)
>>>>>>
>>>>>> So... many questions and so little to read... Pointers, ideas..?
>>>>>>
>>>>> The only way I used the trusts so far is setting up a full trust. I
>>>>> wrote an article in a German magazine about trusts. It's a little "how
>>>>> to" to create a working trust.
>>>>>> Thanks in advance!
>>>>>>
>>>>>> MJ
>>>>>>
>>>>> If you set up a full forest-trust you can put users from any domain to
>>>>> the other domain and set permissions on fileservers and use the
>>>>> resources.
>>>>>
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam. Sign your e-mail. More
information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net
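The thread's recurring advice is to put a query-logging DNS proxy between the two domains and check, from either side, that the SRV records of both domains resolve. Below is an added example (not code from the thread or from any of its posters) that reads BIND 9 "queries" category log lines, the kind the query_log channel in Louis' logging block writes once "category queries { query_log; };" is enabled, and reports per client which of the SRV records an AD domain needs were requested. The log lines, client addresses, the proxy address 192.0.2.53 and the host names are constructed for the example; the list of required SRV names is the standard AD set.

```python
"""Who is asking the DNS proxy for which AD SRV records?

Added example, not code from the thread: parses BIND 9 'queries' category
log lines and reports, per client, which of the SRV records an AD domain
needs were requested. All log lines and addresses below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: two clients talking to a proxy at 192.0.2.53, plus one
# non-query line that the parser must ignore.
SAMPLE_QUERY_LOG = """\
05-Mar-2019 10:47:01.101 queries: info: client @0x7f3c2c0a1b20 192.0.2.20#50211 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV +E(0)K (192.0.2.53)
05-Mar-2019 10:47:01.102 queries: info: client @0x7f3c2c0a1b20 192.0.2.20#50211 (_kerberos._tcp.dc._msdcs.testad1.company.com): query: _kerberos._tcp.dc._msdcs.testad1.company.com IN SRV +E(0)K (192.0.2.53)
05-Mar-2019 10:47:02.310 queries: info: client 192.0.2.10#49152 (_ldap._tcp.dc._msdcs.testad2.company.com): query: _ldap._tcp.dc._msdcs.testad2.company.com IN SRV + (192.0.2.53)
05-Mar-2019 10:47:02.311 queries: info: client 192.0.2.10#49152 (win-0enaipfh11a.testad1.company.com): query: win-0enaipfh11a.testad1.company.com IN A + (192.0.2.53)
05-Mar-2019 10:47:03.000 general: info: zone testad2.company.com/IN: sending notifies (serial 42)
"""

# BIND 9 query line, with or without the '@0x...' client handle and the
# parenthesised query name that newer versions print before 'query:'.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\([^)]*\): )?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def expected_srv_names(domain):
    """SRV names a member or trust partner must resolve to locate DCs of `domain`."""
    d = domain.lower().rstrip(".")
    return {
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kpasswd._tcp.{d}",
        f"_gc._tcp.{d}",
    }


def parse_query_log(lines):
    """Return {client_ip: {(qname, qtype), ...}}; lines without a query are skipped."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            qname = m.group("name").lower().rstrip(".")
            seen[m.group("ip")].add((qname, m.group("qtype").upper()))
    return dict(seen)


def srv_coverage(seen, domain):
    """For every client that asked for at least one required SRV name of
    `domain`: the names it asked for and the names it never asked for.
    A partner that never asks for _ldap._tcp.dc._msdcs.<domain> cannot
    have located a DC there, whatever the proxy answered."""
    expected = expected_srv_names(domain)
    report = {}
    for ip, queries in seen.items():
        asked = {n for n, t in queries if t == "SRV" and n in expected}
        if asked:
            report[ip] = {"asked": sorted(asked),
                          "never_asked": sorted(expected - asked)}
    return report


if __name__ == "__main__":
    seen = parse_query_log(SAMPLE_QUERY_LOG.splitlines())
    for dom in ("testad1.company.com", "testad2.company.com"):
        for ip, cov in srv_coverage(seen, dom).items():
            print(f"{ip} -> {dom}: asked {cov['asked']}; never asked {cov['never_asked']}")
```

Run against a real /var/log/bind/query.log this tells you whether the DC of one domain is even asking the proxy for the other domain's _msdcs records; if a side is missing entirely, the resolver configuration of that side is the first thing to fix, before looking at the trust itself.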

