Hi all,

I was testing the 4.3.0 version to see what is available with trust relationships, but except having my DCs telling me there are trust relationships and using the global catalog to perform searches (but with only search for objects in a.domain.tld when the search is performed against dc.a.domain.tld) I can do nothing else.

My own knowledge on that subject is quite null so I come to you asking some questions:
- are trust relationships already supposed to grant cross-domain authentication from Windows clients? Ex: user at a.domain.tld connecting on computer at b.domain.tld
- are ldapsearch queries supposed to work when asking dc.a.domain.tld for some information about objects contained in b.domain.tld?

Or was I just too enthusiastic?

Is there already some document related to these trust relationships somewhere else than "samba-tool domain trust --help"?

Best regards,

mathias

My bad.

The trust relationship is created and can be checked using winbind:

    wbinfo -u -> get local users list
    wbinfo -u --domain=trusted.domain.tld -> get trusted domain users list (short domain can be used too)

It can also be validated using the --local-dc-username and --local-dc-password switches:

    samba-tool domain trust validate trusted.domain.tld \
        --local-dc-password=trustedAdminPass \
        --local-dc-username=administrator \
        -U administrator@trusted.domain.tld

Using Samba's internal DNS makes DNS query forwarding transparent (with the few tools I think about to check).

To be able to connect on machine.A.domain.tld using a user from B.domain.tld you'll have to add the "Authenticated users" special group to RDP authorized people.

You did great work, Samba team :)

Cheers,

mathias

2015-08-24 13:53 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> Hi all,
>
> I was testing the 4.3.0 version to see what is available with trust
> relationships, but except having my DCs telling me there are trust
> relationships and using the global catalog to perform searches (but with only
> search for objects in a.domain.tld when the search is performed against
> dc.a.domain.tld) I can do nothing else.
>
> My own knowledge on that subject is quite null so I come to you asking
> some questions:
> - are trust relationships already supposed to grant cross-domain
> authentication from Windows clients? Ex: user at a.domain.tld connecting on
> computer at b.domain.tld
> - are ldapsearch queries supposed to work when asking dc.a.domain.tld
> for some information about objects contained in b.domain.tld?
>
> Or was I just too enthusiastic?
>
> Is there already some document related to these trust relationships
> somewhere else than "samba-tool domain trust --help"?
>
> Best regards,
>
> mathias
>

On 02/09/2015 15:04, mathias dufresne wrote:
> samba-tool domain trust validate trusted.domain.tld \
> --local-dc-password=trustedAdminPass \
> --local-dc-username=administrator \
> -U administrator@trusted.domain.tld
>
> Using Samba's internal DNS makes DNS query forwarding transparent (with
> the few tools I think about to check).
>
> To be able to connect on machine.A.domain.tld using a user from
> B.domain.tld you'll have to add the "Authenticated users" special group to RDP
> authorized people.

Following this type of validation I obtain:

    OK: LocalValidation: DC[\\dc.trusted.domain.tld] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
    OK: LocalRediscover: DC[\\dc.trusted.domain.tld] CONNECTION[WERR_OK]

And wbinfo -u --domain=trusted.domain.tld works.

Unfortunately I'm still getting "Checking password for unmapped user [trusted.domain.tld]\[trusteduser]@[localmachine]" in the samba-4.3.1 logs (and wrong user/pass in RDP login).

Am I missing something?

Sergio.