Alex Crow
2016-Jul-11 12:55 UTC
[Samba] Testing a forest trusts in Samba 4.4.5 AD environment
Hi List,

I am currently testing inter-forest trusts between a pair of AD domains. All DCs and member servers are using Sernet Samba 4.4.5.

I have set up conditional forwarding in my BIND setup (I'm using BIND9_DLZ) and all machines can resolve each other. On the DCs, I can see users from the other side of the trust using wbinfo -u --domain=<other domain>. In addition, if I set up ID mapping in smb.conf on the DCs, getent group/password work fine (using winbind in nsswitch.conf).

There are two parts I'm struggling to get working. On member servers (file servers in my case), even with an ID mapping set up in smb.conf, wbinfo -u --domain=<other domain> returns nothing, and I see errors in log.wb-<domain>:

[2016/07/11 13:48:25.449458, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:25.449700, 0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/07/11 13:48:26.015483, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:26.444479, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:26.444610, 0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred

Understandably getent fails here too.

Here's an example smb.conf from a member server:

[global]

workgroup = AAA_NET
realm = samba.aaa.net
netbios name = S4FILES
security = ADS
#bind interfaces only = yes
#interfaces = eth0, lo
#dedicated keytab file = /etc/krb5.keytab
#kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
clustering = yes
#private dir = /mfs/ctdb/private

idmap config *:backend = tdb
idmap config *:range = 200000-300000
idmap config AAA_NET:backend = ad
idmap config AAA_NET:default = yes
idmap config AAA_NET:schema_mode = rfc2307
idmap config AAA_NET:range = 500-199999

idmap config BBB:backend = rid
idmap config BBB:range = 3000000-3100000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

The other issue I have is when trying to work with accounts from the other side of the trust within Windows. For instance, when trying to add a user from the "other" domain to permissions on a directory, I can indeed select the accounts in the picker, get prompted for credentials on the other domain, but at the final step get an error: "The Active Directory Domain Controllers required to find the selected objects in the following domains are not available: samba.bbb.net. Ensure the Active Directory Domain Controllers are available, and try to select the objects again".

Now I'm aware that it's early days for trusts in AD with Samba, but I'm curious if there is something I'm missing here or others may have got further than I have.

Many thanks

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
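As an added example (not part of the original post and not Samba project code), the following Python script checks the two things a practitioner would look at first on the member server from the material above: whether the idmap ranges in the posted smb.conf overlap or leave a trusted domain without a mapping, and which log.wb-<domain> entries are Kerberos/GSS failures. The smb.conf text and log lines are constructed copies of what Alex posted; the domain list passed to check_idmap stands in for the output of wbinfo -m and is an assumption.

```python
import re
from collections import defaultdict

# Constructed from the member server smb.conf posted above (S4FILES).
SMB_CONF = """
[global]
workgroup = AAA_NET
realm = samba.aaa.net
security = ADS
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 200000-300000
idmap config AAA_NET:backend = ad
idmap config AAA_NET:schema_mode = rfc2307
idmap config AAA_NET:range = 500-199999
idmap config BBB:backend = rid
idmap config BBB:range = 3000000-3100000
winbind use default domain = yes
"""

# Constructed copy of the log.wb-<domain> lines quoted in the post.
LOG_LINES = [
    "[2016/07/11 13:48:25.449458,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)",
    "  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]",
    "[2016/07/11 13:48:25.449700,  0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)",
    "  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.",
]

# 'idmap config <domain> : <option> = <value>' ; the domain may be '*' (the default backend).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Samba debug header: [YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)
LOG_HDR_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+)")


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in smb.conf text."""
    cfg = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg[dom][opt] = val
    return dict(cfg)


def parse_range(value):
    """'lo-hi' -> (lo, hi); raises ValueError when malformed or reversed."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"reversed range {value!r}")
    return lo, hi


def check_idmap(cfg, domains):
    """List idmap problems: missing backend/range, overlapping ranges, unmapped domains."""
    problems, ranges = [], {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: bad range {opts['range']!r}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # winbind refuses overlapping ranges; two domains must never share an ID.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    for dom in domains:
        if dom.upper() not in cfg and "*" not in cfg:
            problems.append(f"{dom}: no idmap config and no '*' default")
    return problems


def triage_winbind_log(lines):
    """Pair each Samba debug header with its message line and classify the failure."""
    events, i = [], 0
    while i < len(lines):
        m = LOG_HDR_RE.match(lines[i])
        if m and i + 1 < len(lines):
            ts, level, where = m.groups()
            msg = lines[i + 1].strip()
            if "Key version is not available" in msg:
                kind = "krb5-kvno"  # Kerberos library found no key of the requested version
            elif "gss_init_sec_context failed" in msg:
                kind = "gss-init-failed"
            elif "ads_sasl_spnego" in msg:
                kind = "ldap-sasl-bind-failed"  # LDAP bind to the DC failed after kinit worked
            else:
                kind = "other"
            events.append({"time": ts, "level": int(level), "where": where, "kind": kind, "msg": msg})
            i += 2
        else:
            i += 1
    return events


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("idmap problems:", check_idmap(cfg, ["AAA_NET", "BBB"]) or "none")
    for ev in triage_winbind_log(LOG_LINES):
        print(ev["time"], ev["kind"], ev["where"])
```

On the posted configuration the range check comes back clean, which narrows the member server problem to the Kerberos side that the log triage flags: every bind attempt to the trusted domain's DC dies in gss_init_sec_context before idmap is ever consulted.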
Alex Crow
2016-Jul-11 17:50 UTC
[Samba] Testing a forest trusts in Samba 4.4.5 AD environment
On 11/07/16 13:55, Alex Crow wrote:

I've had another go at this by deleting and recreating the trust without --type=forest. It makes a slight improvement, in that:

1) I can assign permissions on files/directories served up by DCs without the "DCs not available" issue, whereas with --type=forest I got it even on DCs.

2) I can log in to a domain client W7 VM with an account from the trust domain.

However, I still can't see any accounts on Samba member servers via wbinfo -u --domain=<otherdom>, or with getent, and now after adding permissions on a directory in domain "AAA" to a user in "BBB", when I check Properties -> Security from a Windows machine in domain BBB, the ACL entry shows "Unknown SID", even though it is clearly a SID in domain "BBB".

I hope this helps...

Thanks again

Alex
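Added example, not from the original thread and not Samba project code: a Python helper that does by hand what the Windows ACL editor is failing to do for the "Unknown SID" entry, namely attribute the SID in an ACE to the domain that issued it by comparing its domain part against known domain SIDs, and then list the wbinfo checks to run on the member server for that SID. The domain SIDs and the ACE SID below are constructed placeholders, not the poster's real values; wbinfo is only invoked by run_checks, which returns None when the tool is not installed.

```python
import re
import shutil
import subprocess

# Any SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")

# Constructed stand-ins for what `wbinfo -D AAA_NET` / `wbinfo -D BBB` would print.
DOMAIN_SIDS = {
    "AAA_NET": "S-1-5-21-1111111111-2222222222-3333333333",
    "BBB":     "S-1-5-21-4444444444-5555555555-6666666666",
}

# Constructed ACE SID: a user RID under the BBB domain SID.
ACE_SID = DOMAIN_SIDS["BBB"] + "-1105"

WELL_KNOWN_PREFIXES = {
    "S-1-5-32": "BUILTIN",   # BUILTIN\\Administrators is S-1-5-32-544, etc.
}


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> (domain SID, RID). A bare domain SID yields RID None."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    if parts[2] == "5" and parts[3] == "21":
        # NT domain SID: S-1-5-21 followed by three sub-authorities, then an optional RID.
        if len(parts) == 7:
            return sid, None
        if len(parts) == 8:
            return "-".join(parts[:7]), int(parts[7])
        raise ValueError(f"malformed domain SID: {sid!r}")
    # Well-known SIDs: treat the last sub-authority as the RID under the prefix.
    return "-".join(parts[:-1]), int(parts[-1])


def attribute_sid(sid, domain_sids=DOMAIN_SIDS):
    """Return (owning domain name or None, RID); None means no known domain issued it."""
    dom_sid, rid = split_sid(sid)
    for name, known in domain_sids.items():
        if known == dom_sid:
            return name, rid
    if dom_sid in WELL_KNOWN_PREFIXES:
        return WELL_KNOWN_PREFIXES[dom_sid], rid
    return None, rid


def resolution_checks(sid, domain):
    """wbinfo invocations to run on the member server for an ACE shown as 'Unknown SID'."""
    return [
        ["wbinfo", "-m"],                               # is the trusted domain listed at all?
        ["wbinfo", "--ping-dc", f"--domain={domain}"],  # can winbind reach a DC of that domain?
        ["wbinfo", "-D", domain],                       # domain SID and trust flags as winbind sees them
        ["wbinfo", "-s", sid],                          # SID -> name (LSA LookupSids against that domain)
        ["wbinfo", "-S", sid],                          # SID -> uid via the idmap config for that domain
    ]


def run_checks(sid, domain):
    """Run the checks if wbinfo exists; returns [(argv, returncode, output)] or None."""
    if shutil.which("wbinfo") is None:
        return None
    results = []
    for argv in resolution_checks(sid, domain):
        p = subprocess.run(argv, capture_output=True, text=True)
        results.append((argv, p.returncode, (p.stdout + p.stderr).strip()))
    return results


if __name__ == "__main__":
    domain, rid = attribute_sid(ACE_SID)
    print(f"{ACE_SID}: domain={domain} rid={rid}")
    out = run_checks(ACE_SID, domain or "BBB")
    if out is None:
        print("wbinfo not installed; commands that would run:")
        for argv in resolution_checks(ACE_SID, domain or "BBB"):
            print("  " + " ".join(argv))
    else:
        for argv, rc, text in out:
            print(" ".join(argv), "->", rc, text)
```

If attribute_sid names BBB but `wbinfo -s` on the member server still cannot resolve the SID, the SID itself is fine and the failure is in the member server's path to BBB's DCs, which is the same path the log.wb-<domain> errors in the first message are about; if `wbinfo -s` succeeds there but Windows still shows "Unknown SID", the lookup that is failing is the one the Windows client makes against its own domain's DC.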
mathias dufresne
2016-Jul-12 08:36 UTC
[Samba] Testing a forest trusts in Samba 4.4.5 AD environment
Hi Alex,

Nice information about forest type.

Regarding listing domain users, have you tried to set up samba with: winbind use default domain = no?

2016-07-11 19:50 GMT+02:00 Alex Crow <acrow at integrafin.co.uk>: