Rowland Penny
2016-Nov-22  17:43 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
See inline comments:

On Tue, 22 Nov 2016 12:04:57 -0500
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> I am trying to configure Samba 4 classic PDC to trust Windows
> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
> forest and domain functional levels are still Windows 2008. On the
> Win 2012 PDC I try to set up an incoming trust, but it fails with
> "The local security authority is unable to obtain an RPC connection
> to the active directory domain controller SAMBAPDC . "

Can we confirm what I think the above means:

You have a NT4-style PDC
You have 'DomainB' in which there is a Windows 2012 AD DC running as
domain functional level 2008 (This is NOT a PDC)
You are trying to set up a trust between the PDC and the AD DC

> I have a third domain "DomainC" - the PDC is running Windows
> 2008, and the forest and domain functional levels are still Windows
> 2008. On that PDC I am able to configure and verify an incoming trust.

Again, you have an AD DC running windows 2008 and you can configure a
trust, but you don't say between what.

> I am guessing some recent security patch that applies to Windows 2012
> but not to Windows 2008 is the issue?

Sounds like it.

> Since samba is configured as a classic domain, I would have
> expected the Windows 2012 DC to see the samba domain as an NT4 domain.

Should do, but microsoft seems to be trying to make it harder, see here:

https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS

> I have tried setting the following in smb.conf
>
>      server services = +smb -s3fs
>      dcerpc endpoint servers = +winreg +srvsvc

They will not do anything on a PDC, they are meant for an AD DC

Rowland
Gaiseric Vandal
2016-Nov-22  18:40 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
In summary

  * DomainA    Samba classic domain - PDC and BDC are running Samba
4.4.7.  The PDC is called "SambaPDC."
  * DomainB    Windows AD domain, level 2008, domain controller is
Windows 2012 or 2012R2 (you are correct that there are not primary and
backup controllers in AD)
  * DomainC    Windows AD domain, level 2008, domain controllers are
Windows 2008

I need to get trusts established between DomainA and DomainB. (I don't
actually need trusts between DomainA and DomainC, but hoped it might
flush out a working configuration.)

I cannot set up trusts between DomainA and DomainB in either direction.
The domain controller of DomainB just complains that it cannot
establish an RPC connection to DomainA's PDC. (The PDC on DomainA has
winbind errors relating to DomainC.) (On the DomainA PDC, wbinfo isn't
showing trusted users from DomainC and I see errors in the winbind log.)

I can partially set up trusts between DomainA and DomainC. The domain
controller of DomainC thinks two-way trusts are enabled (can verify
them) and I am able to grant DomainA users access to files on DomainC
servers. (On the DomainA PDC, wbinfo isn't showing trusted users from
DomainC and I see errors in the winbind log.)

Wondering if I should have compiled Samba using the "--without-ad-dc"
option.

On 11/22/16 12:43, Rowland Penny via samba wrote:
> See inline comments:
>
> On Tue, 22 Nov 2016 12:04:57 -0500
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>> I am trying to configure Samba 4 classic PDC to trust Windows
>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>> forest and domain functional levels are still Windows 2008.  On the
>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>> "The local security authority is unable to obtain an RPC connection
>> to the active directory domain controller SAMBAPDC .  "
> Can we confirm what I think the above means:
>
> You have a NT4-style PDC
> You have 'DomainB' in which there is a Windows 2012 AD DC running as
> domain functional level 2008 (This is NOT a PDC)
> You are trying to set up a trust between the PDC and the AD DC
>
>>
>>
>> I have a third domain "DomainC" - the PDC is running Windows
>> 2008, and the forest and domain functional levels are still Windows
>> 2008. On that PDC I am able to configure and verify an incoming trust.
>>
> Again, you have an AD DC running windows 2008 and you can configure a
> trust, but you don't say between what.
>   
>> I am guessing some recent security patch that applies to Windows 2012
>> but not to Windows 2008 is the issue?
>>
> Sounds like it.
>   
>> Since samba is configured as a classic domain, I would have
>> expected the Windows 2012 DC to see the samba domain as an NT4 domain.
>>
> Should do, but microsoft seems to be trying to make it harder, see
> here:
>
> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>
>> I have tried setting the following in smb.conf
>>
>>      server services = +smb -s3fs
>>      dcerpc endpoint servers = +winreg +srvsvc
> They will not do anything on a PDC, they are meant for an AD DC
>
> Rowland
>
Gaiseric Vandal
2016-Nov-22  22:53 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I am not sure if this is relevant

    root@sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB
    Enter DOMAINA$'s password:
    Could not connect to server DomainB_DC
    Trust to domain DomainB established
    root@sambaPDC:~#
    root@sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC
    Enter DOMAINA$'s password:
    Could not connect to server DomainC_DC
    Trust to domain DomainC established
    root@sambaPDC:~#
    root@sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator
    Trusted domains list:
    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB      S-1-5-21-xxxx-xxxx-xxxx
    Trusting domains list:
    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB      S-1-5-21-xxxx-xxxx-xxxx

I MAY have seen "could not connect to server..." errors in the past
even when trusts did work.

On 11/22/16 13:40, Gaiseric Vandal wrote:
> In summary
>
>  * DomainA    Samba classic domain-  PDC and BDC are running Samba 
> 4.4.7.  The PDC is called "SambaPDC."
>  * DomainB    Windows AD domain , level 2008, domain controller is 
> Windows 2012   or 2012R2 (you are correct that there are not primary 
> and backup controllers in AD)
>  * DomainC    Windows AD domain, level 2008, domain controllers are  
> Windows 2008
>
>
> I need to get trusts established between DomainA and DomainB. (I don't 
> actually need trusts between DomainA and DomainC, but hoped it might 
> flush out a working configuration)
>
>
>
> I cannot set up trusts between DomainA and DomainB in either
> direction.     The domain controller of domainB  just complains that
> it cannot establish an RPC connection to DomainA's PDC (The PDC on 
> domainA has winbind errors relating to domain C.)  (On the DomainA 
> PDC, wbinfo isn't showing trusted users from domainC and I see errors 
> in the winbind log.)
>
>
>
> I can partially setup trusts between DomainA and DomainC.   The domain 
> controller of domainC  thinks two way trusts are enabled (can verify 
> them)  and I am able to grant DomainA users access to files on DomainC 
> servers.  (On the DomainA PDC, wbinfo isn't showing trusted users from 
> domainC and I see errors in the winbind log.)
>
>
> Wondering if I should have compiled Samba using the "--without-ad-dc"
> option.
>
>
>
>
>
> On 11/22/16 12:43, Rowland Penny via samba wrote:
>> See inline comments:
>>
>> On Tue, 22 Nov 2016 12:04:57 -0500
>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>
>>> I am trying to configure Samba 4 classic PDC to trust Windows
>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>> forest and domain functional levels are still Windows 2008. On the
>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>> "The local security authority is unable to obtain an RPC connection
>>> to the active directory domain controller SAMBAPDC .  "
>> Can we confirm what I think the above means:
>>
>> You have a NT4-style PDC
>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>> domain functional level 2008 (This is NOT a PDC)
>> You are trying to set up a trust between the PDC and the AD DC
>>
>>>
>>>
>>> I have a third domain "DomainC" - the PDC is running Windows
>>> 2008, and the forest and domain functional levels are still Windows
>>> 2008. On that PDC I am able to configure and verify an incoming trust.
>>>
>> Again, you have an AD DC running windows 2008 and you can configure a
>> trust, but you don't say between what.
>>> I am guessing some recent security patch that applies to Windows 2012
>>> but not to Windows 2008 is the issue?
>>>
>> Sounds like it.
>>> Since samba is configured as a classic domain, I would have
>>> expected the Windows 2012 DC to see the samba domain as an NT4 domain.
>>>
>> Should do, but microsoft seems to be trying to make it harder, see
>> here:
>>
>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>
>>> I have tried setting the following in smb.conf
>>>
>>>      server services = +smb -s3fs
>>>      dcerpc endpoint servers = +winreg +srvsvc
>> They will not do anything on a PDC, they are meant for an AD DC
>>
>> Rowland
>>
>
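The listing above shows the gap worth checking after `net rpc trustdom establish`: the command reported "Trust to domain DomainC established", yet DomainC appears in neither half of `net rpc trustdom list`. The following is an added example, not code from the thread or from the Samba project. It parses the `net rpc trustdom list` output format (the "Trusted domains list:" section holds domains this PDC trusts, the outgoing direction; "Trusting domains list:" holds domains that trust this PDC, the incoming direction) and classifies each domain you expect as two-way, one-way or missing. The sample listing embedded in the script is constructed from the post, with placeholder SIDs as in the post; the function names `trust_state` and `check_all` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): classify a domain's
# trust state from the output of 'net rpc trustdom list' run on the PDC.
#
#   Trusted domains list:  domains this PDC trusts        (outgoing)
#   Trusting domains list: domains that trust this PDC    (incoming)
#
# A domain that 'net rpc trustdom establish' reported as established but
# that shows up in neither section is reported as "none".

# trust_state "<list output>" DOMAIN
# Prints one of: two-way, outgoing-only, incoming-only, none
trust_state() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[[:space:]]*Trusted domains list:/  { sec = "out"; next }
        /^[[:space:]]*Trusting domains list:/ { sec = "inc"; next }
        # data lines look like "<NAME>      <SID>"; compare NAME case-insensitively
        NF >= 2 && toupper($1) == want {
            if (sec == "out") out = 1
            if (sec == "inc") inc = 1
        }
        END {
            if (out && inc)  print "two-way"
            else if (out)    print "outgoing-only"
            else if (inc)    print "incoming-only"
            else             print "none"
        }'
}

# check_all "<list output>" DOM1 DOM2 ...
# Prints "DOMAIN state" per domain; returns 1 if any domain is not two-way.
check_all() {
    lst=$1; shift
    rc=0
    for d in "$@"; do
        st=$(trust_state "$lst" "$d")
        printf '%s %s\n' "$d" "$st"
        [ "$st" = "two-way" ] || rc=1
    done
    return $rc
}

# Constructed sample, shaped like the listing in the post above
# (SIDs are placeholders, as they were in the post).
SAMPLE='Trusted domains list:

DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
DOMAINB      S-1-5-21-xxxx-xxxx-xxxx
Trusting domains list:

DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
DOMAINB      S-1-5-21-xxxx-xxxx-xxxx'

# Against a live PDC you would feed the real listing instead, e.g.:
#   check_all "$(net rpc trustdom list -U Administrator)" DomainB DomainC
check_all "$SAMPLE" DomainB DomainC || echo "at least one expected trust is not two-way"
```

With the sample from the post, DomainB is reported as two-way and DomainC as none, which is the state the "Could not connect to server DomainC_DC" line hints at: the establish command's success message is not by itself evidence that the PDC's own trust records were updated, so re-list after each establish rather than trusting the exit message.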