Rowland Penny
2016-Nov-22 17:43 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
See inline comments: On Tue, 22 Nov 2016 12:04:57 -0500 Gaiseric Vandal via samba <samba at lists.samba.org> wrote:> I am trying to configuring Samba 4 classic PDC to trust Windows > 2012 domain "DomainB" - the PDC is running Windows 2012 but the > forest and domain functional levels are still Windows 2008. On the > Win 2012 PDC I try to set up an incoming trust, but it fails with > "The local security authority is unable to obtain an RPC connection > to the active directory domain controller SAMBAPDC . "Can we confirm what I think the above means: You have a NT4-style PDC You have 'DomainB' in which there is a Windows 2012 AD DC running as domain functional level 2008 (This is NOT a PDC) You are trying to set up a trust between the PDC and the AD DC> > > > I have an third domain "DomainC" - the PDC is running Windows > 2008 , and the forest and domain functional levels are still Windows > 2008. On that PDC I am able to configure and verify an incoming trust. >Again, you have an AD DC running windows 2008 and you can configure a trust, but you don't say between what.> I am guessing some recent security patch that applies to Windows 2012 > but not to Windows 2008 is the issue? >Sounds like it.> Since samba is a configured as a classic domain, I would have > expected the Windows 2012 DC to see the samba domain as an NT4 domain. >Should do, but microsoft seems to be trying to make it harder, see here: https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS> > I have tried setting the following in smb.conf > > server services = +smb -s3fs > dcerpc endpoint servers = +winreg +srvsvcThey will not do anything on a PDC, they are meant for an AD DC Rowland
Gaiseric Vandal
2016-Nov-22 18:40 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
In summary * DomainA Samba classic domain- PDC and BDC are running Samba 4.4.7. The PDC is called "SambaPDC." * DomainB Windows AD domain , level 2008, domain controller is Windows 2012 or 2012R2 (you are correct that there are not primary and backup controllers in AD) * DomainC Windows AD domain, level 2008, domain controllers are Windows 2008 I need to get trusts established between DomainA and DomainB. (I don't actually need trusts between DomainA and DomainC, but hoped it might flush out a working configuration) I can not setup trusts between DomainA and DomainB in either direction. The domain controller of domainB just complains that it cannot establish an RPC connection to DomainA's PDC (The PDC on domainA has winbind errors relating to domain C.) (On the DomainA PDC, wbinfo isn't showing trusted users from domainC and I see errors in the winbind log.) I can partially setup trusts between DomainA and DomainC. The domain controller of domainC thinks two way trusts are enabled (can verify them) and I am able to grant DomainA users access to files on DomainC servers. (On the DomainA PDC, wbinfo isn't showing trusted users from domainC and I see errors in the winbind log.) Wondering if I should have complied Samba using "--without-ad-dc" option. On 11/22/16 12:43, Rowland Penny via samba wrote:> See inline comments: > > On Tue, 22 Nov 2016 12:04:57 -0500 > Gaiseric Vandal via samba <samba at lists.samba.org> wrote: > >> I am trying to configuring Samba 4 classic PDC to trust Windows >> 2012 domain "DomainB" - the PDC is running Windows 2012 but the >> forest and domain functional levels are still Windows 2008. On the >> Win 2012 PDC I try to set up an incoming trust, but it fails with >> "The local security authority is unable to obtain an RPC connection >> to the active directory domain controller SAMBAPDC . " > Can we confirm what I think the above means: > > You have a NT4-style PDC > You have 'DomainB' in which there is a Windows 2012 AD DC running as > domain functional level 2008 (This is NOT a PDC) > You are trying to set up a trust between the PDC and the AD DC > >> >> >> I have an third domain "DomainC" - the PDC is running Windows >> 2008 , and the forest and domain functional levels are still Windows >> 2008. On that PDC I am able to configure and verify an incoming trust. >> > Again, you have an AD DC running windows 2008 and you can configure a > trust, but you don't say between what. > >> I am guessing some recent security patch that applies to Windows 2012 >> but not to Windows 2008 is the issue? >> > Sounds like it. > >> Since samba is a configured as a classic domain, I would have >> expected the Windows 2012 DC to see the samba domain as an NT4 domain. >> > Should do, but microsoft seems to be trying to make it harder, see > here: > > https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS > >> I have tried setting the following in smb.conf >> >> server services = +smb -s3fs >> dcerpc endpoint servers = +winreg +srvsvc > They will not do anything on a PDC, they are meant for an AD DC > > Rowland >
Gaiseric Vandal
2016-Nov-22 22:53 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I am not sure if this is relevant root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB Enter DOMAINA$'s password: Could not connect to server DomainB_DC Trust to domain DomainB established root at sambaPDC:~# root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC Enter DOMAINA$'s password: Could not connect to server DomainC_DC Trust to domain DomainC established root at sambaPDC:~# root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator Trusted domains list: DOMAINA S-1-5-21-xxxx-xxxx-xxxx DOMAINB S-1-5-21-xxxx-xxxx-xxxx Trusting domains list: DOMAINA S-1-5-21-xxxx-xxxx-xxxx DOMAINB S-1-5-21-xxxx-xxxx-xxxx I MAY have seen "could not connect to server..." errors in the past even when trusts did work. On 11/22/16 13:40, Gaiseric Vandal wrote:> In summary > > * DomainA Samba classic domain- PDC and BDC are running Samba > 4.4.7. The PDC is called "SambaPDC." > * DomainB Windows AD domain , level 2008, domain controller is > Windows 2012 or 2012R2 (you are correct that there are not primary > and backup controllers in AD) > * DomainC Windows AD domain, level 2008, domain controllers are > Windows 2008 > > > I need to get trusts established between DomainA and DomainB. (I don't > actually need trusts between DomainA and DomainC, but hoped it might > flush out a working configuration) > > > > I can not setup trusts between DomainA and DomainB in either > direction. The domain controller of domainB just complains that > it cannot establish an RPC connection to DomainA's PDC (The PDC on > domainA has winbind errors relating to domain C.) (On the DomainA > PDC, wbinfo isn't showing trusted users from domainC and I see errors > in the winbind log.) > > > > I can partially setup trusts between DomainA and DomainC. The domain > controller of domainC thinks two way trusts are enabled (can verify > them) and I am able to grant DomainA users access to files on DomainC > servers. (On the DomainA PDC, wbinfo isn't showing trusted users from > domainC and I see errors in the winbind log.) > > > Wondering if I should have complied Samba using "--without-ad-dc" option. > > > > > > On 11/22/16 12:43, Rowland Penny via samba wrote: >> See inline comments: >> >> On Tue, 22 Nov 2016 12:04:57 -0500 >> Gaiseric Vandal via samba <samba at lists.samba.org> wrote: >> >>> I am trying to configuring Samba 4 classic PDC to trust Windows >>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the >>> forest and domain functional levels are still Windows 2008. On the >>> Win 2012 PDC I try to set up an incoming trust, but it fails with >>> "The local security authority is unable to obtain an RPC connection >>> to the active directory domain controller SAMBAPDC . " >> Can we confirm what I think the above means: >> >> You have a NT4-style PDC >> You have 'DomainB' in which there is a Windows 2012 AD DC running as >> domain functional level 2008 (This is NOT a PDC) >> You are trying to set up a trust between the PDC and the AD DC >> >>> >>> >>> I have an third domain "DomainC" - the PDC is running Windows >>> 2008 , and the forest and domain functional levels are still Windows >>> 2008. On that PDC I am able to configure and verify an incoming trust. >>> >> Again, you have an AD DC running windows 2008 and you can configure a >> trust, but you don't say between what. >>> I am guessing some recent security patch that applies to Windows 2012 >>> but not to Windows 2008 is the issue? >>> >> Sounds like it. >>> Since samba is a configured as a classic domain, I would have >>> expected the Windows 2012 DC to see the samba domain as an NT4 domain. >>> >> Should do, but microsoft seems to be trying to make it harder, see >> here: >> >> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS >> >>> I have tried setting the following in smb.conf >>> >>> server services = +smb -s3fs >>> dcerpc endpoint servers = +winreg +srvsvc >> They will not do anything on a PDC, they are meant for an AD DC >> >> Rowland >> >
Reasonably Related Threads
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Wbinfo does show users from trusted domain / RPC error
- Winbind authentication from different domain not working