Hello,

My post is about having two Samba 4 AD DCs at two different geographical places and accessing resources bidirectionally through a VPN, as summarized in the schema below.

-------------------------
Geographical site 1
-------------------------
- AD DC: Samba 4.1.4
- LAN_1 IPs: 192.168.1.0/24
- Machines DNS names: <hostname>.company.lan
- Some machines do not move from this site.
- Some machines are nomads (they can move to Geographical site 2).
- We can access some resources that are on LAN_2 machines through the VPN. For example, NASs get synchronized through the VPN.
-------------------------
            |
            |
           VPN
            |
            |
-------------------------
Geographical site 2
-------------------------
- AD DC: Samba 4.8.0
- LAN_2 IPs: 192.168.2.0/24
- Machines DNS names: <hostname>.company.lan2
- Some machines do not move from this site.
- Some machines are nomads (they can move to Geographical site 1).
- We can access some resources that are on LAN_1 machines through the VPN. For example, NASs get synchronized through the VPN.
-------------------------

On Geographical site 2, I am about to (*):

"Select a DNS domain for your AD forest. The name will also be used as the AD Kerberos realm.
WARNING | Make sure that you provision the AD using a DNS domain that will not need to be changed.
WARNING | Samba does not support renaming the AD DNS zone and Kerberos realm."

I am wondering which is the good way to go as far as these domain names are concerned.
Also, I have read about AD forests but I couldn't find literature explaining how to set up such a system with two Samba 4 AD DCs.

In https://www.infoworld.com/article/2613171/networking/samba-4-review--no-substitute-for-active-directory----yet.html dating back to 2013, one can read: "Support for cross-forest trusts and multiple domain controllers is still to come."

Can you help me?
Best regards.
(*) https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
On Fri, 6 Apr 2018 08:01:50 -0700 (MST) Lea Massiot via samba <samba at lists.samba.org> wrote:
> [...]

As far as I am aware, trusts still do not fully work yet. This isn't really a problem, mainly because you will probably be better off setting up a one domain forest and using subnets and sites. Do an internet search on 'active directory sites and services' for more info.

Rowland
On 06/04/18 16:44, Rowland Penny via samba wrote:
> [...]

Hi,

To add to this, I've just sent congrats to the team for making this work just enough for us.

You should slave the remote domain in named.conf on the local side at both ends on your DCs. Just pick any two distinct domains that are not sub/superdomains. Then all domain members are able to resolve across the trust boundary. When you set up a forest trust you should be able to give users in DomX access to at least member server file shares in DomY and vice-versa.

This is the first time I've got this bit to work. I've had authentication on workstations working before but never resource access until 4.8.0.

Cheers
Alex
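Alex's advice to slave the remote domain in named.conf at both ends, written out as an added example (it is not from the thread, nor from Samba's own documentation). It assumes both DCs use the BIND9_DLZ backend, the DC addresses 192.168.1.2 and 192.168.2.2 and the two distinct domains company.lan and company.lan2 from Léa's first diagram, and a Samba-generated include path that varies by version.

```conf
// named.conf on server_a (site 1, 192.168.1.2), authoritative for company.lan
// through Samba's BIND9_DLZ module. The mirror-image config goes on server_b
// (192.168.2.2) with the zone names and addresses swapped.

options {
    // ... existing options ...

    // Let only the peer DC pull a copy of the local AD zone (AXFR);
    // "any" would hand every host name and address to anyone on the VPN.
    allow-transfer { 192.168.2.2; };
};

// The local AD zone is served by Samba; this path is an assumption and
// differs between Samba versions and distributions.
include "/var/lib/samba/bind-dns/named.conf";

// Secondary copy of the remote site's AD zone, so local members can resolve
// pc_b_1.company.lan2, _ldap._tcp.company.lan2 etc. without forwarding.
zone "company.lan2" {
    type slave;
    masters { 192.168.2.2; };
    file "slaves/company.lan2.db";   // kept on disk, keeps answering during a VPN outage until the zone expires
    allow-query { 192.168.1.0/24; 127.0.0.1; };
};
```

After `rndc reload`, `host pc_b_1.company.lan2` from a site-1 member should answer from server_a, and the remote side needs the matching allow-transfer for the reverse direction.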
Thank you Rowland.
I'm going to search in that direction.
Have a good week-end.

--
Léa

On 06/04/2018 5:44 PM, Rowland Penny wrote:
> [...]
Hello, hello Rowland,

So the physical configuration is something like below:

+-------------------------------+
 server_a
 Samba AD DC
 Domain: mycompany.net
 Subnet: 192.168.1.0/24
 IP: 192.168.1.2
+-------------------------------+

+-------------------------------+
 pc_a_1
 FQDN: pc_a_1.mycompany.net.
 IP: 192.168.1.33
+-------------------------------+

+-------------------------------+
 pc_a_2
 FQDN: pc_a_2.mycompany.net.
 IP: 192.168.1.35
+-------------------------------+

        Internet, WAN // VPN tunnel

+-------------------------------+
 server_b
 Samba AD DC
 Domain: mycompany.net
 Subnet: 192.168.2.0/24
 IP: 192.168.2.2
+-------------------------------+

+-------------------------------+
 pc_b_1
 FQDN: pc_b_1.mycompany.net.
 IP: 192.168.2.33
+-------------------------------+

+-------------------------------+
 pc_b_2
 FQDN: pc_b_2.mycompany.net.
 IP: 192.168.2.35
+-------------------------------+

rowland> you will probably be better off setting up a one domain forest and using subnets and sites.

This is indeed what I would like to do:
- one forest
- one domain "mycompany.net"
- one site
- two subnets, 192.168.1.0/24 and 192.168.2.0/24, separated by a VPN.

On the LAN 192.168.1.0/24, I have a Windows Server with "Active Directory Sites and Services". I can see:

------------------------------------------------------------
Active Directory Sites and Services [server_a.mycompany.net]
  Sites
  -- Inter-Site Transports
  -- Subnets
  -- Default-First-Site-Name
  ---- Servers
  ------ SERVER_A
  -------- NTDS Settings
------------------------------------------------------------

So, we can say we have:
- one forest
- one site (Default-First-Site-Name)
- nothing about subnets
- the notion of domain "mycompany.net" on the first line

I can ping "server_b", which is on the other side of the VPN. I would like its Samba AD DC to belong to this site. My problem is that it is on the other side of the VPN and I don't know how to reach it.

Please help.
Thank you.
--
Lea

On 06/04/2018 5:44 PM, Rowland Penny wrote:
> [...]