Tino Müller
2018-Jun-22 09:00 UTC
[Samba] Domain trust and browsing users and groups problem
Hi list, we have a forest trust of two domains. One domain in US (us.root.prv) running exclusively on Windows 2012 R2 and one in EU (spreadshirt.private) running exclusively Sernet Samba 4.8.2-11. Both domains run functional level "2008 R2". The trust validates successful using "samba-tool domain trust validate" and in "Domains and trusts". My problem is: I can't browse users and groups of the EU domain on a domain member of the US domain, when I try to give EU users permissions on resources in the US domain. The other way does work. For example: At a server in the US domain (actually the DC with all FSMO roles of the US domain), I right-click a folder on disk -> Properties -> Security -> "Add..." -> "Locations..." -> select forest "spreadshirt.private" -> OK -> "Advanced..." -> "Find now". Search results below show "Searching..." for a short time and then the message: "The following error prevented the display of any items: The system cannot contact a domain controller to service the authentication request. Please try again later." Doing the same in the EU domain to find users and groups in the US domain, lists all users and groups as expected. To track down, what happens, I do a tcpdump at one of the DCs in EU (ad07), which get the requests from the US server. This is, what I find (as I think the relevant part): The krb5 req packet: US -> EU - KRB5 TGS-REQ Kerberos tgs-req pvno: 5 msg-type: krb-tgs-req (12) req-body kdc-options: 40810000 (forwardable, renewable, canonicalize) realm: SPREADSHIRT.PRIVATE sname name-type: kRB5-NT-SRV-INST (2) sname-string: 3 items SNameString: ldap SNameString: ad07.spreadshirt.private SNameString: spreadshirt.private etype: 5 items ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17) ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23) ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24) ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135) enc-authorization-data etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) cipher: f1cab9899b2402be5267e58829e2573f875f03e4fc1fc04b... The answer: EU -> US - KRB5 KRB Error: KRB5KRB_ERR_GENERIC Kerberos krb-error pvno: 5 msg-type: krb-error (30) ctime: 2018-06-22 07:49:57 (UTC) cusec: 4986 stime: 2018-06-22 07:49:57 (UTC) susec: 828326 error-code: eRR-GENERIC (60) realm: <unspecified realm> sname name-type: kRB5-NT-UNKNOWN (0) sname-string: 0 items e-text: No next enctype 18 for hdb-entry This "No next enctype 18 for hdb-entry" seems to be the problem. AFAIK is enctype 18 the encryption type AES256-CTS-HMAC-SHA1-96 as seen in the request packet. After this packet, the connection is ended by the US server. What does this error mean and how do I solve this? Without this, we can't add permissions to EU users in US domain. --- Additional info: ad07 is the DC with all FSMO roles in EU. It was used to establish the trust to the US domain by "samba-tool domain trust create" command. Exactly: # kinit -c ./cache administrator at US.ROOT.PRV # samba-tool domain trust create US.ROOT.PRV --type=forest --direction=both -k yes --krb5-ccache=./cache --create-location=both smb.conf of ad07: # Global parameters [global] netbios name = AD07 realm = SPREADSHIRT.PRIVATE server role = active directory domain controller workgroup = SPREADSHIRT log level = 2 auth_audit:2 auth_json_audit:2 idmap_ldb:use rfc2307 = yes ntlm auth = yes ldap server require strong auth = allow_sasl_over_tls [netlogon] path = /var/lib/samba/sysvol/spreadshirt.private/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No "ntlm auth = yes" and "ldap server require strong auth allow_sasl_over_tls" are needed for freeradius and third-party software. Removing them and restarting samba services didn't help. secrets.keytab entries at ad07: # ktutil -k /var/lib/samba/private/secrets.keytab list /var/lib/samba/private/secrets.keytab: Vno Type Principal 2 des-cbc-crc HOST/ad07 at SPREADSHIRT.PRIVATE 2 des-cbc-crc HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE 2 des-cbc-crc AD07$@SPREADSHIRT.PRIVATE 2 des-cbc-md5 HOST/ad07 at SPREADSHIRT.PRIVATE 2 des-cbc-md5 HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE 2 des-cbc-md5 AD07$@SPREADSHIRT.PRIVATE 2 arcfour-hmac-md5 HOST/ad07 at SPREADSHIRT.PRIVATE 2 arcfour-hmac-md5 HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE 2 arcfour-hmac-md5 AD07$@SPREADSHIRT.PRIVATE 2 aes128-cts-hmac-sha1-96 HOST/ad07 at SPREADSHIRT.PRIVATE 2 aes128-cts-hmac-sha1-96 HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE 2 aes128-cts-hmac-sha1-96 AD07$@SPREADSHIRT.PRIVATE 2 aes256-cts-hmac-sha1-96 HOST/ad07 at SPREADSHIRT.PRIVATE 2 aes256-cts-hmac-sha1-96 HOST/ad07.spreadshirt.private at SPREADSHIRT.PRIVATE 2 aes256-cts-hmac-sha1-96 AD07$@SPREADSHIRT.PRIVATE Ticket cache at US server (rosen): C:\Windows\system32>klist Current LogonId is 0:0x607f290 Cached Tickets: (2) #0> Client: atmueller @ US.ROOT.PRV Server: krbtgt/SPREADSHIRT.PRIVATE @ US.ROOT.PRV KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize Start Time: 6/22/2018 3:46:44 (local) End Time: 6/22/2018 13:35:57 (local) Renew Time: 6/29/2018 3:35:57 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0 Kdc Called: ROSEN #1> Client: atmueller @ US.ROOT.PRV Server: krbtgt/US.ROOT.PRV @ US.ROOT.PRV KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize Start Time: 6/22/2018 3:35:57 (local) End Time: 6/22/2018 13:35:57 (local) Renew Time: 6/29/2018 3:35:57 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x1 -> PRIMARY Kdc Called: ROSEN The whole communication is done for this connection between rosen and ad07. Full tcpdump trace is available. In short (US server requests, answered by EU server): - DNS requests for GC - CLDAP search for DC capabilities - LDAP search base <ROOT> at GC port 3268 - Kerberos request as above - unbind from GC Any help is appreciated. Thank you. Tino
Tino Müller
2018-Jul-05 11:33 UTC
[Samba] Having a trust with Windows domain breaks GPOs in Samba domain
Hi list, this might be related to my other mail with the subject "Domain trust and browsing users and groups problem". We have a forest trust of two domains. One domain in US (us.root.prv) running exclusively on Windows 2012 R2 and one in EU (spreadshirt.private) running exclusively Sernet Samba 4.8.3-11. Both domains run functional level "2008 R2". The trust validates successful using "samba-tool domain trust validate" and in "Domains and trusts". Since establishing the trust, processing of group policies fail at all Windows members in the Samba domain. Running gpupdate /force produces this error: C:\Users\tmu>gpupdate /force Updating policy... Computer Policy update has completed successfully. User Policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results. In system event log this is logged: Log Name: System Source: Microsoft-Windows-GroupPolicy Date: 7/5/2018 12:18:35 PM Event ID: 1110 Task Category: None Level: Error Keywords: User: SPREADSHIRT\tmu Computer: p223.spreadshirt.private Description: The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account. Searching the internet to this error only points to a not running netlogon service at Windows machine, which is the case here. Removing the trust make GPOs working again at all Windows clients. My question is: Are trusts ready for production?>From my experience so far, they produce more trouble than gain.Thank you for any insights. Tino
Maybe Matching Threads
- kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
- kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
- Windows 2012 s4u2self followed by s4u2proxy fails against samba
- access is denied to the Windows share folder because of the ticket kerberos
- Different behaviour of winbind in 4.8.3