Now I have some time to answer maybe a few of your questions.
On 26.02.19 at 20:59, lists via samba wrote:
> Hi,
>
> No replies unfortunately. Unsure why.
There are still a lot of questions open and I think a lot of things have
to be done.
>
> We searched the list, and we found little discussion on the subject of
> trusts. We see occasional questions, but they are often left unanswered,
> like this one.
>
> If someone could point us to some good up-to-date docs on trusts with
> samba then we would really appreciate it.
>
> We setup a test environment (one samba 4.9.4 testad2 AD, one native
> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
> but we have just so many questions, and there is so little material (on
> trusts, specific to the combination with samba) to read.
Up to this point I have done a few installations with two Samba4
domains.
>
> Both AD domains (testad1 / testad2) are on the same subnet, and my test
> client can join both domains successfully.
Before you join the domain you should check if you can resolve the
SRV records of both domains from either side. For this the best thing is
to set up a DNS proxy between the two domains.
>
> The trust (from samba's side) succeeds 'half' with an error when
> validating the incoming trust at the end.
Most of the time it's a DNS problem, so first check the
SRV records.
>
> Here are some outputs:
>
>> root at testad2dc:/var/log/samba# samba-tool domain trust create
>> TESTAD1.company.com -U TESTAD1\\administrator
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> Password for [TESTAD1\administrator]:
>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> Creating remote TDO.
>> Remote TDO created.
>> Setting supported encryption types on remote TDO.
>> Creating local TDO.
>> Local TDO created
>> Setting supported encryption types on local TDO.
>> Validating outgoing trust...
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> Validating incoming trust...
>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>
>> root at testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>> found.
Did you check the DNS?
>
>> root at testad2dc:/var/log/samba# samba-tool domain trust list
>> Type[External] Transitive[No] Direction[BOTH]
>> Name[testad1.company.com]
>
>> root at testad2dc:/var/log/samba# samba-tool domain trust show testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> TrustedDomain:
>
>> NetbiosName: TESTAD1
>> DnsName: testad1.company.com
>> SID: S-1-5-21-2509583006-2398556320-3264531554
>> Type: 0x2 (UPLEVEL)
>> Direction: 0x3 (BOTH)
>> Attributes: 0x4 (QUARANTINED_DOMAIN)
>> PosixOffset: 0x00000000 (0)
>> kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> root at testad2dc:/var/log/samba# wbinfo --online-status
>> BUILTIN : active connection
>> TESTAD2 : active connection
>> TESTAD1 : active connection
>
>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>
>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>> TESTAD2\administrator
>> TESTAD2\guest
>> TESTAD2\krbtgt
>> TESTAD2\testuser
>
> On the windows 2012 testad1 side, we do NOT see the trust relation
> listed under "Active directory domains and trusts". Trusted remote users
> are not shown with wbinfo.
wbinfo will NOT show you the users from the other domain, this is
disabled.
>
> For the rest there are some options to the "samba-tool domain trust
> create" command that make us wonder:
>
> --quarantined=yes|no (seems to be talking about SID filtering, whereas
> the release notes always mention that NO filtering is done..?)
You can set it, but (at the moment) it's ignored ;-)
>
> --create-location=LOCATION (we wonder what is to be created local or on
> both places)
>
> So... many questions and so little to read... Pointers, ideas..?
>
The only way I have used trusts so far is setting up a full trust. I've
written an article in a German magazine about trusts. It's a little "how
to" on creating a working trust.
> Thanks in advance!
>
> MJ
>
If you set up a full forest trust you can put users from either domain into
the other domain, set permissions on file servers and use the resources.
--
Stefan
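As an added example, not part of Stefan's reply and not Samba project code: a small POSIX shell check for the SRV-record precondition he describes, meant to be run on each DC with the other domain's name before `samba-tool domain trust create`. The use of `dig`, the list of record names and the resolver address in the usage comment are assumptions of this example, not taken from the thread.

```shell
#!/bin/sh
# Added example: check from one side of a planned trust that the SRV records the
# other domain's DCs must publish actually resolve from here.
# Assumes `dig` (bind-utils / dnsutils) is installed; domain names and the
# optional resolver address are supplied as arguments.

# SRV record names an AD domain publishes for DC location, Kerberos and
# trust validation (standard AD DNS names; list is this example's assumption).
srv_names() {
  d="$1"
  printf '%s\n' \
    "_ldap._tcp.$d" \
    "_kerberos._tcp.$d" \
    "_kpasswd._tcp.$d" \
    "_gc._tcp.$d" \
    "_ldap._tcp.dc._msdcs.$d" \
    "_ldap._tcp.pdc._msdcs.$d"
}

# Query each record, optionally against a specific resolver (the other
# domain's DC, or the DNS proxy between the domains). Prints one line per
# record and returns the number of records that did not resolve.
check_srv() {
  d="$1"; server="$2"; missing=0
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
  for n in $(srv_names "$d"); do
    if [ -n "$server" ]; then
      out=$(dig +short @"$server" SRV "$n" 2>/dev/null)
    else
      out=$(dig +short SRV "$n" 2>/dev/null)
    fi
    if [ -z "$out" ]; then
      echo "MISSING $n"
      missing=$((missing + 1))
    else
      echo "OK      $n -> $(echo "$out" | head -n 1)"
    fi
  done
  return "$missing"
}

# Usage (on testad2dc, before creating the trust):
#   check_srv testad1.company.com              # via this DC's configured resolver
#   check_srv testad1.company.com 192.0.2.10   # directly against the proxy/other DC
#                                              # (address is a placeholder)
# Run the same check for testad2.company.com from the testad1 side.
```

If any line comes back MISSING from either side, fix the forwarding (conditional forwarders or a DNS proxy that serves both zones) before retrying the trust; the WERR_NO_LOGON_SERVERS result in the thread is the symptom of a DC that cannot be located this way.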