Now I have some time to answer, maybe a few of your questions.

On 26.02.19 at 20:59, lists via samba wrote:
> Hi,
>
> No replies unfortunately. Unsure why.
There are still a lot of questions open and I think a lot of things have
to be done.
>
> We searched the list, and we found little discussion on the subject of
> trusts. We see occasional questions, but they are often left unanswered,
> like this one.
>
> If someone could point us to some good up-to-date docs on trusts with
> samba then we would really appreciate it.
>
> We setup a test environment (one samba 4.9.4 testad2 AD, one native
> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
> but we have just so many questions, and there is so little material (on
> trusts, specific to the combination with samba) to read.
Up to this point I did a few installations with two Samba4 Domains
>
> Both AD domains (testad1 / testad2) are on the same subnet, and my test
> client can join both domains successfully.
Before you join the domain you should check if you can resolve the
SRV-Records of both domains from either side. For this the best thing is
to set up a DNS-Proxy between the two domains.
>
> The trust (from samba's side) succeeds 'half' with an error when
> validating the incoming trust at the end.
Most of the time it's a DNS-problem, so first check the SRV-Records
>
> Here are some outputs:
>
>> root@testad2dc:/var/log/samba# samba-tool domain trust create
>> TESTAD1.company.com -U TESTAD1\\administrator
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> Password for [TESTAD1\administrator]:
>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> Creating remote TDO.
>> Remote TDO created.
>> Setting supported encryption types on remote TDO.
>> Creating local TDO.
>> Local TDO created
>> Setting supported encryption types on local TDO.
>> Validating outgoing trust...
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> Validating incoming trust...
>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>
>> root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>> found.
Did you check the DNS?
>
>> root@testad2dc:/var/log/samba# samba-tool domain trust list
>> Type[External] Transitive[No] Direction[BOTH]
>> Name[testad1.company.com]
>
>> root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> TrustedDomain:
>
>> NetbiosName: TESTAD1
>> DnsName: testad1.company.com
>> SID: S-1-5-21-2509583006-2398556320-3264531554
>> Type: 0x2 (UPLEVEL)
>> Direction: 0x3 (BOTH)
>> Attributes: 0x4 (QUARANTINED_DOMAIN)
>> PosixOffset: 0x00000000 (0)
>> kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> root@testad2dc:/var/log/samba# wbinfo --online-status
>> BUILTIN : active connection
>> TESTAD2 : active connection
>> TESTAD1 : active connection
>
>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>
>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>> TESTAD2\administrator
>> TESTAD2\guest
>> TESTAD2\krbtgt
>> TESTAD2\testuser
>
> On the windows 2012 testad1 side, we do NOT see the trust relation
> listed under "Active directory domains and trusts". Trusted remote users
> are not shown with wbinfo.
wbinfo will NOT show you the users from the other domain, this is disabled.
>
> For the rest there are some options to the "samba-tool domain trust
> create" command that make us wonder:
>
> --quarantined=yes|no (seems to be talking about SID filtering, whereas
> the release notes always mention that NO filtering is done..?)
you can set it but (at the moment) it's ignored ;-)
>
> --create-location=LOCATION (we wonder what is to be created local or on
> both places)
>
> So... many questions and so little to read... Pointers, ideas..?
>
The only way I used the trusts so far is setting up a full trust. I
wrote an article in a german magazine about trusts. It's a little "how
to" to create a working trust.
> Thanks in advance!
>
> MJ
>
If you set up a full forest-trust you can put users from any domain to
the other domain and set permissions on fileservers and use the resources.

--
Stefan
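Stefan's advice above is to check, from each side, that the other domain's SRV records resolve before creating the trust, and to put a DNS proxy between the two domains. The script below is an added example, not code from the thread or from the Samba project: it lists the SRV names a DC locator looks up, queries them with dig (assumed to be installed), and prints the BIND forward-zone stanza that acts as that proxy. The function names and the 192.0.2.x addresses are placeholders chosen for this example; testad1.company.com is the domain from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: DNS pre-flight
# check for an AD trust.  Function names and the 192.0.2.x addresses are
# placeholders chosen for this example.

# required_srv_names DOMAIN: the SRV records a DC locator looks up for
# DOMAIN; a trust partner must be able to resolve them from its own side.
required_srv_names() {
    domain="$1"
    printf '%s\n' \
        "_ldap._tcp.$domain" \
        "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_kerberos._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.pdc._msdcs.$domain"
}

# check_srv DOMAIN [RESOLVER_IP]: query each record with dig, print OK/FAIL
# per name, return 1 if any record has no answer.  Without RESOLVER_IP the
# system resolver is used, which is what samba-tool and winbind use too.
check_srv() {
    domain="$1"
    server="$2"
    rc=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    for name in $(required_srv_names "$domain"); do
        if [ -n "$server" ]; then
            answer=$(dig +short @"$server" "$name" SRV 2>/dev/null)
        else
            answer=$(dig +short "$name" SRV 2>/dev/null)
        fi
        if [ -n "$answer" ]; then
            printf 'OK   %s -> %s\n' "$name" "$(printf '%s\n' "$answer" | head -n 1)"
        else
            printf 'FAIL %s (no SRV answer)\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# forward_zone_stanza DOMAIN DC_IP...: named.conf stanza that forwards all
# queries for DOMAIN (including _msdcs.DOMAIN, which lies below it) to the
# other domain's DCs.  This is the "DNS proxy" between the two domains.
forward_zone_stanza() {
    domain="$1"
    shift
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { ' "$domain"
    for ip in "$@"; do
        printf '%s; ' "$ip"
    done
    printf '};\n};\n'
}

# Usage: sh trust-dns-check.sh testad1.company.com [resolver-ip]
# e.g. on the Samba DC:  sh trust-dns-check.sh testad1.company.com
#      and the stanza:   forward_zone_stanza testad1.company.com 192.0.2.10
if [ "$#" -ge 1 ]; then
    check_srv "$@"
fi
```

Run check_srv without a second argument on each DC, because the trust creation and the netlogon validation use that DC's own resolver, not whichever server you happen to point dig at. Samba's built-in DNS server only has the global `dns forwarder` setting in smb.conf and no per-zone forwarding, so the forward-zone stanza belongs in a BIND instance (the BIND9_DLZ backend or a separate proxy box); on the Windows DC the equivalent is a conditional forwarder for testad2.company.com in DNS Manager.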
Hi Stefan,

Thanks for your input. I'll check the dns stuff. I put resolvers for
both domains as primary and secondary on both machines, but I guess
that's not good enough.

I'll look into setting up a (query logging) dns proxy, that should tell
us at least who is asking what.

Any chance to share that (german) article you wrote?

My german is not perfect, but good enough to understand a technical
article. :-)

Thanks for responding!

MJ

On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
> Now I have some time to answer, maybe a few of your questions.
> [...]
> Before you join the domain you should check if you can resolve the
> SRV-Records of both domains from either side. For this the best thing is
> to set up a DNS-Proxy between the two domains.
> [...]
> The only way I used the trusts so far is setting up a full trust. I
> wrote an article in a german magazine about trusts. It's a little "how
> to" to create a working trust.
> [...]
Hai Maurik-Jan,

Stefan's work can be found here, I'm reading it myself and it's really good.

https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F

But all german.. You're close to Germany, it should not be a problem for you.

> I'll look into setting up a (query logging) dns proxy, that
> should tell
> us at least who is asking what.

And... here you go, bind logging for the proxy server. ;-)

// when needed just include this file in the named.conf.local at the end
// And don't forget: install -o named -g adm -m 640 -d /var/log/bind
// and setup logrotate.

Just enable one or more of the categories below.

logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/log/bind/query.log" size 1m;
        // Set the severity to dynamic to see all the debug messages.
        severity debug 3;
    };
    channel update_debug {
        file "/var/log/bind/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/bind/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel xfer_log {
        file "/var/log/bind/xfer.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };

    channel unmatched_log {
        file "/var/log/bind/unmatched.log" size 1m;
        print-category yes;
        print-severity yes;
        print-time yes;
        severity info;
    };

    // the default is to syslog
    //category default { default_syslog; default_debug; };

    category default { bind_log; };
    category lame-servers { null; };
    //category update { update_debug; };
    //category update-security { update_debug; };
    category security { security_info; };
    //category queries { query_log; };
    //category unmatched { null; };
    //category xfer-in { xfer_log; };
    //category xfer-out { xfer_log; };

};

Greetings,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of mj via samba
> Sent: Thursday 28 February 2019 15:32
> To: samba@lists.samba.org
> Subject: Re: [Samba] status on samba trusts
>
> Hi Stefan,
>
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
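Louis's logging config above writes queries to query.log once `category queries { query_log; };` is uncommented; MJ's aim was to see "who is asking what". The script below is an added example, not Louis's or the Samba project's code: it summarises such a log per client, name and record type, and counts the SRV lookups seen for a given domain. SAMPLE_LOG holds constructed lines in the BIND 9 query-log format (with print-time, print-category and print-severity on, as in the channels above); the 192.0.2.x addresses are placeholders and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a BIND query log to see
# which client asked this server for which name.  SAMPLE_LOG holds
# constructed lines in the BIND 9 query-log format (print-time,
# print-category and print-severity on); the 192.0.2.x addresses are
# placeholders.
SAMPLE_LOG='28-Feb-2019 15:40:01.101 queries: info: client 192.0.2.20#49152 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV + (192.0.2.10)
28-Feb-2019 15:40:01.102 queries: info: client 192.0.2.20#49153 (_kerberos._tcp.testad1.company.com): query: _kerberos._tcp.testad1.company.com IN SRV + (192.0.2.10)
28-Feb-2019 15:40:02.310 queries: info: client 192.0.2.30#49200 (_ldap._tcp.dc._msdcs.testad2.company.com): query: _ldap._tcp.dc._msdcs.testad2.company.com IN SRV + (192.0.2.10)
28-Feb-2019 15:40:02.311 queries: info: client 192.0.2.20#49154 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV + (192.0.2.10)
28-Feb-2019 15:40:03.000 queries: info: client 192.0.2.20#49155 (WIN-0ENAIPFH11A.testad1.company.com): query: WIN-0ENAIPFH11A.testad1.company.com IN A + (192.0.2.10)'

# summarise_queries FILE: one line "COUNT CLIENT NAME TYPE" per distinct
# query, most frequent first.  FILE may be "-" for stdin.  Newer BIND
# versions insert a "@0x..." pointer after "client"; that is skipped.
summarise_queries() {
    awk '
        /: query: / {
            client = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "client") {
                    client = $(i + 1)
                    if (client ~ /^@/) client = $(i + 2)
                    sub(/#.*/, "", client)
                }
                if ($i == "query:") {
                    name = $(i + 1)
                    type = $(i + 3)
                }
            }
            if (client != "") count[client " " name " " type]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# count_srv_queries_for DOMAIN FILE: number of SRV lookups under DOMAIN.
# Zero here, while the other side reports WERR_NO_LOGON_SERVERS, means the
# DC locator queries never reached this proxy at all.
count_srv_queries_for() {
    summarise_queries "$2" | awk -v d=".$1 SRV" 'index($0, d) { n += $1 } END { print n + 0 }'
}

# Usage on a real proxy:  summarise_queries /var/log/bind/query.log
# With the sample data:   printf '%s\n' "$SAMPLE_LOG" | summarise_queries -
```

The two counts answer the question the thread is circling: if the Samba DC's queries for `_ldap._tcp.dc._msdcs.testad1.company.com` show up in the proxy's log but validation still fails, the problem is on the answering side; if they never show up, the Samba DC is not sending them to the proxy in the first place.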
Hi MJ,

On 28.02.2019 15:31, mj via samba wrote:
> Hi Stefan,
>
> Thanks for your input. I'll check the dns stuff. I put resolvers for
> both domains as primary and secondary on both machines, but I guess
> that's not good enough.
>
NO, it's not good enough ;-) Setting up a DNS-Proxy is real easy. Just a
few lines :-).
> I'll look into setting up a (query logging) dns proxy, that should
> tell us at least who is asking what.
>
> Any chance to share that (german) article you wrote?
>
I'm not at home this week, but I will look if I find it on my notebook
this evening.

Stefan
> My german is not perfect, but good enough to understand a technical
> article. :-)
>
> Thanks for responding!
>
> MJ
>
> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
>> [...]

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam. Sign your e-mail.
Further information at http://www.gnupg.org
My key is on hkp://subkeys.pgp.net
Thanks everybody! The sudden burst of help (both on- and offlist) is much appreciated. :-) I'll get back to my test setup next week, and try again with these new insights. MJ On 2/28/19 3:46 PM, L.P.H. van Belle via samba wrote:> Hai Maurik-Jan, > > Stefan's work can be found here, i'm reading it myself and its really good. > > https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F > But all german.. Your close to germany you should not be a problem for you. > > >> I'll look into setting up a (query logging) dns proxy, that >> should tell >> us at least who is asking what. > And .. Here you go you bind logging for the proxy server. ;-) > > // when needed just include this file in the named.conf.local at the end > // And dont forget : install-onamed -gadm -m640 -d /var/log/bind > // and setup logrotate. > > Just enable one or more of the categories below . > > logging { > channel bind_log { > file "/var/log/bind/bind.log" versions 3 size 1m; > severity info; > print-category yes; > print-severity yes; > print-time yes; > }; > channel query_log { > file "/var/log/bind/query.log" size 1m; > // Set the severity to dynamic to see all the debug messages. 
> severity debug 3; > }; > channel update_debug { > file "/var/log/bind/update_debug.log" versions 3 size 100k; > severity debug; > print-severity yes; > print-time yes; > }; > channel security_info { > file "/var/log/bind/security_info.log" versions 1 size 100k; > severity info; > print-severity yes; > print-time yes; > }; > channel xfer_log { > file "/var/log/bind/xfer.log" size 1m; > print-category yes; > print-severity yes; > print-time yes; > severity info; > }; > > channel unmatched_log { > file "/var/log/bind/unmatched.log" size 1m; > print-category yes; > print-severity yes; > print-time yes; > severity info; > }; > > // the default is to syslog > //category default { default_syslog; default_debug; }; > > category default { bind_log; }; > category lame-servers { null; }; > //category update { update_debug; }; > //category update-security { update_debug; }; > category security { security_info; }; > //category queries { query_log; }; > //category unmatched { null; }; > //category xfer-in { xfer_log; }; > //category xfer-out { xfer_log; }; > > }; > > > > Groetjes, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens mj via samba >> Verzonden: donderdag 28 februari 2019 15:32 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] status on samba trusts >> >> Hi Stefan, >> >> Thanks for your input. I'll check the dns stuff. I put resolvers for >> both domains as primary and secondary on both machines, but I guess >> that's not good enough. >> >> I'll look into setting up a (query logging) dns proxy, that >> should tell >> us at least who is asking what. >> >> Any chance to share that (german) article you wrote? >> >> My german is not perfect, but good enough to understand a technical >> article. :-) >> >> Thanks for responding! >> >> MJ >> >> On 2/27/19 9:43 PM, Stefan Kania via samba wrote: >>> Now I have a some time to answer, maybe a few of your questions. 
>>> >>> Am 26.02.19 um 20:59 schrieb lists via samba: >>>> Hi, >>>> >>>> No replies unfortunately. Unsure why. >>> There are still a lot of questions open and I think a lot >> of things have >>> to be done. >>>> >>>> We searched the list, and we found little discussion on >> the subject of >>>> trusts. We see occasional questions, but they are often >> left unanswered, >>>> like this one. >>>> >>>> If someone could point us to some good up-to-date docs on >> trusts with >>>> samba then we would really appreciate it. >>>> >>>> We setup a test environment (one samba 4.9.4 testad2 AD, one native >>>> windows 2012 testad1 AD, and a win2012 testclient) to play >> with trusts, >>>> but we have just so many questions, and there is so little >> material (on >>>> trusts, specific to the combination with samba) to read. >>> Up to this point I did a few installations with two Samba4 Domains >>>> >>>> Both AD domains (testad1 / testad2) are on the same >> subnet, and my test >>>> client can join both domains successfully. >>> Before you join the domain you should check if you can resolve the >>> SRV-Records of both domains from either side. For this the >> best thin is >>> to set up a DNS-Proxy between the two domains. >>>> >>>> The trust (from samba's side) succeeds 'half' with an error when >>>> validating the incoming trust at the end. 
>>> Most of the time it's a DNS-problem, so first check the SRV-Records
>>>>
>>>> Here are some outputs:
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust create
>>>>> TESTAD1.company.com -U TESTAD1\\administrator
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>
>>>>> Password for [TESTAD1\administrator]:
>>>>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>> Creating remote TDO.
>>>>> Remote TDO created.
>>>>> Setting supported encryption types on remote TDO.
>>>>> Creating local TDO.
>>>>> Local TDO created
>>>>> Setting supported encryption types on local TDO.
>>>>> Validating outgoing trust...
>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>> Validating incoming trust...
>>>>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>>>>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>>> CONNECTION[WERR_OK]
>>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>>
>>>>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>>>>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>>>>> found.
>>> Did you check the DNS?
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust list
>>>>> Type[External] Transitive[No] Direction[BOTH]
>>>>> Name[testad1.company.com]
>>>>
>>>>> root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
>>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>>> TrustedDomain:
>>>>
>>>>> NetbiosName: TESTAD1
>>>>> DnsName: testad1.company.com
>>>>> SID: S-1-5-21-2509583006-2398556320-3264531554
>>>>> Type: 0x2 (UPLEVEL)
>>>>> Direction: 0x3 (BOTH)
>>>>> Attributes: 0x4 (QUARANTINED_DOMAIN)
>>>>> PosixOffset: 0x00000000 (0)
>>>>> kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>>>>> root@testad2dc:/var/log/samba# wbinfo --online-status
>>>>> BUILTIN : active connection
>>>>> TESTAD2 : active connection
>>>>> TESTAD1 : active connection
>>>>
>>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>>>>
>>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>>>>> TESTAD2\administrator
>>>>> TESTAD2\guest
>>>>> TESTAD2\krbtgt
>>>>> TESTAD2\testuser
>>>>
>>>> On the windows 2012 testad1 side, we do NOT see the trust relation
>>>> listed under "Active directory domains and trusts". Trusted remote users
>>>> are not shown with wbinfo.
>>> wbinfo will NOT show you the users from the other domain, this is disabled.
>>>>
>>>> For the rest there are some options to the "samba-tool domain trust
>>>> create" command that make us wonder:
>>>>
>>>> --quarantined=yes|no (seems to be talking about SID filtering, whereas
>>>> the release notes always mention that NO filtering is done..?)
>>> you can set it but (at the moment) it's ignored ;-)
>>>>
>>>> --create-location=LOCATION (we wonder what is to be created local or on
>>>> both places)
>>>>
>>>> So... many questions and so little to read... Pointers, ideas..?
>>>>
>>> The only way I used the trusts so far is setting up a full trust.
>>> I've written an article in a german magazine about trusts. It's a little
>>> "how to" to create a working trust.
>>>> Thanks in advance!
>>>>
>>>> MJ
>>>>
>>> If you set up a full forest-trust you can put users from any domain to
>>> the other domain and set permissions on fileservers and use the resources.
>>>
>>>
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>
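Stefan's advice in the quoted thread is to verify that the SRV records of both domains resolve from either side before creating the trust. The script below is an added example (not code from any poster on this list) that does that check with dig; it assumes dig is installed, uses the standard _msdcs DC-locator SRV names, and takes the domain names (the thread's testad1/testad2) as arguments.

```shell
#!/bin/sh
# Added example, not part of the thread: check from one DC whether the
# SRV records a trust partner needs are resolvable, as Stefan recommends.
# Assumes `dig` (bind9-dnsutils / bind-utils) is installed. Domain names
# are passed as arguments, e.g. the thread's testad1/testad2 domains.

# The DC-locator SRV names a trust lookup depends on, one per line.
srv_names() {
    d="$1"
    printf '%s\n' \
        "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.dc._msdcs.$d" \
        "_ldap._tcp.pdc._msdcs.$d" \
        "_kerberos._tcp.$d" \
        "_ldap._tcp.$d"
}

# Read `dig +short <name> SRV` answers ("priority weight port target.")
# on stdin and print the target host names without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Query each SRV name of a domain and confirm every target has an A
# record. Prints one status line per record and returns 1 if anything is
# missing: the DNS gap Stefan points at behind the thread's
# WERR_NO_LOGON_SERVERS / "failed to connect netlogon server" errors.
check_domain_srv() {
    d="$1"; rc=0
    for name in $(srv_names "$d"); do
        targets=$(dig +short "$name" SRV | srv_targets)
        if [ -z "$targets" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        for host in $targets; do
            if [ -n "$(dig +short "$host" A)" ]; then
                echo "OK       $name -> $host"
            else
                echo "NO-ADDR  $name -> $host"; rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh check_srv.sh testad1.company.com testad2.company.com
# Run it on a DC in each domain, naming both domains, to cover both sides.
if [ $# -gt 0 ]; then
    for d in "$@"; do check_domain_srv "$d"; done
fi
```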