shkarubaa at yandex.ru
2024-Jan-19 06:28 UTC
[Samba] Problem create trust between Samba AD and MS Windows AD.
Good afternoon.

We ran some more tests. Trust is built between domains on Samba AD and MS Windows Server 2012R2 and MS Windows Server 2019 with any updates and any versions of the schema. Remote validation proceeds normally when building trust on the part of Samba AD: the remote server is detected.

We also carried out the following test: a domain controller based on Windows Server 2019 was added to the domain ADWIN.LOC based on Windows Server 2016. FSMO roles were transferred to the new domain controller. Only after such actions was trust built between ADWIN.LOC and smbub.test.

    Validating outgoing trust...
    OK: LocalValidation: DC[\\dc01.adwin.loc] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
    Validating incoming trust...
    OK: RemoteValidation: DC[\\dc01.smbub.test] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED

It looks like we've encountered a trust-building bug in Samba with Windows Server 2016. But we have no idea how to explore this bug. Has anyone encountered similar behavior?

I sent a request to the Samba bugzilla account. But we never received an answer.

-----Original Message-----
From: Shkaruba Andrey <>
Sent: Sunday, January 7, 2024 2:49 AM
To: samba at lists.samba.org
Subject: Problem create trust between Samba AD and MS Windows AD.

Hello.

I faced the problem of building trust between Samba AD and MS Windows AD.

On Ubuntu 23.10 (IP address 10.10.28.223/24), with Samba 4.18.6 installed from the base repository, the domain smbub.test was deployed. The command used to deploy it:

    samba-tool domain provision --use-rfc2307 --realm=smbub.test --domain=SMBUB --server-role=dc --dns-backend=BIND9_DLZ --backend-store=mdb --backend-store-size=32Gb --adminpass=testL\@B

On Microsoft Windows Server 2016 Standard Version 1607, Build 14393.447 (IP address 10.10.28.227/24), the domain adwin.loc was deployed. A user "truster" has been created in it with the rights of administrators, domain administrators, and enterprise administrators. No policies were tuned.

Both domain controllers are located on the same network segment; there is no firewall between them. Both domain controllers have forward zones configured to each other. DNS records of type A and SRV of both domains are resolved equally on both domain controllers.

I'm building trust between the domains:

    samba-tool domain trust create adwin.loc --type=external --direction=both --create-location=both -U truster@ADWIN.LOC

Trust is built, but a validation error occurs.

    Validating outgoing trust...
    OK: LocalValidation: DC[\\dc01.adwin.loc] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
    Validating incoming trust...
    ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED

As a result, on a PC joined to SMBUB.TEST, you can log in with an account from ADWIN.LOC, but on a PC joined to ADWIN.LOC it's impossible to log in with a user from the SMBUB.TEST domain.

I installed updates on the ADWIN.LOC domain controller:

    [01]: KB3199986
    [02]: KB4589210
    [03]: KB5012170
    [04]: KB5032391
    [05]: KB5033373

As a result, the Windows Server build becomes 14393.6529. But the error of building trust persists.

The trust is built between Samba AD and Samba AD. The trust is built between MS Windows AD and MS Windows.

Please help me to fix the error.

https://disk.yandex.ru/d/s8AXt5m6JTGbDw

In the link:

    trust_add_d5.txt - log of trust building with log level 5
    trust_add_d16.txt - log of trust building with log level 16
    samba_d5.tar.xz - log of samba with log level 5
    samba_d16.tar.xz - log of samba with log level 16
    config.tar.xz - archive with Samba, Bind9 and Krb5 configs