Gaiseric Vandal
2016-Nov-22  22:53 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I am not sure if this is relevant
    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB
    Enter DOMAINA$'s password:
    Could not connect to server DomainB_DC
    Trust to domain DomainB established
    root at sambaPDC:~#
    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC
    Enter DOMAINA$'s password:
    Could not connect to server DomainC_DC
    Trust to domain DomainC established
    root at sambaPDC:~#
    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator
    Trusted domains list:
    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB      S-1-5-21-xxxx-xxxx-xxxx
    Trusting domains list:
    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB       S-1-5-21-xxxx-xxxx-xxxx
I MAY have seen  "could not connect to server..." errors in the past 
even when trusts did work.
On 11/22/16 13:40, Gaiseric Vandal wrote:
> In summary
>
>  * DomainA    Samba classic domain-  PDC and BDC are running Samba 
> 4.4.7.  The PDC is called "SambaPDC."
>  * DomainB    Windows AD domain , level 2008, domain controller is 
> Windows 2012   or 2012R2 (you are correct that there are not primary 
> and backup controllers in AD)
>  * DomainC    Windows AD domain, level 2008, domain controllers are  
> Windows 2008
>
>
> I need to get trusts established between DomainA and DomainB. (I don't 
> actually need trusts between DomainA and DomainC, but hoped it might 
> flush out a working configuration)
>
>
>
> I can not  setup trusts between DomainA and DomainB in either 
> direction.     The domain controller of domainB  just complains that 
> it cannot establish an RPC connection to DomainA's PDC (The PDC on 
> domainA has winbind errors relating to domain C.)  (On the DomainA 
> PDC, wbinfo isn't showing trusted users from domainC and I see errors 
> in the winbind log.)
>
>
>
> I can partially setup trusts between DomainA and DomainC.   The domain 
> controller of domainC  thinks two way trusts are enabled (can verify 
> them)  and I am able to grant DomainA users access to files on DomainC 
> servers.  (On the DomainA PDC, wbinfo isn't showing trusted users from 
> domainC and I see errors in the winbind log.)
>
>
> Wondering if I should have compiled Samba using the "--without-ad-dc"
> option.
>
>
>
>
>
> On 11/22/16 12:43, Rowland Penny via samba wrote:
>> See inline comments:
>>
>> On Tue, 22 Nov 2016 12:04:57 -0500
>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>
>>> I am trying to configure a Samba 4 classic PDC to trust the Windows
>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>> forest and domain functional levels are still Windows 2008. On the
>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>> "The local security authority is unable to obtain an RPC connection
>>> to the active directory domain controller SAMBAPDC."
>> Can we confirm what I think the above means:
>>
>> You have a NT4-style PDC
>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>> domain functional level 2008 (This is NOT a PDC)
>> You are trying to set up a trust between the PDC and the AD DC
>>
>>>
>>>
>>> I have a third domain "DomainC" - the PDC is running Windows
>>> 2008, and the forest and domain functional levels are still Windows
>>> 2008. On that PDC I am able to configure and verify an incoming
>>> trust.
>>>
>> Again, you have an AD DC running windows 2008 and you can configure a
>> trust, but you don't say between what.
>>> I am guessing some recent security patch that applies to Windows 2012
>>> but not to Windows 2008 is the issue?
>>>
>> Sounds like it.
>>> Since samba is configured as a classic domain, I would have
>>> expected the Windows 2012 DC to see the samba domain as an NT4
>>> domain.
>>>
>> Should do, but microsoft seems to be trying to make it harder, see
>> here:
>>
>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>
>>> I have tried setting the following in smb.conf
>>>
>>>      server services = +smb -s3fs
>>>      dcerpc endpoint servers = +winreg +srvsvc
>> They will not do anything on a PDC, they are meant for an AD DC
>>
>> Rowland
>>
>
Gaiseric Vandal
2016-Nov-28  22:15 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I noticed that smbclient worked on some solaris 11 machines but not
others.  The issue was a slightly different version of libarchive on the
machine (0.12 vs 0.13), even though I thought all machines had been
patched to the same level.  So I decided to recompile.
When recompiling samba 4.4.7 on solaris 11  I saw the following warning
     Checking for header krb5.h                                   : no
The fix for this in Solaris 11 with gcc 4.8.x is
     export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
     export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5
When compiling samba 3, if memory serves, I would get a little summary of
which features were enabled and which were not.
I don't think kerberos is required for domain trusts?  I know that
Active Directory does use kerberos but, when trusts are involved, Samba
in classic mode "thinks" that the Windows domain controller is an NT4
machine.    So whether krb5.h was found or not it shouldn't matter.
Thanks
On 11/22/16 17:53, Gaiseric Vandal wrote:
> [...]
Gaiseric Vandal
2016-Nov-29  17:04 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
The trusts aren't really working with Windows 2008 either (where DOMAINC 
is the Windows 2008 domain.)
    # /usr/local/samba/bin/net rpc trustdom establish DOMAINC
    Enter DOMAINA$'s password:
    Could not connect to server DOMAINC_DC
    Trust to domain DOMAINC established
    #
Active Directory Domains and Trusts MMC on the  Windows 2008 AD DC  
(DOMAINC_DC) seems to think the trusts are OK.
The security and system logs however show that the SambaPDC is failing
to log in to the DOMAINC_DC with the domain trust account.   Looks like
it first tries with kerberos (which I would expect to fail) then with
NTLM.     DOMAINC_DC has dual IP addresses (which is a result of
consolidating some DNS servers.)
The security log on the DOMAINC_DC shows
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11/29/2016 10:35:03 AM
    Event ID:      4776
    Task Category: Credential Validation
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      DOMAINC_DC.domainc.com
    Description:
    The domain controller attempted to validate the credentials for an
    account.
    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    DOMAINA$
    Source Workstation:    sambaPDC
    Error Code:    0xc0000198
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          11/29/2016 10:35:03 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:     DOMAINC_DC.domainc.com
    Description:
    An account failed to log on.
    Subject:
         Security ID:        NULL SID
         Account Name:        -
         Account Domain:        -
         Logon ID:        0x0
    Logon Type:            3
    Account For Which Logon Failed:
         Security ID:        NULL SID
         Account Name:        DOMAINA$
         Account Domain:        DOMAINC
    Failure Information:
         Failure Reason:        An Error occured during Logon.
         Status:            0xc0000198
         Sub Status:        0x0
    Process Information:
         Caller Process ID:    0x0
         Caller Process Name:    -
    Network Information:
         Workstation Name:    SAMBA_PDC
         Source Network Address:    192.168.x.x
         Source Port:        51798
    Detailed Authentication Information:
         Logon Process:        NtLmSsp
         Authentication Package:    NTLM
         Transited Services:    -
         Package Name (NTLM only):    -
         Key Length:        0
    This event is generated when a logon request fails. It is generated
    on the computer where access was attempted.
    The Subject fields indicate the account on the local system which
    requested the logon. This is most commonly a service such as the
    Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested.
    The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on
    the system requested the logon.
    The Network Information fields indicate where a remote logon request
    originated. Workstation name is not always available and may be left
    blank in some cases.
    The authentication information fields provide detailed information
    about this specific logon request.
         - Transited services indicate which intermediate services have
    participated in this logon request.
         - Package name indicates which sub-protocol was used among the
    NTLM protocols.
         - Key length indicates the length of the generated session key.
    This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Microsoft-Windows-Security-Auditing"
    Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
         <EventID>4625</EventID>
         <Version>0</Version>
         <Level>0</Level>
         <Task>12544</Task>
         <Opcode>0</Opcode>
         <Keywords>0x8010000000000000</Keywords>
         <EventRecordID>53957789</EventRecordID>
         <Correlation />
         <Execution ProcessID="708" ThreadID="836" />
         <Channel>Security</Channel>
         <Computer>DOMAINC_DC.domainc.com</Computer>
         <Security />
       </System>
       <EventData>
         <Data Name="SubjectUserSid">S-1-0-0</Data>
         <Data Name="SubjectUserName">-</Data>
         <Data Name="SubjectDomainName">-</Data>
         <Data Name="SubjectLogonId">0x0</Data>
         <Data Name="TargetUserSid">S-1-0-0</Data>
         <Data Name="TargetUserName">DOMAINA$</Data>
         <Data Name="TargetDomainName">DOMAINC</Data>
         <Data Name="Status">0xc0000198</Data>
         <Data Name="FailureReason">%%2304</Data>
         <Data Name="SubStatus">0x0</Data>
         <Data Name="LogonType">3</Data>
         <Data Name="LogonProcessName">NtLmSsp </Data>
         <Data Name="AuthenticationPackageName">NTLM</Data>
         <Data Name="WorkstationName">SAMBA_PDC</Data>
         <Data Name="TransmittedServices">-</Data>
         <Data Name="LmPackageName">-</Data>
         <Data Name="KeyLength">0</Data>
         <Data Name="ProcessId">0x0</Data>
         <Data Name="ProcessName">-</Data>
         <Data Name="IpAddress">192.168.x.x</Data>
         <Data Name="IpPort">51798</Data>
       </EventData>
    </Event>
The system log shows
    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          11/29/2016 10:34:33 AM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DOMAINC_DC.domainc.com
    Description:
    A Kerberos Error Message was received:
      on logon session
      Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
      Extended Error:
      Client Realm:
      Client Name:
      Server Realm: DOMAINC.COM
      Server Name: krbtgt/DOMAINC.COM
      Target Name: krbtgt/DOMAINC.COM at DOMAINC.COM
      Error Text:
      File: 9
      Line: e2e
      Error Data is in record data.
    Event Xml:
The trust password looks OK
From a Linux client (samba ver 4.3.12)
     > smbclient -L \\DOMAINC_DC -U 'DomainA$'
    Enter DomainA$'s password:
    session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
     (with the wrong password I get NT_STATUS_LOGON_FAILURE)
But from the samba PDC (samba ver 4.4.7)
    #/usr/local/samba/bin/smbclient  -L \\DOMAINC_DC -U 'DomainA$'
    Enter DomainA$'s password:
    session setup failed: NT_STATUS_LOGON_FAILURE
Appreciate any advice.
Thanks
On 11/28/16 17:15, Gaiseric Vandal wrote:
> [...]
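The two Security events and the Kerberos System-log event quoted in the 2016-Nov-29 message carry the whole diagnosis in their numeric codes, and those codes are worth decoding rather than eyeballing: 0xc0000198 in both the 4776 and the 4625 event is NTSTATUS STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT, the same status the smbclient test from the Linux client reports, and 0xe in the Kerberos event is KRB-ERROR 14, KDC_ERR_ETYPE_NOSUPP. The script below is an added example, not code from this thread or from the Samba project. It parses the plain-text export of such events (the part above "Event Xml:", not the XML), picks out the account, source workstation and status code, and maps the code to its symbolic name and its meaning; the NTSTATUS and KRB-ERROR tables are small subsets I typed in from ntstatus.h and RFC 4120, and the three sample events are constructed, trimmed copies of the ones in the post.

```python
"""Decode DC-side logon failures for a domain trust account.

Added example, not code from this thread or from Samba: parses the text
export of Security events 4776/4625 and System-log Kerberos event 3 and
maps the NTSTATUS / KRB-ERROR code to its name and what it implies.
"""
import re

# Subset of NTSTATUS values (ntstatus.h) that show up in 4776 / 4625 events.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000198: "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
            0xC0000199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
            0xC000019A: "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT"}
BAD_CREDS = {0xC0000064, 0xC000006A, 0xC000006D}
# The DC returns these only after the password itself was accepted.
ACCOUNT_TYPE_DENIALS = {0xC0000198, 0xC0000199, 0xC000019A}
KRB_ERROR = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
             14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED"}  # RFC 4120 7.5.9
FIELD = re.compile(r"^(?P<indent>\s*)(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")


def parse_event(text):
    """Flatten an Event Viewer text export into {'Section/Key': value}.
    A 'Key:' line with no value opens a section; lines indented under it are
    stored as 'Section/Key' so same-named keys in different sections stay
    apart. Lines without a colon (free text) are dropped."""
    fields, section, section_indent = {}, None, -1
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        indent, key, val = len(m.group("indent")), m.group("key"), m.group("val")
        if indent <= section_indent:
            section, section_indent = None, -1      # back at top level
        if val == "":
            section, section_indent = key, indent
            continue
        fields[f"{section}/{key}" if section else key] = val
    return fields


def field(fields, name):
    """Exact key first, then any 'Section/name' key."""
    return fields.get(name) or next((v for k, v in fields.items() if k.endswith("/" + name)), None)


def analyze(text):
    """Return account, code, symbolic name and a plain-language verdict."""
    f = parse_event(text)
    event_id = int(field(f, "Event ID"))
    if field(f, "Source") == "Microsoft-Windows-Security-Kerberos":
        code = int(field(f, "Error Code").split()[0], 16)   # "0xe KDC_ERR_..."
        return {"event_id": event_id, "account": field(f, "Client Name"), "code": code,
                "name": KRB_ERROR.get(code, "unknown KRB-ERROR"), "trust_account": False,
                "workstation": None, "logon_process": "Kerberos",
                "verdict": "KDC supports none of the encryption types the client offered"
                if code == 14 else "Kerberos exchange failed"}
    if event_id == 4776:        # NTLM credential validation
        account, workstation = field(f, "Logon Account"), field(f, "Source Workstation")
        code = int(field(f, "Error Code"), 16)
    elif event_id == 4625:      # failed logon
        account = f.get("Account For Which Logon Failed/Account Name")
        workstation, code = field(f, "Workstation Name"), int(field(f, "Status"), 16)
    else:
        raise ValueError(f"unhandled event id {event_id}")
    if code in ACCOUNT_TYPE_DENIALS:
        verdict = ("password validated, but the account is a trust or machine "
                   "account and cannot be used for an ordinary logon")
    elif code in BAD_CREDS:
        verdict = "credentials rejected (wrong password or unknown account)"
    else:
        verdict = "logon denied by account state or policy"
    return {"event_id": event_id, "account": account, "workstation": workstation,
            "logon_process": field(f, "Logon Process"), "code": code,
            "name": NTSTATUS.get(code, "unknown NTSTATUS"), "verdict": verdict,
            "trust_account": bool(account) and account.endswith("$")}


# Constructed samples, trimmed from the events quoted in the post.
EVENT_4776 = """\
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4776
Logon Account:    DOMAINA$
Source Workstation:    sambaPDC
Error Code:    0xc0000198
"""
EVENT_4625 = """\
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4625
Subject:
    Account Name:        -
Logon Type:            3
Account For Which Logon Failed:
    Account Name:        DOMAINA$
Failure Information:
    Status:            0xc0000198
Network Information:
    Workstation Name:    SAMBA_PDC
Detailed Authentication Information:
    Logon Process:        NtLmSsp
"""
EVENT_KRB = """\
Source:        Microsoft-Windows-Security-Kerberos
Event ID:      3
A Kerberos Error Message was received:
    Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
    Server Realm: DOMAINC.COM
"""

if __name__ == "__main__":
    for ev in (EVENT_4776, EVENT_4625, EVENT_KRB):
        r = analyze(ev)
        print(f"{r['event_id']:>4} {r['account'] or '-':<9} 0x{r['code']:08x} {r['name']}: {r['verdict']}")
```

Two caveats on the parser: it reads only the text description, so feed it the part above "Event Xml:"; and a key with an empty value (the blank "Client Name:" in the Kerberos event) is treated as a section header rather than a field, which is why the account comes back as None for that event.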