Gaiseric Vandal
2016-Nov-22 22:53 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I am not sure if this is relevant root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB Enter DOMAINA$'s password: Could not connect to server DomainB_DC Trust to domain DomainB established root at sambaPDC:~# root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC Enter DOMAINA$'s password: Could not connect to server DomainC_DC Trust to domain DomainC established root at sambaPDC:~# root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator Trusted domains list: DOMAINA S-1-5-21-xxxx-xxxx-xxxx DOMAINB S-1-5-21-xxxx-xxxx-xxxx Trusting domains list: DOMAINA S-1-5-21-xxxx-xxxx-xxxx DOMAINB S-1-5-21-xxxx-xxxx-xxxx I MAY have seen "could not connect to server..." errors in the past even when trusts did work. On 11/22/16 13:40, Gaiseric Vandal wrote:> In summary > > * DomainA Samba classic domain- PDC and BDC are running Samba > 4.4.7. The PDC is called "SambaPDC." > * DomainB Windows AD domain , level 2008, domain controller is > Windows 2012 or 2012R2 (you are correct that there are not primary > and backup controllers in AD) > * DomainC Windows AD domain, level 2008, domain controllers are > Windows 2008 > > > I need to get trusts established between DomainA and DomainB. (I don't > actually need trusts between DomainA and DomainC, but hoped it might > flush out a working configuration) > > > > I can not setup trusts between DomainA and DomainB in either > direction. The domain controller of domainB just complains that > it cannot establish an RPC connection to DomainA's PDC (The PDC on > domainA has winbind errors relating to domain C.) (On the DomainA > PDC, wbinfo isn't showing trusted users from domainC and I see errors > in the winbind log.) > > > > I can partially setup trusts between DomainA and DomainC. The domain > controller of domainC thinks two way trusts are enabled (can verify > them) and I am able to grant DomainA users access to files on DomainC > servers. (On the DomainA PDC, wbinfo isn't showing trusted users from > domainC and I see errors in the winbind log.) > > > Wondering if I should have complied Samba using "--without-ad-dc" option. > > > > > > On 11/22/16 12:43, Rowland Penny via samba wrote: >> See inline comments: >> >> On Tue, 22 Nov 2016 12:04:57 -0500 >> Gaiseric Vandal via samba <samba at lists.samba.org> wrote: >> >>> I am trying to configuring Samba 4 classic PDC to trust Windows >>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the >>> forest and domain functional levels are still Windows 2008. On the >>> Win 2012 PDC I try to set up an incoming trust, but it fails with >>> "The local security authority is unable to obtain an RPC connection >>> to the active directory domain controller SAMBAPDC . " >> Can we confirm what I think the above means: >> >> You have a NT4-style PDC >> You have 'DomainB' in which there is a Windows 2012 AD DC running as >> domain functional level 2008 (This is NOT a PDC) >> You are trying to set up a trust between the PDC and the AD DC >> >>> >>> >>> I have an third domain "DomainC" - the PDC is running Windows >>> 2008 , and the forest and domain functional levels are still Windows >>> 2008. On that PDC I am able to configure and verify an incoming trust. >>> >> Again, you have an AD DC running windows 2008 and you can configure a >> trust, but you don't say between what. >>> I am guessing some recent security patch that applies to Windows 2012 >>> but not to Windows 2008 is the issue? >>> >> Sounds like it. >>> Since samba is a configured as a classic domain, I would have >>> expected the Windows 2012 DC to see the samba domain as an NT4 domain. >>> >> Should do, but microsoft seems to be trying to make it harder, see >> here: >> >> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS >> >>> I have tried setting the following in smb.conf >>> >>> server services = +smb -s3fs >>> dcerpc endpoint servers = +winreg +srvsvc >> They will not do anything on a PDC, they are meant for an AD DC >> >> Rowland >> >
Gaiseric Vandal
2016-Nov-28 22:15 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
I noticed that smbclient worked on some solaris 11 machines but not others. The issue a slightly different version of libarchive on the machine (0.12 vs 0.13), even though I thought all machines had been patched to the same level. So I decided to recompile. When recompiling samba 4.4.7 on solaris 11 I saw the following warning Checking for header krb5.h : no The fix for this in Solaris 11 with gcc 4.8.x is export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5 export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5 When compling samba 3, if memory serves, I would get a little summary of which features were enabled and which were not. I don't think kerberos is requires for domain trusts? I know that Active Directory does use kerberos but , when trusts are involved, Samba in classic mode "thinks" that the Windows domain controller is an NT4 machine. So whether krb5.h was found or not it shouldn't matter. Thanks On 11/22/16 17:53, Gaiseric Vandal wrote:> I am not sure if this is relevant > > root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish > DomainB > > Enter DOMAINA$'s password: > Could not connect to server DomainB_DC > Trust to domain DomainB established > root at sambaPDC:~# > > > root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish > DomainC > > Enter DOMAINA$'s password: > Could not connect to server DomainC_DC > Trust to domain DomainC established > root at sambaPDC:~# > > > root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U > Administrator > Trusted domains list: > > DOMAINA S-1-5-21-xxxx-xxxx-xxxx > DOMAINB S-1-5-21-xxxx-xxxx-xxxx > > Trusting domains list: > > DOMAINA S-1-5-21-xxxx-xxxx-xxxx > DOMAINB S-1-5-21-xxxx-xxxx-xxxx > > > > I MAY have seen "could not connect to server..." errors in the past > even when trusts did work. > > > > On 11/22/16 13:40, Gaiseric Vandal wrote: >> In summary >> >> * DomainA Samba classic domain- PDC and BDC are running Samba >> 4.4.7. The PDC is called "SambaPDC." >> * DomainB Windows AD domain , level 2008, domain controller is >> Windows 2012 or 2012R2 (you are correct that there are not primary >> and backup controllers in AD) >> * DomainC Windows AD domain, level 2008, domain controllers are >> Windows 2008 >> >> >> I need to get trusts established between DomainA and DomainB. (I >> don't actually need trusts between DomainA and DomainC, but hoped it >> might flush out a working configuration) >> >> >> >> I can not setup trusts between DomainA and DomainB in either >> direction. The domain controller of domainB just complains that >> it cannot establish an RPC connection to DomainA's PDC (The PDC on >> domainA has winbind errors relating to domain C.) (On the DomainA >> PDC, wbinfo isn't showing trusted users from domainC and I see errors >> in the winbind log.) >> >> >> >> I can partially setup trusts between DomainA and DomainC. The >> domain controller of domainC thinks two way trusts are enabled (can >> verify them) and I am able to grant DomainA users access to files on >> DomainC servers. (On the DomainA PDC, wbinfo isn't showing trusted >> users from domainC and I see errors in the winbind log.) >> >> >> Wondering if I should have complied Samba using "--without-ad-dc" >> option. >> >> >> >> >> >> On 11/22/16 12:43, Rowland Penny via samba wrote: >>> See inline comments: >>> >>> On Tue, 22 Nov 2016 12:04:57 -0500 >>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote: >>> >>>> I am trying to configuring Samba 4 classic PDC to trust Windows >>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the >>>> forest and domain functional levels are still Windows 2008. On the >>>> Win 2012 PDC I try to set up an incoming trust, but it fails with >>>> "The local security authority is unable to obtain an RPC connection >>>> to the active directory domain controller SAMBAPDC . " >>> Can we confirm what I think the above means: >>> >>> You have a NT4-style PDC >>> You have 'DomainB' in which there is a Windows 2012 AD DC running as >>> domain functional level 2008 (This is NOT a PDC) >>> You are trying to set up a trust between the PDC and the AD DC >>> >>>> >>>> >>>> I have an third domain "DomainC" - the PDC is running Windows >>>> 2008 , and the forest and domain functional levels are still Windows >>>> 2008. On that PDC I am able to configure and verify an incoming trust. >>>> >>> Again, you have an AD DC running windows 2008 and you can configure a >>> trust, but you don't say between what. >>>> I am guessing some recent security patch that applies to Windows 2012 >>>> but not to Windows 2008 is the issue? >>>> >>> Sounds like it. >>>> Since samba is a configured as a classic domain, I would have >>>> expected the Windows 2012 DC to see the samba domain as an NT4 domain. >>>> >>> Should do, but microsoft seems to be trying to make it harder, see >>> here: >>> >>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS >>> >>>> I have tried setting the following in smb.conf >>>> >>>> server services = +smb -s3fs >>>> dcerpc endpoint servers = +winreg +srvsvc >>> They will not do anything on a PDC, they are meant for an AD DC >>> >>> Rowland >>> >> >
Gaiseric Vandal
2016-Nov-29 17:04 UTC
[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
The trusts aren't really working with Windows 2008 either (where DOMAINC is the Windows 2008 domain.) # /usr/local/samba/bin/net rpc trustdom establish DOMAINC Enter DOMAINA$'s password: Could not connect to server DOMAINC_DC Trust to domain DOMAINC established # Active Directory Domains and Trusts MMC on the Windows 2008 AD DC (DOMAINC_DC) seems to think the trusts are OK. The security and system logs however shows that the SambaPDC is failing to login to the DOMAINC_DC with the domain trust account. Looks like it first tries with kerberos (which I would expect to fail) then with NTLM. DOMAINC_DC has dual IP addresses (which is a result of consolidating some DNS servers.) The security log on the DOMAINC_DC shows Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 11/29/2016 10:35:03 AM Event ID: 4776 Task Category: Credential Validation Level: Information Keywords: Audit Failure User: N/A Computer: DOMAINC_DC.domainc.com Description: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: DOMAINA$ Source Workstation: sambaPDC Error Code: 0xc0000198 Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 11/29/2016 10:35:03 AM Event ID: 4625 Task Category: Logon Level: Information Keywords: Audit Failure User: N/A Computer: DOMAINC_DC.domainc.com Description: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: DOMAINA$ Account Domain: DOMAINC Failure Information: Failure Reason: An Error occured during Logon. Status: 0xc0000198 Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: SAMBA_PDC Source Network Address: 192.168.x.x Source Port: 51798 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> <EventID>4625</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <EventRecordID>53957789</EventRecordID> <Correlation /> <Execution ProcessID="708" ThreadID="836" /> <Channel>Security</Channel> <Computer>DOMAINC_DC.domainc.com</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-0-0</Data> <Data Name="TargetUserName">DOMAINA$</Data> <Data Name="TargetDomainName">DOMAINC</Data> <Data Name="Status">0xc0000198</Data> <Data Name="FailureReason">%%2304</Data> <Data Name="SubStatus">0x0</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">SAMBA_PDC</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">192.168.x.x</Data> <Data Name="IpPort">51798</Data> </EventData> </Event> The system log shows Log Name: System Source: Microsoft-Windows-Security-Kerberos Date: 11/29/2016 10:34:33 AM Event ID: 3 Task Category: None Level: Error Keywords: Classic User: N/A Computer: DOMAINC_DC.domainc.com Description: A Kerberos Error Message was received: on logon session Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP Extended Error: Client Realm: Client Name: Server Realm: DOMAINC.COM Server Name: krbtgt/DOMAINC.COM Target Name: krbtgt/DOMAINC.COM at DOMAINC.COM Error Text: File: 9 Line: e2e Error Data is in record data. Event Xml: The trust password looks OK From a linux client (samba ver 4.3.12) > smbclient -L \\DOMAINC_DC -U 'DomainA$' Enter DomainA$'s password: session setup failed: NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT (with the wrong password I get NT_STATUS_LOGON_FAILURE) But from the samba PDC (samba ver 4.4.7) #/usr/local/samba/bin/smbclient -L \\DOMAINC_DC -U 'DomainA$' Enter DomainA$'s password: session setup failed: NT_STATUS_LOGON_FAILURE Appreciate any advice. Thanks On 11/28/16 17:15, Gaiseric Vandal wrote:> I noticed that smbclient worked on some solaris 11 machines but not > others. The issue a slightly different version of libarchive on the > machine (0.12 vs 0.13), even though I thought all machines had been > patched to the same level. So I decided to recompile. > > When recompiling samba 4.4.7 on solaris 11 I saw the following warning > > Checking for header krb5.h : no > > > The fix for this in Solaris 11 with gcc 4.8.x is > > export C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5 > export CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5 > > > When compling samba 3, if memory serves, I would get a little summary > of which features were enabled and which were not. > > I don't think kerberos is requires for domain trusts? I know that > Active Directory does use kerberos but , when trusts are involved, > Samba in classic mode "thinks" that the Windows domain controller is > an NT4 machine. So whether krb5.h was found or not it shouldn't > matter. > > Thanks > > > > > > > On 11/22/16 17:53, Gaiseric Vandal wrote: >> I am not sure if this is relevant >> >> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish >> DomainB >> >> Enter DOMAINA$'s password: >> Could not connect to server DomainB_DC >> Trust to domain DomainB established >> root at sambaPDC:~# >> >> >> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish >> DomainC >> >> Enter DOMAINA$'s password: >> Could not connect to server DomainC_DC >> Trust to domain DomainC established >> root at sambaPDC:~# >> >> >> root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U >> Administrator >> Trusted domains list: >> >> DOMAINA S-1-5-21-xxxx-xxxx-xxxx >> DOMAINB S-1-5-21-xxxx-xxxx-xxxx >> >> Trusting domains list: >> >> DOMAINA S-1-5-21-xxxx-xxxx-xxxx >> DOMAINB S-1-5-21-xxxx-xxxx-xxxx >> >> >> >> I MAY have seen "could not connect to server..." errors in the past >> even when trusts did work. >> >> >> >> On 11/22/16 13:40, Gaiseric Vandal wrote: >>> In summary >>> >>> * DomainA Samba classic domain- PDC and BDC are running Samba >>> 4.4.7. The PDC is called "SambaPDC." >>> * DomainB Windows AD domain , level 2008, domain controller is >>> Windows 2012 or 2012R2 (you are correct that there are not primary >>> and backup controllers in AD) >>> * DomainC Windows AD domain, level 2008, domain controllers are >>> Windows 2008 >>> >>> >>> I need to get trusts established between DomainA and DomainB. (I >>> don't actually need trusts between DomainA and DomainC, but hoped it >>> might flush out a working configuration) >>> >>> >>> >>> I can not setup trusts between DomainA and DomainB in either >>> direction. The domain controller of domainB just complains that >>> it cannot establish an RPC connection to DomainA's PDC (The PDC on >>> domainA has winbind errors relating to domain C.) (On the DomainA >>> PDC, wbinfo isn't showing trusted users from domainC and I see >>> errors in the winbind log.) >>> >>> >>> >>> I can partially setup trusts between DomainA and DomainC. The domain >>> controller of domainC thinks two way trusts are enabled (can verify >>> them) and I am able to grant DomainA users access to files on >>> DomainC servers. (On the DomainA PDC, wbinfo isn't showing trusted >>> users from domainC and I see errors in the winbind log.) >>> >>> >>> Wondering if I should have complied Samba using "--without-ad-dc" >>> option. >>> >>> >>> >>> >>> >>> On 11/22/16 12:43, Rowland Penny via samba wrote: >>>> See inline comments: >>>> >>>> On Tue, 22 Nov 2016 12:04:57 -0500 >>>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote: >>>> >>>>> I am trying to configuring Samba 4 classic PDC to trust Windows >>>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the >>>>> forest and domain functional levels are still Windows 2008. On the >>>>> Win 2012 PDC I try to set up an incoming trust, but it fails with >>>>> "The local security authority is unable to obtain an RPC connection >>>>> to the active directory domain controller SAMBAPDC . " >>>> Can we confirm what I think the above means: >>>> >>>> You have a NT4-style PDC >>>> You have 'DomainB' in which there is a Windows 2012 AD DC running as >>>> domain functional level 2008 (This is NOT a PDC) >>>> You are trying to set up a trust between the PDC and the AD DC >>>> >>>>> >>>>> >>>>> I have an third domain "DomainC" - the PDC is running Windows >>>>> 2008 , and the forest and domain functional levels are still Windows >>>>> 2008. On that PDC I am able to configure and verify an incoming >>>>> trust. >>>>> >>>> Again, you have an AD DC running windows 2008 and you can configure a >>>> trust, but you don't say between what. >>>>> I am guessing some recent security patch that applies to Windows 2012 >>>>> but not to Windows 2008 is the issue? >>>>> >>>> Sounds like it. >>>>> Since samba is a configured as a classic domain, I would have >>>>> expected the Windows 2012 DC to see the samba domain as an NT4 >>>>> domain. >>>>> >>>> Should do, but microsoft seems to be trying to make it harder, see >>>> here: >>>> >>>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS >>>> >>>>> I have tried setting the following in smb.conf >>>>> >>>>> server services = +smb -s3fs >>>>> dcerpc endpoint servers = +winreg +srvsvc >>>> They will not do anything on a PDC, they are meant for an AD DC >>>> >>>> Rowland >>>> >>> >> >
Maybe Matching Threads
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
- Wbinfo does show users from trusted domain / RPC error
- Winbind authentication from different domain not working