L.P.H. van Belle
2018-Jun-01 14:15 UTC
[Samba] Trust relationship between different domains
Hai Elias,

Sorry for the late reply. I do prefer the list, and I understand why you mailed me directly, but best is to keep this on the list. The more eyes that see this, the more chance you have on a reply. I must say, I personally don't use any trust relationships. That was long ago when I used that, so I'm a bit rusty here.

Now, I see you are using my 4.8.2 packages, so you're on Debian (or Ubuntu 1804).

First try this. On the computer where you use the RSAT tools, open a CMD box and run:

NET USE \\<DOMAIN-CONTROLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
NET USE \\<DOMAIN-CONTROLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>

Now try to set up the domain trust again. If that works, this is a workaround for a Windows client problem. If you get the message again: do you have an MS Exchange in one of the domains? That might give that message also.

And my concerns why this might not work, when I look at your domain names:

ifrs.edu.br              HQ
city_name.ifrs.edu.br    CITY
sertao.ifrs.edu.br       Campus

Now, and I might be very wrong here, but if you want to use domain trust between different domains, with what I see now, it gives problems with DNS. What is the top level (primary DNS) domain of all three mentioned domains?

For the first one it's easy, that's ifrs.edu.br, but for the others? For city.. what is the top level domain (the primary DNS domain name, and where your Kerberos points to)? Is it city.ifrs.edu.br, or is city a subdomain of ifrs.edu.br but on another location? Because if that's the case, then you might have a problem.

This is a question we need to answer first: is it possible to set up trust between domains with the same (almost the same) domain name?

A good read about this is: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning

An example of how this setup works.

domain.tld    top level TLD, used for TXT records on the internet. You don't use this in your LAN.
    If you run a web server and you want www.domain.tld accessible in your LAN:
    set up a vhost <VirtualHost ip1 ip2>. In the DNS, create the domain.tld zone and CNAME www.domain.tld to the hostname of the LAN side of your server.
    (Now you're avoiding the Kerberos auth problem, since the LAN side has a host/fq.dn at kerberosUPN.)
    And set up DNS on the internet to the WAN side.
    Server connected to the internet: use bind or another DNS server on these and forward the domain domain.tld to an internet DNS.
    Forward companyname.domain.tld to your LAN DNS.

companyname.domain.tld    the company top level domain for the LAN.
    OU=Service       my service users for all services I need for all locations.
    OU=Users         only special admins
    OU=Groups        only special groups
    OU=Computers     only special computers (do note: any newly added computer ends up here, then you move it.)
    GPOs at this point are normally not needed; at this point I added my domain root/intermediate CA cert for all computers.
    And you inherit the default GPOs. (That's for the other subdomains.)
    OU=Departments   the OU with all my GPO settings for everyone and every computer within a department.

hq.companyname.domain.tld    a subdomain of it, and often the first one you do.
    OU=Service       my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=HQDep
        You put your users + computers in the department.
        You inherit the domain default GPO.
        You put your GPO settings on that, needed for that department only.

city.companyname.domain.tld    the subdomain.
    OU=Service       my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CityDep
        You put your users + computers in the department.
        You put your GPO settings on that, needed for that department only.

campus.companyname.domain.tld    the subdomain.
    You put your GPO settings on that, needed for the campus only.
    OU=Service       my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CampDep1
        You put your users + computers in the department.
        You put your GPO settings on that, needed for that department only.

etc etc etc

And in this case you don't use trusts, but you're now very flexible in scaling your network with a clear and easy structure.

But that's my idea; now make yours and post your idea to the list. Even if you want to use domain trusts..

Greetz,

Louis

From: Elias Pereira [mailto:empbilly at gmail.com]
Sent: Thursday 31 May 2018 21:15
To: L.P.H. van Belle
Subject: Re: Trust relationship between different domains

Hello Louis,

Sorry for the insistence, but I wonder if you have any ideas, help, hint, anything that can help me with my problem above.

Thanks in advance!!

On Sat, May 26, 2018 at 6:21 PM, Elias Pereira <empbilly at gmail.com> wrote:

Hello Louis, what's up? I hope so!! :D

Did you already test samba4 AD with "trust relationship" on an infrastructure that had 2 or more domains in different places?

E.g.: I work in a school where our rectory or headquarters has the following domain: ifrs.edu.br

Campuses that are part of the institution have the following domain: city_name.ifrs.edu.br

E.g.: the campus that I work at has the domain: sertao.ifrs.edu.br

I've already asked that question on the list, but only Rowland responded and I believe no one else has done any testing lab on this.

In my test lab, at first I can not put it in trust. There are some errors. If you can take a look, the link is below.

https://www.spinics.net/lists/samba/msg149920.html (I could not find the direct link to the samba list)

Thanks in advance!! :D

--
Elias Pereira
hello Louis, thanks for the reply!!! :D

> Sorry for the late reply.

No need for excuses. Again I apologize for sending you a private email.

> I do prefer the list, and I understand why you mailed me directly, but
> best is to keep this on the list. The more eyes that see this, the more
> chance you have on a reply.

Yes, me too, but I believe the people were busy and may not have seen the topic on the list. :)

> Now, I see you are using my 4.8.2 packages, so you're on Debian (or Ubuntu 1804).

Debian x64.

> First try this.
> On the computer where you use the RSAT tools, open a CMD box and run:
>
> NET USE \\<DOMAIN-CONTROLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
> NET USE \\<DOMAIN-CONTROLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>

I was able to run the command with the IP instead of the domain name.

First I ran on the campus.sertao.intra:

NET USE \\dc1.campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd

and also

NET USE \\campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd

Didn't work. So, I ran with the IP instead:

NET USE \\10.10.1.7\IPC$ /user:campus\administrator pa$$wd

Works! :)

C:\>net use
Novas conexões serão lembradas.

Status       Local     Remoto                    Rede
-------------------------------------------------------------------------------
             E:        \\vboxsrv\D_DRIVE         VirtualBox Shared Folders
OK                     \\10.10.1.7\IPC$          Microsoft Windows Network

> Now try to set up the domain trust again. If that works, this is a workaround
> for a Windows client problem.

I do this via RSAT or samba-tool?

> If you get the message again: do you have an MS Exchange in one of the
> domains? That might give that message also.

I don't have.

> And my concerns why this might not work, when I look at your domain names:
> ifrs.edu.br              HQ
> city_name.ifrs.edu.br    CITY
> sertao.ifrs.edu.br       Campus
>
> Now, and I might be very wrong here, but if you want to use domain trust
> between different domains, with what I see now, it gives problems with DNS.
> What is the top level (primary DNS) domain of all three mentioned domains?

No, city_name is an example, coz this is a subdomain of HQ (ifrs.edu.br) at institution level and always is a city name where the campus is located. Real name is sertao.ifrs.edu.br.

On Fri, Jun 1, 2018 at 11:15 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> [...]

--
Elias Pereira
L.P.H. van Belle
2018-Jun-04 06:24 UTC
[Samba] Trust relationship between different domains
Hai Elias,

> NET USE \\10.10.1.7\IPC$ /user:campus\administrator pa$$wd
>
> Works! :)
>
> C:\>net use
> Novas conexões serão lembradas.
>
> Status       Local     Remoto                    Rede
> -------------------------------------------------------------------------------
>              E:        \\vboxsrv\D_DRIVE         VirtualBox Shared Folders
> OK                     \\10.10.1.7\IPC$          Microsoft Windows Network
>
>> Now try to set up the domain trust again. If that works, this is a workaround
>> for a Windows client problem.
>
> I do this via RSAT or samba-tool?

Ok, if \\hostname or \\hostname.fqdn isn't working, then you probably have resolving issues.
And I was assuming you would use the RSAT tools. ;-)

For so far, try it out and let us know.

Greetz,

Louis

From: Elias Pereira [mailto:empbilly at gmail.com]
Sent: Friday 1 June 2018 19:56
To: samba at lists.samba.org
CC: L.P.H. van Belle
Subject: Re: Trust relationship between different domains

[...]
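Louis's diagnosis above (IP works, hostname and FQDN do not, so it is a resolving problem) is worth turning into a check you can run before touching the trust wizard at all, because the IP workaround only masks it: Kerberos issues service tickets for host/<fqdn>, never for an address, so a trust that depends on name resolution will keep failing. The script below is an added example, not code from the thread, Samba or Microsoft. It uses only the Python standard library to send raw DNS queries, and goes a little beyond the thread by also checking the SRV records (_ldap._tcp.dc._msdcs and _kerberos._tcp) that the DC locator and KDC lookup rely on. The domain names, the dc1 host and 10.10.1.7 are taken from Elias's messages; the sample reply at the bottom is constructed, not captured.

```python
"""Pre-trust name-resolution check using only the Python standard library.

Added example (not from the thread): before a trust can be created, the client
and the DCs on both sides must resolve the other domain's DC by NAME, since
Kerberos tickets are issued for host/<fqdn>, never for an IP address.
"""
import random
import socket
import struct
import sys

A, SRV = 1, 33  # DNS record type codes


def _encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=None):
    """Build a standard recursive (RD=1) query carrying one IN-class question."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg):
    """Return [(name, rtype, rdata)] from the answer section; [] on NXDOMAIN etc."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE != 0, e.g. 3 = NXDOMAIN
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_off = off + 10
        off = rdata_off + rdlen
        rdata = msg[rdata_off:off]
        if rtype == A:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == SRV:  # priority, weight, port, then a (maybe compressed) target
            prio, weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = read_name(msg, rdata_off + 6)
            rdata = (prio, weight, port, target)
        answers.append((name, rtype, rdata))
    return answers


def resolve(name, qtype, server, timeout=2.0):
    """Send one UDP query to server (port 53) and parse the reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_answers(reply)


def trust_prerequisite_names(domain, dc_fqdn):
    """(name, type) pairs a client must resolve before creating a trust with domain."""
    return [
        (dc_fqdn, A),                             # \\dc1.campus.reitoria.intra
        (domain, A),                              # \\campus.reitoria.intra (domain A records point at DCs)
        ("_ldap._tcp.dc._msdcs." + domain, SRV),  # DC locator
        ("_kerberos._tcp." + domain, SRV),        # KDC locator
    ]


def check_trust_prerequisites(domain, dc_fqdn, query):
    """Return the names that yielded no record of the expected type.
    query(name, qtype) is injected so the same check runs against a live
    server (resolve) or against captured/constructed replies."""
    return [name for name, qtype in trust_prerequisite_names(domain, dc_fqdn)
            if not [a for a in query(name, qtype) if a[1] == qtype]]


def sample_srv_reply():
    """Constructed (not captured) DC-locator reply for the campus domain, with the
    SRV target compressed against the question name the way real servers do it."""
    qname = "_ldap._tcp.dc._msdcs.campus.reitoria.intra"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", SRV, 1)
    target = b"\x03dc1" + b"\xc0\x21"  # "dc1" + pointer to "campus..." at offset 33
    rdata = struct.pack("!HHH", 0, 100, 389) + target
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # usage: python check_trust_dns.py campus.reitoria.intra dc1.campus.reitoria.intra 10.10.1.7
    if len(sys.argv) == 4:
        dom, dc, server = sys.argv[1:]
        bad = check_trust_prerequisites(dom, dc, lambda n, t: resolve(n, t, server))
        print("all prerequisite names resolve" if not bad else "unresolved: " + ", ".join(bad))
    else:
        print(parse_answers(sample_srv_reply()))
```

Run it from the RSAT workstation against the DNS server that workstation actually uses, once per domain (the client must resolve the remote domain's names too, not only its own), and fix every name it reports before retrying the trust. An empty answer for the bare domain name or for the _msdcs SRV record is the usual reason the \\hostname form fails while the IP form works.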
Hey folks,

I think I've been able to set up the trust between different domains in different places. I'm testing now, but after that I want to put it into production; if it behaves well, I'll come back here to give you feedback.

For now, thanks Louis and Rowland!!! Thanks guys!!!

On Mon, Jun 4, 2018 at 3:25 AM L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai Elias,
>
> [...]
>
> Ok, if \\hostname or \\hostname.fqdn isn't working, then you probably have resolving issues.
> And I was assuming you would use the RSAT tools. ;-)
>
> For so far, try it out and let us know.
>
> Greetz,
>
> Louis
>
> [...]

--
Elias Pereira