Alex Moore
2019-Jan-10 23:11 UTC
[Samba] Realm trust between Samba AD and MIT kerberos realm
Hi all,

I was hoping to set up a realm trust between a Samba AD domain and a kerberos realm running mit-krb5, however it looks like that isn't currently supported. Is that correct, or am I missing something (I'm running Samba 4.9.4)?

Having noticed that "samba-tool domain trust" only seems to cater for trusts involving other AD domains, I tried to work around that (in the hope that perhaps the limitation is only in the CLI tools) by promoting a Windows 2008 R2 system to a DC in my otherwise Samba-based AD environment, to see if I could use that to get the realm trust in place. That seems to have at least half worked... I found that I needed to temporarily move the PDC Emulator role to the Windows 2008 R2 DC, after which it was then possible to use the GUI tools (i.e. Active Directory Domains and Trusts) to create a kerberos realm trust. For the record I created a non-transitive outgoing realm trust from AD to the MIT kerberos realm. The resulting kerberos realm trust does appear to function correctly, although perhaps that's not saying much because I haven't yet tried demoting the Windows 2008 R2 DC to see whether the realm trust continues to function once there are only Samba DCs remaining (I will test that soon...).

At least "samba-tool domain trust list/show" do present sensible information:

# samba-tool domain trust list
Type[External] Transitive[No] Direction[OUTGOING] Name[KRB.REALM]

# samba-tool domain trust show KRB.REALM
LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:

NetbiosName: KRB.REALM
SID: None
Type: 0x3 (MIT)
Direction: 0x2 (OUTBOUND)
Attributes: 0x1 (NON_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)

However I have already noticed one thing that is broken... if I restart samba on the Samba DC after creating the realm trust, winbind immediately dies with the following (and I can't see a workaround - meaning this isn't a viable deployment even if the trust would otherwise continue to work after demoting the Windows DC, as it would stop working as soon as samba is next restarted):

[2019/01/10 20:17:59.578186, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/01/10 20:17:59.585080, 0] ../source3/winbindd/winbindd_util.c:131(add_trusted_domain)
  add_trusted_domain: Got null SID for domain [KRB.REALM]
[2019/01/10 20:17:59.585114, 0] ../source3/winbindd/winbindd_util.c:1245(init_domain_list)
  init_domain_list: init_domain_list_dc failed
[2019/01/10 20:17:59.585138, 0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list

So - is there any chance of getting support for kerberos realm trusts added to Samba? Perhaps I am being naive here, but I'm hoping that presumably realm trusts are much simpler than other AD trust types (since they're purely kerberos - no need to deal with SIDs and other such complexities), to the extent that I imagine they only require a subset of the code that has already been implemented for the other trust types.

Thanks
Alex
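An added example, not from Alex's post and not part of Samba's own tooling: a small Python check that parses the text output of "samba-tool domain trust show" as quoted in the post, reports any trusted domain whose SID is None (the condition winbindd rejects in the log above with "Got null SID"), and separately scans a winbindd log excerpt for that failure line, so an operator can spot the problem before restarting samba rather than after. The field layout it assumes is taken only from the output shown in the post; the sample inputs below are constructed from that same output.

```python
"""Added example (not from the thread, not a Samba API): flag Samba AD trust
entries that have no SID, the condition that in Alex's post made winbindd
fail at startup with "add_trusted_domain: Got null SID for domain [...]".
The parsing assumes the "samba-tool domain trust show" text layout quoted
in the post; sample inputs are constructed from that quoted output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "samba-tool domain trust show KRB.REALM" output from the post.
SAMPLE_TRUST_SHOW = """\
LocalDomain Netbios[AD] DNS[ad.domain] SID[S-1-5-21-611510720-3146064378-2947260547]
TrustedDomain:

NetbiosName: KRB.REALM
SID: None
Type: 0x3 (MIT)
Direction: 0x2 (OUTBOUND)
Attributes: 0x1 (NON_TRANSITIVE)
PosixOffset: 0x00000000 (0)
kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
"""

# Constructed sample: the winbindd log lines from the post.
SAMPLE_WINBIND_LOG = """\
[2019/01/10 20:17:59.578186, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2019/01/10 20:17:59.585080, 0] ../source3/winbindd/winbindd_util.c:131(add_trusted_domain)
  add_trusted_domain: Got null SID for domain [KRB.REALM]
[2019/01/10 20:17:59.585114, 0] ../source3/winbindd/winbindd_util.c:1245(init_domain_list)
  init_domain_list: init_domain_list_dc failed
[2019/01/10 20:17:59.585138, 0] ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
"""


@dataclass
class TrustedDomain:
    """One TrustedDomain record from 'samba-tool domain trust show'."""
    netbios_name: str
    sid: Optional[str]   # None when samba-tool printed "SID: None"
    trust_type: str      # e.g. "0x3 (MIT)"
    direction: str       # e.g. "0x2 (OUTBOUND)"
    attributes: str      # e.g. "0x1 (NON_TRANSITIVE)"


# "Key: value" lines inside a TrustedDomain record.
_FIELD_RE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*?)\s*$")
# The winbindd failure line seen in the post.
_NULL_SID_RE = re.compile(
    r"add_trusted_domain: Got null SID for domain \[(?P<domain>[^\]]+)\]")


def parse_trust_show(text: str) -> list[TrustedDomain]:
    """Parse 'samba-tool domain trust show' text into TrustedDomain records."""
    domains: list[TrustedDomain] = []
    # Each record is introduced by a bare "TrustedDomain:" line; the text
    # before the first one is the LocalDomain summary, which is skipped.
    blocks = re.split(r"^TrustedDomain:[ \t]*$", text, flags=re.MULTILINE)[1:]
    for block in blocks:
        fields: dict[str, str] = {}
        for line in block.splitlines():
            m = _FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        sid = fields.get("SID")
        domains.append(TrustedDomain(
            netbios_name=fields.get("NetbiosName", ""),
            sid=None if sid in (None, "", "None") else sid,
            trust_type=fields.get("Type", ""),
            direction=fields.get("Direction", ""),
            attributes=fields.get("Attributes", ""),
        ))
    return domains


def null_sid_trusts(text: str) -> list[str]:
    """Names of trusted domains whose SID is None in the trust show output."""
    return [d.netbios_name for d in parse_trust_show(text) if d.sid is None]


def null_sid_failures(log_text: str) -> list[str]:
    """Domains named in 'Got null SID' failures in a winbindd log excerpt."""
    return [m.group("domain") for m in _NULL_SID_RE.finditer(log_text)]


if __name__ == "__main__":
    for d in parse_trust_show(SAMPLE_TRUST_SHOW):
        print(f"{d.netbios_name}: type={d.trust_type} sid={d.sid}")
    for name in null_sid_trusts(SAMPLE_TRUST_SHOW):
        print(f"WARNING: trust {name} has no SID; check winbindd before restarting samba")
    for name in null_sid_failures(SAMPLE_WINBIND_LOG):
        print(f"winbindd log: null SID failure for {name}")
```

In real use you would feed parse_trust_show the captured stdout of "samba-tool domain trust show" for each trust listed by "samba-tool domain trust list", and point null_sid_failures at log.winbindd; a non-empty result from the first check is a signal to hold off on restarting samba on the DC, since the post shows winbindd refusing to initialise its domain list in exactly that state.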
Alex Moore
2019-Jan-14 14:14 UTC
[Samba] Realm trust between Samba AD and MIT kerberos realm
I have now tried demoting the Windows 2008 R2 DC, and it seems the realm trust no longer works after doing so. Which brings me back to my main question: Am I correct in thinking realm trusts aren't currently expected to work, and if so are there any plans to add support for them? Otherwise, if this ought to be possible already, is anyone able to advise on what I might be missing?

Thanks a lot,
Alex

On 10/01/2019 23:11, Alex Moore via samba wrote:
> Hi all,
>
> I was hoping to set up a realm trust between a Samba AD domain and a
> kerberos realm running mit-krb5, however it looks like that isn't
> currently supported. Is that correct, or am I missing something (I'm
> running Samba 4.9.4)?
>
> Having noticed that "samba-tool domain trust" only seems to cater for
> trusts involving other AD domains, I tried to work around that (in the
> hope that perhaps the limitation is only in the CLI tools) by
> promoting a Windows 2008 R2 system to a DC in my otherwise Samba-based
> AD environment, to see if I could use that to get the realm trust in
> place. That seems to have at least half worked... I found that I
> needed to temporarily move the PDC Emulator role to the Windows 2008
> R2 DC, after which it was then possible to use the GUI tools (i.e.
> Active Directory Domains and Trusts) to create a kerberos realm trust.
> For the record I created a non-transitive outgoing realm trust from AD
> to the MIT kerberos realm. The resulting kerberos realm trust does
> appear to function correctly, although perhaps that's not saying much
> because I haven't yet tried demoting the Windows 2008 R2 DC to see
> whether the realm trust continues to function once there are only
> Samba DCs remaining (I will test that soon...).
>
> At least "samba-tool domain trust list/show" do present sensible information:
>
> # samba-tool domain trust list
> Type[External] Transitive[No] Direction[OUTGOING] Name[KRB.REALM]
>
> # samba-tool domain trust show KRB.REALM
> LocalDomain Netbios[AD] DNS[ad.domain]
> SID[S-1-5-21-611510720-3146064378-2947260547]
> TrustedDomain:
>
> NetbiosName: KRB.REALM
> SID: None
> Type: 0x3 (MIT)
> Direction: 0x2 (OUTBOUND)
> Attributes: 0x1 (NON_TRANSITIVE)
> PosixOffset: 0x00000000 (0)
> kerb_EncTypes: 0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>
> However I have already noticed one thing that is broken... if I
> restart samba on the Samba DC after creating the realm trust, winbind
> immediately dies with the following (and I can't see a workaround -
> meaning this isn't a viable deployment even if the trust would
> otherwise continue to work after demoting the Windows DC, as it would
> stop working as soon as samba is next restarted):
>
> [2019/01/10 20:17:59.578186, 0]
> ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
> initialize_winbindd_cache: clearing cache and re-creating with
> version number 2
> [2019/01/10 20:17:59.585080, 0]
> ../source3/winbindd/winbindd_util.c:131(add_trusted_domain)
> add_trusted_domain: Got null SID for domain [KRB.REALM]
> [2019/01/10 20:17:59.585114, 0]
> ../source3/winbindd/winbindd_util.c:1245(init_domain_list)
> init_domain_list: init_domain_list_dc failed
> [2019/01/10 20:17:59.585138, 0]
> ../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
> unable to initialize domain list
>
> So - is there any chance of getting support for kerberos realm trusts
> added to Samba? Perhaps I am being naive here, but I'm hoping that
> presumably realm trusts are much simpler than other AD trust types
> (since they're purely kerberos - no need to deal with SIDs and other
> such complexities), to the extent that I imagine they only require a
> subset of the code that has already been implemented for the other
> trust types.
>
> Thanks
> Alex