Hi MJ,
On 28.02.2019 15:31, mj via samba wrote:
> Hi Stefan,
>
> Thanks for your input. I'll check the dns stuff. I put resolvers for
> both domains as primary and secondary on both machines, but I guess
> that's not good enough.
>
NO, it's not good enough ;-) Setting up a DNS proxy is really easy. Just a
few lines :-).
> I'll look into setting up a (query logging) dns proxy, that should
> tell us at least who is asking what.
>
> Any chance to share that (german) article you wrote?
>
I'm not at home this week, but I will see if I can find it on my notebook
this evening.
Stefan
> My German is not perfect, but good enough to understand a technical
> article. :-)
>
> Thanks for responding!
>
> MJ
>
> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
>> Now I have some time to answer, maybe, a few of your questions.
>>
>> On 26.02.19 at 20:59, lists via samba wrote:
>>> Hi,
>>>
>>> No replies unfortunately. Unsure why.
>> There are still a lot of questions open and I think a lot of things
>> have to be done.
>>>
>>> We searched the list, and we found little discussion on the subject
>>> of trusts. We see occasional questions, but they are often left
>>> unanswered, like this one.
>>>
>>> If someone could point us to some good up-to-date docs on trusts with
>>> samba then we would really appreciate it.
>>>
>>> We set up a test environment (one samba 4.9.4 testad2 AD, one native
>>> windows 2012 testad1 AD, and a win2012 testclient) to play with
>>> trusts, but we have just so many questions, and there is so little
>>> material (on trusts, specific to the combination with samba) to read.
>> Up to this point I have done a few installations with two Samba4 domains.
>>>
>>> Both AD domains (testad1 / testad2) are on the same subnet, and my
>>> test client can join both domains successfully.
>> Before you join the domain you should check if you can resolve the
>> SRV records of both domains from either side. For this the best thing
>> is to set up a DNS proxy between the two domains.
>>>
>>> The trust (from samba's side) succeeds 'half' with an error when
>>> validating the incoming trust at the end.
>> Most of the time it's a DNS problem, so first check the SRV records.
>>>
>>> Here are some outputs:
>>>
>>>> root@testad2dc:/var/log/samba# samba-tool domain trust create
>>>> TESTAD1.company.com -U TESTAD1\\administrator
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>
>>>> Password for [TESTAD1\administrator]:
>>>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>> Creating remote TDO.
>>>> Remote TDO created.
>>>> Setting supported encryption types on remote TDO.
>>>> Creating local TDO.
>>>> Local TDO created
>>>> Setting supported encryption types on local TDO.
>>>> Validating outgoing trust...
>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>> Validating incoming trust...
>>>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>>>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
>>>
>>>> root@testad2dc:/var/log/samba# samba-tool domain trust validate
>>>> testad1
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>>>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> CONNECTION[WERR_OK]
>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>>>
>>>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>>>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>>>> found.
>> Did you check the DNS?
>>>
>>>> root@testad2dc:/var/log/samba# samba-tool domain trust list
>>>> Type[External] Transitive[No] Direction[BOTH]
>>>> Name[testad1.company.com]
>>>
>>>> root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> TrustedDomain:
>>>
>>>> NetbiosName: TESTAD1
>>>> DnsName: testad1.company.com
>>>> SID: S-1-5-21-2509583006-2398556320-3264531554
>>>> Type: 0x2 (UPLEVEL)
>>>> Direction: 0x3 (BOTH)
>>>> Attributes: 0x4 (QUARANTINED_DOMAIN)
>>>> PosixOffset: 0x00000000 (0)
>>>> kerb_EncTypes: 0x18
>>>> (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>>>> root@testad2dc:/var/log/samba# wbinfo --online-status
>>>> BUILTIN : active connection
>>>> TESTAD2 : active connection
>>>> TESTAD1 : active connection
>>>
>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>>>
>>>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>>>> TESTAD2\administrator
>>>> TESTAD2\guest
>>>> TESTAD2\krbtgt
>>>> TESTAD2\testuser
>>>
>>> On the windows 2012 testad1 side, we do NOT see the trust relation
>>> listed under "Active directory domains and trusts". Trusted remote
>>> users are not shown with wbinfo.
>> wbinfo will NOT show you the users from the other domain; this is
>> disabled.
>>>
>>> For the rest there are some options to the "samba-tool domain trust
>>> create" command that make us wonder:
>>>
>>> --quarantined=yes|no (seems to be talking about SID filtering, whereas
>>> the release notes always mention that NO filtering is done..?)
>> You can set it, but (at the moment) it's ignored ;-)
>>>
>>> --create-location=LOCATION (we wonder what is to be created local or
>>> on both places)
>>>
>>> So... many questions and so little to read... Pointers, ideas..?
>>>
>> The only way I have used trusts so far is by setting up a full trust.
>> I've written an article in a German magazine about trusts. It's a little
>> "how to" for creating a working trust.
>>> Thanks in advance!
>>>
>>> MJ
>>>
>> If you set up a full forest trust you can put users from either domain
>> into the other domain, set permissions on file servers and use the
>> resources.
>>
>>
>>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam. Sign your e-mail. Further
information at http://www.gnupg.org
My key is on
hkp://subkeys.pgp.net
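Added example, written for this page and not taken from the thread or from the Samba project: a small POSIX shell script that does the two things Stefan recommends above. It checks from one DC that the SRV records of the other domain (and the A records their targets point at) resolve through a given resolver, and it generates the "few lines" of dnsmasq configuration for a query-logging DNS proxy that forwards each AD zone to its own DC. The reason the primary/secondary resolver setup is not enough: each DC is authoritative only for its own zone, and a stub resolver does not ask the second server after the first one has returned a negative answer; the secondary is a fallback for an unreachable primary, not a second opinion. The RemoteValidation step of `samba-tool domain trust create` is executed by the Windows DC, which has to locate a DC of testad2.company.com through its own DNS, so an empty DC[] with WERR_NO_LOGON_SERVERS is what a failed lookup on that side looks like, and the check has to pass from both sides. The addresses 192.0.2.10 (testad1 DC), 192.0.2.20 (testad2 DC) and 192.0.2.53 (the proxy), and the file name /etc/dnsmasq.d/ad-trust.conf, are assumptions; the domain names are the ones from the thread.

```shell
#!/bin/sh
# trustdns.sh (added example, hypothetical name): verify the AD SRV records of
# the *other* domain from this DC, and emit a dnsmasq "DNS proxy" config.
# Assumed addresses: 192.0.2.10 = testad1 DC, 192.0.2.20 = testad2 DC,
# 192.0.2.53 = the proxy. Requires dig (bind9-dnsutils) for the live checks.

# SRV names every DC must be able to resolve for the other domain. The DC
# locator used by netlogon needs _ldap._tcp.dc._msdcs at minimum; Kerberos
# needs _kerberos and _kpasswd; forest-wide lookups use _gc._tcp.
srv_names() {
  d=$1
  printf '%s\n' \
    "_ldap._tcp.$d" \
    "_ldap._tcp.dc._msdcs.$d" \
    "_ldap._tcp.pdc._msdcs.$d" \
    "_kerberos._tcp.$d" \
    "_kerberos._udp.$d" \
    "_kpasswd._tcp.$d" \
    "_gc._tcp.$d"
}

# Parse `dig +short SRV` output ("prio weight port target." per line) on
# stdin and print the target host names without the trailing dot.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Query one SRV name through one resolver and verify that every target it
# names also has an A record via the same resolver (the locator needs both).
# Prints OK/FAIL lines and returns non-zero on any failure.
check_srv() {
  name=$1; resolver=$2; rc=0
  targets=$(dig +short @"$resolver" SRV "$name" | srv_targets)
  if [ -z "$targets" ]; then
    echo "FAIL $name: no SRV answer from $resolver"
    return 1
  fi
  for t in $targets; do
    if [ -n "$(dig +short @"$resolver" A "$t")" ]; then
      echo "OK   $name -> $t"
    else
      echo "FAIL $name -> $t has no A record via $resolver"; rc=1
    fi
  done
  return $rc
}

# dnsmasq config for the proxy: one conditional forward per AD zone plus
# query logging, so the log shows which side asks for what. Everything else
# still goes to the upstream servers from /etc/resolv.conf on the proxy.
# $1 = testad1 DC address, $2 = testad2 DC address.
dnsmasq_conf() {
  cat <<EOF
# /etc/dnsmasq.d/ad-trust.conf (added example; addresses are assumptions)
server=/testad1.company.com/$1
server=/testad2.company.com/$2
log-queries
EOF
}

# Usage: sh trustdns.sh <other-domain> <resolver>
#   on testad2dc:  sh trustdns.sh testad1.company.com 192.0.2.53
# Only the live checks run when two arguments are given.
if [ $# -eq 2 ]; then
  fail=0
  for n in $(srv_names "$1"); do check_srv "$n" "$2" || fail=1; done
  exit $fail
fi
```

Point the Samba DC at the proxy either by listing 192.0.2.53 in /etc/resolv.conf or by keeping resolv.conf at the DC itself and setting `dns forwarder = 192.0.2.53` in smb.conf; on the Windows side add the proxy as a forwarder, or a conditional forwarder for testad2.company.com, in the DNS server console. The Windows-side equivalent of the script is `nslookup -type=SRV _ldap._tcp.dc._msdcs.testad2.company.com` followed by `nltest /dsgetdc:testad2.company.com`; only when both sides pass is it worth re-running `samba-tool domain trust validate`.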