Hello! I'm trying to create a two way trust between a Samba DC and a Samba NT4 domain, both are 4.10.9. The issue I'm seeing is that while I can establish a one way trust from the NT4 PDC to the DC using the following commands;

net rpc trustdom add sambaad thepassword
net rpc trustdom establish sambaad

I enter the password for PDC$ and the trust is established.

When I go into Domains and Trusts and create a trust it fails to verify. I then attempt to login to an account on NT4 domain named PDC and get the following message.

[2019/10/30 16:35:41.408512, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:989(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account sambaad.engineering.college.edu.: NT_STATUS_NONE_MAPPED

Believing I shouldn't have used the short name I tried the net commands to add the full name, as used in the logs, sambaad.engineering.college.edu, which results in the following error message.

Couldn't find domain controller for domain SAMBAAD.ENGINEERING.COLLEGE.EDU.

I feel like I need the Samba DC to use the short name and not the realm as the trust user and it might resolve. The ultimate goal is to allow the NT4 domain users to be able to authenticate on the Active Directory domain resources.

We cannot upgrade the NT4 domain at this time or we would perform a classic upgrade, there are too many legacy components that have no upgrade path. Any guidance would be greatly appreciated!
On 31/10/2019 18:29, Vex Mage via samba wrote:
> Hello! I'm trying to create a two way trust between a Samba DC and a Samba
> NT4 domain both are 4.10.9. The issue I'm seeing is that while I can
> establish a one way trust from the NT4 PDC to the DC using the following
> commands;
>
> net rpc trustdom add sambaad thepassword
> net rpc trustdom establish sambaad
> I enter the password for PDC$ and the trust is established.

Have you tried 'net rpc trust create' ?
See 'net help rpc trust create' for the syntax.

Or on the Samba DC 'samba-tool domain trust create' ?
see 'samba-tool domain trust create --help' for syntax.

> When I go into Domains and Trusts and create a trust it fails to verify. I
> then attempt to login to an account on NT4 domain named PDC and get the
> following message.
>
> [2019/10/30 16:35:41.408512, 0]
> ../source3/rpc_server/netlogon/srv_netlog_nt.c:989(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: failed to get machine password for account
> sambaad.engineering.college.edu.: NT_STATUS_NONE_MAPPED
>
> Believing I shouldn't have used the short name I tried the net commands to
> add the full name, as used in the logs, sambaad.engineering.college.edu
> which results in the following error message.
>
> Couldn't find domain controller for domain SAMBAAD.ENGINEERING.COLLEGE.EDU.
>
> I feel like I need the Samba DC to use the short name and not the realm as
> the trust user and it might resolve. The ultimate goal is to allow the NT4
> domain users to be able to authenticate on the Active Directory domain
> resources.
>
> We cannot upgrade the NT4 domain at this time or we would perform a classic
> upgrade, there are too many legacy components that have no upgrade path.
> Any guidance would be greatly appreciated!

I urge you to, at least, start planning the upgrade away from the NT4-style domain, they are highly likely to go away.

Just what are you running on the PDC, that you cannot run on a DC ?

Rowland
On 31/10/2019 21:58, Vex Mage wrote:
> > Have you tried 'net rpc trust create' ?
> > See 'net help rpc trust create' for the syntax.
>
> When I attempt this I get the following error message
>
> SAMBAPDC ~# net rpc trust create otherserver=sambaad.engineering.college.edu otheruser=administrator trustpw=********** -S localhost
> or
> SAMBAPDC ~# net rpc trust create otherserver=samba4.engineering.college.edu otheruser=administrator otherdomainsid=S-1-5-21-2519800817-276706161-1978691535 other_netbios_domain=sambaad otherdomain=sambaad.engineering.college.edu
> Enter root's password:
> dcerpc_lsa_QueryInfoPolicy2_r failed with error [NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE].
> get_domain_info failed with error [NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE].
> connect_and_get_info failed with error [NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE]
>
> I can post the result of that command with -d10 if that would be helpful.
>
> > Or on the Samba DC 'samba-tool domain trust create' ?
> > see 'samba-tool domain trust create --help' for syntax.
>
> When I attempt this I get the following error message
>
> SAMBAAD ~# samba-tool domain trust create PDC --type external --direction=both --create-location=both --quarantined=no -W SAMBAPDC -Uroot --password=********
> LocalDomain Netbios[SAMBAAD] DNS[sambaad.engineering.college.edu] SID[S-1-5-21-2519800817-276706161-1978691535]
> ERROR: Failed to find a writeable DC for domain 'PDC': The remote system is not reachable by the transport.

I think your problem may be incorrect info.

What is the short hostname of the PDC ?
What is the short hostname of the AD DC ?
What is the workgroup name for the PDC ?
What is the workgroup name for the AD DC ?
I take it the SID is from the AD DC

> > I urge you to, at least, start planning the upgrade away from the
> > NT4-style domain, they are highly likely to go away.
> >
> > Just what are you running on the PDC, that you cannot run on a DC ?
>
> The real problem for us is that Samba Active Directory doesn't support
> any backends except internal and our backend is OpenLDAP.

That shouldn't be a problem, you can extend the Samba AD similar to openldap or you could use something newer instead.

Just what are you using openldap for ?

Rowland
On 01/11/2019 00:21, Vex Mage wrote:
> SAMBAAD:
> [global]
> dns forwarder = 128.111.41.10
> netbios name = SAMBAAD.ENGR.UCSB.EDU
> realm = SAMBAAD.ENGR.UCSB.EDU
> server role = active directory domain controller
> workgroup = SAMBAAD
> idmap_ldb:use rfc2307 = yes
> allow nt4 crypto = yes

Let's start by trying to fix your DC ;-)

This will probably involve starting again, you cannot have the same realm and netbios name, you cannot use the DNS domain (in uppercase or not) for the netbios name.

netbios name = The computer's short hostname in uppercase
realm = The DNS domain in uppercase
workgroup = This is usually the left hand part of the DNS domain (but can be anything) in uppercase

I think your provision line should be this:

samba-tool domain provision --use-rfc2307 --realm=SAMBAAD.ENGR.UCSB.EDU --domain=SAMBAAD --server-role=dc --adminpass=PASSWORD

If it was very similar and you haven't altered the Samba DC smb.conf, then can I suggest you download and run this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on the DC and post the output in a post (do not attach it, this list strips attachments).

Rowland
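The naming rules in the reply above (netbios name is the short hostname, never the realm or a DNS name; realm is the DNS domain; all three uppercase) can be checked mechanically before provisioning. The script below is an added example, not part of the thread and not a Samba tool; it parses a [global] section with Python's configparser and reports each rule the posted smb.conf breaks. The "fixed" sample assumes the DC's short hostname is samba4, the name that appears later in the thread.

```python
"""Check an AD DC smb.conf [global] section against the naming rules from
the thread. Added example, not Samba's own tooling; the sample text is
constructed from the smb.conf posted in the thread."""
import configparser

# Constructed sample: the [global] section as posted (netbios name == realm).
POSTED_SMB_CONF = """\
[global]
dns forwarder = 128.111.41.10
netbios name = SAMBAAD.ENGR.UCSB.EDU
realm = SAMBAAD.ENGR.UCSB.EDU
server role = active directory domain controller
workgroup = SAMBAAD
idmap_ldb:use rfc2307 = yes
allow nt4 crypto = yes
"""

# Constructed sample: the same DC with the netbios name set to its short
# hostname (samba4 is assumed from later in the thread).
FIXED_SMB_CONF = POSTED_SMB_CONF.replace(
    "netbios name = SAMBAAD.ENGR.UCSB.EDU", "netbios name = SAMBA4")


def parse_global(text):
    """Return the [global] section as a dict with lowercased keys.

    Only '=' is a delimiter: smb.conf keys such as 'idmap_ldb:use rfc2307'
    contain ':' and would otherwise be split at the wrong place."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {k.lower(): v.strip() for k, v in cp["global"].items()}


def naming_problems(text):
    """List the naming-rule violations found in an smb.conf [global] section."""
    g = parse_global(text)
    netbios = g.get("netbios name", "")
    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")
    problems = []
    if not (netbios and realm and workgroup):
        return ["netbios name, realm and workgroup must all be set"]
    if netbios.upper() == realm.upper():
        problems.append("netbios name must not equal the realm")
    if "." in netbios:
        problems.append("netbios name must be the short hostname, not a DNS name")
    if len(netbios) > 15:
        problems.append("netbios name longer than 15 characters")
    if "." not in realm:
        problems.append("realm should be the DNS domain")
    if workgroup.upper() == realm.upper():
        problems.append("workgroup must not be the full realm")
    for label, value in (("netbios name", netbios), ("realm", realm),
                         ("workgroup", workgroup)):
        if value != value.upper():
            problems.append(f"{label} should be uppercase")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {naming_problems(conf) or ['ok']}")
```

Run against the posted section it reports the netbios name as equal to the realm, dotted, and too long; after the single change to the netbios name it reports nothing, which matches the provision line suggested above (--realm=SAMBAAD.ENGR.UCSB.EDU --domain=SAMBAAD, with the hostname supplying the netbios name).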
On 01/11/2019 22:23, Vex Mage wrote:
> The script is expecting dpkg however this is a Red Hat derived distro
> (Fedora Server.)

Where did you get the Samba packages from ? If they are the default OS packages, then you should stop using them, they use MIT kerberos and are experimental.

> Here is the output as I believe the one real command dpkg was
> needed for was for bind packages and we're using Samba internal for
> dns. I'm a little confused from this output regarding the kerberos srv
> record. It's using the base of the domain for which it isn't
> responsible for however; all workstations and the servers are using
> the Samba DC for their DNS so I assume this is acceptable?
>
> [root@samba4 ~]# cat /tmp/samba-debug-info.txt
> Collected config --- 2019-11-01-15:02 -----------
>
> Hostname: samba4
> DNS Domain: engr.ucsb.edu
> FQDN: samba4.engr.ucsb.edu
> ipaddress: 192.168.0.251

No need to go any further, your realm is 'SAMBAAD.ENGR.UCSB.EDU' so your dns domain MUST be 'sambaad.engr.ucsb.edu'

To be honest, I would just start again, but either with a different OS (Debian ?) or find Fedora Samba packages that use Heimdal instead of MIT.

Rowland
On 05/11/2019 19:06, Vex Mage wrote:
> Collected config --- 2019-11-05-10:26 -----------
>
> Hostname: samba4
> DNS Domain: sambaad.engr.ucsb.edu
> FQDN: samba4.sambaad.engr.ucsb.edu
> ipaddress: 128.111.27.62 192.168.0.235
>
> -----------
>
> Kerberos SRV _kerberos._tcp.sambaad.engr.ucsb.edu record verified ok, sample output:
> Server: 128.111.41.10
> Address: 128.111.41.10#53
>
> Non-authoritative answer:
> _kerberos._tcp.sambaad.engr.ucsb.edu service = 0 100 88 samba4.sambaad.engr.ucsb.edu.
>
> Authoritative answers can be found from:
> sambaad.engr.ucsb.edu nameserver = samba4.sambaad.engr.ucsb.edu.
> samba4.sambaad.engr.ucsb.edu internet address = 192.168.0.235
> Samba is running as an AD DC
>
> -----------
>         Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
> This computer is running Debian 10.1 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether d2:fa:77:37:bc:a2 brd ff:ff:ff:ff:ff:ff
>     inet 128.111.27.62/24 brd 128.111.27.255 scope global dynamic ens18
>        valid_lft 603001sec preferred_lft 603001sec
>     inet6 fe80::d0fa:77ff:fe37:bca2/64 scope link
> 3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 02:3b:df:ce:61:19 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.235/24 brd 192.168.0.255 scope global dynamic ens19
>        valid_lft 478sec preferred_lft 478sec
>     inet6 fe80::3b:dfff:fece:6119/64 scope link
>
> -----------
>         Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 127.0.1.1 sambaad.engr.ucsb.edu sambaad

Change the 127.0.1.1 line to:

128.111.27.62 samba4.sambaad.engr.ucsb.edu samba4

> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>         Checking file: /etc/resolv.conf
>
> domain engr.ucsb.edu
> search engr.ucsb.edu

Remove the 'domain' line
Change the search line to:

search sambaad.engr.ucsb.edu

> nameserver 128.111.41.10

Change the nameserver IP to '128.111.27.62' which appears to be the IP of your AD DC, the DC is supposed to use itself as its nameserver.

Add these two lines to the smb.conf file on the AD DC:

interfaces = ens18 128.111.27.62/24
bind interfaces only = yes

Rowland
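The /etc/hosts and /etc/resolv.conf corrections in the reply above follow fixed rules: the DC's own address (never 127.0.1.1) maps to its FQDN followed by its short name, no name in the AD DNS domain resolves to loopback, the search domain is the AD DNS domain, there is no 'domain' line, and the first nameserver is the DC itself. The script below is an added example, not part of the thread and not a Samba tool; it encodes those rules and runs them over constructed copies of the two files as posted and as corrected. The DC identity values are taken from the debug output quoted above.

```python
"""Check a Samba AD DC's /etc/hosts and /etc/resolv.conf against the rules
applied in the thread. Added example, not part of the thread or of Samba;
the file contents are constructed from the output posted above."""

# Constructed: identity values the debug script reported for this DC.
DC_IP = "128.111.27.62"
DC_SHORT = "samba4"
DNS_DOMAIN = "sambaad.engr.ucsb.edu"
DC_FQDN = f"{DC_SHORT}.{DNS_DOMAIN}"

# Constructed: /etc/hosts as posted, and with the 127.0.1.1 line corrected.
POSTED_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 sambaad.engr.ucsb.edu sambaad
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""
FIXED_HOSTS = POSTED_HOSTS.replace(
    "127.0.1.1 sambaad.engr.ucsb.edu sambaad", f"{DC_IP} {DC_FQDN} {DC_SHORT}")

# Constructed: /etc/resolv.conf as posted, and corrected.
POSTED_RESOLV = """\
domain engr.ucsb.edu
search engr.ucsb.edu
nameserver 128.111.41.10
"""
FIXED_RESOLV = f"search {DNS_DOMAIN}\nnameserver {DC_IP}\n"


def records(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def hosts_problems(text, ip=DC_IP, fqdn=DC_FQDN, short=DC_SHORT, domain=DNS_DOMAIN):
    """Return the /etc/hosts problems for a DC with the given identity."""
    problems = []
    found_dc_line = False
    for fields in records(text):
        addr, names = fields[0], fields[1:]
        in_domain = [n for n in names if n == domain or n.endswith("." + domain)]
        if addr.startswith("127.") and in_domain:
            # A name in the AD DNS domain resolving to loopback gives the DC
            # the wrong idea of its own address.
            problems.append(
                f"{addr} carries {' '.join(in_domain)}; must not resolve to loopback")
        if addr == ip:
            found_dc_line = True
            if not names or names[0] != fqdn or short not in names:
                problems.append(f"{ip} line must read '{ip} {fqdn} {short}'")
    if not found_dc_line:
        problems.append(f"no line maps {ip} to {fqdn} {short}")
    return problems


def resolv_problems(text, ip=DC_IP, domain=DNS_DOMAIN):
    """Return the /etc/resolv.conf problems for a DC that must resolve via itself."""
    problems = []
    search = []
    nameservers = []
    for fields in records(text):
        key, args = fields[0], fields[1:]
        if key == "domain":
            problems.append("remove the 'domain' line")
        elif key == "search":
            search = args
        elif key == "nameserver":
            nameservers.extend(args)
    if not search or search[0] != domain:
        problems.append(f"search line should start with {domain}")
    if not nameservers or nameservers[0] != ip:
        problems.append(f"first nameserver should be the DC itself ({ip})")
    return problems


if __name__ == "__main__":
    print("posted hosts :", hosts_problems(POSTED_HOSTS) or ["ok"])
    print("fixed hosts  :", hosts_problems(FIXED_HOSTS) or ["ok"])
    print("posted resolv:", resolv_problems(POSTED_RESOLV) or ["ok"])
    print("fixed resolv :", resolv_problems(FIXED_RESOLV) or ["ok"])
```

The posted files produce two hosts problems (the loopback entry in the AD domain, and no entry for the DC's real address) and three resolv.conf problems (the 'domain' line, the wrong search domain, and an external nameserver); the corrected files produce none, which is the state the reply above is asking for before trust setup is retried.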