Hello,
I'm trying to set up a trust between two separate domains with a one-way trust.
First, the overview (domains, servers, IPs):
Setting: Sernet-Samba 4.9.1 with bind9-DLZ against bind 9.10.3, as file + AD server = srv01, domain = my.local
Foreign domain: Windows 2016 with FL 2012R2, AD server = dc01, domain = foreign.local
TCP/IP connections are working between both subnets, e.g. http, ssh, ...
+---------------+                   +--------------------+
|               |                   |                    |
| Domain 1      | +-------------->  | Domain 2           |
| my.local      |        1-way      | foreign.local      |
|               |        Trust      |                    |
+-------+-------+                   +-------+------------+
        ^                                   ^
        |                                   |
+-------+-------+                   +-------+------------+
|srv01.my.local |                   | dc01.foreign.local |
|192.168.1.21   |                   | 192.168.200.10     |
+-------+-------+                   +-------+------------+
On the AD server of Domain 1, I type in (and got):
---code---
root@srv01:/etc# samba-tool domain trust create foreign.local --type=external --direction=outgoing --create-location=local -d3
**New Outgoing Trust Password:
**Retype Outgoing Trust Password:
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncalrpc:SRV01[,auth_type=ncalrpc_as_system]
**LocalDomain Netbios[FARO] DNS[my.local] SID[S-1-5-21-2559140846-275273017-4092053332]
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.foreign.local<0x0>
**RemoteDC Netbios[DC01] DNS[DC01.foreign.local] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00038000__]
Using binding ncacn_np:DC01.foreign.local
resolve_lmhosts: Attempting lmhosts lookup for name DC01.foreign.local<0x20>
Server cifs/DC01.foreign.local@FOREIGN.LOCAL is not registered with our KDC:  Miscellaneous failure (see text): Server (krbtgt/FOREIGN.LOCAL@MY.LOCAL) unknown
gensec_spnego_client_negTokenInit_step: gssapi_krb5: creating NEG_TOKEN_INIT for cifs/DC01.foreign.local failed (next[ntlmssp]): NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
**Password for [Administrator@MY.LOCAL]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
**ERROR: REMOTE_DC[DC01.foreign.local]: failed to connect lsa server - ERROR(0xC000006D) - The attempted logon is invalid. This is either due to a bad username or authentication information.
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 2429, in run
    remote_lsa = self.new_remote_lsa_connection()
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1856, in new_remote_lsa_connection
    return lsa.lsarpc(self.remote_binding_string, self.local_lp, self.remote_creds)
---/code---
(The ** lines are the ones that appear if I don't give -d 3.)
samba-tool domain trust create asks (twice) for a password for a trust account created on DC01.
Then it asks for the Administrator password of my domain.
On the Windows side, I get an "event 4625" with a logon attempt by Administrator@MY.LOCAL (see the XML event export below).
Why?? Shouldn't this be the trust account? Am I doing something wrong? I haven't found many useful tips, only a PDF from Stefan Kaina. Maybe I haven't found the right documentation?
The domains and their AD DCs are working without errors on their own, and the additional DNS entries are tested.
This is the view from srv01.my.local:
---code---
root@srv01:/etc# host -t SRV _kerberos._tcp.my.local
_kerberos._tcp.my.local has SRV record 0 100 88 srv01.my.local.
root@srv01:/etc# host -t SRV _ldap._tcp.foreign.local
_ldap._tcp.foreign.local has SRV record 0 100 389 dc01.foreign.local.
root@srv01:/etc# host -t SRV _kerberos._tcp.foreign.local
_kerberos._tcp.foreign.local has SRV record 0 100 88 dc01.foreign.local.

root@srv01:/etc# kinit Administrator
Passwort for Administrator@MY.LOCAL:
root@srv01:/etc# klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_0
Standard-Principal: Administrator@MY.LOCAL
Valid starting       Expires              Service principal
19.06.2023 12:22:35  19.06.2023 22:22:35  krbtgt/MY.LOCAL@MY.LOCAL
         renew until 20.06.2023 12:22:31

root@srv01:/etc# ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local
objectGUID: 90af7026-2039-41b1-bfac-2287380ebb44

# returned 1 records
# 1 entries
# 0 referrals

root@srv01:/etc# samba-tool dns zonelist my.local -U Administrator
Password for [FARO\Administrator]:
  3 zone(s) found
  pszZoneName                 : my.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.my.local

  pszZoneName                 : foreign.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.my.local

  pszZoneName                 : _msdcs.my.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.my.local

root@srv01:/etc# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[users]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[space]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
        allow dns updates = nonsecure and secure
        allow insecure wide links = Yes
        bind interfaces only = Yes
        dns forwarder = 192.168.1.23
        interfaces = lo ens192
        kpasswd port = 0
        ldap server require strong auth = No
        load printers = No
        log file = /var/log/samba/%M.log
        logon drive = Z:
        logon home = \\%L\%U
        logon script = netlogon-%M.bat
        max log size = 200000
        os level = 99
        passdb backend = samba_dsdb
        preferred master = Yes
        printcap cache time = 770
        printcap name = cups
        realm = MY.LOCAL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        time server = Yes
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind use default domain = Yes
        workgroup = MY
        rpc_server:tcpip = no
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        access based share enum = Yes
        acl allow execute always = Yes
        cups options = raw
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        hide unreadable = Yes
        level2 oplocks = No
        map acl inherit = Yes
        map archive = No
        oplocks = No
        read only = No
        vfs objects = acl_xattr
[sysvol]
        path = /var/lib/samba/sysvol
[netlogon]
        comment = NetLogon Service. Technikbereich
        path = /var/lib/samba/sysvol/my.local/scripts
[users]
        comment = Homedirs. Drive Z:
        path = /home/users/
        wide links = Yes
[profiles]
        create mask = 02777
        directory mask = 02777
        force user = %U
        guest ok = Yes
        path = /home/profiles
        valid users = %U "Domain Admins"
        wide links = Yes
[printers]
        browseable = No
        comment = All Printers
        create mask = 0600
        guest ok = Yes
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        path = /var/tmp
        printable = Yes
        print command = lpr -r -P'%p' %s
        printing = bsd
[print$]
        comment = Printer Drivers
        create mask = 0666
        directory mask = 0777
        guest ok = Yes
        path = /var/lib/samba/drivers/
        write list = @ntadmin root administrator @users
[space]
        comment = ServerSpace. Drive H:
        create mask = 0777
        directory mask = 0777
        force create mode = 0777
        force directory mode = 0777
        path = /smb/space
        valid users = @locals
        wide links = Yes
---/code---
here are copies of some relevant files:
/etc/krb5.conf:
[libdefaults]
    default_realm = MY.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
/etc/resolv.conf:
search my.local
nameserver 192.168.1.21
nameserver 192.168.200.10
nameserver 194.25.2.129
The Event 4625 XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2023-06-19T11:11:06.751282100Z" />
    <EventRecordID>207808901</EventRecordID>
    <Correlation />
    <Execution ProcessID="672" ThreadID="4664" />
    <Channel>Security</Channel>
    <Computer>DC01.foreign.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Administrator@MY.LOCAL</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SRV01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.168.1.21</Data>
    <Data Name="IpPort">43912</Data>
  </EventData>
</Event>
greetings
Andy
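The event 4625 from the post, triaged programmatically. This is an added example for the thread, not part of the post and not Samba code: it parses a Windows Security event 4625 export, decodes the Status and SubStatus NTSTATUS values and reports what the fields say about the rejected logon. The embedded sample is a trimmed copy of the event above; the NTSTATUS and logon-type tables hold documented Windows values, not anything specific to this thread.

```python
"""Triage a Windows Security event 4625 (logon failure) exported as XML.

Added example for this thread; it is neither Samba code nor from the post.
The sample event is a trimmed copy of the one in the post; the NTSTATUS
table holds documented Windows values.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# NTSTATUS codes that show up in the Status / SubStatus fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or authentication information)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER (no such account in the target domain)",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}

# Trimmed copy of the event from the post (System block shortened).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2023-06-19T11:11:06.751282100Z" />
    <Channel>Security</Channel>
    <Computer>DC01.foreign.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator@MY.LOCAL</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SRV01</Data>
    <Data Name="IpAddress">192.168.1.21</Data>
  </EventData>
</Event>
"""


def parse_4625(xml_text):
    """Return the fields of one event 4625 as a dict with decoded integers."""
    root = ET.fromstring(xml_text)
    system = root.find(EVENT_NS + "System")
    event_id = int(system.findtext(EVENT_NS + "EventID"))
    if event_id != 4625:
        raise ValueError("expected event 4625, got %d" % event_id)
    # EventData/Data elements carry the interesting fields, keyed by Name.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iter(EVENT_NS + "Data")}
    return {
        "computer": system.findtext(EVENT_NS + "Computer"),
        "time": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
        "target_user": data.get("TargetUserName", ""),
        "target_domain": data.get("TargetDomainName", ""),
        "status": int(data.get("Status", "0"), 16),
        "substatus": int(data.get("SubStatus", "0"), 16),
        "logon_type": int(data.get("LogonType", "0")),
        "auth_package": data.get("AuthenticationPackageName", ""),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
    }


def explain(ev):
    """Turn a parsed event into human-readable findings."""
    notes = [
        "%s rejected a %s logon for '%s' from %s (%s) via %s" % (
            ev["computer"], LOGON_TYPES.get(ev["logon_type"], ev["logon_type"]),
            ev["target_user"], ev["workstation"], ev["ip"], ev["auth_package"]),
        "Status: " + NTSTATUS.get(ev["status"], hex(ev["status"])),
        "SubStatus: " + NTSTATUS.get(ev["substatus"], hex(ev["substatus"])),
    ]
    if ev["auth_package"].upper() == "NTLM":
        notes.append("NTLM was used, so no Kerberos cross-realm ticket was involved")
    if "@" in ev["target_user"] and not ev["target_domain"]:
        realm = ev["target_user"].split("@", 1)[1]
        notes.append("UPN-style target with empty TargetDomainName: %s was asked to "
                     "authenticate a %s account it does not hold" % (ev["computer"], realm))
    return notes


if __name__ == "__main__":
    for line in explain(parse_4625(SAMPLE_EVENT_XML)):
        print(line)
```

Run against the export above it reports a Network logon for Administrator@MY.LOCAL from SRV01 over NTLM with STATUS_LOGON_FAILURE and SubStatus STATUS_NO_SUCH_USER, which lines up with the -d3 trace: the Kerberos path failed because srv01's KDC knows no krbtgt/FOREIGN.LOCAL@MY.LOCAL, samba-tool fell back to NTLM (next[ntlmssp]) with the local Administrator credentials, and dc01 has no account by that name.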
On 19/06/2023 16:08, Andreas Paulick via samba wrote:
> [...]
Hi Andy,

Can I suggest you upgrade your Samba DC before you do anything further? Samba 4.9.1 is very old and if you are hitting a bug, it may have been fixed in a later version. If it hasn't been fixed, then you have little chance of getting your version fixed.

Also, you used 'testparm' for the smb.conf; you should have used 'samba-tool testparm' because it is a DC. However, one of the lines it output was 'vfs objects = acl_xattr'. If that actual line is in your smb.conf, then I would remove it. The default is 'vfs objects = dfs_samba4 acl_xattr' and if it is as shown in the testparm output, you have turned off a vital module.

Rowland
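The check Rowland describes, as an added example that is neither Samba code nor part of the thread: a small parser for smb.conf or `samba-tool testparm` output that flags a `[global]` `vfs objects` line on an AD DC which drops `dfs_samba4` (the DC default being `vfs objects = dfs_samba4 acl_xattr`). The embedded input is a trimmed, constructed copy of the `[global]` section from the thread.

```python
"""Flag a 'vfs objects' line in [global] that drops the Samba AD DC defaults.

Added example for this thread; not Samba code. The DC default quoted in the
reply is 'vfs objects = dfs_samba4 acl_xattr'; an explicit
'vfs objects = acl_xattr' silently removes dfs_samba4. Input is the text of
smb.conf or of 'samba-tool testparm' output; the sample is a trimmed,
constructed copy of the [global] section posted in the thread.
"""
import re

DC_DEFAULT_VFS = ("dfs_samba4", "acl_xattr")

SAMPLE_TESTPARM_OUTPUT = """\
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
        realm = MY.LOCAL
        server role = active directory domain controller
        workgroup = MY
        vfs objects = acl_xattr
[sysvol]
        path = /var/lib/samba/sysvol
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with single spaces.
    Text before the first [section] (testparm chatter) is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_dc_vfs_objects(conf):
    """Return findings about [global] 'vfs objects' on an AD DC (empty = OK)."""
    g = conf.get("global", {})
    if "active directory domain controller" not in g.get("server role", "").lower():
        return []  # the DC default is irrelevant on a member or standalone server
    if "vfs objects" not in g:
        return []  # nothing set explicitly: the built-in DC default applies
    modules = g["vfs objects"].replace(",", " ").split()
    missing = [m for m in DC_DEFAULT_VFS if m not in modules]
    return ["[global] 'vfs objects = %s' drops '%s'; the AD DC default is 'vfs objects = %s'"
            % (g["vfs objects"], m, " ".join(DC_DEFAULT_VFS)) for m in missing]


if __name__ == "__main__":
    for finding in check_dc_vfs_objects(parse_smb_conf(SAMPLE_TESTPARM_OUTPUT)):
        print(finding)
```

Feed it `samba-tool testparm` output rather than the raw smb.conf when you want the effective values, since testparm prints what Samba actually loaded; on the thread's configuration it reports the missing `dfs_samba4`, and on a line that lists both modules (or no `vfs objects` line at all) it stays silent.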
As Rowland already said, Samba 4.9 is old, and trusts started working well with 4.12. And I hope .local is only used to show what you would like to do. If not, you will have a lot of problems.

On 19.06.23 at 17:08, Andreas Paulick via samba wrote:
> [...]
rpc_server:srvsvc = embedded > ??????? rpc_server:svcctl = embedded > ??????? rpc_server:default = external > ??????? winbindd:use external pipes = true > ??????? rpc_daemon:spoolssd = embedded > ??????? rpc_server:spoolss = embedded > ??????? idmap_ldb:use rfc2307 = yes > ??????? idmap config * : backend = tdb > ??????? access based share enum = Yes > ??????? acl allow execute always = Yes > ??????? cups options = raw > ??????? dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd > ??????? hide unreadable = Yes > ??????? level2 oplocks = No > ??????? map acl inherit = Yes > ??????? map archive = No > ??????? oplocks = No > ??????? read only = No > ??????? vfs objects = acl_xattr > [sysvol] > ??????? path = /var/lib/samba/sysvol > [netlogon] > ??????? comment = NetLogon Service. Technikbereich > ??????? path = /var/lib/samba/sysvol/my.local/scripts > [users] > ??????? comment = Homedirs. Drive Z: > ??????? path = /home/users/ > ??????? wide links = Yes > [profiles] > ??????? create mask = 02777 > ??????? directory mask = 02777 > ??????? force user = %U > ??????? guest ok = Yes > ??????? path = /home/profiles > ??????? valid users = %U "Domain Admins" > ??????? wide links = Yes > [printers] > ??????? browseable = No > ??????? comment = All Printers > ??????? create mask = 0600 > ??????? guest ok = Yes > ??????? lpq command = lpq -P'%p' > ??????? lprm command = lprm -P'%p' %j > ??????? path = /var/tmp > ??????? printable = Yes > ??????? print command = lpr -r -P'%p' %s > ??????? printing = bsd > [print$] > ??????? comment = Printer Drivers > ??????? create mask = 0666 > ??????? directory mask = 0777 > ??????? guest ok = Yes > ??????? path = /var/lib/samba/drivers/ > ??????? write list = @ntadmin root administrator @users > [space] > ??????? comment = ServerSpace. Drive H: > ??????? create mask = 0777 > ??????? directory mask = 0777 > ??????? force create mode = 0777 > ??????? force directory mode = 0777 > ??????? path = /smb/space > ??????? 
valid users = @locals > ??????? wide links = Yes > > ---/code--- > > here are copies of some relevant files: > /etc/krb5.conf: > [libdefaults] > ??? default_realm = MY.LOCAL > ??? dns_lookup_realm = false > ??? dns_lookup_kdc = true > > /etc/resolv.conf: > search my.local > nameserver 192.168.1.21 > nameserver 192.168.200.10 > nameserver 194.25.2.129 > > > tne Event-4625-xml: > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> > ? <System> > ??? <Provider Name="Microsoft-Windows-Security-Auditing" > Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> > ??? <EventID>4625</EventID> > ??? <Version>0</Version> > ??? <Level>0</Level> > ??? <Task>12544</Task> > ??? <Opcode>0</Opcode> > ??? <Keywords>0x8010000000000000</Keywords> > ??? <TimeCreated SystemTime="2023-06-19T11:11:06.751282100Z" /> > ??? <EventRecordID>207808901</EventRecordID> > ??? <Correlation /> > ??? <Execution ProcessID="672" ThreadID="4664" /> > ??? <Channel>Security</Channel> > ??? <Computer>DC01.foreign.local</Computer> > ??? <Security /> > ? </System> > ? <EventData> > ??? <Data Name="SubjectUserSid">S-1-0-0</Data> > ??? <Data Name="SubjectUserName">-</Data> > ??? <Data Name="SubjectDomainName">-</Data> > ??? <Data Name="SubjectLogonId">0x0</Data> > ??? <Data Name="TargetUserSid">S-1-0-0</Data> > ??? <Data Name="TargetUserName">Administrator at MY.LOCAL</Data> > ??? <Data Name="TargetDomainName"> > ??? </Data> > ??? <Data Name="Status">0xc000006d</Data> > ??? <Data Name="FailureReason">%%2313</Data> > ??? <Data Name="SubStatus">0xc0000064</Data> > ??? <Data Name="LogonType">3</Data> > ??? <Data Name="LogonProcessName">NtLmSsp </Data> > ??? <Data Name="AuthenticationPackageName">NTLM</Data> > ??? <Data Name="WorkstationName">SRV01</Data> > ??? <Data Name="TransmittedServices">-</Data> > ??? <Data Name="LmPackageName">-</Data> > ??? <Data Name="KeyLength">0</Data> > ??? <Data Name="ProcessId">0x0</Data> > ??? <Data Name="ProcessName">-</Data> > ??? 
<Data Name="IpAddress">192.168.1.21</Data> > ??? <Data Name="IpPort">43912</Data> > ? </EventData> > </Event> > > greetings > Andy > > > >-------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20230619/7d13b938/OpenPGP_signature.sig>
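As an added example (not code from Andy's post or from Samba), a small Python triage helper for 4625 events like the one quoted above: it parses the event XML, decodes the NTSTATUS Status/SubStatus pair, and flags the pattern recorded on DC01, an NTLM logon offered for a principal of another realm. The sample event is constructed to mirror the post (fields trimmed, and the principal written with a real "@" rather than the list archive's "at" mangling); the NTSTATUS names are the standard Windows values.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Standard NTSTATUS codes as they appear in the 4625 Status / SubStatus fields.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE (bad username or authentication info)",
    0xC0000064: "STATUS_NO_SUCH_USER (this DC has no such account)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_event(xml_text):
    """Return (EventID, Computer, {Data Name: value}) from a Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data

def triage_4625(xml_text, local_realm):
    """Decode a 4625 and flag an NTLM logon for a principal of a different realm."""
    event_id, computer, d = parse_event(xml_text)
    if event_id != 4625:
        return None
    status, sub = int(d["Status"], 16), int(d["SubStatus"], 16)
    user = d["TargetUserName"]
    realm = user.rsplit("@", 1)[1].upper() if "@" in user else None
    return {
        "dc": computer, "user": user, "package": d["AuthenticationPackageName"],
        "source": f'{d["WorkstationName"]} ({d["IpAddress"]})',
        "logon_type": int(d["LogonType"]),
        "status": NTSTATUS.get(status, hex(status)),
        "substatus": NTSTATUS.get(sub, hex(sub)),
        # The post's case: MY.LOCAL's Administrator offered over NTLM to a
        # foreign.local DC, which knows no such account (SubStatus 0xC0000064).
        "foreign_realm_over_ntlm": realm is not None
            and realm != local_realm.upper() and d["AuthenticationPackageName"] == "NTLM",
    }

# Constructed sample mirroring the event in the post (fields trimmed).
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4625</EventID><Computer>DC01.foreign.local</Computer></System>
 <EventData>
  <Data Name="TargetUserName">Administrator@MY.LOCAL</Data>
  <Data Name="TargetDomainName"> </Data>
  <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc0000064</Data>
  <Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="WorkstationName">SRV01</Data><Data Name="IpAddress">192.168.1.21</Data>
 </EventData></Event>"""

if __name__ == "__main__":
    for key, value in triage_4625(SAMPLE_4625, "foreign.local").items():
        print(f"{key:24} {value}")
```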