
List:       samba
Subject:    Re: [Samba] status on samba trusts
From:       mj via samba <samba () lists ! samba ! org>
Date:       2019-02-28 15:50:38
Message-ID: 1be27067-41fd-e688-8099-e55896195292 () merit ! unu ! edu

Thanks everybody!

The sudden burst of help (both on- and offlist) is much appreciated. :-)

I'll get back to my test setup next week, and try again with these new 
insights.

MJ

On 2/28/19 3:46 PM, L.P.H. van Belle via samba wrote:
> Hi Maurik-Jan,
> 
> Stefan's work can be found here, I'm reading it myself and it's really good.
> 
> https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_si \
> m_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-1 \
> 1e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F
> But it's all German... You're close to Germany, so it should not be a problem for you.
> 
> 
> > I'll look into setting up a (query logging) dns proxy, that
> > should tell
> > us at least who is asking what.
> And... here you go, your bind logging for the proxy server. ;-)
> 
> // When needed, just include this file at the end of named.conf.local.
> // And don't forget: install -o named -g adm -m 640 -d /var/log/bind
> // and set up logrotate.
> 
> Just enable one or more of the categories below.
> 
> logging {
>     channel bind_log {
>         file "/var/log/bind/bind.log" versions 3 size 1m;
>         severity info;
>         print-category  yes;
>         print-severity  yes;
>         print-time      yes;
>     };
>     channel query_log {
>         file "/var/log/bind/query.log" size 1m;
>         // Set the severity to dynamic to follow the server's global debug
>         // level (rndc trace) and see all the debug messages.
>         severity debug 3;
>         // Add "print-time yes;" here if you want timestamps on query lines.
>     };
>     channel update_debug {
>         file "/var/log/bind/update_debug.log" versions 3 size 100k;
>         severity debug;
>         print-severity  yes;
>         print-time      yes;
>     };
>     channel security_info {
>         file "/var/log/bind/security_info.log" versions 1 size 100k;
>         severity info;
>         print-severity  yes;
>         print-time      yes;
>     };
>     channel xfer_log {
>         file "/var/log/bind/xfer.log" size 1m;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>         severity info;
>     };
> 
>     channel unmatched_log {
>         file "/var/log/bind/unmatched.log" size 1m;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>         severity info;
>     };
> 
>     // the default is to syslog
>     //category default { default_syslog; default_debug; };
> 
>     category default { bind_log; };
>     category lame-servers { null; };
>     //category update { update_debug; };
>     //category update-security { update_debug; };
>     category security { security_info; };
>     //category queries { query_log; };
>     //category unmatched { null; };
>     //category xfer-in { xfer_log; };
>     //category xfer-out { xfer_log; };
> 
> };
> 
> 
> 
> Regards,
> 
> Louis
> 
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces@lists.samba.org] On behalf of mj via samba
> > Sent: Thursday, 28 February 2019 15:32
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] status on samba trusts
> > 
> > Hi Stefan,
> > 
> > Thanks for your input. I'll check the dns stuff. I put resolvers for
> > both domains as primary and secondary on both machines, but I guess
> > that's not good enough.
> > 
> > I'll look into setting up a (query logging) dns proxy, that
> > should tell
> > us at least who is asking what.
> > 
> > Any chance to share that (german) article you wrote?
> > 
> > My german is not perfect, but good enough to understand a technical
> > article. :-)
> > 
> > Thanks for responding!
> > 
> > MJ
> > 
> > On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
> > > Now I have some time to answer, maybe a few of your questions.
> > > 
> > > On 26.02.19 at 20:59, lists via samba wrote:
> > > > Hi,
> > > > 
> > > > No replies unfortunately. Unsure why.
> > > There are still a lot of questions open and I think a lot of things have
> > > to be done.
> > > > 
> > > > We searched the list, and we found little discussion on the subject of
> > > > trusts. We see occasional questions, but they are often left unanswered,
> > > > like this one.
> > > > 
> > > > If someone could point us to some good up-to-date docs on trusts with
> > > > samba then we would really appreciate it.
> > > > 
> > > > We set up a test environment (one samba 4.9.4 testad2 AD, one native
> > > > windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
> > > > but we have just so many questions, and there is so little material (on
> > > > trusts, specific to the combination with samba) to read.
> > > Up to this point I did a few installations with two Samba4 domains.
> > > > 
> > > > Both AD domains (testad1 / testad2) are on the same subnet, and my test
> > > > client can join both domains successfully.
> > > Before you join the domain you should check if you can resolve the
> > > SRV records of both domains from either side. For this the best thing is
> > > to set up a DNS proxy between the two domains.
> > > > 
> > > > The trust (from samba's side) succeeds 'half' with an error when
> > > > validating the incoming trust at the end.
> > > Most of the time it's a DNS problem, so first check the SRV records.
> > > > 
> > > > Here are some outputs:
> > > > 
> > > > > root@testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com -U TESTAD1\\administrator
> > > > > LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> > > > > RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> > > > > 
> > > > > Password for [TESTAD1\administrator]:
> > > > > RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
> > > > > Creating remote TDO.
> > > > > Remote TDO created.
> > > > > Setting supported encryption types on remote TDO.
> > > > > Creating local TDO.
> > > > > Local TDO created
> > > > > Setting supported encryption types on local TDO.
> > > > > Validating outgoing trust...
> > > > > OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> > > > > Validating incoming trust...
> > > > > ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
> > > > 
> > > > > root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
> > > > > LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> > > > > LocalTDO Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
> > > > > OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> > > > > OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK]
> > > > > RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> > > > > 
> > > > > ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to connect netlogon server - ERROR(0xC0000034) - The object name is not found.
> > > Did you check the DNS?
> > > > 
> > > > > root@testad2dc:/var/log/samba# samba-tool domain trust list
> > > > > Type[External] Transitive[No]  Direction[BOTH] Name[testad1.company.com]
> > > > 
> > > > > root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
> > > > > LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> > > > > TrustedDomain:
> > > > 
> > > > > NetbiosName:    TESTAD1
> > > > > DnsName:        testad1.company.com
> > > > > SID:            S-1-5-21-2509583006-2398556320-3264531554
> > > > > Type:           0x2 (UPLEVEL)
> > > > > Direction:      0x3 (BOTH)
> > > > > Attributes:     0x4 (QUARANTINED_DOMAIN)
> > > > > PosixOffset:    0x00000000 (0)
> > > > > kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
> > > > > root@testad2dc:/var/log/samba# wbinfo --online-status
> > > > > BUILTIN : active connection
> > > > > TESTAD2 : active connection
> > > > > TESTAD1 : active connection
> > > > 
> > > > > root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
> > > > 
> > > > > root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
> > > > > TESTAD2\administrator
> > > > > TESTAD2\guest
> > > > > TESTAD2\krbtgt
> > > > > TESTAD2\testuser
> > > > 
> > > > On the windows 2012 testad1 side, we do NOT see the trust relation
> > > > listed under "Active directory domains and trusts". Trusted remote users
> > > > are not shown with wbinfo.
> > > wbinfo will NOT show you the users from the other domain; this is disabled.
> > > > 
> > > > For the rest there are some options to the "samba-tool domain trust
> > > > create" command that make us wonder:
> > > > 
> > > > --quarantined=yes|no (seems to be talking about SID filtering, whereas
> > > > the release notes always mention that NO filtering is done..?)
> > > You can set it, but (at the moment) it's ignored ;-)
> > > > 
> > > > --create-location=LOCATION (we wonder what is to be created local or on
> > > > both places)
> > > > 
> > > > So... many questions and so little to read... Pointers, ideas..?
> > > > 
> > > The only way I used the trusts so far is setting up a full trust. I've
> > > written an article in a German magazine about trusts. It's a little "how
> > > to" to create a working trust.
> > > > Thanks in advance!
> > > > 
> > > > MJ
> > > > 
> > > If you set up a full forest trust you can put users from any domain into
> > > the other domain and set permissions on fileservers and use the resources.
> > > 
> > > 
> > > 
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
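Louis's logging fragment routes the `queries` category to /var/log/bind/query.log once that line is uncommented, which is what MJ wants in order to see "who is asking what". The following is an added example, not code from this thread, from Samba or from BIND: a small Python script that reads such a query log and reports, per client address, which AD domain's SRV locator records that client looked up, separating them from ordinary name lookups. It tolerates the line layouts BIND 9.9 and 9.11+ write (with or without the `@0x...` client token, the leading timestamp and the `queries: info:` prefix). The lines in SAMPLE_LOG are constructed for the demo with documentation addresses (192.0.2.20 standing in for the Samba DC, 192.0.2.10 for the Windows DC, 192.0.2.1 for the proxy); they are not taken from anyone's logs, and the script name query_who.py is an assumption.

```python
import re
import sys
from collections import defaultdict

# Matches the "query:" line BIND writes for the queries category. The "@0x..."
# client token exists in BIND 9.11+; the timestamp and "queries: info:" prefix
# appear only when print-time / print-category / print-severity are enabled.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[0-9a-fA-F.:]+)\)"
)

# Constructed sample lines in the layouts above (not anyone's real logs;
# documentation addresses). 192.0.2.20 plays the Samba DC, 192.0.2.10 the
# Windows DC, 192.0.2.1 the logging proxy.
SAMPLE_LOG = """\
client 192.0.2.20#41552 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV + (192.0.2.1)
client 192.0.2.20#41553 (_kerberos._tcp.dc._msdcs.testad1.company.com): query: _kerberos._tcp.dc._msdcs.testad1.company.com IN SRV + (192.0.2.1)
28-Feb-2019 15:46:02.114 client @0x7f3c5c0a8e10 192.0.2.10#51234 (_ldap._tcp.dc._msdcs.testad2.company.com): query: _ldap._tcp.dc._msdcs.testad2.company.com IN SRV +E(0) (192.0.2.1)
28-Feb-2019 15:46:02.120 queries: info: client @0x7f3c5c0a8e10 192.0.2.10#51235 (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.testad2.company.com): query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.testad2.company.com IN SRV +E(0) (192.0.2.1)
client 192.0.2.20#41560 (win-0enaipfh11a.testad1.company.com): query: win-0enaipfh11a.testad1.company.com IN A + (192.0.2.1)
this line is not a query and is ignored
"""

def parse_query_lines(text):
    """Yield one dict per recognised query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()

def locator_domain(name):
    """AD domain an SRV locator name belongs to, or None for a plain name."""
    labels = name.rstrip(".").lower().split(".")
    if "_msdcs" in labels:  # _ldap._tcp.dc._msdcs.<domain>, site variants too
        return ".".join(labels[labels.index("_msdcs") + 1:]) or None
    if len(labels) > 2 and labels[0].startswith("_") and labels[1] in ("_tcp", "_udp"):
        rest = labels[2:]  # _kerberos._tcp.<domain> or _ldap._tcp.<site>._sites.<domain>
        if "_sites" in rest:
            rest = rest[rest.index("_sites") + 1:]
        return ".".join(rest) or None
    return None

def summarise(text):
    """(client -> domain -> sorted locator names asked, client -> other query count)."""
    locators = defaultdict(lambda: defaultdict(set))
    other = defaultdict(int)
    for q in parse_query_lines(text):
        dom = locator_domain(q["name"]) if q["qtype"] == "SRV" else None
        if dom:
            locators[q["client"]][dom].add(q["name"].lower())
        else:
            other[q["client"]] += 1
    return ({c: {d: sorted(n) for d, n in doms.items()} for c, doms in locators.items()},
            dict(other))

if __name__ == "__main__":  # usage: query_who.py [/var/log/bind/query.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    locators, other = summarise(text)
    for client in sorted(locators):
        for dom, names in sorted(locators[client].items()):
            print("%s looked up %d locator record(s) of %s:" % (client, len(names), dom))
            for n in names:
                print("    " + n)
    for client, n in sorted(other.items()):
        print("%s: %d other query line(s)" % (client, n))
```

Run it on the proxy as `python3 query_who.py /var/log/bind/query.log`; without an argument it summarises the built-in sample. With Louis's query_log channel as posted there is no print-time, so the lines carry no timestamp, which the pattern tolerates. A DC that never asks for the other domain's `_msdcs` records at all, or asks a resolver that is not the proxy, shows up as an absent client here rather than as a failed answer, which is often the more useful finding. The log records every client and every name queried, which is why the posted config creates the directory with mode 640; rotate it and turn the category off again once the trust works.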


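Stefan's first advice in the thread is to verify, before joining or creating the trust, that each side can resolve the other domain's SRV records. As an added example that is not part of the thread and not code from Samba or BIND, here is a Python script that sends raw SRV queries over UDP to a chosen DNS server for the standard AD DC locator names of a domain and reports which ones come back empty, so it can be run on the Samba DC against the Windows DC's DNS and the other way round. The locator record names are the standard AD ones; the script name srvcheck.py and the fixed transaction id are assumptions, and sample_response() builds a constructed reply packet (not captured traffic) so the parser can be exercised offline.

```python
import socket
import struct
import sys

# Standard AD DC locator records ({d} = AD DNS domain); each side of a trust
# must resolve the other domain's set through its own resolver.
AD_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
    "_gc._tcp.{d}",
)
QTYPE_SRV, QCLASS_IN = 33, 1
TXID = 0x5AB1  # fixed id is fine for a one-shot diagnostic (assumption)

def ad_srv_names(domain):
    d = domain.rstrip(".").lower()
    return [t.format(d=d) for t in AD_SRV_TEMPLATES]

def encode_name(name):
    """Wire-format a DNS name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"

def build_srv_query(name, txid=TXID):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32:  # refuse pointer loops in a hostile reply
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_srv_answers(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, records

def query_srv(name, resolver, timeout=3.0):
    """One UDP SRV lookup sent straight to the other side's DNS server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (resolver, 53))
        msg, _ = s.recvfrom(4096)
    if struct.unpack("!H", msg[:2])[0] != TXID:
        raise ValueError("transaction id mismatch")
    return parse_srv_answers(msg)

def sample_response():
    """Constructed reply (not captured traffic): one SRV answer whose owner
    name is a compression pointer (0xC00C) back to the question at offset 12."""
    q = "_ldap._tcp.dc._msdcs.testad1.company.com"
    rdata = struct.pack("!HHH", 0, 100, 389) + encode_name("win-0enaipfh11a.testad1.company.com")
    return (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
            + encode_name(q) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, len(rdata))
            + rdata)

if __name__ == "__main__":  # usage: srvcheck.py <ad-domain> <resolver-ip>
    for name in ad_srv_names(sys.argv[1]):
        try:
            rcode, recs = query_srv(name, sys.argv[2])
            print("%-48s %s" % (name, recs or "MISSING (rcode %d)" % rcode))
        except (OSError, ValueError) as e:
            print("%-48s NO REPLY: %s" % (name, e))
```

On testad2dc run `python3 srvcheck.py testad1.company.com <dns-ip-of-testad1>` and, from a host on the testad1 side, the reverse against the Samba DC's DNS; each name should print a target such as the DC hostname with port 389 or 88. A name that times out or returns rcode 3 (NXDOMAIN) from one side is the kind of gap Stefan's advice is about, and it is the `_msdcs` names that a DC uses to find the other domain's logon servers. The script talks to the server you name rather than to the system resolver on purpose: MJ's setup lists both domains' resolvers, and which one actually answers is exactly what is uncertain.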