Discussion:
[Samba] Testing forest trusts in a Samba 4.4.5 AD environment
Alex Crow
2016-07-11 12:55:44 UTC
Hi List,

I am currently testing inter-forest trusts between a pair of AD domains.
All DCs and member servers are using Sernet Samba 4.4.5.

I have set up conditional forwarding in my BIND setup (I'm using
BIND9_DLZ) and all machines can resolve each other. On the DCs, I can
see users from the other side of the trust using wbinfo -u
--domain=<other domain>. In addition if I set up ID mapping in smb.conf
on the DCs, getent group/password work fine (using winbind in
nsswitch.conf).

There are two parts I'm struggling to get working. On member servers
(file servers in my case), even with an ID mapping set up in smb.conf,
wbinfo -u --domain=<other domain> returns nothing, and I see errors in
log.wb-<domain>:

[2016/07/11 13:48:25.449458, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:25.449700, 0]
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
internal error occurred.
[2016/07/11 13:48:26.015483, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:26.444479, 0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Key version is not available]
[2016/07/11 13:48:26.444610, 0]
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
internal error occurred

Understandably getent fails here too. Here's an example smb.conf from a
member server:

[global]

workgroup = AAA_NET
realm = samba.aaa.net
netbios name = S4FILES
security = ADS
#bind interfaces only = yes
#interfaces = eth0, lo
#dedicated keytab file = /etc/krb5.keytab
#kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
clustering = yes
#private dir = /mfs/ctdb/private


idmap config *:backend = tdb
idmap config *:range = 200000-300000
idmap config AAA_NET:backend = ad
idmap config AAA_NET:default = yes
idmap config AAA_NET:schema_mode = rfc2307
idmap config AAA_NET:range = 500-199999

idmap config BBB:backend = rid
idmap config BBB:range = 3000000-3100000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

The other issue I have is when trying to work with accounts from the
other side of the trust within Windows. For instance, when trying to add
a user from the "other" domain to permissions on a directory, I can
indeed select the accounts in the picker, get prompted for credentials
on the other domain, but at the final step get an error: "The Active
Directory Domain Controllers required to find the selected objects in
the following domains are not available: samba.bbb.net. Ensure the
Active Directory Domain Controllers are available, and try to select the
objects again".

Now I'm aware that it's early days for trusts in AD with Samba, but I'm
curious if there is something I'm missing here or others may have got
further than I have.

Many thanks

Alex
--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
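The text "Key version is not available" in the gse.c lines above is Heimdal's message for KRB5KRB_AP_ERR_BADKEYVER: the key version number (kvno) presented does not match any key the other side has. The routine first check for that error class on a Samba member is to compare the kvno of every principal in the machine's keytab (as printed by `klist -kte`) with the account's current msDS-KeyVersionNumber in the directory; after a machine password change the two drift apart until the keytab is regenerated (`net ads keytab create`). Note that this only matters when winbind is configured to use a keytab at all (`kerberos method` other than the default `secrets only`); in the smb.conf above those lines are commented out. The following is an added example written for this thread, not code from the list or from Samba; the keytab listing and the directory kvno are constructed stand-ins, and the line format assumed is that of MIT `klist -kte`.

```python
"""Compare keytab key version numbers with the account's current kvno.

Added example for the "Key version is not available" errors in the thread;
not code from the list or from Samba.  SAMPLE_KLIST imitates `klist -kte`
output for an MIT-format keytab and DIRECTORY_KVNO stands in for the machine
account's msDS-KeyVersionNumber; both are constructed values.
"""
import re

# Constructed sample of `klist -kte /etc/krb5.keytab` output: the host/ SPN
# entries still carry kvno 2 while the account has already moved to kvno 3.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/17/2015 10:02:41 host/s4files.samba.aaa.net@SAMBA.AAA.NET (aes256-cts-hmac-sha1-96)
   2 11/17/2015 10:02:41 host/s4files.samba.aaa.net@SAMBA.AAA.NET (arcfour-hmac)
   3 07/06/2016 18:43:12 S4FILES$@SAMBA.AAA.NET (aes256-cts-hmac-sha1-96)
   3 07/06/2016 18:43:12 S4FILES$@SAMBA.AAA.NET (arcfour-hmac)
"""

# Constructed stand-in for msDS-KeyVersionNumber of S4FILES$ read from a DC.
DIRECTORY_KVNO = 3

# One keytab entry: kvno, a two-token timestamp, the principal and an
# optional "(enctype)" suffix.  Header and separator lines do not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<princ>\S+)(?:\s+\((?P<enctype>[^)]+)\))?\s*$"
)


def parse_klist(text):
    """Return {principal: set of kvnos present in the keytab}."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header, separator or blank line
        keys.setdefault(m.group("princ"), set()).add(int(m.group("kvno")))
    return keys


def stale_principals(keys, directory_kvno):
    """Principals with no keytab key matching the account's current kvno.

    A Kerberos peer that picked up a service ticket encrypted with the
    current key cannot be served from these entries, which is what the
    BADKEYVER error reports.  Returns a sorted list of (principal, kvnos).
    """
    return sorted(
        (princ, sorted(kvnos))
        for princ, kvnos in keys.items()
        if directory_kvno not in kvnos
    )


if __name__ == "__main__":
    for princ, kvnos in stale_principals(parse_klist(SAMPLE_KLIST), DIRECTORY_KVNO):
        print(f"{princ}: keytab has kvno {kvnos}, directory has {DIRECTORY_KVNO}")
```

On a real member server, feed it the output of `klist -kte` and the msDS-KeyVersionNumber of the machine account; every principal belonging to that account should carry the directory's kvno.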
Alex Crow
2016-07-11 17:50:28 UTC
I've had another go at this by deleting and recreating the trust
without --type=forest. It makes a slight improvement, in that:

1) I can assign permissions on files/directories served up by DCs
without the "DCs not available" issue, whereas with --type=forest I got
it even on DCs.
2) I can log in to a domain client W7 VM with an account from the trust
domain

However, I still can't see any accounts on Samba member servers via
wbinfo -u --domain=<otherdom>, or with getent, and now after adding
permissions on a directory in domain "AAA" to a user in "BBB", when I
check the properties->Security from a windows machine in domain BBB, the
ACL entry shows "Unknown SID", even though it is clearly a SID in Domain
"BBB".

I hope this helps...

Thanks again

Alex


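Two things in the member-server smb.conf and in the "Unknown SID" observation above can be checked mechanically: the idmap ranges must not overlap (winbind refuses to map IDs from overlapping ranges), and a SID shown as unknown can be tested against the trusted domain's SID and then mapped the way the configured idmap_rid backend would do it (ID = RID - base_rid + low range, per the idmap_rid man page). The following is an added example written for this thread, not code from the list or from Samba; it parses the idmap lines exactly as posted, and the BBB domain SID and user RID it uses are constructed values.

```python
"""Check idmap ranges from smb.conf and map a trusted-domain SID via idmap_rid.

Added example for the member-server smb.conf and the "Unknown SID" ACL entry
discussed in the thread; not code from the list or from Samba.  The idmap
lines are the ones posted; BBB_DOMAIN_SID and the RIDs used are constructed.
"""
import re

# The idmap lines from the posted member-server smb.conf, verbatim.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 200000-300000
idmap config AAA_NET:backend = ad
idmap config AAA_NET:default = yes
idmap config AAA_NET:schema_mode = rfc2307
idmap config AAA_NET:range = 500-199999
idmap config BBB:backend = rid
idmap config BBB:range = 3000000-3100000
"""

# Constructed: the domain SID of BBB as a Windows ACL editor would show it.
BBB_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains


def parse_range(text):
    """'LOW-HIGH' -> (low, high); rejects an inverted range."""
    low, high = (int(x) for x in text.split("-"))
    if low > high:
        raise ValueError(f"inverted idmap range {text}")
    return low, high


def check_idmap(domains):
    """List problems: a domain without backend or range, or overlapping ranges."""
    problems, ranges = [], []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        ranges.append((dom, *parse_range(opts["range"])))
    ranges.sort(key=lambda r: r[1])  # by low end
    for (d1, l1, h1), (d2, l2, h2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"{d1} {l1}-{h1} overlaps {d2} {l2}-{h2}")
    return problems


def sid_domain_and_rid(sid):
    """Split S-1-5-21-a-b-c-RID into (domain SID, RID)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def rid_backend_uid(domains, domain, sid, domain_sid):
    """Map a SID through the domain's idmap_rid range: ID = RID - base_rid + low.

    Returns None when the SID does not belong to domain_sid or when the
    computed ID falls outside the configured range; winbind would not map
    such a SID either, and an ACL editor then shows it as an unknown SID.
    """
    opts = domains[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    prefix, rid = sid_domain_and_rid(sid)
    if prefix != domain_sid:
        return None
    low, high = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", 0))  # idmap_rid default
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("idmap problems:", check_idmap(cfg) or "none")
    print("BBB RID 1105 ->", rid_backend_uid(cfg, "BBB", BBB_DOMAIN_SID + "-1105", BBB_DOMAIN_SID))
```

With the posted ranges there is no overlap, and a BBB user with RID 1105 would land on uid 3001105; a RID above 100000 falls outside the 3000000-3100000 range and stays unmapped, which is one reason for an "Unknown SID" entry that is worth ruling out before looking at the trust itself.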
mathias dufresne
2016-07-12 08:36:30 UTC
Hi Alex,

Nice information about forest type.
Regarding listing domain users, have you tried to set up samba with:
winbind use default domain = no?
Alex Crow
2016-07-12 10:55:11 UTC
Post by mathias dufresne
Hi Alex,
Nice information about forest type.
winbind use default domain = no?
Hi,

Yes I have, and it works as expected (i.e. all from the local domain are
prepended with DOMAIN\), but it does not solve anything for my trusted
domain accounts on member servers.

It's good to see it's got this far though, even though I'll have to work
around it for now (we have another group company that is working fine
with trusts, NT-style, and we'd ideally like to be able to have the same
working with Samba AD).

Thanks

Alex

mathias dufresne
2016-07-12 11:22:48 UTC
Database size would interest us here, with and without trust, if you have
these metrics. The global catalog is supposed to store some attributes of
almost all objects of all trusted domains, if my understanding is correct,
and we have no real idea about what that means in concrete terms.
Alex Crow
2016-07-12 11:30:17 UTC
Post by mathias dufresne
Database size would interest us here, with and without trust, if you
have these metrics. The global catalog is supposed to store some
attributes of almost all objects of all trusted domains, if my
understanding is correct, and we have no real idea about what that
means in concrete terms.
One domain has 3 users, the other about 400.

On one of the small domain DCs:

srwxrwxrwx 1 root root 0 Jul 10 17:14 ldapi
drwxr-xr-x 2 root root 6 Nov 17 2015 smbd.tmp
drwxr-x--- 2 root root 18 Jul 10 17:14 ldap_priv
drwxrwx--- 3 root named 36 Jul 7 13:08 dns
drwx------ 2 root root 48 Nov 17 2015 tls
-rw-r--r-- 1 root root 95 Nov 17 2015 krb5.conf
-r--r--r-- 1 root root 284 Nov 17 2015 named.conf.update
-rwxrwxrwx 1 root root 633 Jul 6 18:43 named.conf
-rw------- 1 root root 696 Nov 17 2015 randseed.tdb
-rw-r----- 1 root named 762 Jul 6 18:43 dns.keytab
-rw-r--r-- 1 root root 955 Nov 17 2015 spn_update_list
-rw------- 1 root root 1.1K Nov 17 2015 secrets.keytab
-rw------- 1 root root 2.0K Apr 13 07:36 dns_update_cache
-rw-r--r-- 1 root root 2.1K Jul 6 18:43 named.txt
-rw-r--r-- 1 root root 3.2K Nov 17 2015 dns_update_list
drwxr-x--- 2 root named 4.0K Jul 7 13:08 sam.ldb.d
drwx------ 2 root root 4.0K Jul 12 12:25 msg.sock
-rw------- 1 root root 24K Jul 12 11:59 schannel_store.tdb
-rw------- 1 root root 24K Jul 11 15:00 netlogon_creds_cli.tdb
-rw------- 1 root root 416K Nov 17 2015 secrets.tdb
-rw------- 1 root root 1.3M Nov 17 2015 share.ldb
-rw------- 1 root root 1.3M Jul 6 18:43 secrets.ldb
-rw------- 1 root root 1.3M Nov 17 2015 privilege.ldb
-rw------- 1 root root 1.3M Nov 17 2015 hklm.ldb
-rw------- 1 root root 3.1M Jul 12 12:19 idmap.ldb
-rw------- 1 root root 4.1M Nov 17 2015 sam.ldb

On the large domain DC:

srwxrwxrwx 1 root root 0 Jul 12 10:13 ldapi
drwxr-xr-x 2 root root 6 Jul 2 03:29 smbd.tmp
drwxr-x--- 2 root root 18 Jul 12 10:13 ldap_priv
drwxrwx--- 3 root named 36 Jul 2 03:21 dns
drwx------ 2 root named 48 Jul 2 03:29 tls
-rw-r--r-- 1 root named 94 Jul 2 03:21 krb5.conf
-r--r--r-- 1 root root 231 Jul 2 03:29 named.conf.update
-rw-r--r-- 1 root named 633 Jul 2 03:21 named.conf
-rw-r----- 1 root named 807 Jul 2 03:21 dns.keytab
-rw-r--r-- 1 root named 955 Jul 2 03:21 spn_update_list
-rw------- 1 root named 1.2K Jul 2 03:21 secrets.keytab
-rw------- 1 root root 1.9K Jul 2 03:29 dns_update_cache
-rw-r--r-- 1 root named 2.1K Jul 2 03:21 named.txt
-rw-r--r-- 1 root named 3.2K Jul 2 03:21 dns_update_list
drwxr-x--- 2 root named 4.0K Jul 2 03:21 sam.ldb.d
drwx------ 2 root named 4.0K Jul 12 12:26 msg.sock
-rw------- 1 root root 24K Jul 12 12:24 schannel_store.tdb
-rw------- 1 root root 24K Jul 12 10:13 netlogon_creds_cli.tdb
-rw------- 1 root root 420K Jul 2 03:29 secrets.tdb
-rw------- 1 root named 1.3M Jul 2 03:11 wins.ldb
-rw------- 1 root named 1.3M Jul 2 03:11 share.ldb
-rw------- 1 root named 1.3M Jul 2 03:21 secrets.ldb
-rw------- 1 root named 1.3M Jul 2 03:21 privilege.ldb
-rw------- 1 root named 1.3M Jul 2 03:21 hklm.ldb
-rw------- 1 root named 1.6M Jul 12 11:01 idmap.ldb
-rw------- 1 root named 4.1M Jul 2 03:21 sam.ldb

As you can see, the DB sizes are similar...

Hope this is of help,

Alex
