
5.3. Creating a two-way transitive trust

5.3.1. Two Samba domains

On the domain controller dc1.test.alt (the password requested is that of an administrator of the remote domain EXAMPLE.ALT, as given by -U):
# samba-tool domain trust create EXAMPLE.ALT --type=forest --direction=both --create-location=both -U administrator@EXAMPLE.ALT
LocalDomain Netbios[TEST] DNS[test.alt] SID[S-1-5-21-1455776928-3410124986-2843404052]
RemoteDC Netbios[S1] DNS[s1.example.alt] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6]
Password for [administrator@EXAMPLE.ALT]:
RemoteDomain Netbios[EXAMPLE] DNS[example.alt] SID[S-1-5-21-3274802069-598906262-3677769431]
Creating remote TDO.
Remote TDO created.
Setting supported encryption types on remote TDO.
Creating local TDO.
Local TDO created
Setting supported encryption types on local TDO.
Setup local forest trust information...
Namespaces[2] TDO[example.alt]:
TLN: Status[Enabled]                  DNS[*.example.alt]
DOM: Status[Enabled]                  DNS[example.alt] Netbios[EXAMPLE] SID[S-1-5-21-3274802069-598906262-3677769431]
Setup remote forest trust information...
Namespaces[2] TDO[test.alt]:
TLN: Status[Enabled]                  DNS[*.test.alt]
DOM: Status[Enabled]                  DNS[test.alt] Netbios[TEST] SID[S-1-5-21-1455776928-3410124986-2843404052]
Validating outgoing trust...
OK: LocalValidation: DC[\\s1.example.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Validating incoming trust...
OK: RemoteValidation: DC[\\dc1.test.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Success

Important

To log in to the trusted domain via SSSD, the trust must be created with --type=external rather than --type=forest.
Checking the trust:
  • Viewing the trust from dc1.test.alt:
    [root@dc1 ~]# samba-tool domain trust show EXAMPLE.ALT
    LocalDomain Netbios[TEST] DNS[test.alt] SID[S-1-5-21-1455776928-3410124986-2843404052]
    TrustedDomain:
    
    NetbiosName:    EXAMPLE
    DnsName:        example.alt
    SID:            S-1-5-21-3274802069-598906262-3677769431
    Type:           0x2 (UPLEVEL)
    Direction:      0x3 (BOTH)
    Attributes:     0x8 (FOREST_TRANSITIVE)
    PosixOffset:    0x00000000 (0)
    kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
    Namespaces[2] TDO[example.alt]:
    TLN: Status[Enabled]                  DNS[*.example.alt]
    DOM: Status[Enabled]                  DNS[example.alt] Netbios[EXAMPLE] SID[S-1-5-21-3274802069-598906262-3677769431]
    
    
  • Viewing the trust from s1.example.alt:
    [root@s1 ~]# samba-tool domain trust show TEST.ALT
    LocalDomain Netbios[EXAMPLE] DNS[example.alt] SID[S-1-5-21-3274802069-598906262-3677769431]
    TrustedDomain:
    
    NetbiosName:    TEST
    DnsName:        test.alt
    SID:            S-1-5-21-1455776928-3410124986-2843404052
    Type:           0x2 (UPLEVEL)
    Direction:      0x3 (BOTH)
    Attributes:     0x8 (FOREST_TRANSITIVE)
    PosixOffset:    0x00000000 (0)
    kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
    Namespaces[2] TDO[test.alt]:
    TLN: Status[Enabled]                  DNS[*.test.alt]
    DOM: Status[Enabled]                  DNS[test.alt] Netbios[TEST] SID[S-1-5-21-1455776928-3410124986-2843404052]
    
  • Listing trusts:
    [root@dc1 ~]# samba-tool domain trust list
    Type[Forest]   Transitive[Yes] Direction[BOTH]     Name[example.alt]
    
The output differs between domains, depending on the type of trust established with each one.
If, after the trust has been configured, users from the trusted domain have problems accessing your domain, first verify that the trust is actually established:
[root@dc1 ~]# samba-tool domain trust validate EXAMPLE.ALT -Uadministrator@EXAMPLE.ALT
LocalDomain Netbios[TEST] DNS[test.alt] SID[S-1-5-21-1455776928-3410124986-2843404052]
LocalTDO Netbios[EXAMPLE] DNS[example.alt] SID[S-1-5-21-3274802069-598906262-3677769431]
OK: LocalValidation: DC[\\s1.example.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\s1.example.alt] CONNECTION[WERR_OK]
RemoteDC Netbios[S1] DNS[s1.example.alt] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6]
Password for [administrator@EXAMPLE.ALT]:
OK: RemoteValidation: DC[\\dc1.test.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: RemoteRediscover: DC[\\dc1.test.alt] CONNECTION[WERR_OK]
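The listings above are meant to be read by eye. The following is an added example, not part of the ALT Linux documentation and not Samba's own tooling: a POSIX shell script that runs the same checks mechanically over the text that `samba-tool domain trust show` and `samba-tool domain trust validate` print, so that the properties that matter (Direction BOTH, FOREST_TRANSITIVE, AES-only kerb_EncTypes with no RC4 or DES, every status code WERR_OK and the incoming side actually validated) are asserted rather than eyeballed. The function names `check_trust_show` and `check_trust_validate` are this example's own; the passing samples are copied from the listings above, while the failing samples (a one-way trust with RC4 enabled, and a validation that returns WERR_NO_LOGON_SERVERS) are constructed, and the exact wording of a failing validate line is assumed, since only the WERR_ code is inspected.

```shell
#!/bin/sh
# Added example (not from the ALT Linux documentation or from Samba):
# checks over the output of `samba-tool domain trust show` and
# `samba-tool domain trust validate`. On a DC you would run, e.g.:
#   samba-tool domain trust show EXAMPLE.ALT | check_trust_show
#   samba-tool domain trust validate EXAMPLE.ALT -Uadministrator@EXAMPLE.ALT | check_trust_validate
# The sample outputs at the end are constructed for this example.

# check_trust_show: reads `trust show` output from stdin.
# Returns 0 when the trust is two-way (Direction BOTH), carries the
# FOREST_TRANSITIVE attribute and negotiates AES only (no RC4/DES);
# otherwise prints each failed check and returns 1.
check_trust_show() {
    out=$(cat)
    rc=0
    if ! printf '%s\n' "$out" | grep -q '^ *Direction:.*(BOTH)'; then
        echo "FAIL: Direction is not BOTH (trust is not two-way)"
        rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q '^ *Attributes:.*FOREST_TRANSITIVE'; then
        echo "FAIL: trust is not a transitive forest trust"
        rc=1
    fi
    # '|| true' keeps the assignment from failing under set -e when the line is absent
    enc=$(printf '%s\n' "$out" | grep '^ *kerb_EncTypes:' || true)
    case "$enc" in
        *RC4_HMAC_MD5*|*DES_CBC*)
            echo "FAIL: weak Kerberos enctype allowed on the TDO: $enc"
            rc=1 ;;
        *AES256_CTS_HMAC_SHA1_96*)
            ;;
        *)
            echo "FAIL: AES256 not enabled on the TDO: ${enc:-no kerb_EncTypes line}"
            rc=1 ;;
    esac
    return $rc
}

# check_trust_validate: reads `trust validate` output from stdin.
# Returns 0 only if every WERR_ code printed is WERR_OK and the remote
# (incoming) side reports VERIFY_STATUS_RETURNED; otherwise returns 1.
check_trust_validate() {
    out=$(cat)
    bad=$(printf '%s\n' "$out" | grep -o 'WERR_[A-Z0-9_]*' | grep -v '^WERR_OK$' | sort -u)
    if [ -n "$bad" ]; then
        echo "FAIL: validation reported: $(printf '%s\n' "$bad" | tr '\n' ' ')"
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'RemoteValidation:.*VERIFY_STATUS_RETURNED'; then
        echo "FAIL: incoming trust was not validated by the remote DC"
        return 1
    fi
    return 0
}

# Constructed sample: the trust as shown on dc1.test.alt above (AES-only, two-way).
GOOD_SHOW='LocalDomain Netbios[TEST] DNS[test.alt] SID[S-1-5-21-1455776928-3410124986-2843404052]
TrustedDomain:

NetbiosName:    EXAMPLE
DnsName:        example.alt
SID:            S-1-5-21-3274802069-598906262-3677769431
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x8 (FOREST_TRANSITIVE)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)'

# Constructed sample of a weaker trust: one-way, with RC4 (bit 0x4) enabled.
WEAK_SHOW='Direction:      0x1 (INBOUND)
Attributes:     0x8 (FOREST_TRANSITIVE)
kerb_EncTypes:  0x1c (RC4_HMAC_MD5,AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)'

# Constructed sample: the successful validation shown above.
GOOD_VALIDATE='OK: LocalValidation: DC[\\s1.example.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\s1.example.alt] CONNECTION[WERR_OK]
OK: RemoteValidation: DC[\\dc1.test.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: RemoteRediscover: DC[\\dc1.test.alt] CONNECTION[WERR_OK]'

# Constructed sample of a failing validation (line wording assumed; only the WERR_ code matters).
BAD_VALIDATE='OK: LocalValidation: DC[\\s1.example.alt] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\s1.example.alt] CONNECTION[WERR_OK]
RemoteValidation: DC[\\dc1.test.alt] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_OK]'

printf '%s\n' "$GOOD_SHOW" | check_trust_show && echo "trust show: OK"
printf '%s\n' "$WEAK_SHOW" | check_trust_show || echo "trust show: weak trust rejected"
printf '%s\n' "$GOOD_VALIDATE" | check_trust_validate && echo "trust validate: OK"
printf '%s\n' "$BAD_VALIDATE" | check_trust_validate || echo "trust validate: failure detected"
```

The checks key on the field names Samba prints (Direction, Attributes, kerb_EncTypes, the WERR_ codes), not on column positions, so leading indentation or extra lines such as the password prompt do not matter. Because `samba-tool domain trust validate` needs the remote administrator's password, run it interactively and pipe only its output into the check; the absence of a RemoteValidation line is treated as a failure so that an incoming trust that was never verified cannot pass silently.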