In this article we would like to inform IT administrators and other IT-interested readers about the options for a trust between two domains (UCS Samba/AD and Microsoft AD). Setting up a trust gives the users of one domain access to the resources of another, which can widen what they are able to do in some situations.
In our example, we will specifically refer to the interaction between Samba in UCS and Microsoft Windows, explaining in detail how a so-called trust relationship can be configured and informing about the current state of implementation.
Trusts in Windows: Option ‘External Trust’
Windows NT domains could already be configured to trust the authentication decisions of another domain – the so-called ‘external trust’ – and the Samba project supported this accordingly in the 3.x series of the software.
In addition to external trusts, Active Directory domains also know trusts of the ‘forest’ type. For forest trusts, as always with Kerberos, synchronized system time between both domains is essential.
Trusts in Samba 4
In Samba/AD domains, i.e. from Samba 4.0 onwards, trusts were unfortunately no longer supported, because the project first focused on stabilizing the new Active Directory-related components and later on the new protocol versions SMB2 and SMB3. With the unification of the two Winbind implementations from Samba 3.x and Samba 4.x – which Univention, among others, supported – it became possible for the first time to establish trusts with Samba 4.3 as well. The first tests with Samba 4.3.7 at the beginning of 2016, however, showed that the stability of these trusts was not yet sufficient for production use. Fortunately, with Samba 4.5.1 this problem was fixed.
Uni- and Bidirectional Trust
A trust relationship between two domains can be unidirectional or bidirectional. To establish a unidirectional trust, originating from a ‘resource domain’ (‘trusting domain’) and addressing an ‘account domain’ (also ‘trusted domain’), a so-called ‘Trust Domain Object’ (TDO) must be created in the resource domain. This is a special authentication account that is created in the resource domain and given a password, which is stored in plain text in the account domain during setup. In Samba/AD domains this configuration is very easy to set up on the command line with the tool samba-tool, regardless of whether the trust is uni- or bidirectional.
The prerequisite for this, however, is that DNS resolution works across both domains: at least the FQDNs of the other domain’s domain controllers must be resolvable for the communication between the domains to work. The best way to achieve this is to configure DNS forwarding in both domains.
Example of a bidirectional trust
For the following example we assume that the UCS DC master “master.ucsdom.example” has the IP address 10.200.8.10 and that the native Microsoft Active Directory DC “dc1.addom.example” has the IP address 10.200.8.20.
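With these example values, the DNS prerequisite check and the samba-tool trust creation described in the previous sections can be scripted on the UCS DC master as follows. This is an added illustration, not a command sequence from the article or from Univention; it assumes that DNS forwarding is already configured in both domains, that the script runs as root on master.ucsdom.example, and that the -U credentials belong to an administrator of the remote (Microsoft AD) domain.

```bash
#!/bin/bash
# Preflight check and trust creation for the UCS Samba/AD <-> Microsoft AD
# example above. Values below are the article's example names; the DNS
# forwarding between the domains is assumed to be in place already.
REMOTE_DOMAIN="addom.example"
REMOTE_DC="dc1.addom.example"
LOCAL_DC="master.ucsdom.example"

# The remote DC's FQDN must resolve on this host (and vice versa on the
# other side); getent uses this host's resolver configuration.
dc_resolvable() {
    getent hosts "$1" >/dev/null 2>&1
}

# Build the samba-tool command line. type: external|forest,
# direction: incoming|outgoing|both. --create-location=both creates the
# TDO (and its password) in both domains in one step, which is why remote
# admin credentials are required. Returns 1 on an invalid type/direction.
trust_create_cmd() {
    local remote_domain="$1" type="$2" direction="$3" admin="$4"
    case "$type" in external|forest) ;; *) return 1 ;; esac
    case "$direction" in incoming|outgoing|both) ;; *) return 1 ;; esac
    echo "samba-tool domain trust create $remote_domain --type=$type --direction=$direction --create-location=both -U$admin"
}

# Run the checks, create a bidirectional forest trust and validate it.
# Forest trusts rely on Kerberos, so both DCs' clocks must be in sync
# (NTP); that is not checked here.
setup_trust() {
    for host in "$REMOTE_DC" "$LOCAL_DC"; do
        dc_resolvable "$host" || { echo "cannot resolve $host" >&2; return 1; }
    done
    local cmd
    cmd=$(trust_create_cmd "$REMOTE_DOMAIN" forest both Administrator) || return 1
    echo "+ $cmd"
    $cmd || return 1
    samba-tool domain trust validate "$REMOTE_DOMAIN" -UAdministrator
    samba-tool domain trust list
}

# Only act when explicitly requested, so sourcing the file is side-effect free.
if [ "${RUN_TRUST_SETUP:-0}" = "1" ]; then
    setup_trust
fi
```

Run it with `RUN_TRUST_SETUP=1 ./setup-trust.sh`; for a one-way trust replace `both` with `incoming` or `outgoing` as seen from the UCS domain.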