When I follow https://docs.software-univention.de/manual/5.2/en/windows/trust.html to create an external trust with my MS Server, I get errors:

```
samba-tool domain trust create mgmt1.nvzd.sh -k no -UADDOM\\Administrator%univention#123 --type=external --direction=incoming
WARNING: The option -k|--kerberos is deprecated!
LocalDomain Netbios[UCS-NVZD] DNS[ucs-nvzd.sh] SID[S-1-5-21-3967756405-3244043203-1543922791]
RemoteDC Netbios[WIN-MGMT1] DNS[WIN-MGMT1.MGMT1.NVZD.SH] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,DS_9,DS_10,__unknown_00020000__]
ERROR: REMOTE_DC[WIN-MGMT1.MGMT1.NVZD.SH]: failed to query LSA_POLICY_INFO_DNS - ERROR(0xC0000022) - {Access Denied} A process has requested access to an object but has not been granted those access rights.
```

```
univention-app info
UCS: 5.2-1 errata90
Installed: adconnector=16.0 adtakeover=9.0 samba4=4.21 5.0/keycloak=26.1.4-ucs2
Upgradable:
```

I tested this with a Windows Server 2016 with Domain Level 2012 R2 and 2016. This worked well with UCS 5.0 / samba 4.18.

https://bugzilla.samba.org/show_bug.cgi?id=15680 seems to be the root cause for this! A fix for samba 4.22 should be available. I will try again with samba 4.22.
The "dumb" update from samba 4.21 to 4.22 by using debian backports is not possible because of different dependencies:

```
apt install -t bookworm-backports samba
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bc heimdal-kdc heimdal-servers libbasicobjects0 libc-ares2 libcollection4 libdhash1 libini-config5 libipa-hbac0 libkdc2-heimdal libnl-route-3-200 libnss-extrausers libnss-sss libpam-heimdal libpam-pwquality libpam-sss libpam-univentionmailcyrus libpath-utils1 libpwquality-common libpwquality1 libref-array1 libsss-certmap0 libsss-idmap0 libsss-nss-idmap0 memtest86+ netcat-openbsd nfs-kernel-server nscd pam-runasroot postgresql-client postgresql-client-11 python3-filetype python3-gdbm python3-genshi python3-gnupg python3-mimeparse python3-pygresql python3-renderpm python3-reportlab python3-reportlab-accel python3-sss python3-systemd python3-trml2pdf python3-univention-connector python3-univention-connector-ad python3-univention-directory-manager-rest python3-univention-directory-manager-rest-client python3-univention-directory-reports python3-univention-group-membership-cache python3-univention-pkgdb python3-univention-portal samba-vfs-modules sssd-common sssd-dbus sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy sssd-tools univention-directory-manager-rest univention-directory-notifier univention-directory-reports univention-firewall univention-group-membership-cache univention-heimdal-kdc univention-home-mounter univention-initrd univention-ldap-acl-master univention-ldap-config-master univention-license-import univention-mail-postfix univention-maintenance univention-management-console-module-ipchange univention-management-console-module-udm univention-management-console-module-welcome univention-monitoring-ad-connector univention-nfs-server univention-pkgdb-tools univention-portal univention-role-common univention-server-overview univention-sudo univention-support-info
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  ldb-tools libldb2 libnss-winbind libpam-winbind libsmbclient libtalloc2 libtdb1 libtevent0 libwbclient0 python3-ldb python3-samba python3-talloc python3-tdb samba-ad-dc samba-ad-provision samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient tdb-tools winbind
Suggested packages:
  ctdb ufw samba-vfs-ceph samba-vfs-glusterfs
The following packages will be REMOVED:
  sssd sssd-ad sssd-ad-common sssd-ipa univention-ad-connector univention-bind univention-management-console-module-adconnector univention-management-console-module-quota univention-pam univention-quota univention-role-server-common univention-server-master
The following packages will be upgraded:
  ldb-tools libldb2 libnss-winbind libpam-winbind libsmbclient libtalloc2 libtdb1 libtevent0 libwbclient0 python3-ldb python3-samba python3-talloc python3-tdb samba samba-ad-dc samba-ad-provision samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules smbclient tdb-tools winbind
24 upgraded, 0 newly installed, 12 to remove and 59 not upgraded.
Need to get 14.4 MB of archives.
After this operation, 7583 kB disk space will be freed.
```

So I'll try to backport the patch to samba 4.21.
> apt install -t bookworm-backports samba

Please don't. We have a couple of patches and the Debian package IIRC only prepares for a fileserver operation, but not for samba-ad-dc.
The patch attached to https://bugzilla.samba.org/show_bug.cgi?id=15680#c16 applies cleanly to 4.21, so it could be easy to backport. The only thing that looks odd to me is that that Samba bug is re-assigned and not closed, and the Samba release manager commented:

> "Patch for 4.21 failed during make:"

So I guess the same will happen to us and we'd need to look at the code and fix what's missing.

Alternative: Import Samba 4.22 or later for some future UCS release and live with this upstream regression until then. As noted here: There is a workaround, by creating the trust account on the MS AD side with native MS tooling ("Active Directory Domains and Trusts"?).
Yes, that's why I called it a "dumb" update. In the meantime I managed to install and configure samba 4.22 on a Debian 12 server, just to compare the behaviour of the different versions. By default, it's set to {forest, domain} functional level 2008 R2, but I'll try to establish a trust relationship with a Windows DC at 2012 anyway.
I verified this as a regression against UCS 5.0-10, samba 4.18.

Creation of an external incoming trust, initiated by UCS:

```
samba-tool domain trust create mgmt1.nvzd.sh -k no -UADDOM\\Administrator%univention#123 --type=external --direction=incoming
```

Works, the trust is added successfully on the Windows DC (Windows Server 2016, functional level 2012 R2).

Creation of an external outgoing trust, initiated by Windows: Works, trusts are created & verified on both sides.

Both "directions" (UCS & Windows) fail with UCS 5.2, samba 4.21!
And this is how the trust looks in samba:

```
univention-s4search trustPartner=MGMT1.NVZD.SH
# record 1
dn: CN=MGMT1.NVZD.SH,CN=System,DC=ucs-nvzd,DC=sh
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: MGMT1.NVZD.SH
instanceType: 4
whenCreated: 20250522065753.0Z
whenChanged: 20250522065753.0Z
uSNCreated: 4204
uSNChanged: 4204
showInAdvancedViewOnly: TRUE
name: MGMT1.NVZD.SH
objectGUID: 402a0419-6b92-4aa7-a61a-2ed52024f175
securityIdentifier: S-1-5-21-3951239265-3745549443-3600140568
trustDirection: 1
trustPartner: MGMT1.NVZD.SH
trustType: 2
trustAttributes: 0
flatName: MGMT1
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=ucs-nvzd,DC=sh
distinguishedName: CN=MGMT1.NVZD.SH,CN=System,DC=ucs-nvzd,DC=sh
```
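The numeric attributes in a trustedDomain record above (trustDirection, trustType, trustAttributes) are easier to review once decoded. The following is an added example, not code from this thread, from Samba or from Univention: it parses the LDIF-style output of `univention-s4search` and maps the values to the names defined in MS-ADTS, then lists settings a defender would want to look at (for instance, the trustAttributes value 0 means the QUARANTINED_DOMAIN bit, i.e. SID filtering, is not set on this trust). The sample record is constructed from the output in the post; the `review_findings` rules are my own assumptions about what is worth flagging, not anything Samba enforces.

```python
# Added example: decode a Samba/AD trustedDomain record (MS-ADTS attribute
# values) and point out trust settings worth reviewing. Not project code.

# trustDirection and trustType values as defined in MS-ADTS.
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel (NT4)", 2: "uplevel (AD)", 3: "MIT Kerberos", 4: "DCE"}

# trustAttributes bit flags as defined in MS-ADTS (TRUST_ATTRIBUTE_*).
TRUST_ATTRIBUTES = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",  # SID filtering enforced on this trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

# Constructed sample, trimmed from the univention-s4search output in the thread.
SAMPLE_RECORD = """\
# record 1
dn: CN=MGMT1.NVZD.SH,CN=System,DC=ucs-nvzd,DC=sh
objectClass: top
objectClass: trustedDomain
cn: MGMT1.NVZD.SH
securityIdentifier: S-1-5-21-3951239265-3745549443-3600140568
trustDirection: 1
trustPartner: MGMT1.NVZD.SH
trustType: 2
trustAttributes: 0
flatName: MGMT1
"""


def parse_ldif_record(text):
    """Parse one LDIF-style record into {attribute: [values]}; '#' lines are comments."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue  # tolerate stray lines that are not attr: value
        record.setdefault(attr, []).append(value)
    return record


def decode_attributes(value):
    """Return the sorted flag names set in a trustAttributes integer."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]


def decode_trust(record):
    """Turn the raw trustedDomain attributes into human-readable fields."""
    direction = int(record["trustDirection"][0])
    ttype = int(record["trustType"][0])
    attrs = int(record["trustAttributes"][0])
    return {
        "partner": record["trustPartner"][0],
        "flat_name": record.get("flatName", [""])[0],
        "sid": record.get("securityIdentifier", [""])[0],
        "direction": TRUST_DIRECTION.get(direction, f"unknown({direction})"),
        "type": TRUST_TYPE.get(ttype, f"unknown({ttype})"),
        "attributes": decode_attributes(attrs),
        # bits we do not know a name for (hypothetical future flags)
        "unknown_attribute_bits": attrs & ~sum(TRUST_ATTRIBUTES),
    }


def review_findings(decoded):
    """Review rules (my assumptions): things an admin should consciously decide on."""
    findings = []
    attrs = set(decoded["attributes"])
    if "QUARANTINED_DOMAIN" not in attrs and "WITHIN_FOREST" not in attrs:
        findings.append("SID filtering (QUARANTINED_DOMAIN) is not set on this trust")
    if "USES_RC4_ENCRYPTION" in attrs:
        findings.append("trust still allows RC4 for cross-realm Kerberos tickets")
    if decoded["unknown_attribute_bits"]:
        findings.append(f"unknown trustAttributes bits: {decoded['unknown_attribute_bits']:#x}")
    return findings


if __name__ == "__main__":
    decoded = decode_trust(parse_ldif_record(SAMPLE_RECORD))
    for key, val in decoded.items():
        print(f"{key:>24}: {val}")
    for finding in review_findings(decoded):
        print("REVIEW:", finding)
```

Run it against the real output by replacing `SAMPLE_RECORD` with the text of `univention-s4search trustPartner=<partner>`; the parser ignores the leading command line only if you strip it, so paste from `# record 1` onward.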
Applying the patch and re-building the package leads to the same error as mentioned in https://bugzilla.samba.org/show_bug.cgi?id=15680#c20

```
../../source3/rpc_client/cli_pipe.c:3475:19: error: ‘struct rpc_pipe_client’ has no member named ‘assoc’
 3475 |         if (rpccli->assoc == NULL) {
      |                   ^~
../../source3/rpc_client/cli_pipe.c:3480:56: error: ‘struct rpc_pipe_client’ has no member named ‘assoc’
 3480 |         transport = dcerpc_binding_get_transport(rpccli->assoc->binding);
      |                                                        ^~
../../source3/rpc_client/cli_pipe.c:3486:19: error: ‘struct rpc_pipe_client’ has no member named ‘np_cli’
 3486 |         if (rpccli->np_cli == NULL) {
...
```

So either wait for a fix by samba upstream or follow the stony path ourselves...
With the last patch for samba 4.21 it works again! I was able to create a trust relationship with a Windows 2022, AD functional level 2016:

```
samba-tool domain trust create win-2k22.intranet -k no -UADDOM\\Administrator%univention#123 --type=external --direction=incoming
WARNING: The option -k|--kerberos is deprecated!
LocalDomain Netbios[SAMBATRUST] DNS[sambatrust.intranet] SID[S-1-5-21-782644394-2045518556-4160898982]
RemoteDC Netbios[WIN-2K22] DNS[WIN-2K22.win-2k22.intranet] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,DS_9,DS_10,__unknown_00020000__]
RemoteDomain Netbios[WIN-2K220] DNS[win-2k22.intranet] SID[S-1-5-21-1943271089-2481435012-2334535652]
Creating remote TDO.
Remote TDO created.
Setting supported encryption types on remote TDO.
Creating local TDO.
Local TDO created
Setting supported encryption types on local TDO.
Validating incoming trust...
OK: RemoteValidation: DC[\\primary.sambatrust.intranet] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Success.
```

It's also created properly on the AD side.
```
ucs-patches
43911990e | Merge branch 'ofriedri/backport_trust_for_samba421_bug58299' into 'main'
8218dab3e | patch merged by repo-ng - from samba/ucs_5.2-0/2:4.21.1-1 to samba/ucs_5.2-0-errata5.2-2/2:4.21.1-1
79f3bf98b | Revert 43911990e

me@buildhost:~$ repo_admin.py --cherrypick --release 5.2-0 --releasedest 5.2-0 --dest errata5.2-2 --package samba
me@buildhost:~$ b52-scope errata5.2-2 samba
Successful build
Package: samba
Version: 2:4.21.1-1A~5.2.0.202507011052
Branch: 5.2-0
Scope: errata5.2-2

ucs
8584451dce5 | Advisory
```
<https://errata.software-univention.de/#/?erratum=5.2x138>