9.4. Trust relationships#
Trust relationships between domains make it possible for users from one domain to sign in to computers from another domain.
In general, Windows trust relations can be unidirectional or bidirectional. Technically a bidirectional trust is simply realized as two unidirectional trusts, one in each direction.
The terminology of unidirectional trusts depends on the perspective of either the trusting or trusted domain: From the perspective of the trusting domain, the trust is called outgoing. From the perspective of the trusted domain, the trust is called incoming.
In UCS, outgoing trust (UCS trusts Windows) is not supported. As a consequence, bidirectional trust is not supported either.
When setting up and using the trust relationship the domain controllers of both domains must be able to reach each other over the network and identify each other via DNS. At least the fully qualified DNS names of the domain controllers of the respective remote domain must be resolvable to allow communication between both domains to work. This can be achieved by configuring conditional DNS forwarding in both domains.
The following example assumes, that the UCS Samba/AD DC Primary Directory Node
primary.ucsdom.example
has the IP address 192.0.2.10
and that the Active
Directory domain controller dc1.addom.example
of the remote domain has the
IP address 192.0.2.20
.
On the UCS side the conditional forwarding of DNS queries can be set up as
root
with the following commands:
$ cat >>/etc/bind/local.conf.samba4 <<__EOT__
zone "addom.example" {
type forward;
forwarders { 192.0.2.20; };
};
__EOT__
$ systemctl restart bind9
The success can be checked by running:
$ host dc1.addom.example
In addition, it may be useful to create a static entry for the domain controller
of the remote Active Directory domain in the file /etc/hosts
:
$ ucr set hosts/static/192.0.2.20=dc1.addom.example
On a Windows AD DC, a so-called conditional forwarding can be set up for the UCS domain via the DNS server console.
Trust relationships can only be configured on domain controllers but they affect the whole domain.
After this preliminary work, the trust relationship can be established directly from the command line of the UCS Samba/AD DC using the tool samba-tool:
$ samba-tool domain trust create addom.example \
-k no -UADDOM\\Administrator%ADAdminPassword \
--type=external --direction=incoming
The trust can be checked using the following commands:
$ samba-tool domain trust list
$ wbinfo --ping-dc –domain=addom.example
$ wbinfo --check-secret –domain=addom.example
After the setup, a UCS user should be able to sign in to systems of the remote
Active Directory domain. Users must either use the format UCSDOM\username
as
login name or their Kerberos principal in the notation
username@ucsdom.example
.