I'm having trouble with getting a trusted domain to be able to access my TrueNAS SMB shares (the domain that it is joined to is able to access the shares fine). After spending about a day at the problem and trying various helpful suggestions I've seen archived in the forums I gave up and went home to set up a pristine infrastructure to see if I could recreate the problem, and I recreated it right away. Here's the scenario.
I am running TrueNAS-13.0-U3.1. (I'll not include any hardware details as I think it's not relevant in this topic.) Two domain controllers (both Windows Server 2016 Standard). They are all on the same subnet and there is no firewall anywhere. DNS is set up correctly on the two domain controllers for both domains, a stub zone to the other domain was set up on both to allow the trust to be created, and the TrueNAS server uses the domain controller of DOMA.local for its DNS lookups.
- domaad is the domain controller for the domain DOMA.LOCAL
- dombad is the domain controller for the domain DOMB.LOCAL.
- DOMA has an outgoing trust of DOMB, and it is a selective authentication. I have validated the one-way trust from both sides.
The output of wbinfo:
Code:
bob@bobstor:~ % wbinfo --trusted-domains --verbose
Domain Name   DNS Domain   Trust Type    Transitive   In   Out
BUILTIN                    Local
BOBSTOR                    Local
DOMA          DOMA.LOCAL   Workstation   Yes          No   Yes
So far so good, but I'm not sure why DOMB doesn't appear at all yet.
From domaad.doma.local I can access \\bobstor.doma.local fine; I can enumerate the shares and go into the test share and edit files. From dombad.domb.local if I try to access \\bobstor.doma.local I get the following error:
\\bobstor.doma.local is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer.
I've looked at the TrueNAS samba source code and the error related to this is NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, and this only occurs in auth_util.c and winbindd_pam.c when attempting to perform a local authentication - not what I think should be happening.
{"timestamp": "2023-04-22T12:33:15.078434+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "ac209d1e0532f0a5", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 53698", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": "", "becameDomain": "", "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 9733}}
{"timestamp": "2023-04-22T12:33:15.079191+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "ipv6:2a02:c7f:5d14:1b42:d250:99ff:fec2:b703:445", "remoteAddress": "ipv6:2a02:c7f:5d14:1b42:bd4d:b3ca:25b0:f5e4:58182", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "Administrator", "mappedDomain": "DOMB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 13249}}
{"timestamp": "2023-04-22T12:33:19.128291+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "b7cac5ba7fd8a9fc", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 53698", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": "", "becameDomain": "", "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 4326}}
{"timestamp": "2023-04-22T12:33:19.128984+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "ipv6:2a02:c7f:5d14:1b42:d250:99ff:fec2:b703:445", "remoteAddress": "ipv6:2a02:c7f:5d14:1b42:bd4d:b3ca:25b0:f5e4:58183", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "Administrator", "mappedDomain": "DOMB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 7878}}
{"timestamp": "2023-04-22T12:33:19.181269+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "21240d66c7aba072", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 53698", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": "", "becameDomain": "", "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 4648}}
{"timestamp": "2023-04-22T12:33:19.181989+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "ipv6:2a02:c7f:5d14:1b42:d250:99ff:fec2:b703:445", "remoteAddress": "ipv6:2a02:c7f:5d14:1b42:bd4d:b3ca:25b0:f5e4:58184", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "Administrator", "mappedDomain": "DOMB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 8342}}
{"timestamp": "2023-04-22T12:33:19.234318+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "dc8a1040c0cc501", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, nss_winbind, 53698", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": "", "becameDomain": "", "becameSid": null, "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 4266}}
{"timestamp": "2023-04-22T12:33:19.235013+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "localAddress": "ipv6:2a02:c7f:5d14:1b42:d250:99ff:fec2:b703:445", "remoteAddress": "ipv6:2a02:c7f:5d14:1b42:bd4d:b3ca:25b0:f5e4:58185", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "Administrator", "mappedDomain": "DOMB", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 8144}}
The content of my samba configuration is here...
bob@bobstor:/etc/local % cat smb4.conf
#
# SMB.CONF(5) The configuration file for the Samba suite
# $FreeBSD$
#
[global]
dns proxy = No
aio max threads = 2
max log size = 5120
load printers = No
printing = bsd
disable spoolss = Yes
dos filemode = Yes
kernel change notify = No
directory name cache size = 0
server multi channel support = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
unix charset = UTF-8
log level = 1 auth_json_audit:3@/var/log/samba4/auth_audit.log
obey pam restrictions = True
rpc_daemon:mdssd = disabled
rpc_server:mdssvc = disabled
enable web service discovery = True
logging = file
server min protocol = SMB2_02
unix extensions = No
restrict anonymous = 2
server string = FreeNAS Server
bind interfaces only = Yes
netbios name = bobstor
netbios aliases =
server role = member server
kerberos method = secrets and keytab
workgroup = DOMA
realm = DOMA.LOCAL
security = ADS
local master = No
domain master = No
preferred master = No
winbind cache time = 7200
winbind max domain connections = 10
client ldap sasl wrapping = seal
template shell = /bin/sh
template homedir = /mnt/pool0/home/%D/%U
ads dns update = Yes
allow trusted domains = Yes
winbind enum users = Yes
winbind enum groups = Yes
idmap config DOMA: backend = rid
idmap config DOMA: range = 100000001-200000000
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
registry shares = yes
include = registry
I've seen some strong advice that I need to set up IDMAP for the trusted domain. The ID ranges that have been selected by the automated domain join in the GUI are as follows:
Code:
LDAP   10_000        90_000_000
TDB    90_000_001    100_000_000
RID    100_000_001   200_000_000
I'm not sure that that is the problem here but I'm willing to try if someone could please describe exactly what I need to do. (Do I need to create LDAP, TDB, and RID mappings all three for DOMB?) Or if anyone knows what else might be up I'm willing to try anything and provide as much detail as requested.
I feel quite convinced that the problems are all down to my configuration on the TrueNAS box, as I can see the packets come in from the DOMB domain controller and the TrueNAS server is flat out rejecting it with the NT_STATUS_AUTHENTICATION_FIREWALL_FAILED responses. For whatever reason samba just doesn't seem to recognise DOMB as a thing. However, that can't quite be true as I was able to add "DOMB\domain admins" to the filesystem ACL!
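Two things in the post lend themselves to a quick scripted check: the auth_json_audit lines, which name the failing client domain and the Samba service that rejected it, and the smb4.conf idmap block, where the question is whether the trusted domain has its own range and whether any ranges collide. The script below is an added example, not code from the post or from TrueNAS; it parses the audit log and the idmap lines, counts failed logons (eventId 4625) per domain and service, and then reports any failing domain that has no explicit "idmap config DOMAIN:" entry (and so falls back to the "*" backend) plus any overlapping ranges, which testparm also rejects. The sample log lines and config fragment are constructed to mirror the values quoted in the post. One caveat worth keeping alongside the idmap check: the Windows dialog text quoted above ("protected by an authentication firewall") is the message Windows shows when a selective-authentication trust has not granted the trusted-domain users "Allowed to Authenticate" on the resource computer object, and NT_STATUS_AUTHENTICATION_FIREWALL_FAILED is the status a DC returns for that case, so the computer object for the member server in DOMA is worth checking independently of the Samba configuration.

```python
"""Added example (not from the forum post): triage Samba auth_json_audit lines
and cross-check the smb.conf idmap configuration for the domains that fail.

Assumptions not stated on the page: the audit log is one JSON object per line
with the "Authentication" envelope shown in the post; sample data is constructed.
"""
import json
import re
from collections import Counter

# Constructed sample: three audit records shaped like the ones in the post
# (two DOMB failures, one DOMA success), trimmed to the fields used here.
SAMPLE_AUDIT = """\
{"timestamp": "2023-04-22T12:33:15.078434+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "serviceDescription": "winbind", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "passwordType": "NTLMv2"}}
{"timestamp": "2023-04-22T12:33:15.079191+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_AUTHENTICATION_FIREWALL_FAILED", "serviceDescription": "SMB2", "clientDomain": "DOMB", "clientAccount": "Administrator", "workstation": "DOMBAD", "passwordType": "NTLMv2"}}
{"timestamp": "2023-04-22T12:34:01.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "DOMA", "clientAccount": "bob", "workstation": "DOMAAD", "passwordType": "NTLMv2"}}
"""

# Constructed fragment: the idmap lines from the post's smb4.conf.
SAMPLE_SMBCONF = """\
[global]
allow trusted domains = Yes
idmap config DOMA: backend = rid
idmap config DOMA: range = 100000001-200000000
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
"""


def summarize_auth_failures(text):
    """Count failed logons per (clientDomain, serviceDescription, status).

    Samba's audit log uses Windows event ids: 4625 = failed logon, 4624 = success.
    """
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate stray non-JSON lines in the log file
        auth = rec.get("Authentication", {})
        if auth.get("eventId") != 4625:
            continue
        key = (auth.get("clientDomain"), auth.get("serviceDescription"), auth.get("status"))
        counts[key] += 1
    return counts


# Matches "idmap config <domain>: backend = ..." and "idmap config <domain>: range = lo-hi".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {DOMAIN: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return cfg


def idmap_findings(cfg, domains):
    """List domains lacking an explicit idmap entry, and any overlapping ranges."""
    findings = []
    fallback = cfg.get("*", {}).get("backend", "unset")
    for d in domains:
        if d not in cfg:
            findings.append(f"{d}: no explicit idmap config entry; falls back to '*' backend {fallback}")
    ranges = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (d1, (a1, b1)), (d2, (a2, b2)) = ranges[i], ranges[j]
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                findings.append(f"ranges overlap: {d1} {a1}-{b1} and {d2} {a2}-{b2}")
    return findings


if __name__ == "__main__":
    failures = summarize_auth_failures(SAMPLE_AUDIT)
    for (dom, svc, status), n in sorted(failures.items()):
        print(f"{n:3d}  {dom:<8} {svc:<8} {status}")
    cfg = parse_idmap(SAMPLE_SMBCONF)
    failing_domains = sorted({dom for (dom, _, _) in failures})
    for finding in idmap_findings(cfg, failing_domains):
        print("finding:", finding)
```

Point summarize_auth_failures at the real /var/log/samba4/auth_audit.log and parse_idmap at /etc/local/smb4.conf to run it against a live box; the overlap check is the same one to rerun after adding a per-domain range for the trusted domain, since a range that collides with DOMA's or with the "*" range is itself a misconfiguration.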