Koozali.org: home of the SME Server

trust relationship between SME and Win2K3

Offline Zeddo

  • 7
  • +0/-0
trust relationship between SME and Win2K3
« on: July 18, 2011, 02:56:22 PM »
Hello,

First, sorry for my poor English.

I have created an SME server with a small network in 192.168.40.0/24.
This is encapsulated in my company's network, which is in 172.16.0.0/19.

Good news: I can ping from 192.168.40.x to 172.16.x.x, I have internet access (via 172.16.x.x), I can access shared folders, printers, etc.
Bad news: I can't ping from 172.16.x.x to 192.168.40.x, and I can't access shared folders.

Do I need to create a trust relationship between my 2 domains? (If yes, how?) Or is it just a routing problem?

thx

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: trust relationship between SME and Win2K3
« Reply #1 on: July 18, 2011, 03:45:56 PM »
Hello,

First, sorry for my poor English.

I have created an SME server with a small network in 192.168.40.0/24.
This is encapsulated in my company's network, which is in 172.16.0.0/19.

Good news: I can ping from 192.168.40.x to 172.16.x.x, I have internet access (via 172.16.x.x), I can access shared folders, printers, etc.
Bad news: I can't ping from 172.16.x.x to 192.168.40.x, and I can't access shared folders.

Do I need to create a trust relationship between my 2 domains? (If yes, how?) Or is it just a routing problem?

thx

Is your SME in server-only mode, or server and gateway? Did you add the 172.16.X network into the local networks panel?

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: trust relationship between SME and Win2K3
« Reply #2 on: July 18, 2011, 03:46:32 PM »
Do I need to create a trust relationship between my 2 domains? (If yes, how?) Or is it just a routing problem?
Ping has nothing to do with domain trust. Most likely it is a routing issue, or something in the path is blocking ICMP traffic.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Zeddo

  • 7
  • +0/-0
Re: trust relationship between SME and Win2K3
« Reply #3 on: July 18, 2011, 03:58:39 PM »
Thanks for your answer.

The server has been installed as server and gateway (is it a mistake?).
If I add the 172.16.X network into the local networks panel, I can't access from 192.168.40.x to 172.16.x.x anymore.

I'm a real noob in the Linux world. How can I verify if it is a routing issue or if something in the path is blocking ICMP traffic?
When I run "route" in PuTTY, it seems good:

Destination     gateway      Genmask         Indic Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
172.16.0.0      *               255.255.224.0   U     0      0        0 eth1
default         172.16.31.252   0.0.0.0         UG    0      0        0 eth1

Ping is not important; it was just a test to confirm that computers were able to talk from one domain to the other. What is important is VNC use and shared folders.
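The question above ("is it routing or is something blocking ICMP?") can be answered from tables like the one just posted. Here is an added Python example, not code from the thread or from SME Server, that parses `route` output, does the same longest-prefix lookup the kernel does, and then checks the other half of the problem: the router on the 172.16 side also needs a route back to 192.168.40.0/24, or replies have nowhere to go. The SME table is a constructed copy of the one posted; the "other side" table and its 203.0.113.1 upstream gateway are constructed, hypothetical samples.

```python
"""Parse Linux `route` / `route -n` output, answer "which way does a packet
to X go?", and check for a missing return route on the other router."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None = directly connected
    iface: str


# Constructed copy of the table posted above (header printed by a French
# locale; the parser keys on column position, not on header text).
SME_TABLE = """\
Destination     gateway      Genmask         Indic Metric Ref    Use Iface
192.168.40.0    *               255.255.255.0   U     0      0        0 eth0
172.16.0.0      *               255.255.224.0   U     0      0        0 eth1
default         172.16.31.252   0.0.0.0         UG    0      0        0 eth1
"""

# Constructed, hypothetical table of a router on the 172.16 side BEFORE a
# route to 192.168.40.0/24 is added. 203.0.113.1 is a documentation address
# standing in for its upstream gateway.
OTHER_SIDE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      0.0.0.0         255.255.224.0   U     0      0        0 br0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
"""


def parse_route_output(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue                      # banner, blank or short line
        dest, gw, mask, _flags, _metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"              # `route` without -n prints the default route this way
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # header row ("Destination ... Iface")
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def has_specific_route(routes: List[Route], net: str) -> bool:
    """True if some non-default route covers the whole network `net`."""
    target = ipaddress.IPv4Network(net)
    return any(r.network.prefixlen > 0 and target.subnet_of(r.network) for r in routes)


def add_route(routes: List[Route], net: str, gw: str, iface: str) -> List[Route]:
    """Model `route add -net NET netmask MASK gw GW` without touching the kernel."""
    return routes + [Route(ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw), iface)]


def describe(routes: List[Route], dst: str) -> str:
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    via = "directly connected" if r.gateway is None else f"via {r.gateway}"
    return f"{dst}: {via} on {r.iface}"


if __name__ == "__main__":
    sme = parse_route_output(SME_TABLE)
    for host in ("192.168.40.10", "172.16.5.5", "8.8.8.8"):
        print("SME  ", describe(sme, host))
    other = parse_route_output(OTHER_SIDE_TABLE)
    print("other side knows 192.168.40.0/24:", has_specific_route(other, "192.168.40.0/24"))
    fixed = add_route(other, "192.168.40.0/24", "172.16.31.252", "br0")
    print("after adding the return route:   ", has_specific_route(fixed, "192.168.40.0/24"))
```

If the SME table looks right (as it does here) but `has_specific_route` is false on the router that serves the 172.16 hosts, the symptom is exactly the one-way reachability described: packets arrive, replies are sent to the default gateway instead. Only once both directions resolve does it make sense to suspect a firewall dropping ICMP.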

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: trust relationship between SME and Win2K3
« Reply #4 on: July 18, 2011, 04:02:00 PM »
The server has been installed as server and gateway (is it a mistake?).

Well, in this case you have a firewall (SME's) between two LANs, and 172.16.X is, for SME, an external network, so no access from WAN to SMB shares.

Offline Zeddo

  • 7
  • +0/-0
Re: trust relationship between SME and Win2K3
« Reply #5 on: July 18, 2011, 04:07:14 PM »
Is it possible to disable the firewall?
(I think it's not dangerous for us; the SME server is just used as a "sub-domain" of our principal domain.)
Users still go through our firewall for the web, and there will be just "local access" for shares and VNC.

Or could making a new install in server mode be a solution?

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: trust relationship between SME and Win2K3
« Reply #6 on: July 18, 2011, 05:49:37 PM »
Or could making a new install in server mode be a solution?
You cannot split subnets without SME Server being in server-gateway mode; if you configure SME Server as server-only you will have to place it in an existing network using the IP ranges and subnets that apply to that part of the net.

If you want to switch to server-only mode you should be able to do so by logging in as admin on the command prompt and reconfiguring your server through the menu.

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: trust relationship between SME and Win2K3
« Reply #7 on: July 18, 2011, 07:39:34 PM »
You cannot split subnets without SME Server being in server-gateway mode; if you configure SME Server as server-only you will have to place it in an existing network using the IP ranges and subnets that apply to that part of the net.

If you want to switch to server-only mode you should be able to do so by logging in as admin on the command prompt and reconfiguring your server through the menu.

IIRC the OP should switch to server-only mode and add the 172.16 subnet in the "local networks" web panel; obviously he needs a router between the networks.

Offline CharlieBrady

  • *
  • 6,918
  • +3/-0
Re: trust relationship between SME and Win2K3
« Reply #8 on: July 18, 2011, 11:54:07 PM »
IIRC the OP should switch to server-only mode and add the 172.16 subnet in the "local networks" web panel; obviously he needs a router between the networks.

Correct. This is the only configuration which would allow access to the LAN machines on 192.168.40.x from 172.16.x.x.

Offline Zeddo

  • 7
  • +0/-0
Re: trust relationship between SME and Win2K3
« Reply #9 on: July 19, 2011, 01:25:38 PM »
Hello,

We have good news today.
We can now connect by VNC from the 172.16.x.x network to 192.168.40.x.
Sharing is not possible yet, but I have good hope.

I'm writing a howto about what we have done; I will post it when it is finished.

Thanks everybody for your answers, you gave us some good ideas.

Offline Zeddo

  • 7
  • +0/-0
Re: trust relationship between SME and Win2K3
« Reply #10 on: July 19, 2011, 03:33:23 PM »
So, everything is OK. Not really as I wanted, but it works fine.

First, I wanted to have 2 network cards in the SME server, and use it as router for 172.16.0.0 <-> 192.168.40.0.
But finally, we used our Cisco as router.

Here is what we have done:

CISCO :
On each Cisco used (where computers and the SME server are plugged in), we created a specific VLAN.
We also had to configure a trunk.

On the main Cisco (with Cisco Network Assistant), in device "Properties\IP Addresses..." we created an IP address, 192.168.40.254.
This is a "virtual IP" assigned to the main Cisco. Don't forget to use the option "route".

FIREWALL :
We also have a firewall, Endian Firewall, in which we had to add a route:
route add -net 192.168.40.0 netmask 255.255.255.0 gw 172.16.31.252

You can make it permanent by writing this command in:
/etc/rc.d/init.d/rc.local


SME SERVER :
We installed the server as a standalone server (not gateway or private gateway).
The configuration is:

(sorry for the translation :p )
Mode : serveronly
Local IP Address / subnet-mask : 192.168.40.1/255.255.255.0
Gateway : 192.168.40.254
Local Networks added : 192.168.40.0/255.255.255.0
Server DHCP : disabled

Then, we had to go to Configuration / Workgroup.
Here we wrote the "Windows workgroup or domain", the server name, and put "YES" at the option "PDC".

In "Security / distant access", we had to declare the network 172.16.0.0/255.255.224.0, open the SSH parameters to "LAN and Internet", and put "YES" at the 2 options below.

After that, we did the upgrade (Configuration / Upgrade), and then rebooted and reconfigured the server (as you have to do after each upgrade).

Finally, you can make your LDAP "nicer" with the proper address of your company, create users, add printers, etc.


WINDOWS 7 :
For computers running Windows 7, we had to modify the registry (regedit).

Create a .reg file with Notepad, paste this inside, then execute it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000


COMPUTER NETWORK CONFIGURATION :
IP Static : 192.168.40.X
Mask : 255.255.255.0
Gateway : 192.168.40.254
DNS : 172.16.0.10


And that's all, folks :)
Now, we can add each computer as a member of the new domain.
We can ping, see shared folders (with authentication asked by Windows), and use VNC from external (172.16.x) to internal (192.168.40.x).


I'd like to have a true "trust relationship", to allow users of the 172.16.x AD to go to the 192.168.40.X shared folders,
but I'll make something more "dusty" that works fine, with net use. (In French we say that "it's a work of pig".)
NET Use Z: \\172.16.x.x\share /user:domain\user "password"


I hope this post will help some people, and maybe one day someone will tell us how to make a trust relationship between a domain on Windows 2003 and another on SME.

Zedd
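The two LanmanWorkstation values in the howto's .reg file are what lets a Windows 7 workstation join an NT4-style domain such as the one SME Server provides: DomainCompatibilityMode=1 accepts a classic (non-AD) domain controller and DNSNameResolutionRequired=0 stops the client insisting on DNS SRV records for it. Because they relax join-time checks, an administrator will usually want to know which machines carry them. The following is an added Python example, not code from the post or from SME Server: a small .reg parser plus a check that an exported fragment contains exactly the settings the howto describes. The .reg text embedded in it is a constructed copy of the fragment above.

```python
"""Parse a .reg export and confirm the LanmanWorkstation values the howto sets
for joining an NT4-style (Samba/SME) domain from Windows 7."""
import re
from typing import Dict, List, Tuple, Union

RegValue = Tuple[str, Union[int, str]]          # (type, value)
RegTree = Dict[str, Dict[str, RegValue]]        # key path -> value name -> value

LANMAN_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"

# What the howto's .reg file sets (dword values; the file writes them in hex).
EXPECTED: Dict[str, int] = {
    "DomainCompatibilityMode": 1,      # accept a classic NT4-style domain controller
    "DNSNameResolutionRequired": 0,    # do not require DNS SRV records for the DC
}

# Constructed copy of the fragment shown in the post above.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
"""

# "Name"=payload, allowing escaped quotes inside the name.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Return {key path: {value name: (type, value)}} for a regedit 5.00 export."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4")):
            continue                                  # blank, comment or file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                      # new key section
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unrecognised .reg line: {raw!r}")
        name, payload = m.group(1), m.group(2)
        if payload.startswith("dword:"):
            tree[current][name] = ("dword", int(payload[len("dword:"):], 16))
        elif payload.startswith('"') and payload.endswith('"'):
            tree[current][name] = ("string", payload[1:-1].replace("\\\\", "\\"))
        else:
            tree[current][name] = ("other", payload)   # hex:, expand strings, etc.
    return tree


def check_lanman_settings(tree: RegTree) -> List[str]:
    """Human-readable mismatches; an empty list means the howto's settings are present."""
    findings: List[str] = []
    values = tree.get(LANMAN_KEY, {})
    for name, want in EXPECTED.items():
        got = values.get(name)
        if got is None:
            findings.append(f"{name} is not set")
        elif got != ("dword", want):
            findings.append(f"{name} is {got[1]!r}, expected {want}")
    return findings


if __name__ == "__main__":
    problems = check_lanman_settings(parse_reg(REG_TEXT))
    print("matches the howto" if not problems else "\n".join(problems))
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters out.reg` on the client, then `parse_reg(open("out.reg", encoding="utf-16").read())`, since regedit writes UTF-16), the check tells you whether a given workstation has been configured the way the howto describes; a machine that no longer needs an NT4-style domain can have the two values removed again.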