Problem: Queries in a trust relationship between UCS Samba and Microsoft Active Directory take very long

Problem:

After establishing a trust relationship between UCS Samba and Microsoft Active Directory, it was found that queries to the UCS take a very long time and time out after 30 seconds.

Investigation:

In which direction is the trust relationship established? Does UCS trust Windows, or does Windows trust UCS? This is very important to know, because outgoing trust relationships (UCS trusts Windows) are not supported in Samba/AD domains. Accordingly, bidirectional trust relationships are also not supported.

root@dc01:~# samba-tool domain trust list
Type[External] Transitive[No]  Direction[INCOMING] Name[ad.test]
root@dc01:~# samba-tool domain trust show ad.test
LocalDomain Netbios[SCHEIN] DNS[schein.cat] SID[S-1-5-21-1968043490-3497868020-1052620979]
TrustedDomain:

NetbiosName:    UCS1
DnsName:        ad.test
SID:            S-1-5-21-3550983502-1716035267-1031089948
Type:           0x2 (UPLEVEL)
Direction:      0x1 (INBOUND)
Attributes:     0x4 (QUARANTINED_DOMAIN)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
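
The direction check above can be scripted. The following is an added example, not part of the original article: it reads `samba-tool domain trust list` output and flags any trust whose direction is not INCOMING. The function names and the `corp.example` sample line are constructed for illustration, and the direction strings OUTGOING and BOTH are assumed to be what samba-tool prints for the unsupported cases.

```shell
#!/bin/sh
# Added example: classify trusts from `samba-tool domain trust list` by direction.
# Prints "<name> <direction> <verdict>" for every trust line read from stdin.
# Returns non-zero if any trust is not INCOMING, since the article states that
# outgoing (and therefore bidirectional) trusts are not supported in Samba/AD.
check_trust_directions() {
    awk '
        BEGIN { bad = 0 }
        /Direction\[/ {
            # Extract the bracketed values of the Direction[...] and Name[...] fields.
            dir = $0;  sub(/.*Direction\[/, "", dir); sub(/\].*/, "", dir)
            name = $0; sub(/.*Name\[/, "", name);     sub(/\].*/, "", name)
            if (dir == "INCOMING") {
                verdict = "ok"
            } else if (dir == "OUTGOING" || dir == "BOTH") {
                verdict = "unsupported"; bad = 1
            } else {
                # Anything unexpected is flagged for manual review.
                verdict = "unknown"; bad = 1
            }
            print name, dir, verdict
        }
        END { exit bad }
    '
}

# Constructed sample input: the first line is the output shown in the article,
# the second line is a made-up bidirectional trust for comparison.
sample_trust_list() {
    cat <<'EOF'
Type[External] Transitive[No]  Direction[INCOMING] Name[ad.test]
Type[External] Transitive[No]  Direction[BOTH] Name[corp.example]
EOF
}

# On a domain controller, replace sample_trust_list with:
#   samba-tool domain trust list
if ! sample_trust_list | check_trust_directions; then
    echo "at least one trust has an unsupported or unknown direction" >&2
fi
```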

Solution:

The cause was not in LDAP or Samba; a permission was missing in the firewall.