[Samba] InterDomain Trust Issue w/Server 2003 - Samba



  1. [Samba] InterDomain Trust Issue w/Server 2003

    I'm having an issue establishing a trust between a samba/ldap PDC and a
    windows 2003 Active directory server on a separate domain. Here is what I've
    done. I've created a 2 way trust in windows with the samba domain. When I try
    to verify the outgoing trust from windows I get an access denied message. In
    samba logs I get " get_md4pw: Workstation CATS$: no account in domain"
    although I've created a trust account on the samba server
    using 'smbldap-useradd -w CATS' then I do the ldapmodify stuff according to
    the samba interdomain trust howto and set the sambaAcctFlags to "I". When I
    try to do "net rpc trustdom establish CATS" I type the password and
    get "[2007/04/12 15:43:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
    cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine CODY1.
    Error was NT_STATUS_ACCESS_DENIED
    [2007/04/12 15:43:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
    Couldn't not initialise wkssvc pipe"

    If I type the wrong password, I get "NT_STATUS_LOGON_FAILURE" so I know the
    password is right. Does anyone have any ideas?

    [root@server ~]# smbldap-usershow cats$
    dn: uid=CATS$,ou=People,dc=domain,dc=com
    objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
    cn: CATS$
    sn: CATS$
    uid: CATS$
    uidNumber: 1140
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer
    userPassword: {SMD5}ZERr2tHzfxsdfFSddfsdfWs=
    sambaPwdLastSet: 0
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    displayName: System User
    sambaSID: S-1-5-21-1149954056-267194260-154304278-3280
    sambaAcctFlags: [I]
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] InterDomain Trust Issue w/Server 2003

    On Thu, 2007-04-12 at 15:45 -0500, Cody Jarrett wrote:
    > I'm having an issue establishing a trust between a samba/ldap PDC and a
    > windows 2003 Active directory server on a separate domain. Here is what I've
    > done. I've created a 2 way trust in windows with the samba domain. When I try
    > to verify the outgoing trust from windows I get an access denied message. In
    > samba logs I get " get_md4pw: Workstation CATS$: no account in domain"
    > although I've created a trust account on the samba server
    > using 'smbldap-useradd -w CATS' then I do the ldapmodify stuff according to
    > the samba interdomain trust howto and set the sambaAcctFlags to "I".


    The way I've always done it for the windows trusts samba case is to
    smbpasswd -i -a, and set a password. Then you put that password into
    the windows server.

    I've not done the setup for the other direction, but I understand there
    may be some bugs.

    > When I
    > try to do "net rpc trustdom establish CATS" I type the password and
    > get "[2007/04/12 15:43:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
    > cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine CODY1.
    > Error was NT_STATUS_ACCESS_DENIED
    > [2007/04/12 15:43:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
    > Couldn't not initialise wkssvc pipe"
    >
    > If I type the wrong password, I get "NT_STATUS_LOGON_FAILURE" so I know the
    > password is right. Does anyone have any ideas?


    Chatting with tridge around the office, he was trying this out recently,
    and thought some things were wrong. We may well have some issues (or
    at least unclear docs) for the windows-trusts-samba case.

    Andrew Bartlett

    --
    Andrew Bartlett http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc. http://redhat.com


