When setting up interdomain trusts under Windows NT4 the name of the trust
account was purely optional.
In other words, in setting up a one-way trust from DomA to DomB, one could go
into the NT4 Domain User Manager to set up a trust account called "GoodGuyA"
and then on DomB complete the trust simply by specifying the name "GoodGuyA"
and the password previously used on DomA.
It appears that the "net rpc trustdom establish" command insists on using the
actual domain name and not any arbitrary name for the trust relationship.
Even use of the -W or -S command line arguments does not permit the use of
valid alternative interdomain trust names.
Is there a particular reason for enforcing this semantic on this tool? In
other words, is there a protocol-specific factor that excludes the ability to
do what NT4 allows? Could this have anything to do with AD interdomain trusts?
This horrible question has emerged out of trying to help a site to resolve
HIPAA and SOX regulatory compliance issues. The current behavior of "net rpc
trustdom establish" prevents them from using a solution that would fit within
their current LDAP directory framework while still meeting these awful legal
Does anyone have a comment or solution to offer - or just some insight to the
issues? I will be revising the Interdomain trust documentation and the
Winbindd documentation in the HOWTO over the next few days and would like to
close out a lot of grey-areas that have come to light from trying to help a
couple of Samba admins.
- John T.
Re: Interdomain Trusts
John H Terpstra wrote:
> Is there a particular reason for enforcing this semantic on
> this tool? In other words, is there a protocol-specific
> factor that excludes the ability to do what NT4 allows? Could
> this have anything to do with AD interdomain trusts?
Because we grab the domain SID I believe. So the domain name needs to be
valid and one we can contact.
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian