Gianluca Cecchi
2006-Aug-11 13:15 UTC
[Samba] problems trusting a w2003 domain server from samba 3
I have a Samba 3 PDC (SAMBA domain with hostname "pevpdc") on CentOS 3.7 (package is named samba-3.0.9-1.3E.7) and I have a w2k3 SP1 domain (W2003 domain with hostname "mailserver"). The latter is in mixed mode and is an Exchange server; the former is without winbind, using the smbpasswd backend and "security = user" in smb.conf.

I would like to authenticate mailserver users through Samba mgmt. So if I understand correctly, I need a one-way trust relationship where the SAMBA domain is the trusting one, while the W2003 domain is the trusted one.

From w2003, in AD Domains and Trusts I create the new one-way incoming trust, specifying SAMBA as the domain and a password for the trust; then I select to confirm the incoming trust and so I have to specify an administrative user/password on the SAMBA domain, but I get at the end of the wizard:

  "The verification of the incoming trust failed with the following error(s): The target system PEVPDC does not support NetLogon trust password verification. A secure channel reset will be attempted. The secure channel reset failed with error 1355: The specified domain either does not exist or could not be contacted."

and also in the same window:

  "Before this trust can function it must also be created in the other domain. Ensure that the same trust password is used in both domains."

I click the Finish button anyway, as I can validate later.

In Samba I run as root:

  net rpc trustdom establish PEVIANIMAIL
  Password: [here I use the trust password supplied in the mailserver wizard]

I get:

  Could not connect to server MAILSERVER
  [2006/08/11 14:47:58, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
    cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine MAILSERVER.  Error was NT_STATUS_ACCESS_DENIED
  [2006/08/11 14:47:58, 0] utils/net_rpc.c:rpc_trustdom_establish(4363)
    Couldn't not initialise wkssvc pipe

What are the bits I'm missing? Would it be sufficient to use winbind on Samba?
In this case, is the implementation of winbind doable without stopping Samba services? What is the message related to the 1355 error in w2003 about the secure channel?

Thanks in advance for your help.
Best regards,
Gianluca
Gianluca Cecchi
2006-Aug-11 16:05 UTC
[Samba] Re: problems trusting a w2003 domain server from samba 3
It seems that I didn't understand the concepts of trusting and trusted quite well... :-(

Looking deeper at the documents at
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbb_act_kxlx.mspx?mfr=true
http://support.microsoft.com/default.aspx?scid=kb;en-us;325874
I understood that I had to establish the opposite of what I was trying to do...

So, the configuration should be supported also without winbind on the Samba side. And in fact I successfully created the interdomain trust account on the Samba server and then on w2003 I successfully created the OUTGOING trust for the SAMBA domain.

At the end I disabled the SID history for the users (I don't know if it is correct?) with the command:

  netdom trust W2003 /domain:SAMBA /quarantine:No /userO:admin_user /passwordo:admin_user_password

My Samba users can now be granted access to resources in the AD domain. In fact, if I create a share on the mailserver server, I can connect from a Windows XP workstation of the SAMBA domain without being asked for a password. And this happens if, for example, I set different passwords for the user in the SAMBA domain and in the W2003 domain. SUCCESS!

The problem is: on a Windows XP workstation connected as user gcecchi (authenticated on the SAMBA domain) I have Outlook 2003 that is configured for accessing mailserver on the W2003 domain. When I open Outlook, it always asks me for the mailserver password, both in the case where the two domain passwords for the user are the same and where they are different.....

Before trusting, if the passwords were different, there was the popup asking for the one of the mailserver; otherwise the connection was (implicitly, I suppose) attempted with the logon password and it succeeded....

How can I manage this and prevent Outlook from asking for the password????

Any help would be appreciated.
Thanks
Gianluca

On 8/11/06, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
> I have samba 3 PDC (SAMBA domain with hostname "pevpdc") on CentOS 3.7
> (package is named samba-3.0.9-1.3E.7) and I have a w2k3 sp1 domain
> (W2003 domain with hostname "mailserver").
> The last is in mixed mode and is an exchange server and the former is
> without winbind, using smbpasswd backend and "security = user" in
> smb.conf.
>
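Added example, not code from the original thread or from the Samba project: a small POSIX shell check for the Samba-side step of the working setup above, where the interdomain trust account for the W2003 domain is created on the PDC (with "smbpasswd -a -i W2003", after a matching Unix account "W2003$" exists, as the linked Samba HOWTO describes) before the outgoing trust is created on the Windows side. The check reads a smbpasswd backend file and verifies that the "W2003$" record exists and carries the I (interdomain trust) flag rather than a W (workstation) flag, which is the usual reason a trust set up this way does not come up. The file content is constructed for the example, the hashes are placeholders, and the /etc/samba/smbpasswd path in the usage comment is an assumption. One caveat on the "/quarantine:No" step in the post: that switch turns off SID filtering on the trust, so W2003 then honors SIDs carried in SIDHistory by accounts from the SAMBA domain; a compromised trusted domain can use that to claim membership in W2003 groups, so leave quarantining on unless a migration actually needs SIDHistory.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a Samba 3 smbpasswd
# backend file for the interdomain trust account that "smbpasswd -a -i W2003"
# creates, i.e. the Samba-side half of a trust in which the W2003 domain
# trusts the SAMBA domain.
#
# smbpasswd record layout (colon separated):
#   name:uid:LM hash:NT hash:[account flags]:LCT-<hex last change time>:
# Account flags: U = normal user, W = workstation trust account,
#                I = interdomain trust account, D = disabled, N = no password.
#
# Constructed sample file: the hashes are placeholders, not real hashes.
SAMPLE_SMBPASSWD='gcecchi:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-44DC8000:
WKSTN01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-44DC8001:
W2003$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[I          ]:LCT-44DC8002:'

# account_flags CONTENT NAME
# Prints the account-flags field of the record whose name is NAME
# (prints nothing when no such record exists).
account_flags() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '$1 == name { print $5; exit }'
}

# has_trust_account CONTENT DOMAIN
# Returns 0 when the record DOMAIN$ exists and carries the I flag,
# 1 otherwise. A DOMAIN$ record that only carries W is a workstation
# (machine) account, which the interdomain trust cannot use.
has_trust_account() {
    flags=$(account_flags "$1" "$2\$")
    case "$flags" in
        \[*I*\]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage on the PDC (assumed path of the smbpasswd backend file; adjust to
# the "smb passwd file" setting in smb.conf if it differs):
#   if has_trust_account "$(cat /etc/samba/smbpasswd)" W2003; then
#       echo "interdomain trust account W2003\$ present"
#   else
#       echo "missing: run  smbpasswd -a -i W2003  (after creating the Unix account W2003\$)"
#   fi
```

The check reads the whole file into a variable so it can be run as an unprivileged copy-and-inspect step; on a live PDC the smbpasswd file holds password-equivalent NT hashes, so keep it root-only and do not copy it around.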