I am trying to establish a 2-way trust relationship between a Samba domain and
a Win2008 AD domain. The trust relationship is established and even verified
by both sides, but when I try to access Samba resources from the Win2008 domain,
it prompts for a username and password. However, I can access the Win2008
resources from the Samba domain without being prompted for a username and
password.

My Win2008 is the RTM version, domain functional level in Win2003 mode, DNS
and WINS enabled. The trust SID filtering is disabled. Samba version is
samba-3.0.28a-0.fc8, server DNS and Samba WINS IP pointing to my Win2008,
winbind disabled.

I also tweaked all available options in Samba (security, winbind settings, dns
proxy, wins enable, etc.), but it is still the same.

Below are the error messages:
[2008/03/25 20:31:39, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server WIN2008SRV for domain WIN2008AD.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:connect_to_domain_password_server(119)
  connect_to_domain_password_server: unable to open the domain client session to machine WIN2008SVR. Error was : NT code 0xc0000388.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:domain_client_validate(220)
  domain_client_validate: Domain password server not available.

Below is my smb.conf :
[global]
workgroup = ITDOM
netbios name = RUMBA
passdb backend = tdbsam
server string = Rumba Server
printcap name = /etc/printcap
load printers = yes
printing = lprng
log file = /var/log/samba/%m.log
max log size = 0
security = user
password level = 6
username level = 4
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 64
domain master = yes
preferred master = yes
domain logons = yes
logon script = %U.bat
logon path = \\%L\Profiles\%U
# win2008 AD server IP
wins server = 192.168.1.100
[homes]
comment = Home
browseable = no
writable = yes
valid users = %S
create mode = 0664
directory mode = 0775
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = yes
write list = +administrator,+root
[Profiles]
path = /home/profiles
browseable = yes
writable = yes
guest ok = yes
write list = +administrator,+root
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

Below is some diagnostic output:
[root@webmail samba]# net rpc trustdom list
Password:
Trusted domains list:
WIN2008AD S-1-5-21-3371021750-61790888-841837805
none
Trusting domains list:
WIN2008AD S-1-5-21-3371021750-61790888-841837805

From the Win2008 "Active Directory Trusts and Domains", when I validate the
2-way trust, I get the message "The trust has been validated. It is in place
and active." The trusts are good.
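
An added triage example, not part of the original post: it reassembles Samba level-0 log records that a mail client has wrapped, as in the error messages above, extracts the NT status code, and collects the server names each record mentions so that spelling differences between records stand out. The name given for 0xc0000388 comes from Microsoft's NTSTATUS list; the function names `parse_records` and `peer_names` are this example's own.

```python
import re

# The three records from the post, wrapped the way the e-mail shows them.
SAMPLE_LOG = """\
[2008/03/25 20:31:39, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
cli_rpc_pipe_open_schannel: failed to get schannel session key from server
WIN2008SRV for domain WIN2008AD.
[2008/03/25 20:31:39, 0]
auth/auth_domain.c:connect_to_domain_password_server(119)
connect_to_domain_password_server: unable to open the domain client
session to machine WIN2008SVR. Error was : NT code 0xc0000388.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:domain_client_validate(220)
domain_client_validate: Domain password server not available.
"""

RECORD_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}, +\d+\]", re.M)
RECORD = re.compile(
    r"\[(?P<ts>[^,\]]+), +(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)")
NT_CODE = re.compile(r"NT code (0x[0-9a-fA-F]{8})")
PEER = re.compile(r"(?:from server|to machine) (\w+)")
# Only the status seen in the post; extend from the NTSTATUS list as needed.
NT_STATUS = {0xC0000388: "STATUS_DOWNGRADE_DETECTED"}

def parse_records(text):
    """Split on timestamp headers, undo line wrapping, return one dict per record."""
    starts = [m.start() for m in RECORD_START.finditer(text)] + [len(text)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        flat = " ".join(text[begin:end].split())  # collapse wrapped lines
        m = RECORD.match(flat)
        if not m:
            continue  # header without file:function(line); skip it
        rec = m.groupdict()
        rec["level"], rec["line"] = int(rec["level"]), int(rec["line"])
        code = NT_CODE.search(rec["msg"])
        rec["nt_code"] = int(code.group(1), 16) if code else None
        rec["nt_name"] = NT_STATUS.get(rec["nt_code"])
        records.append(rec)
    return records

def peer_names(records):
    """Server names the records refer to ('from server X', 'to machine Y')."""
    return {name for r in records for name in PEER.findall(r["msg"])}
```
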