Hello,

I am setting up a new PDC for a new domain using samba 3.2.0. I use LDAP as passwd/idmap backend.

I started from scratch, just creating the OU for the users/groups/machines/idmaps in the ldap directory, + a user used to bind to ldap.

So from there I started winbind and ran net sam provision, which worked great.
Now I plan for this domain to have a one way trust with one other domain, and as I start playing with wbinfo to verify the local/builtin groups appear, I found that wbinfo -t fails to check the secret with:

    myserver:/usr/local/samba/bin# wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
    Could not check secret

So, I'm wondering, do I need to create some kind of machine trust account for the PDC itself, or is this reply from wbinfo -t expected?

    [global]
    workgroup = EVENTLAB
    netbios name = TLS-SRV-01
    server string = Samba for EventLab
    interfaces = eth1 lo
    bind interfaces only = Yes
    hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
    socket address = 10.211.254.253
    passdb backend = ldapsam:ldap://127.0.0.1:389
    ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Machines
    ldap suffix = dc=x-files,dc=fr
    ldapsam:trusted = Yes
    ldapsam:editposix = Yes
    time server = Yes
    map acl inherit = Yes
    nt acl support = Yes
    unix charset = UTF-8
    # unix password sync = Yes
    # passwd chat = *new*password* %n\n*new*password* %n\n *updated*
    # pam password change = No
    passwd program = /usr/sbin/smbldap-passwd %u
    # username map = /etc/samba/username.map
    reset on zero vc = Yes
    use sendfile = Yes
    #
    # Logon options
    #
    domain logons = Yes
    logon drive = h:
    logon path = \\TLS-SRV-01\Profiles\%U
    logon home = \\TLS-SRV-01\%U
    logon script = Startup.bat
    #
    # Printing options
    #
    load printers = No
    #
    # Browsing options
    #
    os level = 65
    announce version = 4.9
    preferred master = No
    domain master = Yes
    local master = No
    # remote browse sync = 10.212.254.254
    # remote announce = 10.212.254.254
    #
    # WINS and resolver options
    #
    wins support = Yes
    # wins server = 10.212.254.254
    wins proxy = Yes
    name resolve order = lmhosts wins host bcast
    #
    # Debug options
    #
    log level = 0
    debug timestamp = No
    debug prefix timestamp = No
    debug hires timestamp = No
    debug pid = Yes
    debug uid = Yes
    #
    # Winbind options
    #
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap domains = TRUSTEDDOM
    idmap config TRUSTEDDOM:backend = ldap
    idmap config TRUSTEDDOM:default = Yes
    idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
    idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
    idmap config TRUSTEDDOM:ldap_url = ldap://localhost/
    idmap config TRUSTEDDOM:range = 10000 - 10999
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
    idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
    idmap alloc config:ldap_url = ldap://localhost/
    idmap alloc config:range = 20000 - 20999
    template homedir = /home/home/%D/%U
    template shell = /bin/false
    winbind: rpc only = yes
    winbind nested groups = yes

--
François Legal
On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
> Hello,
>
> I am setting up a new PDC for a new domain using samba 3.2.0.
> I use LDAP as passwd/idmap backend.
>
> I started from scratch, just creating the OU for the
> users/groups/machines/idmaps in the ldap directory, + a user used to bind
> to ldap.
>
> So from there I started winbind and ran net sam provision, which worked
> great.
> Now I plan for this domain to have a one way trust with one other domain,
> and as I start playing with wbinfo to verify the local/builtin groups
> appear, I found that wbinfo -t fails to check the secret with:
> myserver:/usr/local/samba/bin# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> Could not check secret
>
> So, I'm wondering, do I need to create some kind of machine trust account
> for the PDC itself, or is this reply from wbinfo -t expected?

Yes, you need to "join" the machine to itself (the PDC) using net join before winbindd will work in this way on the PDC. Sorry, rather counterintuitive I know but the way it works at present.

Jeremy.
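As an added illustration of the check-then-join step Jeremy describes (this is not code from the thread or from Samba itself), a small POSIX sh helper that classifies the output of `wbinfo -t` and, when the PDC has not yet joined its own domain, runs `net join` before re-checking. The admin account name comes from an assumed `SAMBA_ADMIN` variable; the sample output below is constructed from the message in the thread.

```shell
#!/bin/sh
# Classify the text printed by `wbinfo -t` (passed as one string).
# Prints: ok | needs_self_join | other_failure
classify_wbinfo_output() {
  case "$1" in
    *"checking the trust secret"*succeeded*) echo ok ;;
    *NT_STATUS_CANT_ACCESS_DOMAIN_INFO*)     echo needs_self_join ;;
    *)                                       echo other_failure ;;
  esac
}

# Run the real check on a PDC and join the machine to itself if needed.
# Only invoked when the script is run with --run, so sourcing it is harmless.
ensure_pdc_self_joined() {
  out=$(wbinfo -t 2>&1)
  case "$(classify_wbinfo_output "$out")" in
    ok)
      echo "trust secret OK"; return 0 ;;
    needs_self_join)
      echo "PDC has no machine account yet; joining it to its own domain"
      # SAMBA_ADMIN is an assumed variable naming the domain admin user.
      net join -U "${SAMBA_ADMIN:-root}" && wbinfo -t ;;
    *)
      echo "unexpected wbinfo -t result:" >&2
      echo "$out" >&2
      return 1 ;;
  esac
}

# Constructed sample, copied from the failure quoted in the thread.
SAMPLE_FAILURE='checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret'

if [ "${1:-}" = "--run" ]; then
  ensure_pdc_self_joined
else
  # Offline demonstration: prints "needs_self_join"
  classify_wbinfo_output "$SAMPLE_FAILURE"
fi
```

Run it with `--run` on the PDC itself; without the flag it only classifies the constructed sample.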