On 11/12/15 15:41, Bob Thomas wrote:
> First, thank you all for this forum, as I am fairly new at both Ubuntu
> and Samba I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (Holds our production servers and user accounts
> for that domain)
>
> Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
> think):
>
> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are: first, I am unable to create an
> Inter-domain Trust Account:
>
> ####
> root@PDC:/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second, with samba-tool I get:
>
> #####
> root@PDC:~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz]
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
>         workgroup = CY
>         realm = CY.ABC.BIZ
>         server role = active directory domain controller
>         security = USER
>         passdb backend = samba_dsdb
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         winbind nss info = rfc2307
>         allow dns updates = nonsecure and secure
>         dns forwarder = 10.157.1.178
>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
>                           kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap config cy:range = 10000-29999
>         idmap config cy:schema_mode = rfc2307
>         idmap config cy:backend = ad
>         idmap config *:range = 5000-9999
>         kccsrv:samba_kcc = false
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>         read only = No
>
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the
> Samba-AD-DC, but I need the trust established first so I can go step by
> step and test moving 18 production servers one at a time.
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly
> appreciated.
>
> Bob Thomas

I think you are going about this the wrong way, you are trying to create a new AD domain and then set up trusts between your old NT4 domain and your new AD domain, correct?

I think you should be going down the classic-upgrade path instead, i.e. upgrade your original domain to an AD one. I take it all your users are in the NT domain; if so, and their computers see the new AD, they *will* not go back to the original NT P/BDC without a complete re-install.

See here for info about the classic-upgrade:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

Also, quite a lot of what you have added to your DCs' smb.conf shouldn't be there, I would suggest that you put it back to what it was after the provision.

I hope you are doing this in a test environment.

Rowland

___________

Rowland,

Thank you for the quick response. I am not sure how to post added info or answers here, I tried twice posting a reply at http://www.eenyhelp.com Friday on the subject and verified it. I got the notice that the update would be posted in about an hour but -- nothing. I tried again this morning and still nothing. Is that the correct place to post updates?

As for my issue,

You are correct, I am trying to create a new AD domain and then set up trusts between my old NT4 domain and my new AD domain.

I have looked into the classic-upgrade but not sure it will work for me because my old domain is a MS NT4 domain, not Samba. Not to mention, the accounts have been neglected for years and I really don't want to transfer the mess into AD.

As for my smb.conf, my mistake - I posted the output of testparm and not the actual config, which is below. If you have any recommended changes please advise:

[global]
        workgroup = CY
        realm = CY.ABC.BIZ
        netbios name = SDC
        server role = active directory domain controller
        server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
                          kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        dns forwarder = 10.157.1.178

        security = user

        kccsrv:samba_kcc = false

        wins support = true

        idmap config *:backend = tdb
        idmap config *:range = 5000-9999
        idmap config CY:backend = ad
        idmap config CY:schema_mode = rfc2307
        idmap config CY:range = 10000-29999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/cy.abc.biz/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

As for the test environment, I have been testing for over two months with the Ubuntu repository Samba version 4.1.6, but just recently upgraded to 4.3.2 hoping I could get the trust relationship working. The MS NT4 domain is our production domain and I am not sure I could duplicate it in a test environment. So I would like to gradually move Samba into production, using the domain trust so I can test things as they are moved over.

So back to my original question: is it possible to create the trust between Samba-AD 4.1.6 and a MS NT4 domain? If so, how?

Thanks again,

Bob
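Rowland's advice in the exchange above is to strip the DC's smb.conf back to what `samba-tool domain provision` wrote. The script below is an added example for this page, not code from the thread or from the Samba project: it parses Bob's posted config and lists every [global] parameter that provision does not write. The baseline key set and the wording of each finding are my assumptions. One hit deserves more than "remove it": `allow dns updates = nonsecure`, which testparm expands to `nonsecure and secure` as the first post shows, lets any host on the network register or overwrite records in the AD DNS zone without authenticating, while the provision default is `secure only`. The `idmap config` lines are member-server settings; on a DC the ID mapping for its own domain comes from idmap_ldb, so they are dead weight here.

```python
"""Audit a Samba AD DC smb.conf against what `samba-tool domain provision` writes.

Added example for this thread, not Samba project code.  Assumption: on a 4.x
DC using the internal DNS server, provision writes only the [global] keys in
PROVISION_GLOBAL_KEYS plus the [netlogon] and [sysvol] shares; everything
else in [global] was added by hand and is worth questioning.
"""
import re

PROVISION_GLOBAL_KEYS = {
    "workgroup", "realm", "netbios name", "server role",
    "dns forwarder", "idmap_ldb:use rfc2307",
}

# Bob's posted config, transcribed from the thread (comment line included).
BOB_SMB_CONF = """\
[global]
workgroup = CY
realm = CY.ABC.BIZ
netbios name = SDC
server role = active directory domain controller
server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
dns forwarder = 10.157.1.178
security = user
kccsrv:samba_kcc = false
wins support = true
idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config CY:backend = ad
idmap config CY:schema_mode = rfc2307
idmap config CY:range = 10000-29999
# Use home directory and shell information from AD
winbind nss info = rfc2307

[netlogon]
path = /var/lib/samba/sysvol/cy.abc.biz/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
"""


def normalise_key(key):
    """Samba compares parameter names case-insensitively and ignores the
    whitespace around ':' in 'module:option' names."""
    key = re.sub(r"\s*:\s*", ":", key.strip().lower())
    return re.sub(r"\s+", " ", key)


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} preserving order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, []).append((normalise_key(key), value.strip()))
        elif sections.get(current):
            # Mail clients wrap long values; glue a bare line onto the previous value.
            key, value = sections[current][-1]
            sections[current][-1] = (key, value + " " + line)
    return sections


def audit_dc_global(sections):
    """List (key, reason) for every [global] parameter provision did not write."""
    findings = []
    for key, value in sections.get("global", []):
        if key == "allow dns updates" and "nonsecure" in value.lower():
            findings.append((key, "SECURITY: unauthenticated hosts may create or "
                                  "overwrite AD DNS records; the default is 'secure only'"))
        elif key.startswith("idmap config"):
            findings.append((key, "member-server setting; on a DC the mapping for its "
                                  "own domain comes from idmap_ldb"))
        elif key not in PROVISION_GLOBAL_KEYS:
            findings.append((key, "not written by provision; remove unless you know "
                                  "why it is there"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_dc_global(parse_smb_conf(BOB_SMB_CONF)):
        print(f"{key:32} {reason}")
```

To run it against a live DC, replace `BOB_SMB_CONF` with the contents of `/etc/samba/smb.conf`; after trimming the file, `testparm -s` is still the authority on whether Samba accepts what is left, since this parser only imitates the name normalisation, not the full grammar.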
On 14/12/15 15:36, Bob Thomas wrote:
> [...]
>
> So back to my original question: is it possible to create the trust
> between Samba-AD 4.1.6 and a MS NT4 domain? If so, how?

I think it should be possible now, but I have never tried doing it, a quick google seems to suggest it is a known AD problem, see here:

https://support.microsoft.com/en-us/kb/889030

I still think you would be better off going down the classic-upgrade path.

If your ultimate aim is to remove all your NT servers, you will still have to get your users, groups and computers etc into the new domain from the old domain, this is something that the classic-upgrade will do for you.

Rowland
OOPs, I really must get a new pair of glasses, I totally missed this lot in the mess that appeared in my email client :-D

On 14/12/15 15:36, Bob Thomas wrote:
>
> Rowland,
>
> Thank you for the quick response. I am not sure how to post added info
> or answers here, I tried twice posting a reply at
> http://www.eenyhelp.com Friday on the subject and verified it. I got
> the notice that the update would be posted in about an hour but --
> nothing. I tried again this morning and still nothing. Is that the
> correct place to post updates?

Just reply to the Samba list, it will do the rest.

> As for my issue,
>
> You are correct, I am trying to create a new AD domain and then set up
> trusts between my old NT4 domain and my new AD domain.
>
> I have looked into the classic-upgrade but not sure it will work for
> me because my old domain is a MS NT4 domain, not Samba. Not to
> mention, the accounts have been neglected for years and I really don't
> want to transfer the mess into AD.

OK, I understand it better now, you want to lose the NT domain and move to AD. Not sure if I would do it the way you are trying, how many computers and users?

> As for my smb.conf, my mistake - I posted the output of testparm and
> not the actual config, which is below. If you have any recommended
> changes please advise:
>
> [smb.conf snipped, quoted in full above]

Yes, as I said before, put it back to what it was before you started adding things to it.

> As for the test environment, I have been testing for over two months
> with the Ubuntu repository Samba version 4.1.6, but just recently
> upgraded to 4.3.2 hoping I could get the trust relationship working.
> The MS NT4 domain is our production domain and I am not sure I could
> duplicate it in a test environment. So I would like to gradually move
> Samba into production, using the domain trust so I can test things as
> they are moved over.

I would setup a new domain, extract your users & groups etc from your old domain, remove anything you no longer require and then create them in your new domain. Then start adding your computers to the new domain a few at a time.

> So back to my original question: is it possible to create the trust
> between Samba-AD 4.1.6 and a MS NT4 domain? If so, how?

See my earlier incorrect post.

Rowland
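Rowland's suggested path in the reply above is to extract the users and groups from the NT4 domain, drop what is no longer needed, and recreate the rest in the new AD domain. The script below is an added example for this page, not code from the thread or from the Samba project, of that filtering step. It reads a constructed CSV export (the column layout is my assumption; the thread shows no export format, so produce this file however your NT4 tooling allows), drops disabled accounts, built-in accounts the new domain already has, and accounts with no logon inside the last year, and then emits the `samba-tool user create`, `samba-tool group add` and `samba-tool group addmembers` commands that recreate the rest. Users are created with `--random-password --must-change-at-next-login`, so no NT4 password hash is carried over and each person gets a fresh credential at handover; the group and user names in the sample are invented.

```python
"""Filter an NT4 account export and emit samba-tool commands for the new AD domain.

Added example for this thread, not Samba project code.  The CSV layout
(username, full_name, groups, last_logon, disabled) is an assumption: the
thread shows no export format.  Nothing here runs samba-tool; it prints the
commands so the dropped list can be reviewed before anything touches the DC.
"""
import csv
import io
import shlex
from datetime import date, timedelta

# Constructed sample export; every name and date is invented for the demo.
SAMPLE_EXPORT = """\
username,full_name,groups,last_logon,disabled
bthomas,Bob Thomas,Domain Admins;Finance,2015-12-10,no
jdoe,Jane Doe,Finance,2015-11-28,no
olduser,Old User,Finance,2011-03-02,no
svc_backup,Backup Service,Backup Operators,2015-12-12,no
tempacct,Temp Account,,2014-06-01,yes
Guest,,Domain Guests,,no
"""

# Accounts and groups a freshly provisioned Samba AD domain already contains.
BUILTIN_USERS = {"administrator", "guest", "krbtgt"}
BUILTIN_GROUPS = {"Domain Admins", "Domain Users", "Domain Guests",
                  "Backup Operators", "Account Operators", "Server Operators",
                  "Print Operators"}


def parse_export(text):
    """Turn the CSV into dicts with typed 'groups', 'disabled' and 'last_logon'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["groups"] = [g for g in row["groups"].split(";") if g]
        row["disabled"] = row["disabled"].strip().lower() in ("yes", "true", "1")
        row["last_logon"] = (date.fromisoformat(row["last_logon"])
                             if row["last_logon"] else None)
        rows.append(row)
    return rows


def select_accounts(rows, today, max_idle_days=365):
    """Return (keep, dropped); dropped maps username -> reason it was left behind."""
    keep, dropped = [], {}
    cutoff = today - timedelta(days=max_idle_days)
    for row in rows:
        name = row["username"]
        if name.lower() in BUILTIN_USERS:
            dropped[name] = "built-in account; the new domain has its own"
        elif row["disabled"]:
            dropped[name] = "disabled in the old domain"
        elif row["last_logon"] is None or row["last_logon"] < cutoff:
            dropped[name] = f"no logon since {row['last_logon']}"
        else:
            keep.append(row)
    return keep, dropped


def samba_tool_commands(keep):
    """One 'user create' per kept account, then group creation and membership."""
    cmds, members = [], {}
    for row in keep:
        first, _, last = row["full_name"].partition(" ")
        cmd = ["samba-tool", "user", "create", row["username"],
               "--random-password", "--must-change-at-next-login"]
        if first:
            cmd += ["--given-name", first]
        if last:
            cmd += ["--surname", last]
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
        for group in row["groups"]:
            members.setdefault(group, []).append(row["username"])
    for group, users in members.items():
        if group not in BUILTIN_GROUPS:
            cmds.append(f"samba-tool group add {shlex.quote(group)}")
        cmds.append(f"samba-tool group addmembers {shlex.quote(group)} "
                    f"{shlex.quote(','.join(users))}")
    return cmds


if __name__ == "__main__":
    keep, dropped = select_accounts(parse_export(SAMPLE_EXPORT), date.today())
    for name, reason in dropped.items():
        print(f"# dropped {name}: {reason}")
    print("\n".join(samba_tool_commands(keep)))
```

Review the `# dropped` lines before pasting the commands into a root shell on the DC; an account that is wrongly dropped is cheap to add later, whereas a stale privileged account carried into the new domain (note `bthomas` lands in Domain Admins) is exactly the mess the thread wants to leave behind.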