Roberts, Mike
2007-Jan-08 23:23 UTC
[Samba] Samba 3.0.22 PDC trusting Active Directory 2003
I'm a longtime Samba user and admin (since 1.7) and I thought I had seen just about everything until Active Directory 2003 (native mode) completely took out our Samba user authentication (each server auth=domain to an AD 2000 domain). We have Samba running on a variety of servers (AIX, HP, Linux) and need to be able to provide our users with the ability to access their appropriate shares without having to maintain passwords on every server.

Because of concerns about turning all user authentication on all of the servers over to Active Directory, the best solution seemed to be to create a Samba domain. This way all of the Samba servers could look to the Samba PDC for user authentication which would then look to the AD 2003 realm via a trust relationship (Samba trusting, AD trusted).

The Samba PDC is a SUSE SLES 10 server running Samba version 3.0.22. It has been configured as a trusting domain in our AD 2003 lab realm. When I try to establish the trust using "net rpc trustdom establish", everything seems to be going well and then the establish fails with the following message:

    [2007/01/05 14:25:20, 0] utils/net_rpc.c:rpc_trustdom_establish(5064)
      Couldn't verify trusting domain account. Error was NT_STATUS_OK
    [2007/01/05 14:25:20, 2] utils/net.c:main(879)
      return code = -1

All that shows up in the Windows logs are a successful login and logout by my PDC.

I've been digging in the Samba documentation and maillist for several weeks as well as searching the web for any information remotely related to what I am doing including and especially chapter 19 of the Official How-To. All of the information I have run across deals primarily with establishing a trust to an AD 2000 domain in mixed mode or to joining an AD 2003 domain.

Is it possible to establish this type of relationship between AD 2003 in native mode and Samba at the current time? Any suggestions on possible issues to beware of or suggestions as to what might be causing the error would be greatly appreciated.
A how-to for an AD 2003 native environment would be fantastic.

Thanks

Mike Roberts
System Engineer 2, Enterprise Systems