I am trying to establish a domain trust between a Samba 3.024 domain and a PC Netlink 2.0 domain.

Currently, we are using PC Netlink as our primary Windows file server and "NT4" domain controller. (Let's say that the domain is called LEGACY and the domain controller LX1.) Windows 2003 servers are unable to join a PC Netlink domain (even with the SignOrSeal option disabled). For this and other reasons, the eventual goal is to drop PC Netlink in favor of Samba. In the interim, I would like to make resources on Windows 2003 machines available to users without a duplicate set of accounts being required.

To this end, I configured a Samba 3.024 domain "SAMBA" with a machine called SMB1. I can add Windows 2003 servers to this domain. I then tried to establish trusts. (Actually, I only need the SAMBA domain to trust the LEGACY domain.)

LEGACY DOMAIN TO TRUST SAMBA DOMAIN

I tried the following to have the LEGACY domain trust the SAMBA domain:

On SMB1:

    # useradd legacy$
    # smbpasswd -a -i legacy

On a Windows 2000 server in the LEGACY domain, I used the NT4 User Manager for Domains tool to add the SAMBA domain as a trusted domain, which seemed to work. I then added my SAMBA user account to the local users group of the Windows 2000 machine. However, when I try to log in as that user, I get the following message: "the system cannot log you on now because the domain e2k is not available."

The event log on the PC Netlink server shows "no domain controller is available for E2K for the following reason: There are currently no logon servers available to service the logon request"

SAMBA DOMAIN TO TRUST LEGACY DOMAIN

I have also tried to have the SAMBA domain trust the LEGACY domain. On the Windows 2000 server in the LEGACY domain, with the User Manager for Domains tool, I listed SAMBA as a trusting domain.

Then, on SMB1:

    smb1# net rpc trustdom establish legacy
    Could not connect to server LX1
    Trust to domain LEGACY established

On the Windows 2003 server in the SAMBA domain, I attempt to add users from the LEGACY domain to the local users group. I go to the CompMgt console -> users -> add -> select the domain. When prompted, I enter the LEGACY\Administrator name and password. When I attempt to list accounts, or explicitly add a name, from the LEGACY domain, I get the message "The following error occurred while using the user name and password you entered. The remote procedure call failed and did not execute."

Any thoughts? Thanks for your help.

On Thu, Apr 26, 2007 at 03:00:08PM -0400, Damian Lock (SSCI) wrote:
> I am trying to establish a domain trust between a Samba 3.024 domain and
> a PC Netlink 2.0 domain.

These types of problems are a bit difficult to diagnose, none of the Samba developers I know has direct access to a PC Netlink installation. It should be possible to get these bugs fixed, but I would say that this is not really a high priority task for us. You might have more success migrating that domain to NT4, I've seen successful migrations away from PC Netlink via the NT4 path.

Volker

I have set up NT4 Server (with Service Pack 6a). The domain is called "ENT4." I added the MS KB828741 patch (RPC buffer overflow) from Microsoft, which was the patch that in the past caused problems with PC Netlink and Samba (until both of those were patched).

I was successfully able to establish two-way trusts between the NT4 domain and the PC Netlink domain.

As part of trying to get trusts between PCNL and Samba, I had added the following to smb.conf:

    client schannel = no
    server schannel = no
    enable asu support = yes

It didn't seem to help, so I took them out.

On the Samba server, I created an ent4 interdomain account.

    # useradd ent4$
    # smbpasswd -a -i ent4

On the NT4 PDC I was able to add the SAMBA domain as a trusting and trusted domain.

On the Samba server, to finish setting up the trusts I typed net rpc trustdom establish ent4 (this is to have the ENT4 domain trust the SAMBA domain). But I get the following:

    # net rpc trustdom establish ent4
    Password:
    Could not connect to server NT4PDC
    Trust to domain ENT4 established

Which is basically what I got when trying to establish trusts between Samba and the PCNL domain. I suspect it is an RPC issue.

Thanks

-------- Forwarded Message --------
> From: Volker Lendecke <Volker.Lendecke@SerNet.DE>
> Reply-To: Volker.Lendecke@SerNet.DE
> To: Damian Lock (SSCI) <Damian.Lock@ssci.com>
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba 3.x and PCNetLink domain trusts
> Date: Fri, 27 Apr 2007 07:44:54 +0200
>
> On Thu, Apr 26, 2007 at 03:00:08PM -0400, Damian Lock (SSCI) wrote:
> > I am trying to establish a domain trust between a Samba 3.024 domain and
> > a PC Netlink 2.0 domain.
>
> These types of problems are a bit difficult to diagnose,
> none of the Samba developers I know has direct access to a
> PC Netlink installation. It should be possible to get these
> bugs fixed, but I would say that this is not really a high
> priority task for us. You might have more success migrating
> that domain to NT4, I've seen successful migrations away
> from PC Netlink via the NT4 path.
>
> Volker

On Tue, May 01, 2007 at 01:36:19PM -0400, Damian Lock (SSCI) wrote:
> # net rpc trustdom establish ent4
> Password:
> Could not connect to server NT4PDC
> Trust to domain ENT4 established

Ok, then even with the NetLink domain it worked. This is an unfortunate but expected error message. Everything is fine :-)

Volker