Hello group,
I have 2 Samba PDCs w/ LDAP + winbind called FILESERVER and FUNDUS-SRV for
the domains PROFICON and FUNDUS, respectively.
In PROFICON I created a trust account for FUNDUS using
net rpc trustdom add FUNDUS <passwd> -U proficon\\administrator
which creates the LDAP entry:
dn: uid=FUNDUS$,ou=Computers,dc=office,dc=proficon,dc=sk
uid: FUNDUS$
sambaSID: S-1-5-21-1419647580-1448962253-3507612647-1036
displayName: Computer
objectClass: sambaSamAccount
objectClass: account
sambaNTPassword: <passwd>
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1217810123
sambaAcctFlags: [I ]
When I try to establish the relationship on the FUNDUS PDC with
net rpc trustdom establish PROFICON
I get the following error:
[root@fundus-srv samba]# net rpc trustdom establish proficon
Enter FUNDUS$'s password:
Could not connect to server FILESERVER
[2008/08/04 02:31:25, 0] utils/net_rpc.c:rpc_trustdom_establish(5836)
Storing password for trusted domain failed.
Also, the /var/log/samba/fundus-srv.log on FILESERVER reads:
[2008/08/04 02:31:25, 5] auth/auth_util.c:make_user_info_map(178)
make_user_info_map: Mapping user [PROFICON]\[FUNDUS$] from workstation [FUNDUS-SRV]
[2008/08/04 02:31:25, 5] auth/auth_util.c:is_trusted_domain(2021)
is_trusted_domain: Checking for domain trust with [PROFICON]
[2008/08/04 02:31:25, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2008/08/04 02:31:25, 5] auth/auth_util.c:make_user_info(92)
attempting to make a user_info for FUNDUS$ (FUNDUS$)
[2008/08/04 02:31:25, 5] auth/auth_util.c:make_user_info(102)
making strings for FUNDUS$'s user_info struct
[2008/08/04 02:31:25, 5] auth/auth_util.c:make_user_info(134)
making blobs for FUNDUS$'s user_info struct
[2008/08/04 02:31:25, 3] auth/auth.c:check_ntlm_password(220)
check_ntlm_password: Checking password for unmapped user [PROFICON]\[FUNDUS$]@[FUNDUS-SRV] with the new password interface
[2008/08/04 02:31:25, 3] auth/auth.c:check_ntlm_password(223)
check_ntlm_password: mapped user is: [PROFICON]\[FUNDUS$]@[FUNDUS-SRV]
[2008/08/04 02:31:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: fundus$
[2008/08/04 02:31:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 513
[2008/08/04 02:31:25, 5] passdb/pdb_interface.c:lookup_global_sam_rid(1499)
lookup_global_sam_rid: looking up RID 513.
[2008/08/04 02:31:25, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-1419647580-1448962253-3507612647-513] count=0
[2008/08/04 02:31:25, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 513
[2008/08/04 02:31:25, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1621)
lookup_rids: Domain Users:2
[2008/08/04 02:31:25, 4] libsmb/ntlm_check.c:ntlm_password_check(328)
ntlm_password_check: Checking NT MD4 password
[2008/08/04 02:31:25, 4] auth/auth_sam.c:sam_account_ok(137)
sam_account_ok: Checking SMB password for user fundus$
[2008/08/04 02:31:25, 5] auth/auth_sam.c:logon_hours_ok(119)
logon_hours_ok: user fundus$ allowed to logon at this time (Mon Aug 4 00:31:25 2008
)
[2008/08/04 02:31:25, 2] auth/auth_sam.c:sam_account_ok(223)
sam_account_ok: Domain trust account fundus$ denied by server
[2008/08/04 02:31:25, 5] auth/auth.c:check_ntlm_password(272)
check_ntlm_password: sam authentication for user [FUNDUS$] FAILED with error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2008/08/04 02:31:25, 3] auth/auth_winbind.c:check_winbind_security(54)
check_winbind_security: Not using winbind, requested domain [PROFICON] was for this SAM.
[2008/08/04 02:31:25, 2] auth/auth.c:check_ntlm_password(318)
check_ntlm_password: Authentication for user [FUNDUS$] -> [FUNDUS$] FAILED with error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2008/08/04 02:31:25, 5] auth/auth_util.c:free_user_info(1951)
Any ideas why the password for the trusted domain cannot be stored?
TIA