Sébastien Prud'homme
2008-Oct-23 18:12 UTC
[Samba] Interdomain trust between Samba and W2003 ADS in native mode
Hi,

I am trying to set up a two-way interdomain trust relationship between Samba 3.2.4 and W2003 ADS in native mode (not mixed mode). I have followed this Samba HOWTO without success:
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html

All is working fine if I use a Windows NT4 Server instead of W2003 ADS. Is there something to do on Samba or ADS so that it works? Security tunings in the Windows registry, for instance?

Thanks!
Sébastien Prud'homme
2008-Oct-24 17:28 UTC
[Samba] Re: Interdomain trust between Samba and W2003 ADS in native mode
After using "log level = 10" it seems that Samba is trying to resolve DNS special names to find the ADS domain controller. But my Samba server is not using the ADS DNS infrastructure. I guess I need to declare at least these DNS names in /etc/hosts.
Sébastien Prud'homme
2008-Oct-27 12:16 UTC
[Samba] Re: Interdomain trust between Samba and W2003 ADS in native mode
Thanks.

FYI I have set up my Samba system to use the ADS DNS and I've configured /etc/krb5.conf with the ADS realm, and now I can see ADS users and groups with wbinfo :-)

I also changed some Samba conf as read in the Red Hat Knowledge Base (my distro is RHEL5.2):

  client schannel = No
  client use spnego = No
  server signing = Auto

2008/10/25 Gerald Carter <coffeedude.jerry@gmail.com>:
> Hey Ryan,
>
>> Samba3 cannot act as an AD domain controller and therefore cannot
>> operate in a trust with a native mode AD domain. Samba4 will be able
>> to do this but it is still under heavy development.
>>
>> If you put your AD domain in mixed mode, you should be able to create
>> the trust although I'm not sure if you can convert a native to mixed
>> mode or not...
>
> This is incorrect. Native mode AD can have trusts with NT4 domains
> (and therefore with Sambas as well).
>
> cheers, jerry
Sébastien Prud'homme
2008-Oct-28 18:01 UTC
[Samba] Re: Interdomain trust between Samba and W2003 ADS in native mode
The setup is working on both sides; the only difference from what is written in the Samba HOWTO is, as I said in a previous message:

- configure DNS on the Samba server so that the Samba server can resolve Active Directory special DNS names (I had to install a local, correctly configured BIND caching nameserver because the guy who is using the Active Directory server didn't use our company's global DNS)
- configure the Kerberos client on the Samba server (the same way you do it when Samba is an Active Directory member server)

Now I can "see" Active Directory users and groups on the Samba server (with wbinfo) and Active Directory "sees" the Samba users and groups.

2008/10/27 Steven Geerts <Steven.Geerts@softathome.com>:
> Can you share some more information with us on how you configured everything?
>
> Did you try trusting a 2003 AD domain to your samba domain?
>
> Should be great if this was possible?
>
> Best regards
>
> steven
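A pre-flight check for the two things that made the trust work in this thread (the AD SRV names resolving from the Samba host, and the AD realm declared in /etc/krb5.conf), written as an added example for this page rather than anything posted by the thread's participants; `example.com`/`EXAMPLE.COM` and `dc1` are placeholders, and `resolve_srv` assumes the `host` command is installed on the Samba box.

```python
"""Pre-flight checks before creating a Samba 3 <-> AD trust (added example,
not from the thread): AD "special" DNS names and the AD realm in krb5.conf."""
import re, subprocess

def ad_srv_names(domain):
    """SRV names an AD domain publishes and that a Samba host looks up to find DCs."""
    d = domain.lower().rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.pdc._msdcs.{d}", f"_kerberos._tcp.{d}", f"_kpasswd._tcp.{d}"]

def resolve_srv(name):
    """SRV targets via the `host` CLI (assumed installed); [] if nothing resolves."""
    out = subprocess.run(["host", "-t", "SRV", name], capture_output=True, text=True).stdout
    return re.findall(r"has SRV record \d+ \d+ \d+ (\S+)", out)

def split_sections(text):
    # krb5.conf -> {section name: [stripped, non-comment lines]}
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            cur = head.group(1)
            sections[cur] = []
        elif line and cur:
            sections[cur].append(line)
    return sections

def krb5_problems(text, domain):
    """List what is missing for the AD realm of DOMAIN in a krb5.conf text; [] is good."""
    realm, domain = domain.upper().rstrip("."), domain.lower().rstrip(".")
    sec, problems = split_sections(text), []
    realms = "\n".join(sec.get("realms", []))
    block = re.search(rf"^{re.escape(realm)}\s*=\s*\{{(.*?)^\}}", realms, re.S | re.M)
    if not block:
        problems.append(f"[realms] has no {realm} block")
    elif not re.search(r"^kdc\s*=", block.group(1), re.M):
        problems.append(f"[realms] {realm} block has no kdc line")
    mapping = rf"\.?{re.escape(domain)}\s*=\s*{re.escape(realm)}"
    if not any(re.fullmatch(mapping, ln) for ln in sec.get("domain_realm", [])):
        problems.append(f"[domain_realm] does not map {domain} to {realm}")
    return problems

# Constructed sample: the Samba box keeps its own default realm but declares the AD one.
SAMPLE_KRB5 = """[libdefaults]
 default_realm = SAMBADOM.LOCAL
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""
```

On the Samba host, run `resolve_srv` over `ad_srv_names("<your AD domain>")` and `krb5_problems` over the contents of /etc/krb5.conf; any "NOT FOUND" name or non-empty problem list is what the HOWTO does not mention but this thread needed.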