Hi,

after a whole day of hitting my head against the wall I decided to ask advice from clever people:

My aim is to have two-way trusts between two samba domains, 3.0.25 and 3.0.28.

I did: net rpc trustdom add and establish on both domains. It did not go OK, but the problem was with creating ldap accounts for domains. I created them manually.

Now I have kind of working trusts:

# net rpc trustdom list
Password:
Trusted domains list:
SIMPLE S-1-5-21-4169227953-3400459336-1793241584
none
Trusting domains list:
SIMPLE S-1-5-21-4169227953-3400459336-1793241584

This is the same on both domains.

Then I faced a problem: when I try to access a workstation from the other domain it says I cannot, and the samba logs were complaining that user sid and group sid do not match and samba cannot handle it. I found on google that I must have winbind working in order to solve this.

I installed winbind and on one domain it is working - I can get a list of foreign users with wbinfo -u, and it seems to solve my workstation browsing. But I cannot get it working on the other domain.
These are the wbinfo messages:

# wbinfo -u
Error looking up domain users
# wbinfo -m
Could not list trusted domains
# wbinfo --all-domains
# wbinfo --getdcname=SIMPLE
Could not get dc name for SIMPLE
# net lookup dc simple
192.168.62.22

This is what I get with winbindd -S -n -i

Processing section "[Finansai]"
adding IPC service
added interface ip=192.168.62.21 bcast=192.168.62.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.62.21 bcast=192.168.62.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Added domain REC S-1-5-21-4050335463-3799486674-3258589777
Added domain BUILTIN S-1-5-32
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
[12524]: list trusted domains
rpc: trusted_domains
winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Could not receive trustdoms
get_dc_list: preferred server list: ", *"
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)
get_dc_list: preferred server list: ", *"
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily unavailable)

Any ideas? Maybe there is a procedure how to get samba samba trust working?

Thanks a lot
Liutauras

thanks François,

On Mon, May 25, 2009 at 8:56 PM, François Legal <devel@thom.fr.eu.org> wrote:
> I did never setup 2 way trust, but had a hard time setting up a one way
> trust.
> As far as I remember, the first thing to verify (before establishing the
> trust relation), is to have winbind successfully enumerate the local DC
> users and groups. This implies you have to join the PDC to its own domain
> (yes, this kind of surprised me at that time, but it makes some sense). For
> you that would be SIMPLE PDC have to join the SIMPLE domain and REC PDC
> join the REC domain (net rpc join PDC -U...)

joining to its own PDC surprises me too ... but I will try.

> You should also have winbind correctly configured and able to allocate
> uids/gids.

Do you mean that winbind should also get info out of its own domain?

> At that point, you should have wbinfo -m, wbinfo -t, wbinfo -u and wbinfo
> -g return successfully and the correct information.

Yes, this is what I thought, but winbind is complaining that it cannot find the PDC, but net lookup finds it correctly.

> François