I am having some trouble creating a two-way domain trust account between Samba3 and Windows 2000 Server.

The Windows 2000 server is an AD domain controller, and my Samba 3 server has an LDAP backend and is running on Ubuntu 9.04 64bit. Samba 3 is acting as the WINS server, and the Windows server has been pointed to the samba server for WINS in the TCP/IP settings on the network adapter.

I have created the interdomain trust accounts on the Linux side by issuing the following commands.

> net rpc trustdom add W2KDOMAIN password -Uroot
Enter root's password:********
> net rpc trustdom add SAMBADOMAIN password -S W2KSERVER -U administrator
Enter administrator's password:********
[2009/10/12 13:46:15, 0] utils/net_rpc.c:rpc_trustdom_add_internals(5277)
  Could not set trust account password: NT_STATUS_ACCESS_DENIED

After performing those commands, I can see that a user called w2kdomain$ has been created in LDAP, and a user called SAMBADOMAIN$ has been created in active directory. Since the error message concerning the trust password appeared, I will manually change the password of the user sambadomain$ in AD Users and Computers.

At this stage, if I execute

> net rpc trustdom list
Enter root's password:
Trusted domains list:

none

Trusting domains list:

Unable to find a suitable server for domain W2KDOMAIN
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
W2KDOMAIN

If I go into AD Domains and Trusts on the Windows server, and create a "Domains trusted by this domain", it works as advertised. At this point I seem to be able to connect to shares located on the windows domain from computers on the samba domain.
If I create a "Domains that trust this domain", ask it to verify the trust and supply the samba root password, I get a message that "Active Directory cannot verify the trust" blah blah "The error returned was: The specified domain either does not exist or could not be contacted"

That error implies that the Windows server does not know how to contact the samba domain controller, but if I go to a command prompt and run "net view /domain:SAMBADOMAIN", it shows the domain, and the samba domain controller.

I am a little unsure as to how to proceed. I am sure the documentation out there will make complete sense once I figure it out, but at the moment, I am struggling.

Any help would be appreciated.
Gaiseric Vandal
2009-Oct-12 15:58 UTC
[Samba] Interdomain Trust between Samba3 and 2000 AD
Is your domain controller in mixed mode? (i.e. for backward compatibility with NT4 machines?) I am not 100% certain, but I think this is required. From the perspective of a Windows machine, Samba is an NT4 server. I have had limited success with trusts with a Win 2003 AD DC that was in mixed mode. I was not able to set up trusts with a Win 2008 DC in "2003" mode (i.e. support for Win 2003 but not for NT4.)

On Mon, Oct 12, 2009 at 8:41 AM, Alex Ferrara <alex at receptiveit.com.au> wrote:
> I am having some trouble creating a two-way domain trust account between
> Samba3 and Windows 2000 Server.
> [...]
The Windows 2000 server is indeed in mixed mode. I probably should have mentioned that. I'm pretty sure it has something to do with browsing/WINS. I have both machines pointing to the same WINS server, but my gut feeling tells me that is where the problem lies.

aF
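The "Unable to find a suitable server for domain W2KDOMAIN" line and the suspicion about WINS both come down to one lookup: to find a domain controller, a NetBIOS client resolves the group name W2KDOMAIN<1C> (the name every DC registers) through WINS. The script below is an added example, not code from either poster or from Samba; it builds that RFC 1001/1002 name query exactly as it goes on the wire, parses the WINS reply, and also constructs a positive and a negative reply locally so it runs offline. The domain names are the ones from the thread; the address 192.0.2.10 and the transaction id are constructed sample values. The optional `query_wins` function sends the same query to a real WINS server (the equivalent of `nmblookup -U <wins-server> -R 'W2KDOMAIN#1c'`) and is not exercised by the offline demo.

```python
"""NetBIOS name-service (RFC 1001/1002) query builder and parser.

Added example: what the WINS lookup for DOMAIN<1C> looks like on the wire,
so a capture on UDP/137 can be compared against it. The WINS replies built
below are constructed for the demo, not captured from a real server.
"""
import socket
import struct
from typing import List, Tuple

NB_TYPE = 0x0020                 # QTYPE/RR type "NB" (RFC 1002 4.2.1.2)
IN_CLASS = 0x0001
SUFFIX_DOMAIN_CONTROLLERS = 0x1C  # <1C>: group name registered by every DC
SUFFIX_DOMAIN_MASTER_BROWSER = 0x1B


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 bytes, append the
    suffix byte, then emit each nibble as 'A' + nibble (32 chars total)."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    # length-prefixed label followed by a zero byte: no NetBIOS scope in use
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_netbios_name(label: bytes) -> Tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a 34-byte unscoped NetBIOS label")
    body = label[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool = False) -> bytes:
    """NAME QUERY REQUEST. A unicast query to a WINS server sets RD only
    (flags 0x0100); a subnet broadcast additionally sets the B flag (0x0110)."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS)


def build_name_query_response(query: bytes, addrs: List[str],
                              group: bool = True, rcode: int = 0) -> bytes:
    """Construct the reply a WINS server would send to `query` (demo helper only).
    rcode 0 -> POSITIVE response carrying one 6-byte entry per address;
    rcode 3 (NAM_ERR) -> NEGATIVE response: the name is not registered."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8580 | (rcode & 0x0F)        # R=1, AA=1, RD=1, RA=1, rcode
    if rcode:
        return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    nb_flags = 0x8000 if group else 0x0000  # G bit: group (<1C>) vs unique name
    rdata = b"".join(struct.pack("!H4s", nb_flags, socket.inet_aton(a)) for a in addrs)
    header = struct.pack("!HHHHHH", txid, flags, 0, 1, 0, 0)  # ANCOUNT = 1
    answer = query[12:46] + struct.pack("!HHIH", NB_TYPE, IN_CLASS, 300, len(rdata)) + rdata
    return header + answer


def parse_name_query_response(data: bytes, expected_txid: int) -> Tuple[int, List[Tuple[bool, str]]]:
    """Return (rcode, [(is_group, ip), ...]). rcode 3 means WINS holds no
    registration for the name, i.e. no DC for that domain can be located."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    entries = []
    if rcode == 0 and an:
        off = 12 + 34  # positive response: header, then the RR name (34 bytes)
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        for i in range(0, rdlen, 6):
            nb_flags, ip = struct.unpack("!H4s", data[off + i:off + i + 6])
            entries.append((bool(nb_flags & 0x8000), socket.inet_ntoa(ip)))
    return rcode, entries


def query_wins(wins_server: str, name: str, suffix: int, timeout: float = 2.0):
    """Send the query to a real WINS server on UDP/137 and parse the reply."""
    txid = 0x1234
    q = build_name_query(name, suffix, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (wins_server, 137))
        data, _ = s.recvfrom(4096)
    return parse_name_query_response(data, txid)


if __name__ == "__main__":
    txid = 0x4242
    q = build_name_query("W2KDOMAIN", SUFFIX_DOMAIN_CONTROLLERS, txid)
    print("query bytes:", q.hex())
    # constructed: WINS knows one DC for W2KDOMAIN at 192.0.2.10
    print(parse_name_query_response(build_name_query_response(q, ["192.0.2.10"]), txid))
    # constructed: SAMBADOMAIN<1C> was never registered with this WINS server
    q2 = build_name_query("SAMBADOMAIN", SUFFIX_DOMAIN_CONTROLLERS, txid)
    print(parse_name_query_response(build_name_query_response(q2, [], rcode=3), txid))
```

A negative reply (rcode 3) for DOMAIN<1C> from the WINS server both machines point at is the condition that produces "domain controller is not responding" on the Samba side and "could not be contacted" on the Windows side; comparing a capture against the bytes this script produces tells you whether the query is even reaching WINS and what it answered.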