Is your domain controller in mixed mode? (i.e. for backward compatibility with NT4 machines?) I am not 100% certain, but I think this is required. From the perspective of a Windows machine, Samba is an NT4 server. I have had limited success with trusts with a Win 2003 AD DC that was in mixed mode. I was not able to set up trusts with a Win 2008 DC in "2003" mode (i.e. support for Win 2003 but not for NT4.)

On Mon, Oct 12, 2009 at 8:41 AM, Alex Ferrara <[email protected]> wrote:
> I am having some trouble creating a two-way domain trust account between
> Samba3 and Windows 2000 Server.
>
> The Windows 2000 server is an AD domain controller, and my Samba 3 server
> has an LDAP backend and is running on Ubuntu 9.04 64bit. Samba 3 is acting
> as the WINS server, and the Windows server has been pointed to the samba
> server for WINS in the TCP/IP settings on the network adapter.
>
> I have created the interdomain trust accounts on the Linux side by issuing
> the following commands.
>
>> net rpc trustdom add W2KDOMAIN password -Uroot
> Enter root's password:********
>> net rpc trustdom add SAMBADOMAIN password -S W2KSERVER -U administrator
> Enter administrator's password:********
> [2009/10/12 13:46:15, 0] utils/net_rpc.c:rpc_trustdom_add_internals(5277)
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
>
> Once performing those commands, I can see that a user called w2kdomain$ has
> been created in LDAP, and a user called SAMBADOMAIN$ has been created in
> active directory. Since the error message concerning the trust password
> appeared, I will manually change the password of the user sambadomain$ in AD
> Users and Computers.
>
> At this stage, if I execute
>
>> net rpc trustdom list
> Enter root's password:
> Trusted domains list:
>
> none
>
> Trusting domains list:
>
> Unable to find a suitable server for domain W2KDOMAIN
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> W2KDOMAIN
>
> If I go into AD Domains and Trusts on the Windows server, and create a
> "Domains trusted by this domain", it works as advertised. At this point I
> seem to be able to connect to shares located on the windows domain from
> computers on the samba domain.
>
> If I create a "Domains that trust this domain", ask it to verify the trust
> and supply the samba root password, I get a message that "Active Directory
> cannot verify the trust" blah blah "The error returned was: The specified
> domain either does not exist or could not be contacted"
>
> That error implies that the Windows server does not know how to contact the
> samba domain controller, but if I go to a command prompt and run "net view
> /domain:SAMBADOMAIN", it shows the domain, and the samba domain controller.
>
> I am a little unsure as to how to proceed. I am sure the documentation out
> there will make complete sense once I figure it out, but at the moment, I am
> struggling.
>
> Any help would be appreciated.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
