Greetings Sambistas! I can't seem to get domain trusts to work in both directions. Details follow.
I have a network running many OSes on four geographically separate sites with an OpenLDAP authentication backbone. Desktops are Windows XP, authenticating to Samba 3.0.25b servers which in turn are configured to use LDAP. Our net has been running Samba in various flavors and versions for over ten years, and we have been running OpenLDAP for about seven years. Each physical site is a separate Samba domain, but all use the same LDAP backend data. All Linux Samba servers are running 3.0.25b, some of them using Red Hat native packages on RHEL5 and others using my own backported RPMs of the same. HP-UX servers run HP's CIFS9000 product, which is essentially a Samba fork.

Each Samba server has a local LDAP replica and a local slave BIND DNS server. PAM, NSS, and Samba are all configured for automatic LDAP failover; this is tested and working. We use unencrypted LDAP on 127.0.0.1 as the primary (for speed) and LDAPS to the master server as secondary (for security). If I kill the local LDAP daemon, Samba continues to work fine, drawing passwords etc. from the master server over SSL.

From the main site, I can do this:

    # net rpc trustdom list -Udomadmin
    Password:
    Trusted domains list:

    LA    S-1-5-21-laSIDredacted
    MD    S-1-5-21-mdSIDredacted
    MA    S-1-5-21-maSIDredacted
    none

    Trusting domains list:

    MAIN  S-1-5-21-LocalSIDredacted
    MA    S-1-5-21-maSIDredacted
    LA    S-1-5-21-laSIDredacted
    MD    S-1-5-21-mdSIDredacted

But, from the MD server, if I issue the same command, I get this:

    # net rpc trustdom list -Umdadmin
    Password:
    Trusted domains list:

    MAIN  S-1-5-21-LocalSIDredacted
    MA    S-1-5-21-maSIDredacted
    LA    S-1-5-21-laSIDredacted
    none

    Trusting domains list:

    [2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
      Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED

I have been unable to find anything on the net that details the LDAP entries for interdomain trust accounts. I do not know if a single LDAP dn can be used to establish the trust in both directions or if I need two for each link in the mesh. If anyone could post examples of working LDAP accounts used for interdomain trust purposes I would be tremendously grateful!

Thanks,
--Charlie

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
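Added example, not part of Charlie's post and not Samba's own tooling: a small Python checker that parses what `net rpc trustdom list` prints on each domain controller and reports every trust that is only visible from one side, plus any enumeration failure such as the NT_STATUS_ACCESS_DENIED above. It rests on my understanding of Samba 3 (an assumption, not something the post states) that the "Trusted domains list" half is the set of domains the queried DC holds trust credentials for, while the "Trusting domains list" half is built by enumerating the SAM for interdomain trust accounts, which is the call that fails on MD. The sample outputs are constructed: the MAIN and MD texts follow the two listings above, the LA text is invented to show a one-way trust, and all SIDs are placeholders.

```python
"""Check that Samba interdomain trusts are reciprocal.

Feed it the raw text of `net rpc trustdom list` as run on each DC,
keyed by that DC's own domain name. A two-way trust between A and B
should show B in A's trusted list, A in B's trusted list, and each
side's trust account in the other's trusting list.
"""
import re

# Constructed sample outputs (placeholder SIDs). MAIN and MD mirror the
# listings in the post; LA is invented and deliberately omits MAIN from
# its trusted list to exercise the one-way-trust finding.
SAMPLE_OUTPUT = {
    "MAIN": """Trusted domains list:

LA    S-1-5-21-1111-1111-1111
MD    S-1-5-21-2222-2222-2222
MA    S-1-5-21-3333-3333-3333
none

Trusting domains list:

MAIN  S-1-5-21-4444-4444-4444
MA    S-1-5-21-3333-3333-3333
LA    S-1-5-21-1111-1111-1111
MD    S-1-5-21-2222-2222-2222
""",
    "MD": """Trusted domains list:

MAIN  S-1-5-21-4444-4444-4444
MA    S-1-5-21-3333-3333-3333
LA    S-1-5-21-1111-1111-1111
none

Trusting domains list:

[2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
  Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
""",
    "LA": """Trusted domains list:

MD    S-1-5-21-2222-2222-2222
MA    S-1-5-21-3333-3333-3333
none

Trusting domains list:

MAIN  S-1-5-21-4444-4444-4444
MA    S-1-5-21-3333-3333-3333
LA    S-1-5-21-1111-1111-1111
MD    S-1-5-21-2222-2222-2222
""",
}

# A domain entry is "<NAME> <SID>"; anything else inside a section is noise
# or an error message from net(8).
ENTRY = re.compile(r"^(\S+)\s+(S-1-5-21-\S+)$")


def parse_trustdom_list(text):
    """Return (trusted, trusting, errors) for one DC's output.

    trusted/trusting map domain name -> SID; errors holds every non-empty
    line that is neither a header, the 'none' filler, nor a domain entry.
    """
    trusted, trusting, errors = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Trusted domains list"):
            section = trusted
        elif line.startswith("Trusting domains list"):
            section = trusting
        elif line == "none":
            continue
        else:
            m = ENTRY.match(line)
            if m and section is not None:
                section[m.group(1).upper()] = m.group(2)
            else:
                errors.append(line)
    return trusted, trusting, errors


def check_reciprocity(outputs):
    """Cross-check all DCs' outputs; return a sorted list of findings."""
    parsed = {d.upper(): parse_trustdom_list(t) for d, t in outputs.items()}
    findings, missing = [], set()
    for dom, (trusted, _trusting, errors) in parsed.items():
        for line in errors:
            findings.append(f"{dom}: enumeration problem: {line}")
        for other in trusted:
            if other == dom:
                continue
            if other not in parsed:
                missing.add(other)
                continue
            o_trusted, o_trusting, o_errors = parsed[other]
            # Two-way trust requires the other side to trust us back ...
            if dom not in o_trusted:
                findings.append(f"{dom} trusts {other}, but {other} does not "
                                f"list {dom} as trusted (one-way only)")
            # ... and to hold a trust account for us (skip if it could not
            # enumerate its accounts at all, which is reported separately).
            if dom not in o_trusting and not o_errors:
                findings.append(f"{dom} trusts {other}, but {other} has no "
                                f"trust account for {dom} in its trusting list")
    for dom in sorted(missing):
        findings.append(f"no output supplied for {dom}; trusts involving it "
                        f"were not checked")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_reciprocity(SAMPLE_OUTPUT):
        print(finding)
```

Run it with one output per DC collected under the same admin credentials on each side; a DC that returns an enumeration error is reported but not blamed for missing trust accounts, so the one-way finding points at the side that genuinely lacks the trust rather than the side that merely could not list it.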
