[Samba] addtnl info: checking trust secret failed for interdomain trust

Dolf Andringa dolf.andringa at elcyion.nl
Wed May 10 16:53:45 GMT 2006


I tested some more and have some additional info.
Creating the trust accounts works. Doing a wins query on redmoon for bluemoon and psw works (nmblookup -U 127.0.0.1 -R bluemoon/ -R psw/ -R -M psw/etc), and also the other way around on bluemoon querying redmoon and pswindwg. So it's not wins I guess. Doing wbinfo -a PSW\<username>%<passwd> on redmoon also works, so users are authenticated correctly. Also smbclient -L 127.0.0.1 -U <username> -WPSW works on redmoon. 
The problem only arises when I do wbinfo -t or I try to add groups or users from the PSW domain to groups of the PSWINDWG domain (net rpc group addmem indwg 'PSW\kantoor' -Uroot%<password>).

wbinfo -t returns :
checking the trust seret via RPC calls failed
Error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

and net rpc group addmem indwg 'PSW\jack' -Uroot%<passwd> returns
COuld not add PSW\jack to indwg: NT_STATUS_ACCESS_DENIED

At the moment I do not see any relevant messages in the logs on redmoon or bluemoon.
Any ideas?

Thanks,

Dolf.

Dolf Andringa wrote:
> Hi samba members,
> 
> I've searched through google, the archives and RTFM but I can't figure this out.
> I've got a setup of two different offices with both their own samba PDC, wins, etc. Via OpenVPN I've set up an interdomain trust between the two domains (for now one way, but this will become two ways).
> One domain is called PSW with bluemoon as PDC, the other PSWINDWG with redmoon as PDC. PSW is the trusted domain and PSWINDWG is the trusting domain. Both networks are on separate subnets and both PDCs are the domain master browsers for their own subnet/domain.
> 
> I added a trustaccount on redmoon with "net rpc trustdom add PSWINDWG <pw> -U<creds>"
> I established the trust on redmoon with "net rpc trustdom establish PSW". This returns:
> Could not connect to server BLUEMOON
> Trust to domain PSW established
> 
> So far so good. net rpc trustdom list shows up ok on both servers. When trying to add a group of the PSW domain to a group of the PSWINDWG domain this does not work. I get an error NT_STATUS_ACCESS_DENIED
> log.winbindd shows "get_trust_pw: could not fetch trust account password for my domain PSWINDWG".
> wbinfo -u and -g on redmoon show all the users and groups of the PSW domain correctly and also wbinfo -m shows PSW as the trusted domain, but wbinfo -t returns
> 
> checking the trust seret via RPC calls failed
> Error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> Could not check secret
> 
> An nmap from both servers to the other showed UDP 137 and 138 and TCP 139 and 445 open, in both directions so that should not be the problem. NSCD is also not running on either of the two servers.
> I am running samba 3.0.14a-Debian on both servers with a 2.6.8-2-386 kernel.
> 
> I have no idea where to look for the solution. If anybody could point me in the right direction that would be greatly appreciated! 
> 
> Oh, and I tried to post this message through the regular mailing list, but it keeps coming back because it was refused by /usr/bin/stopspam on the postfix mailserver of lists.samba.org. The message is completely the same, I wonder why it is treated as spam.
> 
> Thanks,
> 
> Dolf.
> 
