Trust problem with Samba 2.0.5a domain security

Spock spock at spk.hp.com
Wed Oct 27 15:34:42 GMT 1999


	First, I must apologize for not being completely knowledgeable on
how NT domain controllers work with each other.

	I am running samba 2.0.5a under HP-UX 10.20 on an HP9000 model C3000.
The NT users on our site belong, if I understand this correctly, to a user
domain called COL-SPRINGS.  All NT servers on the site, and my samba server,
smbasvr, are members of a resource domain called SPK.  There is a primary
domain controller for both the COL-SPRINGS domain (COL-SPRINGS-PDC.atl) and
the SPK domain (spkps1).  There is a backup domain controller for the SPK
domain (CS-BDC-SP).  There is some kind of trust relationship between the 
primary and backup domain controllers which are used for user authentication.

	I used the command "smbpasswd -j SPK -r spkps1" to join the SPK
domain.  Set the parameters "workgroup = SPK", "security = domain",
"encrypt passwords = yes", and "password server = CS-BDC-SP COL-SPRINGS-PDC.atl"
in smb.conf and started smbd.  (previous to this, we had been operating with
security = server and having intermittent connection problems by NT clients.)

	The problem I now see in the log file for an NT PC trying to connect
is the following:

"cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[1999/10/27 08:16:42, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
cli_nt_setup_creds: auth2 challenge failed
[1999/10/27 08:16:42, 0] smbd/password.c:domain_client_validate(1351)
 domain_client_validate: unable to setup the PDC credentials to machine CS-BDC-SP. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT."

	My questions are:

		1.  Is the problem that the backup domain controller
CS-BDC-SP does not trust my samba server?  Or is it the other way around?

		2.  What can be done to establish the required trust?

		3.  Have I joined my samba server to the correct domain?
(In an earlier attempt at domain security, I had smbasvr made a member of the
COL-SPRINGS domain and joined it.  However, in that mode, the samba logs
would indicate that the machines trying to connect were rejected because they
were not members of the COL-SPRINGS domain.)

	If anyone can help me solve this problem, I will be very grateful.

Ken Laird
 ___________________________________________________________________________
|                                                                           |
| Ken Laird                                 unix: spock at vulcan.spk.hp.com   |
| Hewlett Packard                           cc:Mail : none                  |
| Spokane Division                          AT&T:   (509) 921-3656          |
| 24001 E. Mission, Liberty Lake, WA 99019  Telnet: 1-921-3656              |
|___________________________________________________________________________|
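Added example, not part of Ken's post or of Samba itself: a small Python parser for the Samba 2.0 log layout quoted above, which groups each "[timestamp, level] file:function(line)" header with its message lines and pulls out the entries that report a domain trust-account failure together with the controller named in the message, so the failure can be found across a whole log rather than by eye. The sample log is constructed from the quoted lines plus one benign entry; the helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the three entries quoted in the post (wrapped line joined),
# the first of them without its header as in the quote, plus one benign entry
# whose file/line values are made up for the example.
SAMPLE_LOG = """\
cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[1999/10/27 08:16:42, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
cli_nt_setup_creds: auth2 challenge failed
[1999/10/27 08:16:42, 0] smbd/password.c:domain_client_validate(1351)
 domain_client_validate: unable to setup the PDC credentials to machine CS-BDC-SP. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
[1999/10/27 08:20:00, 2] smbd/service.c:make_connection(0)
 constructed benign entry: connection accepted
"""

# Samba 2.0 entry header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
NTSTATUS = re.compile(r"NT_STATUS_[A-Z_]+")
TRUST_FAILURES = {"NT_STATUS_NO_TRUST_SAM_ACCOUNT"}

@dataclass
class Entry:
    ts: str
    level: int
    file: str
    func: str
    text: str = ""

    def status(self) -> Optional[str]:
        m = NTSTATUS.search(self.text)
        return m.group(0) if m else None

def parse_samba_log(raw: str) -> List[Entry]:
    """Group header lines with the message lines that follow them; a message
    that appears before any header (a truncated quote) becomes its own entry."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in raw.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Entry(m["ts"], int(m["level"]), m["file"], m["func"])
            entries.append(cur)
        elif line.strip():
            if cur is None:
                cur = Entry("", 0, "", "")
                entries.append(cur)
            cur.text = (cur.text + " " + line.strip()).strip()
    return entries

def trust_failures(entries: List[Entry]) -> List[Tuple[str, str, str, Optional[str]]]:
    """(timestamp, function, status, controller) for each trust-account failure;
    controller is the DC named after 'to machine' in the message, if present."""
    out = []
    for e in entries:
        st = e.status()
        if st in TRUST_FAILURES:
            peer = re.search(r"to machine (\S+?)\.?(?:\s|$)", e.text)
            out.append((e.ts, e.func, st, peer.group(1) if peer else None))
    return out
```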
