trust between two samba-tng pdcs?

Lauri Mylläri rez at
Mon Jul 3 20:45:09 GMT 2000

On Sat, Jul 01, 2000 at 01:38:33AM +1000, kill -9 wrote:
> Create an account on domain1 pdc with the name of the other domain
> (domain2$), and use the -i option (createuser -i domain2$ -p password)
> (I think this is the format). Then create another account but with the
> name of domain2's pdc, ex. (createuser domain2pdc$ -p password)
> Do this but in reverse on the other pdc. Unix accounts would have to be
> done too on both. Then, I think you could just follow Elrond's
> instructions, and use either smbpasswd -j domainname, or get the
> domain sid for each domain using rpcclient -S otherpdc -U % -c 'lsaq', and
> copy that SID into a file named DOMAIN1.SID. Do this for each domain.
> Then I think you could use the trusting and trusted domains lines in each
> smb.conf file. Sorry if this is unclear. As I said, I'm guessing, and
> I've never really done this with 2 samba pdcs. 

Thank you for these instructions. I got to the point where pdc1 is
trying to ask pdc2 for authentication, but fails with the following
in log.netlogon (ip obfuscated on purpose):

TODO: verify that the rid exists
error connecting to (Connection refused)
LSA_OPENSECRET: unknown error

smbpasswd -j is not available anymore (suggests using samedit), so
I used the rpcclient to get the SIDs manually.

> >   btw, I have a somewhat weird (but working solution) for keeping the
> > account and group information updated on my samba pdc, samba servers, unix
> > servers and workstations.
> That prog you speak of sounds very useful. I would sure be interested in
> seeing it available.

I got a few replies to this, so I'm starting to prepare for a GPL release.
I'll have to get final permission from higher powers :) and get the
source cleaned up.
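The SID-copying step from the quoted instructions (query the other PDC's domain SID with rpcclient and store it in a DOMAIN.SID file), written out as an added shell example. This is not code from the original post or from Samba-TNG; the rpcclient output it parses is a constructed sample, since the real Samba-TNG lsaq output layout is not shown on this page, and the script therefore keys only on the S-1-5-21-... SID pattern rather than on surrounding labels. The function names extract_sid, valid_sid and write_sid_file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or Samba-TNG): extract the domain
# SID from rpcclient 'lsaq' output and store it as DOMAIN.SID, as the quoted
# instructions describe. The sample output below is CONSTRUCTED; real rpcclient
# output may be laid out differently, but the SID itself always has the
# S-1-5-21-<sub>-<sub>-<sub> form, so extraction keys on that pattern only.

# Constructed sample of what 'rpcclient -S otherpdc -U % -c lsaq' might print.
SAMPLE_LSAQ='LSA Query Info Policy
Domain Name: DOMAIN2
Domain SID: S-1-5-21-1234567890-987654321-1122334455'

# Print the first domain SID found on stdin; fail (status 1) if none is present,
# so a broken or refused connection never produces an empty SID file.
extract_sid() {
    sid=$(grep -o 'S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*' | head -n 1)
    [ -n "$sid" ] || return 1
    printf '%s\n' "$sid"
}

# Check that a string is a well-formed domain SID: S-1-5-21 plus exactly three
# numeric sub-authorities.
valid_sid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# Write DOMAIN.SID (domain name uppercased) into a directory, default the
# current one. Refuses malformed SIDs and prints the path it wrote.
write_sid_file() {
    domain=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    sid=$2
    dir=${3:-.}
    valid_sid "$sid" || { echo "refusing to write malformed SID: $sid" >&2; return 1; }
    printf '%s\n' "$sid" > "$dir/$domain.SID"
    echo "$dir/$domain.SID"
}

# Usage: take the SID for domain2 from the sample output and store it.
sid=$(printf '%s\n' "$SAMPLE_LSAQ" | extract_sid) && write_sid_file domain2 "$sid" "${TMPDIR:-/tmp}"
```

In real use, replace the constructed sample with the live rpcclient output piped into extract_sid, and run the same steps on each PDC for the other's domain, as the quoted reply describes; the validity check is there so that a "Connection refused" or otherwise empty query never leaves a bogus DOMAIN.SID behind.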

More information about the samba-ntdom mailing list