trust between two samba-tng pdcs?

Elrond elrond at
Wed Jul 5 14:32:20 GMT 2000

On Wed, Jul 05, 2000 at 09:20:33PM +1000, Luke Kenneth Casson Leighton wrote:
> On Tue, 4 Jul 2000, Elrond wrote:
> > On Tue, Jul 04, 2000 at 06:48:18AM +1000, Lauri Mylläri wrote:
> > [...]
> > > TODO: verify that the rid exists
> > > error connecting to (Connection refused)
> > > LSA_OPENSECRET: unknown error
> > > 
> > > 
> > > smbpasswd -j is not available anymore (suggests using samedit), so
> > 
> > Luke, what's the right way to get tng to "join" (realy,
> > trust) another domain from rpcclient?
> > 
> > Or how do you do a normal join to a domain, when you don't
> > have admin-access to the pdc and so can't use rpcclient
> > "createuser -j"?
> if you don't have the admin access to the pdc, you can't do *anything*
> that's the whole point of domain security.

Well, for interdom trusts you don't need _direct_ admin
acces. You give the admin of the other pdc a phone call, he
sets up the other side and gives you a pw for the trust,
then you setup your side with that pw.

Okay, let's say, we have ntdom with ntpdc and sambadom with

In these examples here, we want the sambapdc to trust the
ntpdc. So what happens:

sambaadmin asks the ntadmin to do his stuff.

ntadmin does the stuff in the usrmgr, what effectively
happens is:
ntpdc> createuser -i sambadom$ -p foosecret

sambaadmin now knows the pw.

he must 
a) create a NTDOM.SID
b) setup the lsasecret to contain the pw (foosecret), so
   samba can use the trust-relationship.

So? How to do that from rpcclient?

You can do that from usrmgr, you just select "add a new
domain, that we trust", enter the domain name and the pw.
that's all. (But I don't think, we have yet decoded all the
stuff, that's needed for that, and I'm currently not realy
in the position to test that all properly.)

The same question arises when you want to join a domain and
use the "unsecure" way (pw==machinename).


More information about the samba-ntdom mailing list