Trusting NT accounts with samba's PDC server

Rostedt, Steven steven.rostedt at
Fri Jun 2 21:03:19 GMT 2000

I'm trying to set up a Samba domain with
one way trust to another domain run by a NT server.
I'm trying to have it so that accounts on the NT server domain
have access to shares within the Samba domain.

This is where am at...

I'm using Samba from the CVS tree downloaded
from 5/25/2000.

I have a NT workstation within my Samba domain.

Some important attributes in my smb.conf:

workgroup = NA5
netbios name = NEVETS
security = SERVER
encrypt passwords = Yes
map to guest = Bad User
null passwords = Yes
password server = grouper  # this is the name of the NT PDC.
domain logons = Yes
perferred master = Yes
domain master = Yes
wins support = Yes  # not used
guest account = guest

path = /tmp/samba
username = pdctest
read only = No

I left out log info and misc stuff.

My NT workstation in my domain is called dilbert.

in my passwd file I have:

pdctest:*:9001:99:PDC test:/dev/null:/bin/fakesh

I added dilbert with
smbpasswd -m dilbert

Note: pdctest is NOT in the smbpasswd file (purposely)

What works:

I can access resources on dilbert using accounts only on my Samba PDC.
So dilbert is in the domain ok.

I can access resources on the Samba PDC from dilbert.

I can access resources on the Samba PDC from the NT domain using
the pdctest account.
I've tested with good and bad passwords and everything seems
to work. So I believe that the trust between Samba and the
NT account is ok.

What doesn't work:

I cannot access resources on the NT workstation from the NT domain
using the pdctest account.

I set the debug level to 5 and walked through some of the samba code
and I noticed that in srv_netlog.c that it searches through the smbpasswd
and if not found that it sets the status.

I don't know the samba code that well since I only looked at this today,
but this seems to be causing the connection to fail.

I figure that if I can get the NT workstation to connect to the Samba box
and the samba box to trust the NT domain, I should be able to authenticate
the NT workstation by using the NT domain.  It just seems to be missing
a little code.

Am I on the right track? or am I just out there?

Any help would be appreciated.  Thanks.
I'm willing to hack at the code a little too, but I'm warning you
I'm not that familiar with the SMB protocol, I only know what
I've read in "Using Samba" and "Teach Yourself Samba in 24 hours"
(both excellent books!)

Steven Rostedt

More information about the samba-ntdom mailing list