Trusting NT accounts with samba's PDC server

Andrea Zolnhofer & Michael Ott ZolnOtt at
Fri Jun 2 22:10:57 GMT 2000


If you read "Teach Yourself Samba in 24 hours", you can read that the trust is
not implemented.
Which version of Samba do you work with? Try it with an alpha version, like
samba-tng-2.1 or higher. It can be downloaded from the page. I
also tried it with cvs, but I got an older version (2.0.4).

Bye Michael

> On Fri, 02 Jun 2000 you wrote:
> I'm trying to set up a Samba domain with
> one way trust to another domain run by a NT server.
> I'm trying to have it so that accounts on the NT server domain
> have access to shares within the Samba domain.
> This is where I am at...
> I'm using Samba from the CVS tree downloaded
> from 5/25/2000.
> I have a NT workstation within my Samba domain.
> Some important attributes in my smb.conf:
> [global]
> workgroup = NA5
> netbios name = NEVETS
> security = SERVER
> encrypt passwords = Yes
> map to guest = Bad User
> null passwords = Yes
> password server = grouper  # this is the name of the NT PDC.
> domain logons = Yes
> preferred master = Yes
> domain master = Yes
> wins support = Yes  # not used
> guest account = guest
> [tmp]
> path = /tmp/samba
> username = pdctest
> read only = No
> I left out log info and misc stuff.
> My NT workstation in my domain is called dilbert.
> In my passwd file I have:
> dilbert$:*:9000:99:Machine:/dev/null:/bin/fakesh
> pdctest:*:9001:99:PDC test:/dev/null:/bin/fakesh
> I added dilbert with
> smbpasswd -m dilbert
> Note: pdctest is NOT in the smbpasswd file (purposely)
> What works:
> I can access resources on dilbert using accounts only on my Samba PDC.
> So dilbert is in the domain ok.
> I can access resources on the Samba PDC from dilbert.
> I can access resources on the Samba PDC from the NT domain using
> the pdctest account.
> I've tested with good and bad passwords and everything seems
> to work. So I believe that the trust between Samba and the
> NT account is ok.
> What doesn't work:
> I cannot access resources on the NT workstation from the NT domain
> using the pdctest account.
> I set the debug level to 5 and walked through some of the samba code
> and I noticed that in srv_netlog.c that it searches through the smbpasswd
> and if not found that it sets the status.
> I don't know the samba code that well since I only looked at this today,
> but this seems to be causing the connection to fail.
> I figure that if I can get the NT workstation to connect to the Samba box
> and the samba box to trust the NT domain, I should be able to authenticate
> the NT workstation by using the NT domain.  It just seems to be missing
> a little code.
> Am I on the right track? or am I just out there?
> Any help would be appreciated.  Thanks.
> I'm willing to hack at the code a little too, but I'm warning you
> I'm not that familiar with the SMB protocol, I only know what
> I've read in "Using Samba" and "Teach Yourself Samba in 24 hours"
> (both excellent books!)
> Thanks 
> Steven Rostedt
