two way trust between samba tng pdc and nt pdc

Elrond elrond at
Wed Jun 28 16:45:16 GMT 2000

On Wed, Jun 28, 2000 at 01:09:56AM +1000, kill -9 wrote:
> I have been able to create a trust relationship between my tng samba pdc
> box and my nt pdc box, with samba as the trusted and nt as the trusting.
> I did this by creating a machine account in samba using the -i option,
> with the name of the trusting domain, and a machine account in samba with
> the name of the nt pdc machine. I then used user manager for domains on
> the nt pdc to create the trust using the password I gave to the trust
> account on the samba pdc. This seems to have worked. Now I want to go the

Nice that you described this awkward process here.
I've gone through it too.

What I have to note:

The nt pdc will change the pw every few weeks and it will
only change the pw for the account with the domain-name, so
you have to copy the pw over to the account for the

I'm thinking of fixing this by using the trusting domain
variable, but I currently want to get CVS TNG more
stable... before starting to play again.

> other way, and I'm a little lost. I have 'permitted the samba pdc to
> trust' on the nt pdc, and from what I've gleaned, this should create an
> inter-domain-trust account on the nt pdc with a machine name equal to
> my samba pdc domain. This is where I get stuck. How do I actually create
> the trust on the samba pdc? What is the significance of the 'trusted
> domains' and 'trusting domains' values in smb.conf? I noticed when I moved
> to CVS 2.5 GOOD that if I included the 'trusted domains' lines that most
> of the daemons would not start properly. It's okay to include the
> 'trusting domain' line however. Thanks for ANY help or info.

You've gone the right way here.
You have to do the following too:

add the domain to the trusted domains-list:
trusted domains = "domain=pdc,bdc"

Then you have to do something like
	smbpasswd -j NTDOMAIN
(I hope I remember that correctly...)

The other way is to find out the domain sid of the nt
domain (rpcclient -S ntpdc -U % -c 'lsaq') and create a
NTDOMAIN.SID next to your SAMBADOMAIN.SID file, with the
SID as contents.

The next problem is that samba needs a unix user for each
nt user... you might want to investigate winbind, or create
them all by hand...

Please tell us how far you get and especially whether
interactive login from the "other domain" works in both
domains, I mean:

Go and sit in front of some nt box that is a member of
the NTDOMAIN and try to log in as a user from the
SAMBADOMAIN. If that doesn't work, please try to find some
indications in the logs.
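As an added example (not part of Elrond's reply and not Samba TNG's own code), a small POSIX sh helper for the NTDOMAIN.SID step described above. The SID returned by `rpcclient ... -c 'lsaq'` is copied into the file by hand, and a mistyped or over-long value (for instance a RID left on the end) would silently leave the trust broken, so the helper refuses anything that is not a well-formed NT domain SID (the S-1-5-21-<n>-<n>-<n> form with exactly three sub-authorities) and then writes <DOMAIN>.SID next to the existing SID file with root-only permissions, via a temporary file and rename. The function names, the directory argument and the sample SID are assumptions; the post does not say where Samba TNG keeps SAMBADOMAIN.SID.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: validate an NT domain SID
# and write it to <dir>/<DOMAIN>.SID with mode 0600.

# is_domain_sid SID -> 0 if SID is exactly S-1-5-21-<n>-<n>-<n>, else 1
is_domain_sid() {
    old_ifs=$IFS
    IFS=-
    set -f                      # no pathname expansion while splitting
    set -- $1                   # split the SID on '-'
    set +f
    IFS=$old_ifs
    [ $# -eq 7 ] || return 1    # S,1,5,21 plus three sub-authorities, nothing more
    [ "$1" = S ] && [ "$2" = 1 ] && [ "$3" = 5 ] && [ "$4" = 21 ] || return 1
    for n in "$5" "$6" "$7"; do
        case "$n" in
            ''|*[!0-9]*) return 1 ;;   # each sub-authority must be a decimal number
        esac
    done
    return 0
}

# write_domain_sid_file DOMAIN SID DIR
# Writes DIR/DOMAIN.SID containing SID; DIR is assumed to be the directory
# that already holds SAMBADOMAIN.SID (its location is not given in the post).
write_domain_sid_file() {
    dom=$1; sid=$2; dir=$3
    is_domain_sid "$sid" || {
        echo "refusing: '$sid' is not a well-formed NT domain SID" >&2
        return 1
    }
    case "$dom" in
        ''|*/*|.*) echo "refusing: bad domain name '$dom'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    # create under a restrictive umask so the file is never world-readable,
    # then rename into place so a half-written file is never picked up
    (umask 077 && printf '%s\n' "$sid" > "$dir/$dom.SID.tmp") || return 1
    mv "$dir/$dom.SID.tmp" "$dir/$dom.SID"
}

# usage (sample SID is constructed):
#   write_domain_sid_file NTDOMAIN S-1-5-21-1234567890-234567890-345678901 /path/to/sid/dir
```

Run it as root on the samba pdc with the directory that already contains SAMBADOMAIN.SID; a rejected SID leaves no file behind, so the existing trust configuration is untouched.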


