two way trust between samba tng pdc and nt pdc

Elrond elrond at samba.org
Thu Jun 29 18:46:08 GMT 2000


On Fri, Jun 30, 2000 at 12:46:18AM +1000, kill -9 wrote:
> Thanks a heap for your clarification. Things are starting to work already.
> I will get back with more info later. For now though, could you or someone
> please clarify the format of the 'trusted domains=' line?
> The way you mentioned it confused me a little. For example, my samba
> domain is lxind, and my samba domain pdc is lxfsind. The nt domain is
> ntfsind, and the nt pdc is fsind. Do I do trusted domains=ntfsind
> or do I do something else? Thanks again.

trusted domains = ntfsind=fsind

Samba needs to know the name of a DC in that domain.

... Yes.. it could ask the wins server... but it currently
doesn't do that. And it would need to somehow cache the
answer, since otherwise, anything related to the other
domain will involve a wins-query... well... speed isn't
currently really of any interest. ;)

    Elrond


> On Thu, 29 Jun 2000, Elrond wrote:
> 
> > On Wed, Jun 28, 2000 at 01:09:56AM +1000, kill -9 wrote:
> > > I have been able to create a trust relationship between my tng samba pdc
> > > box and my nt pdc box, with samba as the trusted and nt as the trusting.
> > > I did this by creating a machine account in samba using the -i option,
> > > with the name of the trusting domain, and a machine account in samba with
> > > the name of the nt pdc machine. I then used user manager for domains on
> > > the nt pdc to create the trust using the password I gave to the trust
> > > account on the samba pdc. This seems to have worked. Now I want to go the
> > 
> > Nice, that you described this awkward process here.
> > I've gone through it too.
> > 
> > What I have to note:
> > 
> > The nt pdc will change the pw every some weeks and it will
> > only change the pw for the account with the domain-name, so
> > you have to copy the pw over to the account for the
> > pdc-name.
> > 
> > I'm thinking of fixing this by using the trusting domain
> > variable, but I currently want to get CVS TNG more
> > stable... before starting to play again.
> > 
> > 
> > > other way, and I'm a little lost. I have 'permitted the samba pdc to
> > > trust' on the nt pdc, and from what I've gleaned, this should create an
> > > inter-domain-trust account on the nt pdc with a machine name equal to
> > > my samba pdc domain. This is where I get stuck. How do I actually create
> > > the trust on the samba pdc? What is the significance of the 'trusted
> > > domains' and 'trusting domains' values in smb.conf? I noticed when I moved
> > > to CVS 2.5 GOOD that if I included the 'trusted domains' lines that most
> > > of the daemons would not start properly. It's okay to include the
> > > 'trusting domain' line however. Thanks for ANY help or info.
> > 
> > You've gone the right way here.
> > You've to do the following too:
> > 
> > add the domain to the trusted domains-list:
> > trusted domains = "domain=pdc,bdc"
> > 
> > Then you have to do something like
> > 	smbpasswd -j NTDOMAIN
> > (hope, I remember that correctly...)
> > 
> > The other way is to find out the domain sid of the nt
> > domain (rpcclient -S ntpdc -U % -c 'lsaq') and create a
> > NTDOMAIN.SID next to your SAMBADOMAIN.SID file, with the
> > SID as contents.
> > 
> > The next problem is, that samba needs a unix-user for each
> > nt-user... you might want to investigate winbind, or create
> > them all by hand...
> > 
> > Please tell us, how far you get and especially, if
> > interactive login from the "other domain" works in both
> > domains, I mean:
> > 
> > Go, and sit in front of some nt-box, that is a member in
> > the NTDOMAIN and try to login as a user from the
> > SAMBADOMAIN. If that doesn't work, please try to find some
> > indications in the logs.
> > 
> >     Elrond
> > 
> 
> ----------------------------------------------------------------------------
> Alex West
> A&M Communications - Tech Guru
> BioControl Technology Inc., MIS Administrator
> kill-9 at warbeast.com | kill-9 at ipost.net
> Visit Third Eye Digital Productions - http://www.indiana-emall.com/thirdeye
> Check out my band and FREE music at ***  www.mp3.com/snowpants  ***
> ----------------------------------------------------------------------------

