Another Bug and Temporary Fix (LDAP Trust Account)

[Matt Roberts]

Developers,

I hope I am not giving you another item that is already resolved in CVS
somewhere (my CVS skills are rusty), but here is what I have found with
respect to a trust relationship using an LDAP backend with 3.0a21.

I have this:

   1.  NT Domain: NTDOMAIN
   2.  Samba Domain: SMBDOMAIN

I want my NT domain to trust my SAMBA domain.  So I create the user account
(posixAccount objectClass only) for my NT domain in the LDAP directory:

   dn: uid=NTDOMAIN$, dc=example, dc=org
   objectclass: top
   objectclass: posixAccount
   uid: NTDOMAIN$
   uidNumber: ...
   gidNumber: ...

and so on.  I tell Samba to setup this as a new trust:

   net rpc trustdom add COMMUNICATION -U Administrator

Which succeeds and updates the above LDIF with the usual sambaAccount
attributes, including this one:

   acctFlags: [I         ]

I tell Samba to set the initial password for this account:

   $ smbpasswd NTDOMAIN$
   New Password: ...

Which also succeeds.  Then I go to my NT domain controller, fire up User
Manager, and tell it to trust my SMBDOMAIN system, which appears to succeed
but gives me a warning about verification of the trust failing.

But the trust doesn't work just yet.  If I look at my LDIF again at this
point, I see that 'acctFlags' has been changed to:

   acctFlags: [U         ]

So I go in with my favorite tool and change it back to:

   acctFlags: [I         ]

And now my trust works.  But I had to make that last manual change to the
LDAP entry for NTDOMAIN$ to make the trust actually function.

Did I do something wrong in my setup, or should the 'smbd' that received the
trust request from my NT PDC have not changed that flag from 'I' to 'U'?

Thanks again,
Matt