Another Bug and Temporary Fix (LDAP Trust Account)

Matt Roberts mattro at
Wed Dec 18 17:20:22 GMT 2002


I hope I am not giving you another item that is already resolved in CVS
somewhere (my CVS skills are rusty), but here is what I have found with
respect to a trust relationship using an LDAP backend with 3.0a21.

I have this:

   1.  NT Domain: NTDOMAIN
   2.  Samba Domain: SMBDOMAIN

I want my NT domain to trust my SAMBA domain.  So I create the user account
(posixAccount objectClass only) for my NT domain in the LDAP directory:

   dn: uid=NTDOMAIN$, dc=example, dc=org
   objectclass: top
   objectclass: posixAccount
   uid: NTDOMAIN$
   uidNumber: ...
   gidNumber: ...

and so on.  I tell Samba to setup this as a new trust:

   net rpc trustdom add COMMUNICATION -U Administrator

Which succeeds and updates the above LDIF with the usual sambaAccount
attributes, including this one:

   acctFlags: [I         ]

I tell Samba to set the initial password for this account:

   $ smbpasswd NTDOMAIN$
   New Password: ...

Which also succeeds.  Then I go to my NT domain controller, fire up User
Manager, and tell it to trust my SMBDOMAIN system, which appears to succeed
but gives me a warning about verification of the trust failing.

But the trust doesn't work just yet.  If I look at my LDIF again at this
point, I see that 'acctFlags' has been changed to:

   acctFlags: [U         ]

So I go in with my favorite tool and change it back to:

   acctFlags: [I         ]

And now my trust works.  But I had to make that last manual change to the
LDAP entry for NTDOMAIN$ to make the trust actually function.

Did I do something wrong in my setup, or should the 'smbd' that received the
trust request from my NT PDC have not changed that flag from 'I' to 'U'?

Thanks again,

More information about the samba-technical mailing list