Another Bug and Temporary Fix (LDAP Trust Account)
Matt Roberts
mattro at grda.com
Wed Dec 18 17:20:22 GMT 2002
Developers,
I hope I am not giving you another item that is already resolved in CVS
somewhere (my CVS skills are rusty), but here is what I have found with
respect to a trust relationship using an LDAP backend with 3.0a21.
I have this:
1. NT Domain: NTDOMAIN
2. Samba Domain: SMBDOMAIN
I want my NT domain to trust my SAMBA domain. So I create the user account
(posixAccount objectClass only) for my NT domain in the LDAP directory:

    dn: uid=NTDOMAIN$, dc=example, dc=org
    objectclass: top
    objectclass: posixAccount
    uid: NTDOMAIN$
    uidNumber: ...
    gidNumber: ...

and so on. I tell Samba to set this up as a new trust:

    net rpc trustdom add COMMUNICATION -U Administrator

Which succeeds and updates the above LDIF with the usual sambaAccount
attributes, including this one:

    acctFlags: [I ]

I tell Samba to set the initial password for this account:

    $ smbpasswd NTDOMAIN$
    New Password: ...

Which also succeeds. Then I go to my NT domain controller, fire up User
Manager, and tell it to trust my SMBDOMAIN system, which appears to succeed
but gives me a warning about verification of the trust failing.
But the trust doesn't work just yet. If I look at my LDIF again at this
point, I see that 'acctFlags' has been changed to:

    acctFlags: [U ]

So I go in with my favorite tool and change it back to:

    acctFlags: [I ]

And now my trust works. But I had to make that last manual change to the
LDAP entry for NTDOMAIN$ to make the trust actually function.
Did I do something wrong in my setup, or should the 'smbd' that received the
trust request from my NT PDC have not changed that flag from 'I' to 'U'?
Thanks again,
Matt
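
Added example, not part of the original post and not Samba code: a small check an administrator could run over an LDIF export to spot the condition described above, where a trust account's acctFlags no longer carries the 'I' flag. The function names, the list of trusting domain names and the sample LDIF are assumptions constructed for illustration; the parser assumes plain one-line attribute values (no folded lines or base64).

```python
import re

# Constructed sample LDIF modelled on the entry in the post (placeholder values).
SAMPLE_LDIF = """\
dn: uid=NTDOMAIN$, dc=example, dc=org
objectclass: posixAccount
uid: NTDOMAIN$
acctFlags: [U ]

dn: uid=OTHERDOM$, dc=example, dc=org
objectclass: posixAccount
uid: OTHERDOM$
acctFlags: [I ]

dn: uid=NEWDOM$, dc=example, dc=org
objectclass: posixAccount
uid: NEWDOM$
"""

def parse_entries(ldif):
    """Split LDIF text into entries, each a dict of lowercased attr -> values."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_trust_accounts(ldif, trusting_domains):
    """Return {uid: status} for every expected trust account (DOMAIN$)."""
    expected = {d.upper() + "$" for d in trusting_domains}
    report = {uid: "entry missing" for uid in expected}
    for entry in parse_entries(ldif):
        uid = entry.get("uid", [""])[0].upper()
        if uid not in expected:
            continue
        flags = entry.get("acctflags")
        if not flags:  # posixAccount only: the trust has not been added yet
            report[uid] = "no acctFlags attribute"
            continue
        m = re.fullmatch(r"\[([A-Za-z ]*)\]", flags[0])
        letters = set(m.group(1).replace(" ", "")) if m else set()
        report[uid] = "ok" if "I" in letters else "I flag missing: " + flags[0]
    return report

if __name__ == "__main__":
    domains = ["NTDOMAIN", "OTHERDOM", "NEWDOM", "GONE"]
    for uid, status in sorted(audit_trust_accounts(SAMPLE_LDIF, domains).items()):
        print(uid + ": " + status)
```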