Interdomain Trusts

John H Terpstra jht at
Wed May 28 15:37:38 GMT 2008

When setting up interdomain trusts under Windows NT4 the name of the trust 
account was purely optional.  

In other words, in setting up a one-way trust from DomA to DomB, one could go 
into the NT4 Domain User Manager to set up a trust account called "GoodGuyA" 
and then on DomB complete the trust simply by specifying the name "GoodGuyA" 
and the password previously used on DomA.

It appears that the "net rpc trustdom establish" command insists on using the 
actual domain name and not any arbitrary name for the trust relationship. 
Even use of the -W or -S command line arguments does not permit the use of 
valid alternative interdomain trust names.

Is there a particular reason for enforcing this semantic on this tool?  In 
other words, is there a protocol-specific factor that excludes the ability to 
do what NT4 allows?  Could this have anything to do with AD interdomain 

This horrible question has emerged out of trying to help a site to resolve 
HIPA and SOX regulartory compliance issues.  The current behavior of "net rpc 
trustdom establish" prevents them from using a solution that would fit within 
their current LDAP director framework while still meeting these aweful legal 

Does anyone have a comment or solution to offer - or just some insight to the 
issues? I will be revising the Interdomain trust documentation and the 
Winbindd documention in the HOWTO over the next few days and would like to 
close out a lot of grey-areas that have come to light from trying to help a 
couple of Samba admins.


- John T.

More information about the samba-technical mailing list