John H Terpstra
jht at samba.org
Wed May 28 15:37:38 GMT 2008
When setting up interdomain trusts under Windows NT4 the name of the trust
account was purely optional.

In other words, in setting up a one-way trust from DomA to DomB, one could go
into the NT4 Domain User Manager to set up a trust account called "GoodGuyA"
and then on DomB complete the trust simply by specifying the name "GoodGuyA"
and the password previously used on DomA.

It appears that the "net rpc trustdom establish" command insists on using the
actual domain name and not any arbitrary name for the trust relationship.
Even use of the -W or -S command line arguments does not permit the use of
valid alternative interdomain trust names.

Is there a particular reason for enforcing this semantic on this tool? In
other words, is there a protocol-specific factor that excludes the ability to
do what NT4 allows? Could this have anything to do with AD interdomain

This horrible question has emerged out of trying to help a site to resolve
HIPAA and SOX regulatory compliance issues. The current behavior of "net rpc
trustdom establish" prevents them from using a solution that would fit within
their current LDAP directory framework while still meeting these awful legal

Does anyone have a comment or solution to offer - or just some insight to the
issues? I will be revising the Interdomain trust documentation and the
Winbindd documentation in the HOWTO over the next few days and would like to
close out a lot of grey areas that have come to light from trying to help a
couple of Samba admins.
- John T.