[Samba] Trust not working - long

Gustavo Lima listas at opendf.com.br
Tue Oct 19 14:26:45 GMT 2004

        Hi All,

I have a network with 23 PDCs. One in my main building and other 22 all over the country connected over 256k Frame-relay links.

Well, these 22 PDCs are trusting and are trusted by my main PDC and vice-versa. I was using Windows WINS over NT4 doing replication in each place, but trying to solve my problem I'm now using a unique box dedicated to running WINS on SAMBA.

All the problems begin when I try to map or connect to a trusted machine on a remote node. I have three kinds of situations.

1. The trust works fine.
2. The remote machine asks me for a password to log in like there is no trust.
3. The remote machine sends back an error saying there's no trust between my personal machine and the remote host.

Doing the same thing at the remote node trying to map or connect to a Windows or Samba server here in the main facility gives us the same three problems.

Another curious thing is that sometimes you can map some servers and not others.

These servers I'm trying to map are Windows and Samba and the problem occurs on both.

The confs are all the same and the network conditions too. The old NT4 PDCs are still connected to the network as BDCs as we can't take them off the network. As possible we are demoting them to member servers but this could be done in only one remote node. Even the main facility has its old PDC running as BDC.

One more important piece of information is that when I create my trust I always get:

Could not connect to server SERVERB
Trust to domain DOMAINB established

On Saturday all the trusts seemed to work fine but on Monday it became chaos.

Here goes a sample conf of my servers:

I would appreciate any help so it can save my skin.



# Global parameters
        workgroup = COMPANY
        netbios name = mainserver
        admin users= @"Domain Admins"
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 6
        obey pam restrictions = No
        ldap passwd sync = Yes
        log level = 1
        syslog = 100
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        name resolve order = wins lmhosts host
        idmap backend = ldap:ldap://
        remote announce =
        remote browse sync =
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =

        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins server =
        passdb backend = smbpasswd ldapsam:ldap://
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = cn=admin,dc=company,dc=com,dc=br
        ldap suffix = dc=matriz,dc=company,dc=com,dc=br
        ldap group suffix = ou=grupos
        ldap user suffix = ou=usuarios
        ldap machine suffix = ou=maquinas
        ldap idmap suffix = ou=Idmap
        ldap ssl = no
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g" 
        #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

        comment = Pasta pessoal de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

        path = /home/netlogon/
        browseable = No
        read only = yes

        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U "Domain Admins"

        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes 
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

        comment = Pasta publica
        path = /home/public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664
