[Samba] Yelling for help on interdomain Trust (a long one)

Simon Leung skmleung at hkucc.hku.hk
Wed Sep 14 06:16:42 GMT 2005

Hi there,

Domain A: Win2000Server(PDC)(DC1) + Win2003Server (DC2)
Domain B:Samba 3.0.20 (compiled with the patches from
Where Domain A is the TRUSTED domain whereas Domain B is the TRUSTING

And here is part of my smb.conf:


# Global parameters

## NETBIOS / Domain Server Settings

	workgroup = SAMBA
	netbios name = SAMBA3
	server string = Samba-LDAP Server %v PDC
	security = user
      preferred master = yes
	domain master = yes
	os level = 65
	allow trusted domains = yes
	domain logons = Yes
	local master = yes
	encrypt passwords = Yes
	admin users = @"Domain Admins"
	Time server = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

## USER / LDAP Settings
	ldap port = 389
	ldap suffix = dc=mydomain,dc=com
	ldap machine suffix = ou=Computers
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Users
	ldap admin dn = cn=Manager,dc=mydomain,dc=com
	ldap ssl = no
	ldap passwd sync = yes
      passdb backend = ldapsam:ldap://
	admin users = administrator
	guest account = nobody
	obey pam restrictions = No

	#add user script = /usr/local/sbin/smbldap-useradd -m "%u"
	add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
	#add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
	#add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
	#set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"

## WINS / DNS settings
	wins support = yes
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind use default domain = no
	winbind cache time = 15
	winbind enum users = yes
	winbind enum groups = yes
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	winbind trusted domains only = yes
	template shell = /bin/false
	name resolve order = wins hosts bcast
	smb ports = 139 445
	hosts allow = "IP addresses under my network"
	utmp = yes
	syslog = 0
	log level = 3 passdb:0 auth:2 winbind:5
	panic action = /usr/share/samba/panic-action %d
	max log size = 50
	log file = /var/log/samba/log.%m

## MISC Files/Directories			
	nt acl support = yes
	map acl inherit = yes
	dos charset = CP950
	unix charset = BIG5
	case sensitive = no
	directory mask = 0750
	hide dot files = yes
	hide unreadable = yes
	oplocks = Yes
	level2 oplocks = Yes

## Profile
	logon script = logon.bat
	logon path = 
	logon drive =
	logon home = 	
## MISC Other
	mangling method = hash2
	deadtime = 10
	#client schannel = no
	#client schannel = auto
        #server schannel = yes
        #client signing = auto
        #server signing = no


My journey to setting up the trust:
1. Create Domain A account in Openldap --> smbldap-useradd -I "Name of
Domain A"
2. Create trust on Domain A (DC2) --> added "Name of Domain B" and assigned
password and valid the trust --> No error message
3. establish the trust on Samba --> net rpc trustdom establish "DomainA" -U
administrator, then password

My problem:

1. I was prompted with the following error:

	Could not connect to server DC1
      Trust to domain DomainA established

2. joined a workstation (WinXP SP2) to Domain B, can see Domain A and Domain
B in the list. Logged on as DomainA users

3. Some of the workstations can log on, but no login script from Domain A is
loaded (error log Event view said that cannot contact DC1), but can manually
mount the network share

4. Some of them simply blue screen to death with winlogon.exe error 

5. No problems from Users in Domain B, network shares/printers (from Domain
B) is working fine

Some more info:

1. The trust was working before until Win2k3 was introduced to Domain A

2. Samba.3.0.14a + Win2000Server combination was OK

3. The trust worked once under Win2k3 SP1 + Samba.3.0.20 with "client
schannel = no" but malfunction when I came back to office after the weekend.

Hope someone (especially the SAMBA Team) can help me out.

THX and appreicate with the help



More information about the samba mailing list