[Samba] Yelling for help on interdomain Trust (a long one)
Simon Leung
skmleung at hkucc.hku.hk
Wed Sep 14 06:16:42 GMT 2005
Hi there,
Scenario:
Domain A: Win2000Server(PDC)(DC1) + Win2003Server (DC2)
Domain B: Samba 3.0.20 (compiled with the patches from http://us1.samba.org/samba/patches/)
Where Domain A is the TRUSTED domain whereas Domain B is the TRUSTING
domain.
And here is part of my smb.conf:
---------------------Starts------------------
# Global parameters
[global]
## NETBIOS / Domain Server Settings
workgroup = SAMBA
netbios name = SAMBA3
server string = Samba-LDAP Server %v PDC
security = user
preferred master = yes
domain master = yes
os level = 65
allow trusted domains = yes
domain logons = Yes
local master = yes
encrypt passwords = Yes
admin users = @"Domain Admins"
Time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## USER / LDAP Settings
ldap port = 389
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=mydomain,dc=com
ldap ssl = no
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1
admin users = administrator
guest account = nobody
obey pam restrictions = No
#add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
#add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
#add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
#set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
## WINS / DNS settings
wins support = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = no
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind trusted domains only = yes
template shell = /bin/false
name resolve order = wins hosts bcast
smb ports = 139 445
hosts allow = "IP addresses under my network"
## LOGGING
utmp = yes
syslog = 0
log level = 3 passdb:0 auth:2 winbind:5
panic action = /usr/share/samba/panic-action %d
max log size = 50
log file = /var/log/samba/log.%m
## MISC Files/Directories
nt acl support = yes
map acl inherit = yes
dos charset = CP950
unix charset = BIG5
case sensitive = no
directory mask = 0750
hide dot files = yes
hide unreadable = yes
oplocks = Yes
level2 oplocks = Yes
## Profile
logon script = logon.bat
logon path =
logon drive =
logon home =
## MISC Other
mangling method = hash2
deadtime = 10
#client schannel = no
#client schannel = auto
#server schannel = yes
#client signing = auto
#server signing = no
-------------END-------------
My journey to setting up the trust:
1. Create the Domain A account in OpenLDAP --> smbldap-useradd -I "Name of Domain A"
2. Create the trust on Domain A (DC2) --> added "Name of Domain B", assigned a password and validated the trust --> No error message
3. Establish the trust on Samba --> net rpc trustdom establish "DomainA" -U administrator, then the password
My problem:
1. I was prompted with the following error:
Could not connect to server DC1
Trust to domain DomainA established
2. Joined a workstation (WinXP SP2) to Domain B; it can see Domain A and Domain B in the list. Logged on as Domain A users.
3. Some of the workstations can log on, but no login script from Domain A is loaded (the Event Viewer error log says it cannot contact DC1); the network share can be mounted manually.
4. Some of them simply blue screen to death with a winlogon.exe error.
5. No problems for users in Domain B; network shares/printers (from Domain B) are working fine.
Some more info:
1. The trust was working before, until Win2k3 was introduced to Domain A.
2. The Samba 3.0.14a + Win2000Server combination was OK.
3. The trust worked once under Win2k3 SP1 + Samba 3.0.20 with "client schannel = no", but malfunctioned when I came back to the office after the weekend.
Hope someone (especially the SAMBA Team) can help me out.
THX, and I appreciate the help
Simon
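Added example, not part of Simon's post or of Samba itself: a small POSIX shell lint for the [global] section of an smb.conf. Samba keeps the last occurrence of a parameter that is set more than once in a section, so in the config above the second `admin users = administrator` silently replaces `admin users = @"Domain Admins"`; since `admin users` grants root-equivalent access on the shares, it is worth knowing which value is actually in force before chasing trust problems. The sample config embedded below is a constructed excerpt of the posted one; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project).
# Lists [global] parameters set more than once and the value Samba will
# actually use (the LAST occurrence wins within a section).

# Constructed excerpt of the smb.conf from the post; written to a temp file
# so the functions below can be run against any real smb.conf path too.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# Global parameters
[global]
workgroup = SAMBA
security = user
admin users = @"Domain Admins"
Time server = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = ldapsam:ldap://127.0.0.1
admin users = administrator
idmap uid = 10000-20000
EOF

# smbconf_global FILE : print "param<TAB>count<TAB>effective value" for every
# parameter in [global]. Keys are lower-cased and whitespace-normalised so that
# "Time server" and "time server" count as the same parameter; the value is
# everything after the FIRST "=", so values containing "=" survive intact.
smbconf_global() {
  awk '
    /^[[:space:]]*[#;]/ { next }                                   # comment line
    /^[[:space:]]*\[/   { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
    insec && index($0, "=") > 0 {
      eq  = index($0, "=")
      key = tolower(substr($0, 1, eq - 1))
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/[[:space:]]+/, " ", key)
      val = substr($0, eq + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      count[key]++; last[key] = val
    }
    END { for (k in count) printf "%s\t%d\t%s\n", k, count[k], last[k] }
  ' "$1"
}

# smbconf_dupes FILE : only the parameters that were set more than once.
smbconf_dupes() {
  smbconf_global "$1" | awk -F'\t' '$2 > 1'
}

# effective_value FILE PARAM : the value in force for PARAM (lower-case name).
effective_value() {
  smbconf_global "$1" | awk -F'\t' -v k="$2" '$1 == k { print $3 }'
}

# Stand-alone run: report duplicates in the sample excerpt.
smbconf_dupes "$SAMPLE_CONF"
```

Run `smbconf_dupes /etc/samba/smb.conf` against a live file; for the excerpt above it reports `admin users` set twice with `administrator` in force, which means the `@"Domain Admins"` group is not in the effective admin list at all.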