[Samba] Attempt #2 :Interdomain Trust

Simon Leung skmleung at hkucc.hku.hk
Mon Sep 26 07:54:23 GMT 2005


Dear All,

I posted the following "HELP" recently, and it seems there has been no response
since. Anyway, I'll try to make it short again here:

As instructed in the Samba3-HOWTO.pdf Ch 18.4.2:

[root at samba3 var]# net rpc trustdom establish DomainA
Password:
Could not connect to server "DomainA-PDC"
Trust to domain DomainA established 

Then a workstation (WinXP SP2) successfully joined Domain B (with Domain A
listed under "Log on to"). Users in Domain A can log in, but an error shows up
in the Event Viewer:

Event ID: 15
Source: AutoEnrollment
Type: Error
Description: Automatic certificate enrollment for local system failed to
contact the active directory (0x8007054b). The specified domain either does
not exist or could not be contacted. Enrollment will not be performed.


Another problem: when a Domain A user logs on to the workstation from Domain B, a
"blue screen of death" appears, with the error coming from winlogon.exe
(msgina.dll).


I hope someone can help.

With a BIG THX

Simon



> _____________________________________________ 
> From: 	Simon Leung [mailto:skmleung at hkucc.hku.hk] 
> Sent:	Wednesday, September 14, 2005 2:17 PM
> To:	'samba at lists.samba.org'
> Subject:	Yelling for help on interdomain Trust (a long one)
> 
> Hi there,
> 
> Scenario:
> Domain A: Win2000Server (PDC) (DC1) + Win2003Server (DC2)
> Domain B: Samba 3.0.20 (compiled with the patches from
> http://us1.samba.org/samba/patches/)
> Domain A is the TRUSTED domain, whereas Domain B is the TRUSTING
> domain.
> 
> And here is part of my smb.conf:
> 
> ---------------------Starts------------------
> 
> # Global parameters
> [global]
> 
> ## NETBIOS / Domain Server Settings
> 
> 	workgroup = SAMBA
> 	netbios name = SAMBA3
> 	server string = Samba-LDAP Server %v PDC
> 	security = user
> 	preferred master = yes
> 	domain master = yes
> 	os level = 65
> 	allow trusted domains = yes
> 	domain logons = Yes
> 	local master = yes
> 	encrypt passwords = Yes
> 	# NOTE: "admin users" is assigned again below ("administrator");
> 	# Samba keeps the later assignment, so this value is overridden.
> 	admin users = @"Domain Admins"
> 	Time server = yes
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
> ## USER / LDAP Settings
> 
> 	ldap port = 389
> 	ldap suffix = dc=mydomain,dc=com
> 	ldap machine suffix = ou=Computers
> 	ldap user suffix = ou=Users
> 	ldap group suffix = ou=Groups
> 	ldap idmap suffix = ou=Users
> 	ldap admin dn = cn=Manager,dc=mydomain,dc=com
> 	ldap ssl = no
> 	ldap passwd sync = yes
> 	passdb backend = ldapsam:ldap://127.0.0.1
> 	admin users = administrator
> 	guest account = nobody
> 	obey pam restrictions = No
> 
> 	#add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> 	add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> 	#add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> 	#add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> 	#set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> 
> ## WINS / DNS settings
> 
> 	wins support = yes
> 	idmap uid = 10000-20000
> 	idmap gid = 10000-20000
> 	winbind use default domain = no
> 	winbind cache time = 15
> 	winbind enum users = yes
> 	winbind enum groups = yes
> 	winbind uid = 10000-20000
> 	winbind gid = 10000-20000
> 	winbind trusted domains only = yes
> 	template shell = /bin/false
> 	name resolve order = wins hosts bcast
> 	smb ports = 139 445
> 	hosts allow = "IP addresses under my network"
> 
> ## LOGGING
> 
> 	utmp = yes
> 	syslog = 0
> 	log level = 3 passdb:0 auth:2 winbind:5
> 	panic action = /usr/share/samba/panic-action %d
> 	max log size = 50
> 	log file = /var/log/samba/log.%m
> 
> ## MISC Files/Directories
> 
> 	nt acl support = yes
> 	map acl inherit = yes
> 	dos charset = CP950
> 	unix charset = BIG5
> 	case sensitive = no
> 	directory mask = 0750
> 	hide dot files = yes
> 	hide unreadable = yes
> 	oplocks = Yes
> 	level2 oplocks = Yes
> 
> ## Profile
> 
> 	logon script = logon.bat
> 	logon path =
> 	logon drive =
> 	logon home =
> 
> ## MISC Other
> 
> 	mangling method = hash2
> 	deadtime = 10
> 	#client schannel = no
> 	#client schannel = auto
> 	#server schannel = yes
> 	#client signing = auto
> 	#server signing = no
> 
> -------------END-------------
> 
> 
> My journey to setting up the trust:
> 1. Created the Domain A account in OpenLDAP --> smbldap-useradd -I "Name of Domain A"
> 2. Created the trust on Domain A (DC2) --> added "Name of Domain B", assigned a
> password and validated the trust --> no error message
> 3. Established the trust on Samba --> net rpc trustdom establish "DomainA"
> -U administrator, then entered the password
> 
> 
> My problem:
> 
> 1. I was prompted with the following error:
> 
> 	Could not connect to server DC1
> 	Trust to domain DomainA established
> 
> 2. Joined a workstation (WinXP SP2) to Domain B; it can see Domain A and
> Domain B in the list. Logged on as Domain A users.
> 
> 3. Some of the workstations can log on, but no login script from Domain A
> is loaded (the Event Viewer log says it cannot contact DC1); the network share
> can still be mounted manually.
> 
> 4. Some of them simply blue screen of death with a winlogon.exe error.
> 
> 5. No problems for users in Domain B; network shares/printers (from
> Domain B) are working fine.
> 
> 
> Some more info:
> 
> 1. The trust was working before, until Win2k3 was introduced to Domain A.
> 
> 2. The Samba 3.0.14a + Win2000Server combination was OK.
> 
> 3. The trust worked once under Win2k3 SP1 + Samba 3.0.20 with "client
> schannel = no", but malfunctioned when I came back to the office after the
> weekend.
> 
> 
> Hope someone (especially the SAMBA Team) can help me out.
> 
> 
> THX, and I appreciate the help
> 
> Simon
> 
> 
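As an added example (not part of Simon's post, and not code from the Samba project): a small Python linter for the kind of smb.conf quoted above. It parses the [global] section, flags any parameter assigned more than once (Samba keeps the last assignment, so the earlier `admin users = @"Domain Admins"` in the quoted config is silently overridden by the later `admin users = administrator`), and warns about settings that weaken protocol protection: `client schannel` / `server schannel = no`, `client signing` / `server signing = no`, and `ldap ssl = no` when the ldapsam backend points at a non-loopback host. The embedded sample config is a constructed, abridged copy of the quoted one with `client schannel = no` made active so the schannel check fires; the severity labels and message wording are this example's own, not Samba's.

```python
"""Added example (not from the original post or from Samba): a minimal
smb.conf linter that flags duplicate parameters and settings which weaken
NETLOGON / SMB / LDAP protection."""
import re
from typing import Dict, List, Tuple

# (normalized key, key as written, value, line number)
Param = Tuple[str, str, str, int]
Finding = Tuple[str, str]  # (severity, message); labels are this example's own

# Constructed sample: an abridged copy of the posted [global] section, with
# "client schannel = no" made active so that the schannel check fires.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    workgroup = SAMBA
    security = user
    allow trusted domains = yes
    admin users = @"Domain Admins"
    ldap admin dn = cn=Manager,dc=mydomain,dc=com
    ldap ssl = no
    passdb backend = ldapsam:ldap://127.0.0.1
    admin users = administrator
    #client schannel = no
    client schannel = no
    server signing = no
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def normalize_key(key: str) -> str:
    """Samba matches parameter names ignoring case and whitespace, so
    'Time server' and 'timeserver' name the same parameter; mirror that."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, List[Param]]:
    """Parse smb.conf text into {section name: [Param, ...]} in file order.
    Blank lines and '#' / ';' comment lines are skipped; values keep their text."""
    sections: Dict[str, List[Param]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # parameter before any [section], or junk: ignore
        key, value = line.split("=", 1)
        sections[current].append((normalize_key(key), key.strip(), value.strip(), lineno))
    return sections


def lint_global(sections: Dict[str, List[Param]]) -> List[Finding]:
    findings: List[Finding] = []
    params = sections.get("global", [])

    # 1. A parameter assigned twice: Samba keeps the LAST assignment and the
    #    earlier one is lost without any warning.
    first_seen: Dict[str, Tuple[str, int]] = {}
    for norm, shown, _value, lineno in params:
        if norm in first_seen:
            earlier_name, earlier_line = first_seen[norm]
            findings.append(("warn",
                f"'{earlier_name}' is set on line {earlier_line} and again on line {lineno}; "
                f"Samba keeps the later value and silently drops the earlier one"))
        else:
            first_seen[norm] = (shown, lineno)

    # Effective values: last assignment wins, as Samba applies them.
    effective = {norm: value for norm, _shown, value, _line in params}

    # 2. ldapsam over plain ldap:// to a remote host with TLS switched off sends
    #    the 'ldap admin dn' bind credentials across the network in clear text.
    #    (ldaps:// and ldapi:// do not match the pattern and are not flagged.)
    host = re.search(r"ldap://([^/:\s]+)", effective.get("passdbbackend", ""))
    if (host and effective.get("ldapssl", "").lower() in ("no", "off")
            and host.group(1) not in LOOPBACK_HOSTS):
        findings.append(("high",
            f"'ldap ssl = no' with passdb backend on {host.group(1)}: "
            f"LDAP bind credentials would travel unencrypted"))

    # 3. Explicit protocol-protection downgrades.
    for norm, shown in (("clientschannel", "client schannel"),
                        ("serverschannel", "server schannel")):
        if effective.get(norm, "").lower() == "no":
            findings.append(("warn",
                f"'{shown} = no' disables secure-channel (schannel) protection of NETLOGON traffic"))
    for norm, shown in (("clientsigning", "client signing"),
                        ("serversigning", "server signing")):
        if effective.get(norm, "").lower() == "no":
            findings.append(("info", f"'{shown} = no' disables SMB signing on that side"))
    return findings


def lint_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse and lint in one call."""
    return lint_global(parse_smb_conf(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_SMB_CONF):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the duplicated `admin users` (lines 6 and 10 of the sample), the active `client schannel = no`, and `server signing = no`; the loopback LDAP URL produces no finding, since the bind never leaves the host. Pointing it at a real file (`lint_text(open("/etc/samba/smb.conf").read())`) is all that is needed to check a live configuration before re-running `net rpc trustdom establish`.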

