[Samba] Need some guidance re: two domains sharing the same workstations

Matt Hyclak hyclak at math.ohiou.edu
Fri Dec 15 14:08:52 GMT 2006

I fought with this a few months back, and was never able to resolve it, so
I'm back at it trying to get things to work before classes start again in
January. Here's a brief summary of the situation:

I am responsible for 2 departments, Math and Socialwork, which are located
in the same building and share the same network. Each department has its own
samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.

There is one lab which both departments share, so I would like for users in
either domain to be able to log in to the workstation using the credentials
for their own domain. The way to do this *seems* to be with an Interdomain

I have followed the how-to chapter (19. Interdomain Trusts), and configured
the trust. I added a socialwork$ user to the Math LDAP server, and vice
versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command, and the
relationship is established, however there seems to be a problem with the
"Trusting domains" area. I get the following:

Trusting domains list:

[2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
  Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL

I have googled this error and have seen it come up only a couple times with
no solutions. The relevant sections of smb.conf are as follows:

  ldap suffix = dc=math,dc=ohiou,dc=edu
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=People
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
  ldap passwd sync = yes
  ldap delete dn = no
  passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
  idmap backend = ldap:ldaps://bing.math.ohiou.edu
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind use default domain = no
  winbind enum groups = yes
  winbind enum users = yes

So, if someone could let me know if I'm moving in the right direction, I'd
really appreciate it, or if there's a better way to do this (putting
everyone in the same LDAP tree? - I'd like to avoid that, but it's a
Thanks in advance,

Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263

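Since the post says a socialwork$ account was added to the Math LDAP tree by hand, one thing worth checking before digging further is how that entry is flagged. In Samba 3's ldapsam the account type lives in sambaAcctFlags: 'I' marks an interdomain trust account (the kind `smbpasswd -a -i DOMAIN` creates), 'W' a workstation trust account, 'S' a server trust account, 'U' an ordinary user, and 'D' disabled; `net rpc trustdom list` builds its "Trusting domains" list by enumerating the 'I'-flagged accounts in the local SAM. The block below is an added example and not code from the post or from Samba: it parses an LDIF dump and reports whether each expected DOMAIN$ entry is present, enabled, carries the 'I' flag and has a sambaSID. The LDIF entries, SIDs, the ou the trust account lives in and the ARTS domain are all constructed for the demonstration; this is a check, not a diagnosis of the NT_STATUS_UNSUCCESSFUL error above.

```python
"""Check Samba 3 ldapsam interdomain trust accounts in an LDIF dump.

A trust account is a sambaSamAccount whose uid is the other domain's
NetBIOS name plus '$'. Samba records the account type in sambaAcctFlags:
'U' user, 'W' workstation trust, 'S' server trust, 'I' interdomain trust,
'D' disabled. Run `ldapsearch -x -LLL '(uid=*$)' > accounts.ldif` on the
PDC and feed the file to check_tree().
"""
import sys

# Constructed sample LDIF (not data from the original post). The ou the
# trust account sits in, the SIDs and the ARTS domain are assumptions.
SAMPLE_LDIF = """\
dn: uid=socialwork$,ou=People,dc=math,dc=ohiou,dc=edu
objectClass: sambaSamAccount
objectClass: posixAccount
uid: socialwork$
sambaSID: S-1-5-21-111-222-333-1500
sambaAcctFlags: [I          ]

dn: uid=arts$,ou=People,dc=math,dc=ohiou,dc=edu
objectClass: sambaSamAccount
uid: arts$
sambaSID: S-1-5-21-111-222-333-1501
sambaAcctFlags: [W          ]

dn: uid=lab-pc01$,ou=Computers,dc=math,dc=ohiou,dc=edu
objectClass: sambaSamAccount
uid: lab-pc01$
sambaSID: S-1-5-21-111-222-333-1100
sambaAcctFlags: [W          ]

dn: uid=mathuser,ou=People,dc=math,dc=ohiou,dc=edu
objectClass: sambaSamAccount
uid: mathuser
sambaSID: S-1-5-21-111-222-333-1000
sambaAcctFlags: [U          ]
"""

FLAG_NAMES = {"I": "interdomain trust", "S": "server trust",
              "W": "workstation", "U": "user"}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute
    names lower-cased, multi-valued attributes kept as lists, and
    leading-space continuation lines folded into the previous value."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def account_flags(entry):
    """Return the set of flag letters from sambaAcctFlags, e.g. {'I'}."""
    raw = entry.get("sambaacctflags", [""])[0]
    return set(raw.strip("[] "))


def account_kind(entry):
    flags = account_flags(entry)
    for letter in "ISWU":
        if letter in flags:
            return FLAG_NAMES[letter]
    return "unknown"


def check_trust_account(entries, domain):
    """Return (status, dn) for the trust account DOMAIN$ in the tree."""
    wanted = domain.lower() + "$"
    for entry in entries:
        if wanted in [u.lower() for u in entry.get("uid", [])]:
            dn = entry.get("dn", ["?"])[0]
            flags = account_flags(entry)
            if "D" in flags:
                return ("disabled", dn)
            if "I" not in flags:
                return ("wrong_type:" + account_kind(entry), dn)
            if "sambasid" not in entry:
                return ("no_sid", dn)
            return ("ok", dn)
    return ("missing", None)


def check_tree(text, domains):
    """Map each expected trusting domain to its trust-account status."""
    entries = parse_ldif(text)
    return {d: check_trust_account(entries, d) for d in domains}


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dom, (status, dn) in check_tree(src, ["SOCIALWORK", "ARTS"]).items():
        print(f"{dom:12} {status:28} {dn}")
```

In the sample, SOCIALWORK$ comes back "ok" while ARTS$ is reported as "wrong_type:workstation", which is what a trust account created as an ordinary machine account rather than with `smbpasswd -a -i` looks like; a domain with no account at all is "missing". Run the same check against the Socialwork PDC with "MATH" as the expected domain, since the trust is established in both directions.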