[Samba] Re: Need some guidance re: two domains sharing the same workstations
Aidan Dixon
Aidan.Dixon at Densitron.co.uk
Sun Dec 17 17:18:47 GMT 2006
Hello Matt,

I've had similar misfortunes too with interdomain trusts. I think
you're working along the right lines since you seem to want to do the
same thing as I.

However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying
to connect to the IPC$ share of the PDC of the trusting domain. In my
case the trusting PDC is a Windows 2003 Server.

I know it's not an issue of credentials but something else; but I don't
know what. Judging by the traffic on this list someone HAS got this to
work. Anyone care to comment?

Kind regards,
-a.

samba-request at lists.samba.org wrote:
> Subject:
> [Samba] Need some guidance re: two domains sharing the same workstations
> From:
> Matt Hyclak <hyclak at math.ohiou.edu>
> Date:
> Fri, 15 Dec 2006 09:08:52 -0500
> To:
> samba at lists.samba.org
>
>
> I fought with this a few months back, and was never able to resolve it, so
> I'm back at it trying to get things to work before classes start again in
> January. Here's a brief summary of the situation:
>
> I am responsible for 2 departments, Math and Socialwork, which are located
> in the same building and share the same network. Each department has its own
> samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.
>
> There is one lab which both departments share, so I would like for users in
> either domain to be able to log in to the workstation using the credentials
> for their own domain. The way to do this *seems* to be with an Interdomain
> Trust.
>
> I have followed the how-to chapter (19. Interdomain Trusts), and configured
> the trust. I added a socialwork$ user to the Math LDAP server, and vice
> versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command, and the
> relationship is established, however there seems to be a problem with the
> "Trusting domains" area. I get the following:
>
> Trusting domains list:
>
> [2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
> Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
>
>
> I have googled this error and have seen it come up only a couple times with
> no solutions. The relevant sections of smb.conf are as follows:
>
> ldap suffix = dc=math,dc=ohiou,dc=edu
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
> ldap passwd sync = yes
> ldap delete dn = no
> passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
> idmap backend = ldap:ldaps://bing.math.ohiou.edu
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind use default domain = no
> winbind enum groups = yes
> winbind enum users = yes
>
> So, if someone could let me know if I'm moving in the right direction, I'd
> really appreciate it, or if there's a better way to do this (putting
> everyone in the same LDAP tree? - I'd like to avoid that, but it's a
> possibility).
>
> Thanks in advance,
> Matt