[Samba] Re: Need some guidance re: two domains sharing the same workstations

Matt Hyclak hyclak at math.ohiou.edu
Mon Dec 18 20:57:29 GMT 2006

On Sun, Dec 17, 2006 at 05:18:47PM +0000, Aidan Dixon enlightened us:
> I've had similar misfortunes too with interdomain trusts.  I think 
> you're working along the right lines since you seem to want to do the 
> same thing as I.
> However the NT_STATUS_UNSUCCESSFUL is an error I always get when trying 
> to connect to the IPC$ share of the PDC of the trusting domain.  In my 
> case the trusting PDC is a Windows 2003 Server.
> I know it's not an issue of credentials but something else; but I don't 
> know what.  Judging by the traffic on this list someone HAS got this to 
> work.  Anyone care to comment?
> Kind regards,
> -a.

In some more diagnosis, here's where I seem to be:

The Interdomain Trust relationship works. I can log into a SW computer with
a SW account, and browse to MATH servers and see files.

If the account name exists in one user database, I can log in with
credentials from the other Domain. Specifically, I've got an account
(hyclak) which exists in both the MATH and SOCIALWORK domains. I can log
into a SW computer with my MATH credentials no problem, but if I use an
account that isn't in both domains, I can only log into machines in the
associated domain.

This leads me to believe either:

1. I need to use a single LDAP tree for all the accounts - feasible, but I'd
   rather avoid it.

2. There is some problem with my configuration (winbind?) that is not
   allowing the accounts to be looked up enough to see if the credentials in
   the other domain are correct.

Can anyone help with 2, or should I just give it up and go with 1?


> samba-request at lists.samba.org wrote:
> >Subject:
> >[Samba] Need some guidance re: two domains sharing the same workstations
> >From:
> >Matt Hyclak <hyclak at math.ohiou.edu>
> >Date:
> >Fri, 15 Dec 2006 09:08:52 -0500
> >To:
> >samba at lists.samba.org
> >
> >
> >I fought with this a few months back, and was never able to resolve it, so
> >I'm back at it trying to get things to work before classes start again in
> >January. Here's a brief summary of the situation:
> >
> >I am responsible for 2 departments, Math and Socialwork, which are located
> >in the same building and share the same network. Each department has its
> >own samba server (RHEL4/CentOS4) and domain MATH and SOCIALWORK, respectively.
> >
> >There is one lab which both departments share, so I would like for users in
> >either domain to be able to log in to the workstation using the credentials
> >for their own domain. The way to do this *seems* to be with an Interdomain
> >Trust.
> >
> >I have followed the how-to chapter (19. Interdomain Trusts), and configured
> >the trust. I added a socialwork$ user to the Math LDAP server, and vice
> >versa. Ran the 'net rpc trustdom establish OTHERDOMAIN' command, and the
> >relationship is established, however there seems to be a problem with the
> >"Trusting domains" area. I get the following:
> >
> >Trusting domains list:
> >
> >[2006/12/15 09:01:02, 0] utils/net_rpc.c:rpc_trustdom_list(4688)
> >  Couldn't enumerate accounts. Error was: NT_STATUS_UNSUCCESSFUL
> >  
> >
> >I have googled this error and have seen it come up only a couple times with
> >no solutions. The relevant sections of smb.conf are as follows:
> >
> >  ldap suffix = dc=math,dc=ohiou,dc=edu
> >  ldap group suffix = ou=Group
> >  ldap machine suffix = ou=Computers
> >  ldap user suffix = ou=People
> >  ldap idmap suffix = ou=Idmap
> >  ldap admin dn = cn=Manager,dc=math,dc=ohiou,dc=edu
> >  ldap passwd sync = yes
> >  ldap delete dn = no
> >  passdb backend = ldapsam:ldaps://bing.math.ohiou.edu
> >  idmap backend = ldap:ldaps://bing.math.ohiou.edu
> >  
> >  idmap uid = 10000-20000
> >  idmap gid = 10000-20000
> >  winbind use default domain = no
> >  winbind enum groups = yes
> >  winbind enum users = yes
> >
> >So, if someone could let me know if I'm moving in the right direction, I'd
> >really appreciate it, or if there's a better way to do this (putting
> >everyone in the same LDAP tree? - I'd like to avoid that, but it's a
> >possibility).
> >  
> >Thanks in advance,
> >Matt

Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263
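A diagnostic script for option 2 above, added here as an example and not part of the original thread or of Samba itself: run on the trusting Samba PDC (MATH in this case) with winbindd running, it separates three things that can fail independently for a trusted-domain account such as SOCIALWORK\hyclak: winbind not seeing the trust at all (wbinfo -m), the name not mapping to a SID (wbinfo -n), and the credentials being rejected (wbinfo -a). The WBINFO variable and the stage ordering are my own assumptions; the domain and user names come from the thread.

```shell
#!/bin/sh
# Added example: stage-by-stage check of a Samba 3 interdomain trust.
# Assumes winbindd is running on this (trusting) PDC. WBINFO lets the
# command be overridden (e.g. for testing); the default is the real binary.
WBINFO="${WBINFO:-wbinfo}"

# trust_listed DOMAIN: does winbind list DOMAIN among its trusted domains?
trust_listed() {
    "$WBINFO" -m | grep -qix "$1"
}

# name_resolves DOMAIN USER: does DOMAIN\USER map to a SID via winbind?
name_resolves() {
    "$WBINFO" -n "$1\\$2" >/dev/null 2>&1
}

# auth_ok DOMAIN USER [PASSWORD]: does winbind accept the credentials?
# Without PASSWORD, wbinfo prompts on the terminal, keeping the secret
# out of the process list; with it, "user%password" is passed as wbinfo expects.
auth_ok() {
    if [ -n "$3" ]; then
        "$WBINFO" -a "$1\\$2%$3" >/dev/null 2>&1
    else
        "$WBINFO" -a "$1\\$2" >/dev/null
    fi
}

# diagnose DOMAIN USER [PASSWORD]: print the first failing stage and return
# a distinct code per stage (1 trust, 2 lookup, 3 auth), 0 when all pass.
diagnose() {
    trust_listed "$1" || {
        printf '%s\n' "trust: $1 not in 'wbinfo -m'; winbind does not see the trust"
        return 1; }
    name_resolves "$1" "$2" || {
        printf '%s\n' "lookup: $1\\$2 has no SID; winbind cannot look up trusted users"
        return 2; }
    auth_ok "$1" "$2" "$3" || {
        printf '%s\n' "auth: credentials for $1\\$2 rejected by winbind"
        return 3; }
    printf '%s\n' "ok: $1\\$2 resolves and authenticates through the trust"
    return 0
}

# Usage: sh trustcheck.sh SOCIALWORK hyclak   (password is prompted for)
if [ "$#" -ge 2 ]; then
    diagnose "$@"
fi
```

A failure at the lookup stage while the trust stage passes matches the symptom described in the thread (trust established, yet accounts that exist only in the other domain cannot log in).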
