[Samba] Samba & Active Directory Trust

Phillip Cockrell pcockrel at rackspace.com
Mon Feb 6 22:33:47 GMT 2006


Hello All,

I'm having an issue creating a two-way trust relationship between my  
Samba Domain and a Windows 2003 Active Directory Domain. Here is a  
summary of my environment:

Samba 3.0.14a
OpenLDAP 2.0.23-7
Debian Woody

Active Directory 2003 (running in mixed mode)
Windows 2003

The trust works fine from AD -> Samba:

[root@samba-1 root]$ net rpc trustdom list
Password:
Trusted domains list:

none

Trusting domains list:

FOOBAR

[root@samba-1 root]$


But when I try to establish the trust the other way, I get  
NT_STATUS_ACCESS_DENIED:

[root@samba-1 root]$ net -d 3 -I 10.6.24.44 rpc trustdom establish FOOBAR
[2006/02/06 16:27:03, 3] param/loadparm.c:lp_load(3915)
   lp_load: refreshing parameters
[2006/02/06 16:27:03, 3] param/loadparm.c:init_globals(1329)
   Initialising global parameters
[2006/02/06 16:27:03, 3] param/params.c:pm_process(573)
   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/02/06 16:27:03, 3] param/loadparm.c:do_section(3417)
   Processing section "[global]"
[2006/02/06 16:27:03, 2] lib/interface.c:add_interface(81)
   added interface ip=10.6.15.10 bcast=10.6.15.255 nmask=255.255.255.0
Password:
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
   Connecting to host=DC01
[2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
   Connecting to 10.6.24.44 at port 445
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
   Doing spnego session setup (blob length=104)
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
   got OID=1 2 840 48018 1 2 2
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
   got OID=1 2 840 113554 1 2 2
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
   got OID=1 2 840 113554 1 2 2 3
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
   got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
   got principal=dc01$@RACK2.CORP
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
   Got challenge flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x62890215
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
   NTLMSSP: Set final flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
[2006/02/06 16:27:07, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
   NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup(861)
   SPNEGO login failed: No logon interdomain trust account
[2006/02/06 16:27:07, 1] libsmb/cliconnect.c:cli_full_connection(1494)
   failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
Could not connect to server DC01
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
   Connecting to host=DC01
[2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
   Connecting to 10.6.24.44 at port 445
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4663)
   NetServerEnum2 error: Couldn't find primary domain controller                  for domain FOOBAR
[2006/02/06 16:27:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
   cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine DC01.  Error was NT_STATUS_ACCESS_DENIED
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
   Couldn't not initialise wkssvc pipe
[2006/02/06 16:27:07, 2] utils/net.c:main(897)
   return code = -1
[root@samba-1 root]$

The trust "account" is set up on the AD side and I am using the same  
password on both ends. Is there some issue that I don't know about?

Thanks in advance,

Phillip Cockrell


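Added example, not part of the original post: a small triage script for Samba "-d 3" output in the format shown above. It groups each bracketed header with its body lines, lists the NT_STATUS failures logged at level 0 or 1 in order, and reports which NTLMSSP negotiate flags were offered by the server but absent from the final set. The sample input is constructed from lines in the post; the flag names follow MS-NLMP and cover only a subset of bits.

```python
import re
# Constructed sample in the format of the debug output above (one line mail-wrapped).
SAMPLE = """\
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x62890215
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
[2006/02/06 16:27:07, 1] libsmb/cliconnect.c:cli_full_connection(1494)
   failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2006/02/06 16:27:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
   cli_nt_session_open: cli_nt_create failed on pipe \\wkssvc to
machine DC01.  Error was NT_STATUS_ACCESS_DENIED
"""
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*(\d+)\]\s+\S+?:(\w+)")
STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")
FLAGS = re.compile(r"neg_flags=0x([0-9a-fA-F]+)")
# Subset of NTLMSSP negotiate-flag bits, named as in MS-NLMP.
NTLMSSP_FLAGS = {
    0x00000001: "UNICODE", 0x00000004: "REQUEST_TARGET", 0x00000010: "SIGN",
    0x00000020: "SEAL", 0x00000200: "NTLM", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO",
    0x02000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
}

def parse_records(text):
    """Group each '[timestamp, level] file:function(line)' header with its body."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m.group(1)), "func": m.group(2), "msg": ""})
        elif records and line.strip():
            # Body line or mail-wrapped continuation: fold into the current record.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def failures(records, max_level=1):
    """(function, NT_STATUS) pairs logged at debug level <= max_level, in order."""
    return [(r["func"], s) for r in records if r["level"] <= max_level
            for s in STATUS.findall(r["msg"])]

def decode_flags(value):
    """Names of the known bits set in an NTLMSSP neg_flags value."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}

def dropped_flags(records):
    """Flags present in the first neg_flags value but absent from the last."""
    vals = [int(h, 16) for r in records for h in FLAGS.findall(r["msg"])]
    return decode_flags(vals[0]) - decode_flags(vals[-1]) if vals else set()
```

Calling failures(parse_records(SAMPLE)) gives the two failures in the order they were logged, and dropped_flags() on the same records shows the difference between 0x62890215 and 0x60080215.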