[Samba] NT4 to Samba Migration and Trusted Domains

Nick Couchman nick-lists at seakr.com
Tue Oct 17 18:43:13 GMT 2006

Well, I'm attempting to migrate my old NT4-based domain to Samba3.  I've
got Samba set up with an LDAP backend, I've extended my NDS schema, and
I've got users in this new domain set up successfully and authenticating. 
I've decided that the best, most seamless way to migrate my domain is to
create a new domain which will run alongside the old domain.  A
two-way trust relationship between the two domains should allow me to share
folders on servers located on either domain with users on either domain. 
This way, I'll be able to migrate users, groups, and computers at my
leisure from one domain to another.

So, I've also successfully configured the trust relationship (I think).  I
go to a Windows machine that is a member of my original domain (DOMA) and
I can log in with a user on either DOMA or my new domain (DOMB).  I can
also modify file shares on these computers and give users on either domain
access to my files, etc.

I have a multi-subnet environment, so my Windows NT4 machines are running
WINS to make sure that all computers in the domain can find a logon
server.  I've configured my new Samba servers to point to these WINS
servers for now to reduce the number of things that I have to deal with
migrating at one time.

The issue that I'm running into is this: my Samba servers on DOMA (my
primary file servers for the entire company) don't want to authenticate
users on DOMB.  Users from DOMA can successfully authenticate, but users
from DOMB get the following message from smbclient:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

If I look at the log file on the Samba server, I see the following:

[2006/10/17 11:50:05, 0] auth/auth_domain.c:domain_client_validate(242)
  domain_client_validate: unable to validate password for user USER in
domain DOMB to Domain controller DOMA-PDC. Error was

It seems that Samba is connecting to the domain controller for which it is
a member (DOMA) and trying to authenticate the user from DOMB.  Obviously
this fails, and it seems that Samba doesn't know how to go find a
different domain controller for the correct domain and authenticate.

Some additional info - the Samba server having this issue is running Samba
3.0.22 on SuSE 10.1 Pro.  The usernames on DOMA and DOMB are exactly the
same, and the Samba server is getting username info from the same LDAP
directory that services the DOMB PDC and that Samba on that PDC points to
for its user information.  Here's the smb.conf file from one of the Samba
servers experiencing this problem:

        workgroup = DOMA
        security = domain
        wins server =
        allow trusted domains = yes
        password server = *
        # auth methods = trustdomain
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group = "Domain Users"
        template shell = "/bin/bash"
        log level = 3

        path = /tmp
        comment = Temp Directory

I can provide more detailed log files, if necessary.
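
A triage helper for the symptom described in the post, added here as an example (it is not part of the original message and is not Samba code): it joins the wrapped `domain_client_validate` log lines into one entry and reports failures where the user's domain differs from the member server's `workgroup`. The function names are hypothetical; the sample log and config are constructed from the excerpts quoted in the post.

```python
import re

# Constructed sample: the log entry quoted in the post, wrapped as it appears there.
SAMPLE_LOG = """\
[2006/10/17 11:50:05, 0] auth/auth_domain.c:domain_client_validate(242)
  domain_client_validate: unable to validate password for user USER in
domain DOMB to Domain controller DOMA-PDC. Error was
"""

# Constructed sample: two of the settings shown in the post's smb.conf.
SAMPLE_CONF = "        workgroup = DOMA\n        security = domain\n"

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\] \S+")
FAILURE = re.compile(
    r"unable to validate password for user (\S+) in domain (\S+) "
    r"to Domain controller (\S+?)\. Error was")

def workgroup(conf_text):
    """Return the 'workgroup' value from smb.conf text, upper-cased ('' if unset)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and " ".join(key.split()).lower() == "workgroup":
            return value.strip().upper()
    return ""

def log_entries(text):
    """Yield (timestamp, message); continuation lines are joined to their header."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(body)
            stamp, body = m.group(1), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, " ".join(body)

def cross_domain_failures(log_text, conf_text):
    """List failures where the user's domain is not the member server's workgroup."""
    own = workgroup(conf_text)
    hits = []
    for stamp, msg in log_entries(log_text):
        m = FAILURE.search(msg)
        if m and m.group(2).upper() != own:
            hits.append({"time": stamp, "user": m.group(1), "user_domain": m.group(2),
                         "asked_dc": m.group(3), "member_of": own})
    return hits
```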

