[Samba] Problem establishing interdomain trust

Richard Foltyn richard.foltyn at gmail.com
Mon Aug 4 00:58:04 GMT 2008


Hello group,

I have 2 Samba PDCs w/ LDAP + winbind called FILESERVER and FUNDUS-SRV for
the domains PROFICON and FUNDUS, respectively.

In PROFICON I created a trust account for FUNDUS using
net rpc trustdom add FUNDUS <passwd> -U proficon\\administrator
which creates the LDAP entry:

dn: uid=FUNDUS$,ou=Computers,dc=office,dc=proficon,dc=sk
uid: FUNDUS$
sambaSID: S-1-5-21-1419647580-1448962253-3507612647-1036
displayName: Computer
objectClass: sambaSamAccount
objectClass: account
sambaNTPassword: <passwd>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1217810123
sambaAcctFlags: [I          ]

When I try to establish the relationship on the FUNDUS PDC with
net rpc trustdom establish PROFICON

I get the following error:
[root at fundus-srv samba]# net rpc trustdom establish proficon
Enter FUNDUS$'s password:
Could not connect to server FILESERVER
[2008/08/04 02:31:25,  0] utils/net_rpc.c:rpc_trustdom_establish(5836)
  Storing password for trusted domain failed.

Also, the /var/log/samba/fundus-srv.log on FILESERVER reads:

[2008/08/04 02:31:25,  5] auth/auth_util.c:make_user_info_map(178)
  make_user_info_map: Mapping user [PROFICON]\[FUNDUS$] from workstation
[FUNDUS-SRV]
[2008/08/04 02:31:25,  5] auth/auth_util.c:is_trusted_domain(2021)
  is_trusted_domain: Checking for domain trust with [PROFICON]
[2008/08/04 02:31:25,  2] lib/smbldap.c:smbldap_open_connection(796)
  smbldap_open_connection: connection opened
[2008/08/04 02:31:25,  5] auth/auth_util.c:make_user_info(92)
  attempting to make a user_info for FUNDUS$ (FUNDUS$)
[2008/08/04 02:31:25,  5] auth/auth_util.c:make_user_info(102)
  making strings for FUNDUS$'s user_info struct
[2008/08/04 02:31:25,  5] auth/auth_util.c:make_user_info(134)
  making blobs for FUNDUS$'s user_info struct
[2008/08/04 02:31:25,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
[PROFICON]\[FUNDUS$]@[FUNDUS-SRV] with the new password interface
[2008/08/04 02:31:25,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is: [PROFICON]\[FUNDUS$]@[FUNDUS-SRV]
[2008/08/04 02:31:25,  2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
  init_sam_from_ldap: Entry found for user: fundus$
[2008/08/04 02:31:25,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2008/08/04 02:31:25,  5] passdb/pdb_interface.c:lookup_global_sam_rid(1499)
  lookup_global_sam_rid: looking up RID 513.
[2008/08/04 02:31:25,  4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1613)
  ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-1419647580-1448962253-3507612647-513] count=0
[2008/08/04 02:31:25,  2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
  init_group_from_ldap: Entry found for group: 513
[2008/08/04 02:31:25,  5]
passdb/pdb_interface.c:pdb_default_lookup_rids(1621)
  lookup_rids: Domain Users:2
[2008/08/04 02:31:25,  4] libsmb/ntlm_check.c:ntlm_password_check(328)
  ntlm_password_check: Checking NT MD4 password
[2008/08/04 02:31:25,  4] auth/auth_sam.c:sam_account_ok(137)
  sam_account_ok: Checking SMB password for user fundus$
[2008/08/04 02:31:25,  5] auth/auth_sam.c:logon_hours_ok(119)
  logon_hours_ok: user fundus$ allowed to logon at this time (Mon Aug  4
00:31:25 2008
  )
[2008/08/04 02:31:25,  2] auth/auth_sam.c:sam_account_ok(223)
  sam_account_ok: Domain trust account fundus$ denied by server
[2008/08/04 02:31:25,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [FUNDUS$] FAILED with
error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2008/08/04 02:31:25,  3] auth/auth_winbind.c:check_winbind_security(54)
  check_winbind_security: Not using winbind, requested domain [PROFICON] was
for this SAM.
[2008/08/04 02:31:25,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [FUNDUS$] -> [FUNDUS$]
FAILED with error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2008/08/04 02:31:25,  5] auth/auth_util.c:free_user_info(1951)


Any ideas why the password for the trusted domain cannot be stored?

TIA
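
For triage of a log like the one quoted above, the following is an added example (not part of the original post and not Samba's own code) that parses smbd's two-line debug records, rejoins lines wrapped by the mailer, and lists the records carrying an NT_STATUS error. The function names `parse_records` and `auth_failures` are hypothetical, and `SAMPLE` is an excerpt copied from the post's log with its wrapping kept.

```python
import re

# smbd debug record header: "[YYYY/MM/DD hh:mm:ss,  level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"(\S+):(\w+)\((\d+)\)")
STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")

# Excerpt of the log quoted in the post, keeping the mailer's line wrapping.
SAMPLE = """\
[2008/08/04 02:31:25,  5]
passdb/pdb_interface.c:pdb_default_lookup_rids(1621)
  lookup_rids: Domain Users:2
[2008/08/04 02:31:25,  2] auth/auth_sam.c:sam_account_ok(223)
  sam_account_ok: Domain trust account fundus$ denied by server
[2008/08/04 02:31:25,  5] auth/auth.c:check_ntlm_password(272)
  check_ntlm_password: sam authentication for user [FUNDUS$] FAILED with
error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
[2008/08/04 02:31:25,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [FUNDUS$] -> [FUNDUS$]
FAILED with error NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
"""

def parse_records(text):
    """Return one dict per debug record, rejoining wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        head = HEADER.match(raw)
        if head:
            records.append({"ts": head[1], "level": int(head[2]),
                            "loc": head[3].strip(), "msg": ""})
        elif raw.strip() and records:
            rec = records[-1]
            if not rec["msg"] and not LOCATION.fullmatch(rec["loc"]):
                rec["loc"] += raw.strip()  # the header line itself was wrapped
            else:
                rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    for rec in records:
        loc = LOCATION.fullmatch(rec["loc"])
        rec["file"], rec["func"], rec["line"] = loc.groups() if loc else (rec["loc"], "", "")
    return records

def auth_failures(records):
    """Return (timestamp, function, line, status) for records with a non-OK NT_STATUS."""
    out = []
    for rec in records:
        codes = [c for c in STATUS.findall(rec["msg"]) if c != "NT_STATUS_OK"]
        if codes:
            out.append((rec["ts"], rec["func"], rec["line"], codes[0]))
    return out
```

Calling `auth_failures(parse_records(SAMPLE))` returns the two `check_ntlm_password` records; the record logged just before them by `sam_account_ok` is the one that states why the account was refused.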

