[Samba] Trusted domain user login

Jay Santillan nasyaj at gmail.com
Fri Jan 25 15:35:37 GMT 2008


We are currently experiencing logon problems with a trusted domain user(s).

Example: We have DomainA and DomainB
DomainA and DomainB both have workstations joined on their respective
DomainA and DomainB both have trust relationships. DomainA trusts DomainB
and vice versa.
DomainA is served by a Samba PDC, while DomainB has a PDC running
Windows NT 4.0 Server.

When users from DomainA log in to DomainA using a workstation joined
under DomainA and/or DomainB, they can log in without any problems.
The problem occurs when users from DomainB log in to a workstation joined
under DomainA. The logon script is not executed and the user profile is not
This problem does not occur when users log in from DomainB workstations.
(their logon script is executed and profiles are loaded properly)

-We've checked that DomainB user can access the netlogon share from the
workstation (DomainA). Running it manually works.
-We've checked that DomainB user can access the profile share from the
workstation (DomainA).
-Tried a different user and workstation but still the same problem.
-We've tried updating samba to 3.0.28 but still same problem (we went back
to 3.0.23c please see reason below).
-Tried searching the net for same issue and tried some solutions, but still
did not work.
-Tried looking at log files, but could not find obvious errors.

The Samba version we're using is 3.0.23c.
The server is running CentOS 5.1 x86_64.
The original Samba version (3.0.25b) which came with the distro had some
problems. Changing passwords from Windows does not seem to fix it.
Downgrading to 3.0.23c seems to work.

If posting of the log files is needed, please tell us which log file to
Thank you very much for taking time to read this post.


Below is our smb.conf file


# The [section] headers were missing from the posted copy. Those below are
# restored from the settings that reference them (netlogon, profiles, home)
# or from the standard smb.conf layout; the ones marked "assumed" are guesses.

[global]
   netbios name = aphrodite
   workgroup = RLDP_DESIGN3A
   server string = ""
   security = user

   passdb backend = ldapsam:ldap://ldapserver
   enable privileges = yes
   encrypt passwords = yes
   allow trusted domains = yes
   host msdfs = no

   browse list = true
   os level = 65
   preferred master = yes
   domain master = yes
   local master = yes
   domain logons = yes
   logon path = \\%L\profiles\%U
   logon drive = G:
   logon home = \\%L\home\%U
   logon script = default.bat

   log level = 3
   log file = /var/log/samba/%m.log
   max log size = 100

   wins server =
   dns proxy = no
   name resolve order = wins host bcast

   ldap suffix = dc=design3,dc=rldp,dc=com
   ldap machine suffix = ou=computers
   ldap user suffix = ou=People
   ldap group suffix = ou=group
   ldap idmap suffix = ou=idmap
   ldap admin dn = cn=root,dc=design3,dc=rldp,dc=com
   ldap passwd sync = only
   idmap backend = ldap:ldap://ldapserver
   idmap uid = 50000-65000
   idmap gid = 50000-65000
   template shell = /bin/bash
   winbind use default domain = no

   add user script = /opt/smbldap-tools/smbldap-useradd -m "%u"
   delete user script = /opt/smbldap-tools/smbldap-userdel "%u"
   add group script = /opt/smbldap-tools/smbldap-groupadd -p "%g"
   delete group script = /opt/smbldap-tools/smbldap-groupdel "%g"
   add user to group script = /opt/smbldap-tools/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /opt/smbldap-tools/smbldap-groupmod -x "%u" "%g"
   set primary group script = /opt/smbldap-tools/smbldap-usermod -g "%g" "%u"
   add machine script = /opt/smbldap-tools/smbldap-useradd -w "%u"

   printer admin = administrator

#============================ Share Definitions

# Share the logon script (default.bat) is read from
[netlogon]
     path = /smbshare/netlogon
     read only = yes

# Target of "logon path = \\%L\profiles\%U"
[profiles]
     path = /smbshare/profile
     read only = no
     create mask = 0600
     directory mask = 0700

# Share name assumed (not in the posted copy)
[profile_data]
     path = /smbshare/profile_data
     read only = no
     create mask = 0600
     directory mask = 0700

# Target of "logon home = \\%L\home\%U"
[home]
     path = /smbshare/home
     read only = no
     create mask = 0600
     directory mask = 0700

# Share name assumed (not in the posted copy)
[workdir]
     path = /smbshare/workdir
     read only = no
     create mask = 0660
     directory mask = 0770

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# Driver share; the name print$ is assumed (it is the one Windows clients look for)
[print$]
   path = /smbshare/print_drivers
   browseable = yes
   guest ok = no
   read only = yes
   write list = administrator
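An added example (not from the post or the Samba project) that parses an smb.conf of the shape shown above and flags the settings a trusted-domain logon depends on: "allow trusted domains", whether the shares named in "logon path" and "logon home" actually have a section, the idmap ranges needed to map a foreign domain's SIDs, and a [netlogon] share for the logon script. The sample config embedded in it is constructed from the post's values, not the real file.

```python
# Added example: lint an smb.conf for settings that affect trusted-domain logons.
# Not the post's own tooling; SAMPLE is constructed from the posted settings.
import re
from collections import defaultdict

SHARE_RE = re.compile(r"^\\\\[^\\]+\\([^\\]+)")  # \\server\share\... -> share

def parse_smb_conf(text):
    # Returns {section: {key: value}}; keys are lower-cased with blanks squeezed.
    conf, section = defaultdict(dict), "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def check_trusted_logon(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    g, findings = conf.get("global", {}), []
    if g.get("allow trusted domains", "yes").lower() not in ("yes", "true", "1"):
        findings.append("allow trusted domains is disabled")
    for key in ("logon path", "logon home"):       # \\%L\share\%U -> share
        m = SHARE_RE.match(g.get(key, ""))
        if m and m.group(1).lower() not in conf:
            findings.append(f"{key} points at share '{m.group(1)}' with no section")
    for key in ("idmap uid", "idmap gid"):         # foreign SIDs need a uid/gid map
        if not re.fullmatch(r"\d+\s*-\s*\d+", g.get(key, "")):
            findings.append(f"{key} range missing or malformed")
    if g.get("logon script") and "netlogon" not in conf:
        findings.append("logon script set but no [netlogon] share defined")
    return findings

# Constructed sample modelled on the post's settings, not the real file.
SAMPLE = """
[global]
   allow trusted domains = yes
   logon path = \\\\%L\\profiles\\%U
   logon script = default.bat
   idmap uid = 50000-65000
   idmap gid = 50000-65000
[netlogon]
   path = /smbshare/netlogon
[profiles]
   path = /smbshare/profile
"""
```

Run `check_trusted_logon(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a live file; it returns an empty list when none of the four checks fire.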
