[Samba] Samba 3 Trust Relationship with Win2008 AD problem

Woon K S woonks at ioigroup.com
Wed Mar 26 02:47:10 GMT 2008


I am trying to establish a 2 way trust relationship between a samba domain and
a Win2008 AD domain. The trust relationship is established and even verified
by both sides, but when I try to access samba resources from the win2008 domain,
it prompts for a username and password. However, I can access the win2008
resources from the samba domain without being prompted for a username and
password.

My win2008 is the RTM version, domain functional level in win2003 mode, DNS 
and WINS enabled. The trust SID filtering is disabled. Samba version is 
samba-3.0.28a-0.fc8, server DNS and samba WINS IP pointing to my win2008, 
winbind disabled.

I also tweaked all available options in samba (security, winbind settings, dns
proxy, wins enable, etc), but it is still the same.

Below are the error messages:

[2008/03/25 20:31:39, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server WIN2008SRV for domain WIN2008AD.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:connect_to_domain_password_server(119)
  connect_to_domain_password_server: unable to open the domain client session to machine WIN2008SVR. Error was : NT code 0xc0000388.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:domain_client_validate(220)
  domain_client_validate: Domain password server not available.

Below is my smb.conf :

[global]

   workgroup = ITDOM
   netbios name = RUMBA
   passdb backend = tdbsam
   server string = Rumba Server
   printcap name = /etc/printcap
   load printers = yes
   printing = lprng
   log file = /var/log/samba/%m.log
   max log size = 0
   security = user
   password level = 6
   username level = 4
   username map = /etc/samba/smbusers
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 64
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %U.bat
   logon path = \\%L\Profiles\%U
   # win2008 AD server IP
   wins server = 192.168.1.100
[homes]
   comment = Home
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   share modes = yes
   write list = +administrator,+root
[Profiles]
   path = /home/profiles
   browseable = yes
   writable = yes
   guest ok = yes
   write list = +administrator,+root
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes


Below are some diagnostic reports:

[root@webmail samba]# net rpc trustdom list
Password:
Trusted domains list:

WIN2008AD               S-1-5-21-3371021750-61790888-841837805
none

Trusting domains list:

WIN2008AD               S-1-5-21-3371021750-61790888-841837805


From the win2008 "Active Directory Trusts and Domains", when I validate the
2 way trust, I get the message "The trust has been validated. It is in place
and active." The trusts are good.




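Added example, not part of the original post: a Python parser that rejoins the mail-wrapped Samba log records quoted in the message and decodes the NT status code they carry. The name `parse_records` and the status table are this example's own assumptions; the table is a small subset of Samba's NT_STATUS names.

```python
import re

# Constructed sample: the three level-0 records from the post, still mail-wrapped.
SAMPLE = """\
[2008/03/25 20:31:39, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server
WIN2008SRV for domain WIN2008AD.
[2008/03/25 20:31:39, 0]
auth/auth_domain.c:connect_to_domain_password_server(119)
  connect_to_domain_password_server: unable to open the domain client
session to machine WIN2008SVR. Error was : NT code 0xc0000388.
[2008/03/25 20:31:39, 0] auth/auth_domain.c:domain_client_validate(220)
  domain_client_validate: Domain password server not available.
"""

# Subset of NT status values seen around trust and secure-channel failures.
NT_STATUS = {
    0xC000005E: "NT_STATUS_NO_LOGON_SERVERS",
    0xC000018A: "NT_STATUS_NO_TRUST_LSA_SECRET",
    0xC000018B: "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
    0xC0000388: "NT_STATUS_DOWNGRADE_DETECTED",
}

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*")
ORIGIN = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)\s*")
CODE = re.compile(r"NT code (0x[0-9a-fA-F]{8})")

def parse_records(text):
    """Rejoin wrapped lines into one record per '[timestamp, level]' header."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:  # a new record starts at every timestamp header
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "text": line[m.end():].strip()})
        elif records and line.strip():  # wrapped continuation of the last record
            records[-1]["text"] = (records[-1]["text"] + " " + line.strip()).strip()
    for rec in records:
        o = ORIGIN.match(rec["text"])  # source file, function and line number
        if o:
            rec.update(file=o.group(1), func=o.group(2), line=int(o.group(3)))
            rec["text"] = rec["text"][o.end():]
        c = CODE.search(rec["text"])
        if c:
            value = int(c.group(1), 16)
            rec.update(code=value, status=NT_STATUS.get(value, "unknown"))
    return records
```

The code in the second record decodes to NT_STATUS_DOWNGRADE_DETECTED, logged while Samba was opening the domain client session to the Windows 2008 server.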