[Samba] domain trusts in samba3 with openLDAP

Charlie medievalist at gmail.com
Wed May 7 20:43:22 GMT 2008


Greetings Sambistas!

  I can't seem to get domain trusts to work in both directions.  Details follow.

  I have a network running many OSes on four geographically separate
sites with an OpenLDAP authentication backbone.  Desktops are Windows
XP authenticating to samba 3.0.25b servers which in turn are
configured to use LDAP.  Our net has been running samba in various
flavors and versions for over ten years, and we have been running
OpenLDAP for about seven years.

  Each physical site is a separate samba domain but all use the same
LDAP backend data.  All Linux samba servers are running 3.0.25b, some
of them using Red Hat native packages on RHEL5 and others using my own
backported RPMs of the same.  HP-UX servers run HP's CIFS9000 product
which is essentially a samba fork.

  Each samba server has a local LDAP replica and a local slave BIND
DNS server.  PAM, NSS, and samba are all configured for automatic LDAP
failover; this is tested and working.  We use unencrypted LDAP on
127.0.0.1 as the primary (for speed) and LDAPS to the master server as
secondary (for security).  If I kill the local LDAP daemon samba
continues to work fine, drawing passwords etc. from the master server
over SSL.

  From the main site, I can do this:

# net rpc trustdom list  -Udomadmin
Password:

Trusted domains list:

LA              S-1-5-21-laSIDredacted
MD             S-1-5-21-mdSIDredacted
MA             S-1-5-21-maSIDredacted
none

Trusting domains list:

MAIN             S-1-5-21-LocalSIDredacted
MA                S-1-5-21-maSIDredacted
LA                 S-1-5-21-laSIDredacted
MD                S-1-5-21-mdSIDredacted

But, from the MD server, if I issue the same command, I get this:

# net rpc trustdom list -Umdadmin
Password:
Trusted domains list:

MAIN             S-1-5-21-LocalSIDredacted
MA                S-1-5-21-maSIDredacted
LA                 S-1-5-21-laSIDredacted
none

Trusting domains list:

[2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
  Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED

I have been unable to find anything on the net that details the LDAP
entries for interdomain trust accounts.  I do not know if a single
LDAP dn can be used to establish the trust in both directions or if I
need two for each link in the mesh.  If anyone could post examples of
working LDAP accounts used for interdomain trust purposes I would be
tremendously grateful!

Thanks,
--Charlie
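An added consistency check, not part of Charlie's post and not Samba's own tooling: a POSIX shell script that parses the two `net rpc trustdom list` listings quoted above and reports, for one pair of domains, which direction of the trust the two DCs disagree on or could not enumerate. The two listings are embedded as constructed sample data copied from the post (on a real DC you would capture them with `net rpc trustdom list -U<admin>` on each side); the function names `trustdom_section`, `has_name` and `check_trust` are this script's own.

```shell
#!/bin/sh
# Compare the trust view of two Samba 3 domain controllers.
# "Trusted domains list"  = domains this DC trusts (outgoing trust)
# "Trusting domains list" = domains that trust this DC (incoming trust)
# A two-way trust MAIN<->MD is consistent only when each DC's outgoing
# entry matches the other DC's incoming entry.

# Constructed sample: `net rpc trustdom list` as run on the MAIN DC
MAIN_OUT=$(cat <<'EOF'
Trusted domains list:

LA              S-1-5-21-laSIDredacted
MD             S-1-5-21-mdSIDredacted
MA             S-1-5-21-maSIDredacted
none

Trusting domains list:

MAIN             S-1-5-21-LocalSIDredacted
MA                S-1-5-21-maSIDredacted
LA                 S-1-5-21-laSIDredacted
MD                S-1-5-21-mdSIDredacted
EOF
)

# Constructed sample: the same command as run on the MD DC
MD_OUT=$(cat <<'EOF'
Trusted domains list:

MAIN             S-1-5-21-LocalSIDredacted
MA                S-1-5-21-maSIDredacted
LA                 S-1-5-21-laSIDredacted
none

Trusting domains list:

[2008/05/07 16:35:35, 0] utils/net_rpc.c:rpc_trustdom_list(6208)
  Couldn't enumerate accounts. Error was: NT_STATUS_ACCESS_DENIED
EOF
)

# trustdom_section trusted|trusting : read trustdom output on stdin and
# print one domain name per line from that section.  Only "NAME SID"
# rows count, so "none", blank lines and Samba log lines are skipped.
trustdom_section() {
    awk -v want="$1" '
        /^Trusted domains list:/  { sec = "trusted";  next }
        /^Trusting domains list:/ { sec = "trusting"; next }
        sec == want && NF >= 2 && $2 ~ /^S-1-5-21-/ { print $1 }'
}

# has_name LIST NAME : succeed if NAME is a line of the newline-separated LIST
has_name() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_trust LOCAL LOCAL_OUT REMOTE REMOTE_OUT
# Prints one line per inconsistency and returns 1; prints nothing and
# returns 0 when both DCs agree that a two-way trust exists.
check_trust() {
    local_dom=$1; local_out=$2; remote_dom=$3; remote_out=$4
    local_trusted=$(printf '%s\n' "$local_out"   | trustdom_section trusted)
    local_trusting=$(printf '%s\n' "$local_out"  | trustdom_section trusting)
    remote_trusted=$(printf '%s\n' "$remote_out" | trustdom_section trusted)
    remote_trusting=$(printf '%s\n' "$remote_out" | trustdom_section trusting)
    rc=0
    # An enumeration error means the remote side's incoming list is
    # unknown, not empty: report it separately so it is not misread.
    if printf '%s\n' "$remote_out" | grep -q 'NT_STATUS_ACCESS_DENIED'; then
        echo "$remote_dom: trust enumeration failed with NT_STATUS_ACCESS_DENIED"
        rc=1
    fi
    # outgoing: LOCAL trusts REMOTE  <=>  REMOTE lists LOCAL as trusting it
    has_name "$local_trusted" "$remote_dom" ||
        { echo "$local_dom does not trust $remote_dom"; rc=1; }
    has_name "$remote_trusting" "$local_dom" ||
        { echo "$remote_dom does not list $local_dom as trusting it"; rc=1; }
    # incoming: REMOTE trusts LOCAL  <=>  LOCAL lists REMOTE as trusting it
    has_name "$remote_trusted" "$local_dom" ||
        { echo "$remote_dom does not trust $local_dom"; rc=1; }
    has_name "$local_trusting" "$remote_dom" ||
        { echo "$local_dom does not list $remote_dom as trusting it"; rc=1; }
    return $rc
}

# Usage on the sample data above
if check_trust MAIN "$MAIN_OUT" MD "$MD_OUT"; then
    echo "MAIN <-> MD: two-way trust consistent on both DCs"
else
    echo "MAIN <-> MD: trust is NOT consistent, see lines above"
fi
```

On the listings quoted in the post the script reports two findings for the MAIN/MD pair: MD could not enumerate its trust accounts at all, and consequently MD does not show MAIN as a trusting domain, while every other direction of the trust checks out. Keeping the enumeration failure as its own finding matters because an empty "Trusting domains list" after NT_STATUS_ACCESS_DENIED says nothing about whether the incoming trust accounts exist in LDAP; it only says the account used for the query could not read them.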

