[Samba] Samba interdomain trust with Win2008 AD

Dilandau dilandau at gmail.com
Sat Oct 10 03:36:31 MDT 2009


I've been having some issues establishing a two-way interdomain trust
between a Samba server and a win2k8 Active Directory server. I've
established a trust password and object and was able to create a trust
relationship from the AD server to the Samba server, but I'm unable to from
the Samba server to the AD server.  The purpose of this is to enable ADMT to
migrate the user accounts over to AD. While I have been able to query the
LDAP backend via ldifde and import the users, it is only a last-resort
measure to do that. My aim is to bring the users over with the SID value
stored in the AD SIDHistory attribute.

(irrelevant details changed)

net rpc trustdom list -S sambasvr -Usuper

Trusted domains list:


Trusting domains list:

WIN2k8 S-1-5-21-954781686-2318084328-821430687

The issue is that, when trying to establish a trust from the Samba server
to the win2k8 server, I end up with:

net rpc trustdom establish WIN2K8

[2009/10/09 16:41:22, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine WIN2K8.
[2009/10/09 16:41:22, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
Couldn't not initialise wkssvc pipe

That is after it asks for the trust account password, which I provide
correctly. If I don't provide it correctly, it gives the error "password
incorrect", which says to me that it's authenticating correctly and can tell
the difference, but there is something else preventing the Samba server from
trusting the AD server. I'd give the version that I'm using, but I'm not able
to see that currently from where I am. It's a Samba 3 that is at least 3
years old.

If it is the version that is causing the issue, the next step I will take
is to extract the LDAP accounts into an LDIF file and use that file on
another, more recent release of Samba 3 on a server separate from the main
network, and attempt to establish the two-way trust relationship that way. I
can't fiddle too much with the original Samba/LDAP server due to it being a
critical server.

If I could be pointed in the right direction or advised on what might be the
cause of the error, it would be very much appreciated.

Ben W
