[Samba] Interdomain Trust between Samba3 and 2000 AD

Alex Ferrara alex at receptiveit.com.au
Mon Oct 12 06:41:05 MDT 2009

I am having some trouble creating a two-way domain trust account  
between Samba3 and Windows 2000 Server.

The Windows 2000 server is an AD domain controller, and my Samba 3  
server has an LDAP backend and is running on Ubuntu 9.04 64bit. Samba  
3 is acting as the WINS server, and the Windows server has been  
pointed to the samba server for WINS in the TCP/IP settings on the  
network adapter.

I have created the interdomain trust accounts on the Linux side by  
issuing the following commands.

 > net rpc trustdom add W2KDOMAIN password -Uroot
Enter root's password:********
 > net rpc trustdom add SAMBADOMAIN password -S W2KSERVER -U  
Enter administrator's password:********
[2009/10/12 13:46:15,  0] utils/net_rpc.c:rpc_trustdom_add_internals 
   Could not set trust account password: NT_STATUS_ACCESS_DENIED

After performing those commands, I can see that a user called w2kdomain$
has been created in LDAP, and a user called SAMBADOMAIN$ has been
created in Active Directory. Since the error message concerning the
trust password appeared, I will manually change the password of the
user sambadomain$ in AD Users and Computers.

At this stage, if I execute

 > net rpc trustdom list
Enter root's password:
Trusted domains list:


Trusting domains list:

Unable to find a suitable server for domain W2KDOMAIN
domain controller is not responding: NT_STATUS_UNSUCCESSFUL

If I go into AD Domains and Trusts on the Windows server, and create a  
"Domains trusted by this domain", it works as advertised.  At this  
point I seem to be able to connect to shares located on the windows  
domain from computers on the samba domain.

If I create a "Domains that trust this domain", ask it to verify the  
trust and supply the samba root password, I get a message that "Active  
Directory cannot verify the trust" blah blah "The error returned was:  
The specified domain either does not exist or could not be contacted"

That error implies that the Windows server does not know how to  
contact the samba domain controller, but if I go to a command prompt  
and run "net view /domain:SAMBADOMAIN", it shows the domain, and the  
samba domain controller.

I am a little unsure as to how to proceed. I am sure the documentation  
out there will make complete sense once I figure it out, but at the  
moment, I am struggling.

Any help would be appreciated.
