[Samba] Interdomain Trust between Samba3 and 2000 AD

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Oct 12 09:58:03 MDT 2009

Is your domain controller in mixed mode? (i.e. for backward
compatibility with NT4 machines?) I am not 100% certain, but I think
this is required. From the perspective of a Windows machine, Samba is
an NT4 server. I have had limited success with trusts with a Win
2003 AD DC that was in mixed mode. I was not able to set up trusts with a
Win 2008 DC in "2003" mode (i.e. support for Win 2003 but not for

On Mon, Oct 12, 2009 at 8:41 AM, Alex Ferrara <alex at receptiveit.com.au> wrote:
> I am having some trouble creating a two-way domain trust account between
> Samba3 and Windows 2000 Server.
> The Windows 2000 server is an AD domain controller, and my Samba 3 server
> has an LDAP backend and is running on Ubuntu 9.04 64-bit. Samba 3 is acting
> as the WINS server, and the Windows server has been pointed to the Samba
> server for WINS in the TCP/IP settings on the network adapter.
> I have created the interdomain trust accounts on the Linux side by issuing
> the following commands.
>> net rpc trustdom add W2KDOMAIN password -Uroot
> Enter root's password:********
>> net rpc trustdom add SAMBADOMAIN password -S W2KSERVER -U administrator
> Enter administrator's password:********
> [2009/10/12 13:46:15,  0] utils/net_rpc.c:rpc_trustdom_add_internals(5277)
>  Could not set trust account password: NT_STATUS_ACCESS_DENIED
> Once performing those commands, I can see that a user called w2kdomain$ has
> been created in LDAP, and a user called SAMBADOMAIN$ has been created in
> active directory. Since the error message concerning the trust password
> appeared, I will manually change the password of the user sambadomain$ in AD
> Users and Computers.
> At this stage, if I execute
>> net rpc trustdom list
> Enter root's password:
> Trusted domains list:
> none
> Trusting domains list:
> Unable to find a suitable server for domain W2KDOMAIN
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> If I go into AD Domains and Trusts on the Windows server, and create a
> "Domains trusted by this domain", it works as advertised.  At this point I
> seem to be able to connect to shares located on the Windows domain from
> computers on the Samba domain.
> If I create a "Domains that trust this domain", ask it to verify the trust
> and supply the Samba root password, I get a message that "Active Directory
> cannot verify the trust" blah blah "The error returned was: The specified
> domain either does not exist or could not be contacted"
> That error implies that the Windows server does not know how to contact the
> Samba domain controller, but if I go to a command prompt and run "net view
> /domain:SAMBADOMAIN", it shows the domain, and the Samba domain controller.
> I am a little unsure as to how to proceed. I am sure the documentation out
> there will make complete sense once I figure it out, but at the moment, I am
> struggling.
> Any help would be appreciated.
