[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL
Douglas Phillipson
phillipd at oem.doe.gov
Mon Oct 11 10:53:54 MDT 2010
I'm trying to establish a two way non-transitive trust between a W2003
A/D box and our SAMBA domain.
We are using smbldap so we can log in on any of the Linux boxes with the
same password.
Samba is version 3.0.33 on Redhat Enterprise.
It's easy to create the trust on the Windows side with AD Domains and
Trusts but on the Linux side I'm not sure if I need to put the machine
account locally in smb passwd or use the smbldap passwd on the LDAP
server. Has anyone done this before?
For the sake of example:
My windows A/D domain is WECN
My Linux Domain is LECN
I've tried putting the machine account both in the local file and in the
LDAP passwd file, but it just doesn't work. I've got the Samba 3
HowTo book and tried lots of googled suggestions but still can't seem to
make this work. Any suggestions are appreciated. Is there an easier
way to do this? My end result is to map a share on the SAMBA server
from a WinXP client computer that's in a W2003 domain without having to
put in a Linux username/password.
Thanks for your time and suggestions!
Doug P
My smb.conf [global]
--------------------------------------------------------------------------------------------------------------------------------------------------
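[global]
# smb.conf [global] section as posted. It appears to be a full parameter
# dump (testparm -v style): defaults are listed alongside explicit settings.
# Values that the mail client wrapped or merged have been put back to one
# parameter per line; smbd ignores "badly formed" continuation lines and
# would otherwise take e.g. "No max reported print jobs = 0" as one value.
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
# NT4-style Samba domain; the Windows AD domain on the other end of the
# trust is WECN.
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
# Users are authenticated against the local passdb (see passdb backend).
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
# Needed for an interdomain trust: logons from trusted domains are accepted.
allow trusted domains = Yes
# Failed logons are never downgraded to guest access.
map to guest = Never
null passwords = No
obey pam restrictions = Yes
password server = *
# NOTE(review): with passdb backend = ldapsam below, this smbpasswd file is
# not the active account store. Interdomain trust accounts are created with
# 'net rpc trustdom add' / 'net rpc trustdom establish' and go through the
# passdb backend (LDAP), not this file — confirm with 'pdbedit -L'.
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
# Accounts live in LDAP on the loopback interface (StartTLS, see ldap ssl).
passdb backend = ldapsam:"ldap://127.0.0.1"
algorithmic rid base = 1000
root directory =
guest account = smbguest
passwd chat debug = No
# Password changes are pushed to LDAP through the smbldap tools.
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict
username map =
password level = 0
username level = 0
unix password sync = Yes
# NTLMv1 is still accepted (ntlm auth = Yes); the commented line further
# down suggests the stricter value was tried. NOTE(review): the W2003 trust
# may still depend on NTLM — verify before disabling it. LM authentication
# is off on both the server and client side.
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No
log level = 3 vfs:1
syslog = 0
syslog only = No
# One log per client machine (%m); handy when tracing the trust handshake.
log file = /var/log/samba/%m.log
max log size = 500000
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
# Only NetBIOS-over-TCP (139) is served; direct-hosted SMB on 445 is not.
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
# NOTE(review): clients are not required to sign SMB traffic
# (server signing = No), which leaves sessions open to in-network
# tampering; consider 'auto' or 'mandatory' once client compatibility is
# checked.
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
# User, group and machine accounts are provisioned in LDAP by the smbldap
# scripts; machine accounts (add machine script) are created on domain join.
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl -p '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script =
abort shutdown script =
logon script = logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
# This server acts as the PDC for LECN.
domain logons = Yes
os level = 65
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
# NOTE(review): domain master = No on a PDC is unusual; the Samba HOWTO sets
# it to Yes on the domain's PDC — confirm this is intended.
domain master = No
browse list = Yes
enhanced browsing = Yes
dns proxy = No
wins proxy = No
# External WINS server; name resolve order above consults WINS first.
wins server = 172.30.10.107
wins support = No
wins hook =
;wins partners =
kernel oplocks = Yes
;lock spin count = 3
lock spin time = 10
oplock break wait time = 0
# Bind DN for directory writes. Its password is expected in secrets.tdb
# (set with 'smbpasswd -w'), never in this file.
ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
ldap delete dn = No
;ldap filter = (uid=%u)
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap replication sleep = 1000
ldap suffix = dc=oem,dc=doe,dc=gov
# StartTLS on the loopback LDAP connection.
ldap ssl = start tls
ldap timeout = 15
ldap user suffix = ou=People
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/cache/samba
pid directory = /var/run
utmp directory =
wtmp directory =
utmp = Yes
default service =
message command =
dfree command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
time offset = 0
NIS homedir = No
panic action =
host msdfs = No
#enable rid algorithm = Yes
# idmap/winbind: users and groups from trusted domains (e.g. WECN) are
# mapped into the uid/gid ranges below and stored under ou=Idmap in LDAP.
# NOTE(review): winbindd presumably has to be running for WECN users to
# reach a share without a Linux account — verify it is started.
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
# Mapped domain users get no interactive shell.
template shell = /bin/false
#winbind separator = \
winbind cache time = 300
;winbind enable local accounts = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
# Default values for share parameters follow (no share sections are shown).
comment =
path =
username =
invalid users = bin daemon adm sync shutdown halt mail news uucp operator gopher nobody smbguest
valid users =
# NOTE(review): a global admin users entry applies to every share and
# performs that user's file operations as root — keep it to the minimum.
admin users = root
read list =
write list =
;printer admin =
force user =
force group =
read only = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
guest only = No
guest ok = No
#only user = No
# NOTE(review): the two hosts deny /24s sit inside /16s listed in hosts
# allow. In Samba's access check a host that matches hosts allow is
# admitted before hosts deny is consulted, so those denies appear to have
# no effect; to exclude them use the EXCEPT keyword in hosts allow, e.g.
# hosts allow = ... 172.30.0.0/16 172.20.0.0/16 EXCEPT 172.30.20.0/24 172.20.20.0/24
# — verify with testparm.
hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 172.20.0.0/16
hosts deny = 172.30.20.0/24, 172.20.20.0/24
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = Yes
afs share = No
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options =
print command =
lpq command =
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = No
force printername = No
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = Yes
mangled names = Yes
#mangled map =
store dos attributes = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = No
share modes = Yes
#copy =
#include =
preexec =
preexec close = No
available = Yes
volume =
fstype = NTFS
set directory = No
# NOTE(review): wide links = Yes lets a symlink inside a share resolve to a
# path outside the share; unless that is required, wide links = No is the
# safer setting.
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = No
dos filetime resolution = No
fake directory create times = No
vfs objects =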