[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL

Douglas Phillipson phillipd at oem.doe.gov
Mon Oct 11 10:53:54 MDT 2010


I'm trying to establish a two way non-transitive trust between a W2003 
A/D box and our SAMBA domain.

We are using smbldap so we can log in on any of the linux boxes with the 
same passwd.
Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and 
Trusts but on the Linux side I'm not sure if I need to put the machine 
account locally in smb passwd or use the smbldap passwd on the LDAP 
server.  Has anyone done this before?

For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several times, putting the machine account both in the local file 
and in the LDAP passwd file, but it just doesn't work.  I've got the Samba 3 
HowTo book and tried lots of googled suggestions but still can't seem to 
make this work.  Any suggestions are appreciated.  Is there an easier 
way to do this?  My end result is to map a share on the SAMBA server 
from a WinXP client computer that's in a W2003 domain without having to 
type in a Linux username/password.

Thanks for your time and suggestions!
Doug P

My smb.conf [global]
--------------------------------------------------------------------------------------------------------------------------------------------------
[global]
# Review notes (added as comments only; no option values changed).
# This is a classic NT4-style PDC for LECN (security = USER, domain logons = Yes,
# realm empty, no Kerberos). Several option lines below appear to have been
# wrapped or joined by the mail client ("passwd chat", "check password script",
# the smbldap group scripts, "invalid users", "hosts allow", and the lines that
# carry two options each: "use sendfile"/"max reported print jobs" and
# "preexec close"/"available"). In the real smb.conf every option must be on its
# own line, so confirm those against the file itself before trusting this paste.
         dos charset = CP850
         unix charset = UTF-8
         display charset = LOCALE
         workgroup = LECN
         realm =
         netbios name = RSL-PDC1
         netbios aliases =
         netbios scope =
         server string = Primary RSL Samba Server
         interfaces =
         bind interfaces only = No
         security = USER
         auth methods =
         encrypt passwords = Yes
         update encrypted = No
         client schannel = Auto
         server schannel = Auto
# allow trusted domains = Yes is required for users of the trusted WECN domain
# to be accepted once the interdomain trust exists.
         allow trusted domains = Yes


         map to guest = Never
         null passwords = No

         obey pam restrictions = Yes
         password server = *
# NOTE(review): "smb passwd file" is not the account store in use here; the
# passdb backend below is ldapsam, so account lookups - including the
# interdomain trust account for WECN - are served from LDAP. Creating the trust
# on this side with "net rpc trustdom add" writes the trust account through this
# backend, i.e. into LDAP, not into /etc/samba/smbpasswd.
         smb passwd file = /etc/samba/smbpasswd
         private dir = /etc/samba
         passdb backend = ldapsam:"ldap://127.0.0.1"
         algorithmic rid base = 1000
         root directory =
         guest account = smbguest

         passwd chat debug = No
         passwd program = /usr/sbin/smbldap-passwd -u %u
# The next two lines are one wrapped option; the stray quote at the end of the
# continuation is most likely a mail artefact - verify in the real file.
         passwd chat = "Changing UNIX password for*\nNew password*" %n\n 
"*Retype new password*" %n\n"
         passwd chat timeout = 2
         check password script = /usr/sbin/crackcheck -c -d  
/usr/lib/cracklib_dict
         username map =
         password level = 0
         username level = 0
         unix password sync = Yes
# lanman auth = No is good. ntlm auth = Yes means the server still accepts
# NTLMv1 responses; only the client side is pinned to NTLMv2 ("client NTLMv2
# auth = Yes"). The commented-out "ntlm auth = No" suggests refusing NTLMv1 was
# tried; it only works once every client (and the trusted AD side) sends NTLMv2.
         ntlm auth = Yes
         restrict anonymous = Yes
         lanman auth = No
         ;ntlm auth = No
         client NTLMv2 auth = Yes
         client lanman auth = No
         client plaintext auth = No
         preload modules =
         use kerberos keytab = No

# Per-client logs (%m) at level 3 are useful for diagnosing the trust setup:
# check the log named after the W2003 DC / XP client when the mapping fails.
         log level = 3 vfs:1
         syslog = 0
         syslog only = No
         log file = /var/log/samba/%m.log
         max log size = 500000
         debug timestamp = Yes
         debug hires timestamp = No
         debug pid = No
         debug uid = No
# Only the NetBIOS session port is served; port 445 is not listened on.
         smb ports = 139
         large readwrite = Yes
         max protocol = NT1
         min protocol = CORE
         read bmpx = No
         read raw = Yes
         write raw = Yes
         disable netbios = No
         acl compatibility =
         defer sharing violations = Yes
         nt pipe support = Yes
         nt status support = Yes
         announce version = 4.9
         announce as = NT
         max mux = 50
         max xmit = 65535
         name resolve order = wins hosts bcast
         max ttl = 259200
         max wins ttl = 518400
         min wins ttl = 21600
         time server = Yes
# unix extensions = Yes lets SMB clients create symlinks on shares; see the
# "wide links" note further down.
         unix extensions = Yes
         use spnego = Yes
         client signing = auto
# NOTE(review): SMB signing is disabled server-side, so sessions to this domain
# controller get no integrity protection even from clients that support it.
# "server signing = auto" (or mandatory) is the safer choice for a PDC.
         server signing = No
         client use spnego = Yes
         ;change notify timeout = 60
         deadtime = 15
         getwd cache = Yes
         keepalive = 300
         kernel change notify = Yes
         lpq cache time = 30
         max smbd processes = 0
         paranoid server security = Yes
         max disk size = 0
         max open files = 10000
         socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
         use mmap = Yes
         hostname lookups = No
         name cache timeout = 660
         load printers = Yes
         printcap cache time = 0
         printcap name = cups
         cups server =
         disable spoolss = No
         enumports command =
         addprinter command =
         deleteprinter command =
         show add printer wizard = Yes
         os2 driver map =
         mangling method = hash2
         mangle prefix = 1
         stat cache = Yes
         machine password timeout = 604800
         add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
         delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
         add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
# The smbldap group script options below were wrapped in the mail; each is a
# single line in the real file.
         delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl 
-p '%g'
         add user to group script = 
/var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
         delete user from group script = 
/var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
         set primary group script = 
/var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
         add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
         shutdown script =
         abort shutdown script =
         logon script = logon.bat
         logon path = \\%L\Profiles\%U
         logon drive = H:
         logon home = \\%L\%U
         domain logons = Yes
         os level = 65
         lm announce = Auto
         lm interval = 60
         preferred master = Yes
         local master = Yes
# NOTE(review): domain master = No on a host that serves domain logons. The
# Samba 3 HOWTO expects the PDC to be the domain master browser - confirm this
# is intentional (e.g. another machine deliberately holds that role).
         domain master = No
         browse list = Yes
         enhanced browsing = Yes
         dns proxy = No
         wins proxy = No
         wins server = 172.30.10.107
         wins support = No
         wins hook =
         ;wins partners =
         kernel oplocks = Yes
         ;lock spin count = 3
         lock spin time = 10
         oplock break wait time = 0
# The bind password for this admin DN is expected to live in secrets.tdb in the
# private dir (set with "smbpasswd -w"), so keep that directory root-only.
         ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
         ldap delete dn = No
         ;ldap filter = (uid=%u)
         ldap group suffix = ou=Groups
         ldap idmap suffix = ou=Idmap
         ldap machine suffix = ou=Computers
         ldap passwd sync = yes
         ldap replication sleep = 1000
         ldap suffix = dc=oem,dc=doe,dc=gov
# STARTTLS to the loopback LDAP server: fine; keep it if the URL ever changes
# to a remote host.
         ldap ssl = start tls
         ldap timeout = 15
         ldap user suffix = ou=People
         add share command =
         change share command =
         delete share command =
         config file =
         preload =
         lock directory = /var/cache/samba
         pid directory = /var/run
         utmp directory =
         wtmp directory =
         utmp = Yes
         default service =
         message command =
         dfree command =
         get quota command =
         set quota command =
         remote announce =
         remote browse sync =
         socket address = 0.0.0.0
         homedir map = auto.home
         afs username map =
         time offset = 0
         NIS homedir = No
         panic action =
         host msdfs = No
         #enable rid algorithm = Yes
# idmap settings are what winbindd uses to give WECN (trusted-domain) users
# local uids/gids in 10000-20000; winbindd must be running for the trust to be
# usable from the Linux side - presumably it is, verify with "wbinfo".
         idmap backend = ldap://127.0.0.1
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template homedir = /home/%D/%U
         template shell = /bin/false
         #winbind separator = \
         winbind cache time = 300
         ;winbind enable local accounts = No
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = No
         winbind trusted domains only = No
         winbind nested groups = No
         comment =
         path =
         username =
# "invalid users" was wrapped in the mail; one line in the real file.
         invalid users = bin daemon adm sync shutdown halt mail news 
uucp operator gopher nobody smbguest
         valid users =
# NOTE(review): admin users in [global] applies to every share, and everything
# that user does is performed as root. Confirm this is meant to be global rather
# than set on the specific shares that need it.
         admin users = root
         read list =
         write list =
         ;printer admin =
         force user =
         force group =
         read only = Yes
         create mask = 0744
         force create mode = 00
         security mask = 0777
         force security mode = 00
         directory mask = 0755
         force directory mode = 00
         directory security mask = 0777
         force directory security mode = 00
         force unknown acl user = No
         inherit permissions = No
         inherit acls = No
         guest only = No
         guest ok = No
         #only user = No
# NOTE(review): per the smb.conf manual, where "hosts allow" and "hosts deny"
# conflict the allow list takes precedence. 172.30.20.0/24 and 172.20.20.0/24
# fall inside the allowed /16 ranges, so the deny entries are likely ineffective;
# express the exclusion with EXCEPT inside "hosts allow" instead (and test with
# a host from the denied range). "hosts allow" was also wrapped in the mail.
         hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 
172.20.0.0/16
         hosts deny = 172.30.20.0/24, 172.20.20.0/24
         ea support = No
         nt acl support = Yes
         profile acls = No
         map acl inherit = Yes
         afs share = No
         block size = 1024
         max connections = 0
         min print space = 0
         strict allocate = No
         strict sync = No
         sync always = No
# Two options on one line below (mail artefact); in the real file they are
# separate lines.
         use sendfile = No        max reported print jobs = 0
         max print jobs = 1000
         printable = No
         printing = cups
         cups options =
         print command =
         lpq command =
         lprm command =
         lppause command =
         lpresume command =
         queuepause command =
         queueresume command =
         printer name =
         use client driver = No
         default devmode = No
         force printername = No
         default case = lower
         case sensitive = Auto
         preserve case = Yes
         short preserve case = Yes
         mangling char = ~
         hide dot files = Yes
         hide special files = No
         hide unreadable = No
         hide unwriteable files = No
         delete veto files = No
         veto files =
         hide files =
         veto oplock files =
         map system = No
         map hidden = No
         map archive = Yes
         mangled names = Yes
         #mangled map =
         store dos attributes = No
         browseable = Yes
         blocking locks = Yes
         csc policy = manual
         fake oplocks = No
         locking = Yes
         oplocks = Yes
         level2 oplocks = Yes
         oplock contention limit = 2
         posix locking = Yes
         strict locking = No
         share modes = Yes
         #copy =
         #include =
         preexec =
# Two options on one line below (mail artefact); separate lines in the real file.
         preexec close = No        available = Yes
         volume =
         fstype = NTFS
         set directory = No
# NOTE(review): wide links = Yes makes the server follow symlinks that point
# outside a share's path, and unix extensions = Yes (above) lets SMB clients
# create symlinks themselves. Together these let a client reach files outside
# the share via a symlink it created; "wide links = No" is the safer default
# for shares with write access. Override per share if a specific share needs it.
         wide links = Yes
         follow symlinks = Yes
         dont descend =
         magic script =
         magic output =
         delete readonly = No
         dos filemode = No
         dos filetimes = No
         dos filetime resolution = No
         fake directory create times = No
         vfs objects =



