[Samba] Create Domain Trust Help Samba-4.3.2

Bob Thomas bthomas at cybernetics.com
Fri Dec 11 15:41:06 UTC 2015

First, Thank you all for this forum, as I am fairly new at both Ubuntu 
and Samba I have found most the answers to my issues here.

Now correct me if I am wrong but Samba 4.3.2 should be able to support 
Domain Trusts. If so maybe you can help me, here is what I have:

NT4 Domain: adc.com (Holds are production servers and user accounts for 
that domain)

     Controller = enterprise.abc.com

Samba Domain: cy.abc.biz
     Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I 

     Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz

I can ping "enterprise" from both samba controllers and I can ping "pdc" 
and "sdc" from enterprise.

The two problems I have are first I am unable to create an Inter-domain 
Trust Account:

root at PDC:/etc# net rpc trustdom add ABC password -U bthomas
Enter bthomas's password:
Could not set trust account password: NT_STATUS_ACCESS_DENIED

and second with samba-tool I get:

root at PDC:~# samba-tool domain trust create ABC -U bthomas
LocalDomain Netbios[CY] DNS[cy.abc.biz] 
ERROR: Failed to find a writeable DC for domain 'ABC'

Here is may smb.conf file:

# Global parameters
         workgroup = CY
         realm = CY.ABC.BIZ
         server role = active directory domain controller
         security = USER
         passdb backend = samba_dsdb
         os level = 65
         preferred master = Yes
         domain master = Yes
         wins support = Yes
         winbind nss info = rfc2307
         allow dns updates = nonsecure and secure
         dns forwarder =
         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap config cy:range = 10000-29999
         idmap config cy:schema_mode = rfc2307
         idmap config cy:backend = ad
         idmap config *:range = 5000-9999
         kccsrv:samba_kcc = false
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         map readonly = no
         store dos attributes = Yes
         vfs objects = dfs_samba4 acl_xattr

         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
         read only = No

         path = /var/lib/samba/sysvol
         read only = No


My ultimate goal is to move totally off the NT Domain and onto the 
Samba-AD-DC but I need the trust established first so I can go step by 
test moving 18 productions servers one at a time so it can be tested.  I 
feel it would be too risky to move everything at once.

Any help to get me going in the right direction would be greatly 

Bob Thomas

More information about the samba mailing list