[Samba] Create Domain Trust Help Samba-4.3.2
Rowland penny
rpenny at samba.org
Fri Dec 11 16:33:17 UTC 2015
On 11/12/15 15:41, Bob Thomas wrote:
> First, thank you all for this forum; as I am fairly new at both Ubuntu
> and Samba I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (Holds our production servers and user accounts
> for that domain)
>
> Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
> think):
>
> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are: first, I am unable to create an
> Inter-domain Trust Account:
>
> ####
> root at PDC:/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second with samba-tool I get:
>
> #####
> root at PDC:~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz]
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
> workgroup = CY
> realm = CY.ABC.BIZ
> server role = active directory domain controller
> security = USER
> passdb backend = samba_dsdb
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> winbind nss info = rfc2307
> allow dns updates = nonsecure and secure
> dns forwarder = 10.157.1.178
> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config cy:range = 10000-29999
> idmap config cy:schema_mode = rfc2307
> idmap config cy:backend = ad
> idmap config *:range = 5000-9999
> kccsrv:samba_kcc = false
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
> read only = No
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the
> Samba-AD-DC, but I need the trust established first so I can go step by
> step, moving 18 production servers one at a time so each can be tested.
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly
> appreciated.
>
> Bob Thomas
>
I think you are going about this the wrong way: you are trying to create
a new AD domain and then set up trusts between your old NT4 domain and
your new AD domain, correct?
I think you should be going down the classic-upgrade path instead, i.e.
upgrade your original domain to an AD one. I take it all your users are
in the NT domain; if so, and their computers see the new AD, they *will*
not go back to the original NT P/BDC without a complete re-install.
See here for info about the classic-upgrade:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
Also, quite a lot of what you have added to your DC's smb.conf shouldn't
be there; I would suggest that you put it back to what it was after the
provision.
I hope you are doing this in a test environment.
Rowland
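One way to act on that last point, as an added example that is not from the thread or from the Samba project: a small Python check that parses an smb.conf and lists the [global] parameters a default provision would not have written, so each extra can be reviewed before it is kept. The provision baseline is an assumption (what `samba-tool domain provision` writes by default, which varies by version), and the input is an excerpt of the config posted above.

```python
# Baseline of [global] parameters a default `samba-tool domain provision`
# writes (an assumption for this example; check it against a fresh provision).
PROVISIONED_GLOBAL = {"workgroup", "realm", "netbios name", "server role",
                      "dns forwarder", "idmap_ldb:use rfc2307"}

def normalise(key):
    """Lowercase and drop spaces around ':' (Samba ignores them in names)."""
    return ":".join(part.strip() for part in key.lower().split(":"))

def parse_smb_conf(text):
    """Return {section: {param: value}}; a line with no '=' that is not a
    section header continues the previous value (mail-wrapped lines)."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            last_key = None
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            last_key = normalise(key)
            sections[current][last_key] = value.strip()
        elif current is not None and last_key is not None:
            sections[current][last_key] += " " + line
    return sections

def extra_global_params(text):
    """Sorted [global] parameters that the provision baseline did not write."""
    conf = parse_smb_conf(text)
    return sorted(k for k in conf.get("global", {}) if k not in PROVISIONED_GLOBAL)

# Excerpt of the [global] section posted in the thread (not the whole file).
POSTED_EXCERPT = """\
[global]
workgroup = CY
realm = CY.ABC.BIZ
server role = active directory domain controller
security = USER
passdb backend = samba_dsdb
server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap config cy:backend = ad
idmap config * : backend = tdb
idmap_ldb:use rfc2307 = yes
"""

print("review before keeping:", extra_global_params(POSTED_EXCERPT))
```

For a real DC, pass the contents of its smb.conf to extra_global_params and compare the output against a file written by a fresh provision on the same Samba release.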