[Samba] Create Domain Trust Help Samba-4.3.2

Rowland penny rpenny at samba.org
Fri Dec 11 16:33:17 UTC 2015


On 11/12/15 15:41, Bob Thomas wrote:
> First, thank you all for this forum. As I am fairly new at both Ubuntu 
> and Samba, I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support 
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (holds our production servers and user accounts 
> for that domain)
>
>     Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
>     Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I 
> think):
>
>     Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping 
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are first I am unable to create an 
> Inter-domain Trust Account:
>
> ####
> root at PDC:/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second with samba-tool I get:
>
> #####
> root at PDC:~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz] 
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
>         workgroup = CY
>         realm = CY.ABC.BIZ
>         server role = active directory domain controller
>         security = USER
>         passdb backend = samba_dsdb
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         winbind nss info = rfc2307
>         allow dns updates = nonsecure and secure
>         dns forwarder = 10.157.1.178
>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, 
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap config cy:range = 10000-29999
>         idmap config cy:schema_mode = rfc2307
>         idmap config cy:backend = ad
>         idmap config *:range = 5000-9999
>         kccsrv:samba_kcc = false
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>         read only = No
>
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the 
> Samba-AD-DC, but I need the trust established first so I can go step by 
> step, moving 18 production servers one at a time so each can be tested.  
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly 
> appreciated.
>
> Bob Thomas
>

I think you are going about this the wrong way: you are trying to create 
a new AD domain and then set up trusts between your old NT4 domain and 
your new AD domain, correct?

I think you should be going down the classic-upgrade path instead, i.e. 
upgrade your original domain to an AD one. I take it all your users are 
in the NT domain; if so, and their computers see the new AD, they *will* 
not go back to the original NT P/BDC without a complete re-install.

See here for info about the classic-upgrade:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

Also, quite a lot of what you have added to your DCs' smb.conf shouldn't 
be there; I would suggest that you put it back to what it was after the 
provision.

I hope you are doing this in a test environment.

Rowland
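As an added example (not part of this thread and not Samba's own tooling), the following Python script does the comparison Rowland is asking for: it parses an smb.conf and lists every [global] parameter that is not among the ones `samba-tool domain provision` writes, plus any provision parameter that is missing. The baseline key set is an assumption based on a typical Samba 4.x provision output; check it against your own post-provision backup. The sample input is the poster's configuration from this thread, embedded inline, with the line-wrapped `server services` value rejoined.

```python
import re

# Constructed sample input: the poster's smb.conf from this thread, with the
# wrapped "server services" value rejoined onto one line.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        workgroup = CY
        realm = CY.ABC.BIZ
        server role = active directory domain controller
        security = USER
        passdb backend = samba_dsdb
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        winbind nss info = rfc2307
        allow dns updates = nonsecure and secure
        dns forwarder = 10.157.1.178
        server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config cy:range = 10000-29999
        idmap config cy:schema_mode = rfc2307
        idmap config cy:backend = ad
        idmap config *:range = 5000-9999
        kccsrv:samba_kcc = false
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

[netlogon]
        path = /var/lib/samba/sysvol/cy.abc.biz/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# Assumed baseline: the [global] parameters a plain Samba 4.x
# "samba-tool domain provision" writes for an AD DC. Verify against your
# own post-provision copy before relying on it.
PROVISION_GLOBAL_KEYS = {
    "workgroup", "realm", "netbios name", "server role",
    "dns forwarder", "idmap_ldb:use rfc2307",
}


def normalize_key(key):
    """Samba parameter names are case-insensitive and whitespace around the
    ':' in "module:option" names is ignored, so "idmap config * : backend"
    and "idmap config *:backend" are the same parameter."""
    key = key.strip().lower()
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Return {section: {normalized key: value}} for an smb.conf body."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def non_provision_globals(sections):
    """[global] parameters that provision did not write (candidates to remove)."""
    return sorted(k for k in sections.get("global", {}) if k not in PROVISION_GLOBAL_KEYS)


def missing_provision_globals(sections):
    """Provision-written [global] parameters absent from this config."""
    return sorted(PROVISION_GLOBAL_KEYS - set(sections.get("global", {})))


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("Parameters not written by provision:")
    for k in non_provision_globals(conf):
        print("   ", k, "=", conf["global"][k])
    print("Provision parameters missing:", missing_provision_globals(conf))
```

Run against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`. Everything the script lists is a parameter the poster added by hand; most of the `rpc_server:*`, `idmap config`, `os level`/`domain master`/`wins support` and `server services` lines are the kind of thing Rowland means, and `netbios name` showing up as missing is worth noting since provision normally sets it.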



