[Samba] Create Domain Trust Help Samba-4.3.2

Bob Thomas bthomas at cybernetics.com
Mon Dec 14 15:36:43 UTC 2015

On 11/12/15 15:41, Bob Thomas wrote:
> First, Thank you all for this forum, as I am fairly new at both Ubuntu
> and Samba I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (Holds our production servers and user accounts
> for that domain)
>
> Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
> think):
>
> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are first I am unable to create an
> Inter-domain Trust Account:
>
> ####
> root@PDC:/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second with samba-tool I get:
>
> #####
> root@PDC:~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz]
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
> workgroup = CY
> realm = CY.ABC.BIZ
> server role = active directory domain controller
> security = USER
> passdb backend = samba_dsdb
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> winbind nss info = rfc2307
> allow dns updates = nonsecure and secure
> dns forwarder =
> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config cy:range = 10000-29999
> idmap config cy:schema_mode = rfc2307
> idmap config cy:backend = ad
> idmap config *:range = 5000-9999
> kccsrv:samba_kcc = false
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
> read only = No
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the
> Samba-AD-DC but I need the trust established first so I can go step by
> step moving 18 production servers one at a time so it can be tested.
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly
> appreciated.
>
> Bob Thomas
>
I think you are going about this the wrong way, you are trying to create
a new AD domain and then set up trusts between your old NT4 domain and
your new AD domain, correct?

I think you should be going down the classic-upgrade path instead i.e.
upgrade your original domain to an AD one. I take it all your users are
in the NT domain, if so and their computers see the new AD, they *will*
not go back to the original NT P/BDC, without a complete re-install.

See here for info about the classic-upgrade:

Also, quite a lot of what you have added to your DCs smb.conf shouldn't
be there, I would suggest that you put it back to what it was after the

I hope you are doing this in a test environment.
Thank You for the quick response. I am not sure how to post added info or answers here, I tried twice posting a reply at http://www.eenyhelp.com Friday on the subject and verified it.  I got the notice that the update would be posted in about an hour but -- nothing.  I tried again this morning and still nothing. Is that the correct place to post updates?

As for my Issue,

You are correct, I am trying to create a new AD domain and then set up trusts between your old NT4 domain and your new AD domain.

I have looked into the classic-upgrade but not sure it will work for me because my old domain is an MS NT4 domain, not Samba.  Not to mention, the accounts have been neglected for years and I really don't want to transfer the mess into AD.

As for my smb.conf, my mistake - I posted the output of testparm and not the actual config, which is below. If you have any recommended changes please advise:

         [global]
         workgroup = CY
         realm = CY.ABC.BIZ
         netbios name = SDC
         server role = active directory domain controller
         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         allow dns updates = nonsecure
         dns forwarder =

         security = user

         kccsrv:samba_kcc = false

         wins support = true

         idmap config *:backend = tdb
         idmap config *:range = 5000-9999
         idmap config CY:backend = ad
         idmap config CY:schema_mode = rfc2307
         idmap config CY:range = 10000-29999

         # Use home directory and shell information from AD
         winbind nss info = rfc2307

         [netlogon]
         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
         read only = No

         [sysvol]
         path = /var/lib/samba/sysvol
         read only = No

As for the test environment, I have been testing for over two months with the Ubuntu repository Samba version 4.1.6, but just recently upgraded to 4.3.2 hoping I could get the trust relationship working.  The MS NT4 domain is our production domain and I am not sure I could duplicate it in a test environment.  So I would like to gradually move Samba into production, using the domain trust so I can test things as they are moved over.

So back to my original question, is it possible to create the trust between Samba-AD 4.1.6 and an MS NT4 domain?  If so, how?

Thanks again,
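The reply above says that much of what is in the DC's smb.conf "shouldn't be there". The following is an added example, not code from this thread or from the Samba project: a small static checker that parses an smb.conf in the form posted above and reports the settings a reviewer would look at first. The parameter names are real smb.conf parameters; which conditions count as findings (unauthenticated DNS updates, an empty forwarder, overlapping idmap ranges, a key set twice in one section) is this example's own policy, and SAMPLE_SMB_CONF is a constructed copy of the posted configuration with its [global]/[netlogon]/[sysvol] headers restored.

```python
"""Static checks for a Samba AD DC smb.conf (added example, assumptions noted)."""
import re
from collections import defaultdict

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CY
    realm = CY.ABC.BIZ
    netbios name = SDC
    server role = active directory domain controller
    server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    allow dns updates = nonsecure
    dns forwarder =
    security = user
    kccsrv:samba_kcc = false
    wins support = true
    idmap config *:backend = tdb
    idmap config *:range = 5000-9999
    idmap config CY:backend = ad
    idmap config CY:schema_mode = rfc2307
    idmap config CY:range = 10000-29999
    # Use home directory and shell information from AD
    winbind nss info = rfc2307

[netlogon]
    path = /var/lib/samba/sysvol/cy.abc.biz/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

RANGE_RE = re.compile(r"^idmap config (.+):range$")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates.

    smb.conf keys are case-insensitive and ignore internal whitespace, so keys
    are normalised to lowercase with single spaces; values keep their case.
    Parameters before any [section] header are treated as global (assumption
    matching Samba's own parser behaviour).
    """
    sections = defaultdict(list)
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue  # malformed line; ignored here, Samba would warn
        key, _, value = line.partition("=")
        sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return dict(sections)


def check_dc_config(text):
    """Return a list of human-readable findings for one smb.conf text."""
    conf = parse_smb_conf(text)
    findings = []
    glob = conf.get("global", [])
    g = dict(glob)  # last value wins, as it does in Samba

    # A key set twice in one section: the later value silently wins.
    for name, items in conf.items():
        seen = set()
        for key, _ in items:
            if key in seen:
                findings.append(f"[{name}] sets '{key}' more than once")
            seen.add(key)

    # 'nonsecure' permits unauthenticated dynamic DNS updates; the Samba
    # default is 'secure only' (Kerberos-signed updates only).
    if g.get("allow dns updates", "secure only").lower().startswith("nonsecure"):
        findings.append("allow dns updates permits unauthenticated updates; "
                        "the default 'secure only' is safer")

    # With no forwarder, Samba's internal DNS cannot resolve names outside
    # the zones it is authoritative for (e.g. a trusted domain's DCs).
    if "dns forwarder" in g and not g["dns forwarder"]:
        findings.append("dns forwarder is empty: names outside the DC's own "
                        "zones cannot be resolved")

    # Overlapping idmap ranges map two different identities onto one Unix ID.
    ranges = []
    for key, value in glob:
        m = RANGE_RE.match(key)
        if m and re.match(r"^\d+-\d+$", value):
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    ranges.sort(key=lambda r: r[1])
    for (n1, _, hi1), (n2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for '{n1}' and '{n2}' overlap")
    return findings


if __name__ == "__main__":
    for finding in check_dc_config(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run against the posted configuration it reports two findings, the unauthenticated DNS updates and the empty forwarder; the idmap ranges 5000-9999 and 10000-29999 do not overlap and nothing is set twice. Feed it `testparm -s` output instead of the raw file to see the merged, effective values.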

