[Samba] Create Domain Trust Help Samba-4.3.2

Rowland penny rpenny at samba.org
Mon Dec 14 16:00:12 UTC 2015

On 14/12/15 15:36, Bob Thomas wrote:
> On 11/12/15 15:41, Bob Thomas wrote:
>> First, Thank you all for this forum, as I am fairly new at both Ubuntu
>> and Samba I have found most of the answers to my issues here.
>>
>> Now correct me if I am wrong but Samba 4.3.2 should be able to support
>> Domain Trusts. If so maybe you can help me, here is what I have:
>>
>> NT4 Domain: adc.com (Holds our production servers and user accounts
>> for that domain)
>>
>> Controller = enterprise.abc.com
>>
>> Samba Domain: cy.abc.biz
>> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
>> think):
>>
>> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>>
>> I can ping "enterprise" from both samba controllers and I can ping
>> "pdc" and "sdc" from enterprise.
>>
>> The two problems I have are first I am unable to create an
>> Inter-domain Trust Account:
>>
>> ####
>> root@PDC:/etc# net rpc trustdom add ABC password -U bthomas
>> Enter bthomas's password:
>> Could not set trust account password: NT_STATUS_ACCESS_DENIED
>> ###
>>
>> and second with samba-tool I get:
>>
>> #####
>> root@PDC:~# samba-tool domain trust create ABC -U bthomas
>> LocalDomain Netbios[CY] DNS[cy.abc.biz]
>> SID[S-1-5-21-3303530046-412607057-2209094731]
>> ERROR: Failed to find a writeable DC for domain 'ABC'
>> #####
>>
>> Here is my smb.conf file:
>>
>> # Global parameters
>> [global]
>>         workgroup = CY
>>         realm = CY.ABC.BIZ
>>         server role = active directory domain controller
>>         security = USER
>>         passdb backend = samba_dsdb
>>         os level = 65
>>         preferred master = Yes
>>         domain master = Yes
>>         wins support = Yes
>>         winbind nss info = rfc2307
>>         allow dns updates = nonsecure and secure
>>         dns forwarder =
>>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         rpc_server:tcpip = no
>>         rpc_daemon:spoolssd = embedded
>>         rpc_server:spoolss = embedded
>>         rpc_server:winreg = embedded
>>         rpc_server:ntsvcs = embedded
>>         rpc_server:eventlog = embedded
>>         rpc_server:srvsvc = embedded
>>         rpc_server:svcctl = embedded
>>         rpc_server:default = external
>>         winbindd:use external pipes = true
>>         idmap config cy:range = 10000-29999
>>         idmap config cy:schema_mode = rfc2307
>>         idmap config cy:backend = ad
>>         idmap config *:range = 5000-9999
>>         kccsrv:samba_kcc = false
>>         idmap_ldb:use rfc2307 = yes
>>         idmap config * : backend = tdb
>>         map archive = No
>>         map readonly = no
>>         store dos attributes = Yes
>>         vfs objects = dfs_samba4 acl_xattr
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>> ##
>>
>> My ultimate goal is to move totally off the NT Domain and onto the
>> Samba-AD-DC but I need the trust established first so I can go step by
>> step, test moving 18 production servers one at a time so it can be tested.
>> I feel it would be too risky to move everything at once.
>>
>> Any help to get me going in the right direction would be greatly
>> appreciated.
>>
>> Bob Thomas
>>
> I think you are going about this the wrong way, you are trying to create
> a new AD domain and then set up trusts between your old NT4 domain and
> your new AD domain, correct?
> I think you should be going down the classic-upgrade path instead, i.e.
> upgrade your original domain to an AD one. I take it all your users are
> in the NT domain, if so and their computers see the new AD, they *will*
> not go back to the original NT P/BDC, without a complete re-install.
> See here for info about the classic-upgrade:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29 
> Also, quite a lot of what you have added to your DCs smb.conf shouldn't
> be there, I would suggest that you put it back to what it was after the
> provision.
> I hope you are doing this in a test environment.
> Rowland
> ___________
> Rowland,
> Thank You for the quick response. I am not sure how to post added info 
> or answers here, I tried twice posting a reply at 
> http://www.eenyhelp.com Friday on the subject and verified it.  I got 
> the notice that the update would be posted in about an hour but -- 
> nothing.  I tried again this morning and still nothing. Is that the 
> correct place to post updates?
> As for my Issue,
> You are correct, I am trying to create a new AD domain and then set up 
> trusts between your old NT4 domain and your new AD domain.
> I have looked into the classic-upgrade but not sure it will work for 
> me because my old domain is a MS NT4 domain not Samba.  Not to 
> mention, the accounts have been neglected for years and I really don't 
> want to transfer the mess into AD.
> As for my smb.conf, my mistake - I posted the output of testparm and 
> not the actual config, which is below. If you have any recommended 
> changes, please advise:
> [global]
>         workgroup = CY
>         realm = CY.ABC.BIZ
>         netbios name = SDC
>         server role = active directory domain controller
>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         allow dns updates = nonsecure
>         dns forwarder =
>         security = user
>         kccsrv:samba_kcc = false
>         wins support = true
>         idmap config *:backend = tdb
>         idmap config *:range = 5000-9999
>         idmap config CY:backend = ad
>         idmap config CY:schema_mode = rfc2307
>         idmap config CY:range = 10000-29999
>         # Use home directory and shell information from AD
>         winbind nss info = rfc2307
> [netlogon]
>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> As for the test environment, I have been testing for over two months 
> with the Ubuntu repository Samba version 4.1.6, but just recently 
> upgraded to 4.3.2 hoping I could get the trust relationship working.  
> The MS NT4 domain is our production domain and I am not sure I could 
> duplicate it in a test environment.  So I would like to gradually move 
> Samba into production, using the domain trust so I can test things as 
> they are moved over.
> So back to my original question: is it possible to create the trust 
> between Samba-AD 4.1.6 and a MS NT4 domain?  If so, how?
> Thanks again,
> Bob

I think it should be possible now, but I have never tried doing it. A 
quick Google search seems to suggest it is a known AD problem; see here: 

I still think you would be better off going down the classic-upgrade 
path. If your ultimate aim is to remove all your NT servers, you will 
still have to get your users, groups and computers etc into the new 
domain from the old domain, this is something that the classic-upgrade 
will do for you.
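A small check in the spirit of Rowland's advice to put smb.conf back to what the provision wrote: it parses an smb.conf and lists every [global] parameter that is not part of the provision output. This is an added example, not code from the thread or from the Samba project; the baseline parameter set is an assumption about what samba-tool domain provision writes for a 4.x AD DC, and the sample config is constructed from the second smb.conf posted above.

```python
import re

# Parameters 'samba-tool domain provision' writes to [global] (assumed baseline).
PROVISION_GLOBAL = {"workgroup", "realm", "netbios name", "server role",
                    "dns forwarder", "idmap_ldb:use rfc2307"}

def normalise(name):
    """Samba compares parameter names ignoring case and whitespace, so
    'idmap config * : backend' and 'idmap config *:backend' are one key."""
    return re.sub(r"\s+", "", name).lower()

def parse_sections(conf_text):
    """Return {section: [(name, value), ...]}; comments and blank lines skipped."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            sections[current].append((name.strip(), value.strip()))
    return sections

def non_provision_globals(conf_text):
    """[global] parameters that are not part of the provision baseline."""
    baseline = {normalise(p) for p in PROVISION_GLOBAL}
    return [(n, v) for n, v in parse_sections(conf_text).get("global", [])
            if normalise(n) not in baseline]

# Constructed from the second smb.conf posted in the thread (shortened).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = CY
        realm = CY.ABC.BIZ
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        dns forwarder =
        security = user
        idmap config * : backend = tdb
        # Use home directory and shell information from AD
        winbind nss info = rfc2307
[netlogon]
        path = /var/lib/samba/sysvol/cy.abc.biz/scripts
        read only = No
"""
```

Feed the text of a real smb.conf to non_provision_globals to get the list of hand-added [global] parameters to review.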