[Samba] Create Domain Trust Help Samba-4.3.2

Rowland penny rpenny at samba.org
Mon Dec 14 16:25:52 UTC 2015

Oops, I really must get a new pair of glasses, I totally missed this lot 
in the mess that appeared in my email client :-D

On 14/12/15 15:36, Bob Thomas wrote:
> Rowland,
> Thank You for the quick response. I am not sure how to post added info 
> or answers here, I tried twice posting a reply at 
> http://www.eenyhelp.com Friday on the subject and verified it.  I got 
> the notice that the update would be posted in about an hour but -- 
> nothing.  I tried again this morning and still nothing. Is that the 
> correct place to post updates?

Just reply to the sambalist, it will do the rest.

> As for my Issue,
> You are correct, I am trying to create a new AD domain and then set up 
> trusts between your old NT4 domain and your new AD domain.
> I have looked into the classic-upgrade but not sure it will work for 
> me because my old domain is a MS NT4 domain not Samba.  Not to 
> mention, the accounts have been neglected for years and I really don't 
> want to transfer the mess into AD.

OK, I understand it better now, you want to lose the NT domain and move 
to AD.
Not sure if I would do it the way you are trying, how many computers and 

> As for my smb.conf, my mistake - I posted the output of testparm and 
> not the actual config which is below. If you have any recommended 
> changes please advise:
> [global]
>         workgroup = CY
>         realm = CY.ABC.BIZ
>         netbios name = SDC
>         server role = active directory domain controller
>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb:use rfc2307 = yes
>         allow dns updates = nonsecure
>         dns forwarder =
>         security = user
>         kccsrv:samba_kcc = false
>         wins support = true
>         idmap config *:backend = tdb
>         idmap config *:range = 5000-9999
>         idmap config CY:backend = ad
>         idmap config CY:schema_mode = rfc2307
>         idmap config CY:range = 10000-29999
>         # Use home directory and shell information from AD
>         winbind nss info = rfc2307
> [netlogon]
>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No

Yes, as I said before, put it back to what it was before you started 
adding things to it.

> As for the test environment, I have been testing for over two months 
> with the Ubuntu repository Samba version 4.1.6, but just recently 
> upgraded to 4.3.2 hoping I could get the trust relationship working.  
> The MS NT4 domain is our production domain and not sure I could 
> duplicate it in a test environment.  So I would like to gradually move 
> Samba into production - Using the domain trust so I can test things as 
> they are moved over.

I would set up a new domain, extract your users & groups etc from your 
old domain, remove anything you no longer require and then create them 
in your new domain. Then start adding your computers to the new domain a 
few at a time.

> So back to my original question, is it possible to create the trust 
> between Samba-AD 4.1.6 and a MS NT4 domain?  If so, how?

See my earlier incorrect post.

