[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
Rowland Penny
rpenny at samba.org
Tue Nov 22 17:43:11 UTC 2016
See inline comments:
On Tue, 22 Nov 2016 12:04:57 -0500
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> I am trying to configuring Samba 4 classic PDC to trust Windows
> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
> forest and domain functional levels are still Windows 2008. On the
> Win 2012 PDC I try to set up an incoming trust, but it fails with
> "The local security authority is unable to obtain an RPC connection
> to the active directory domain controller SAMBAPDC . "
Can we confirm what I think the above means:
You have a NT4-style PDC
You have 'DomainB' in which there is a Windows 2012 AD DC running as
domain functional level 2008 (This is NOT a PDC)
You are trying to set up a trust between the PDC and the AD DC
>
>
>
> I have an third domain "DomainC" - the PDC is running Windows
> 2008 , and the forest and domain functional levels are still Windows
> 2008. On that PDC I am able to configure and verify an incoming trust.
>
Again, you have an AD DC running windows 2008 and you can configure a
trust, but you don't say between what.
> I am guessing some recent security patch that applies to Windows 2012
> but not to Windows 2008 is the issue?
>
Sounds like it.
> Since samba is a configured as a classic domain, I would have
> expected the Windows 2012 DC to see the samba domain as an NT4 domain.
>
Should do, but microsoft seems to be trying to make it harder, see
here:
https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>
> I have tried setting the following in smb.conf
>
> server services = +smb -s3fs
> dcerpc endpoint servers = +winreg +srvsvc
They will not do anything on a PDC, they are meant for an AD DC
Rowland
More information about the samba
mailing list