[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008

Rowland Penny rpenny at samba.org
Tue Nov 22 17:43:11 UTC 2016

See inline comments:

On Tue, 22 Nov 2016 12:04:57 -0500
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> I am trying to configure Samba 4 classic PDC to trust Windows
> 2012 domain "DomainB" -  the PDC is running Windows 2012 but the
> forest and domain functional levels are still Windows 2008.  On the
> Win 2012 PDC I try to set up an incoming trust, but it fails with
> "The local security authority is unable to obtain an RPC connection
> to the active directory domain controller SAMBAPDC .  "

Can we confirm what I think the above means:

You have a NT4-style PDC
You have 'DomainB' in which there is a Windows 2012 AD DC running as
domain functional level 2008 (This is NOT a PDC)
You are trying to set up a trust between the PDC and the AD DC

> I have a third domain "DomainC" - the PDC is running Windows
> 2008, and the forest and domain functional levels are still Windows
> 2008. On that PDC I am able to configure and verify an incoming trust.

Again, you have an AD DC running windows 2008 and you can configure a
trust, but you don't say between what.

> I am guessing some recent security patch that applies to Windows 2012
> but not to Windows 2008 is the issue?

Sounds like it.

> Since samba is configured as a classic domain, I would have
> expected the Windows 2012 DC to see the samba domain as an NT4 domain.

Should do, but microsoft seems to be trying to make it harder, see


> I have tried setting the following in smb.conf
>     server services = +smb -s3fs
>     dcerpc endpoint servers = +winreg +srvsvc

They will not do anything on a PDC, they are meant for an AD DC
