[Samba] samba NT4 domain trusting samba AD domain: ephemeral

Francesco Malvezzi francesco.malvezzi at unimore.it
Fri Dec 29 11:28:26 UTC 2017

hi all,

Thanks to Rowland's advice, I checked the net trustdom way to establish
trust between domains.

In my setup I have a samba-4.7.4 NT4 domain named TRUSTING which needs
to have a trusting (outgoing)[1] relationship with a samba-4.7.4 AD domain
named ATENEOAD.

As far as I know it is very similar to:

I added the lmhosts entries on both servers for the peer.
`net lookup` works and resolves both.

Next I should add an interdomain account named TRUSTING$ on the ATENEOAD AD.

Unfortunately, neither of:
  smbpasswd -i -a TRUSTING
  net rpc trustdom add TRUSTING
works. The error is:

Failed to modify record CN=TRUSTING$,CN=Users,DC=ad,DC=EXAMPLE,DC=org:
Failed to modify CN=TRUSTING$,CN=Users,DC=ad,DC=EXAMPLE,DC=org: Updating
the UF_INTERDOMAIN_TRUST_ACCOUNT bit in userAccountControl is not
permitted over LDAP.  This bit is restricted to the LSA
CreateTrustedDomain interface

On the other hand, the following works (as Rowland said):
/opt/samba$ sudo ./bin/net rpc trust create other_netbios_domain=TRUSTING otherdomain=TRUSTING trustpw=aPassword

Was there a better way to do it?

Now on the TRUSTING PDC I should issue:
abnormal$ net rpc trustdom establish ATENEOAD

After asking me for the trustpw, it works: Trust to domain ATENEOAD established

I was even able to log in once as ATENEOAD\francesco on TRUSTING:
francesco at abnormal:/opt/samba$ ./bin/smbclient -UATENEOAD\\francesco -L
Enter ATENEOAD\francesco's password:

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.7.4)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------
	ABNORMAL             Samba 4.7.4

	Workgroup            Master
	---------            -------

But very soon the trust somehow breaks:
./bin/smbclient -UATENEOAD\\francesco -L localhost
Enter ATENEOAD\francesco's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

And the logs on the ATENEOAD AD controller:
  Got NTLMSSP neg_flags=0x62088215
[2017/12/29 12:02:33.086963,  3]
  Got user=[ABNORMAL$] domain=[TRUSTING] workstation=[ABNORMAL] len1=24
[2017/12/29 12:02:33.087059,  3]
  auth_check_password_send: Checking password for unmapped user
  auth_check_password_send: user is: [TRUSTING]\[ABNORMAL$]@[ABNORMAL]
[2017/12/29 12:02:33.092876,  2]
  auth_check_password_recv: sam_failtrusts authentication for user
[2017/12/29 12:02:33.093003,  2]
  Auth: [SMB2,NTLMSSP] user [TRUSTING]\[ABNORMAL$] at [ven, 29 dic 2017
12:02:33.092978 CET] with [NTLMv2] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [ABNORMAL] remote host
[ipv4:] mapped to [TRUSTING]\[ABNORMAL$]. local host
[2017/12/29 12:02:33.093333,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:02:33.093121+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:", "remoteAddress": "ipv4:",
"serviceDescription": "SMB2", "authDescription": "NTLMSSP",
"clientDomain": "TRUSTING", "clientAccount": "ABNORMAL$", "workstation":
"ABNORMAL", "becameAccount": null, "becameDomain": null, "becameSid":
"(NULL SID)", "mappedAccount": "ABNORMAL$", "mappedDomain": "TRUSTING",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2017/12/29 12:02:33.093436,  3]
  get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:

(abnormal is the TRUSTING PDC hostname)

What is going on?

It looks like abnormal expects to have joined ATENEOAD as a client. But of
course it's failing, because there is no machine account named abnormal$.

I am really frustrated because the trust did work, briefly.

What was wrong in my procedure?

As a starting point, can anybody confirm a similar trust relation can be

really thank you all, starting from Rowland,


[1] users from ATENEOAD should access resources on TRUSTING
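The JSON authentication record quoted in the post is the most useful artifact in it: it names the account the peer presented (ABNORMAL$ in domain TRUSTING), the status (NT_STATUS_NO_TRUST_LSA_SECRET) and the fact that no netlogon secure channel was involved (netlogonSecureChannelType 0). The following is an added example, not code from the post or from Samba, that scans a Samba log for such records and separates trust-account failures from ordinary user logon failures. It assumes only the record layout shown above; the sample log below is constructed (the first event is the posted one rejoined onto a single line, the others are invented), and the verdict labels are this script's own names.

```python
import json
from collections import Counter

# Constructed sample log. The first event reproduces the JSON Authentication
# record quoted in the post, rejoined onto one line (Samba's auth_log.c writes
# each event as a single line; the mail client wrapped it). The remaining
# events are invented for contrast and carry only the fields this script reads;
# the last one is deliberately truncated to show how a wrapped line is skipped.
SAMPLE_LOG = r'''[2017/12/29 12:02:33.093333,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:02:33.093121+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress": "ipv4:", "remoteAddress": "ipv4:", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "TRUSTING", "clientAccount": "ABNORMAL$", "workstation": "ABNORMAL", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "ABNORMAL$", "mappedDomain": "TRUSTING", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2017/12/29 12:02:33.093436,  3]
  get_auth_event_server: Failed to find 'auth_event' registered on the message bus
[2017/12/29 11:58:10.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T11:58:10.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "ATENEOAD", "clientAccount": "francesco", "workstation": "ABNORMAL", "netlogonSecureChannelType": 0, "passwordType": "NTLMv2"}}
[2017/12/29 12:02:40.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:02:40.000000+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "ATENEOAD", "clientAccount": "francesco", "workstation": "ABNORMAL", "netlogonSecureChannelType": 0, "passwordType": "NTLMv2"}}
[2017/12/29 12:05:00.000000,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:05:00.000000+0100", "type": "Authentication",
'''

MARKER = "JSON Authentication: "


def iter_auth_events(log_text):
    """Yield the 'Authentication' object of every JSON auth event in a Samba log.

    Lines without the marker (the bracketed timestamp/level lines, plain debug
    text) are ignored; a line whose JSON does not parse, e.g. one that was
    wrapped in a mail quote, is skipped rather than aborting the scan.
    """
    for line in log_text.splitlines():
        idx = line.find(MARKER)
        if idx < 0:
            continue
        try:
            rec = json.loads(line[idx + len(MARKER):])
        except json.JSONDecodeError:
            continue
        if rec.get("type") == "Authentication":
            yield rec["Authentication"]


def classify_event(ev):
    """Map one event to a verdict label (labels are this script's own names).

    A client account ending in '$' is a machine or trust account. The status
    NT_STATUS_NO_TRUST_LSA_SECRET on such an account is the case the post
    shows: the DC has no trust secret matching the account the peer presented.
    """
    status = ev.get("status")
    account = ev.get("clientAccount") or ""
    machine = account.endswith("$")
    if status == "NT_STATUS_OK":
        return "ok"
    if machine and status == "NT_STATUS_NO_TRUST_LSA_SECRET":
        return "trust-account-no-lsa-secret"
    if machine:
        return "machine-account-failure"
    return "user-failure"


def summarize(log_text):
    """Return {(clientDomain, clientAccount, status, verdict): count}."""
    counts = Counter()
    for ev in iter_auth_events(log_text):
        key = (ev.get("clientDomain"), ev.get("clientAccount"),
               ev.get("status"), classify_event(ev))
        counts[key] += 1
    return dict(counts)


def trust_secret_failures(log_text):
    """Sorted, de-duplicated (domain, account, workstation) triples whose
    verdict is trust-account-no-lsa-secret; these are the peers to check
    against the DC's trust list."""
    found = set()
    for ev in iter_auth_events(log_text):
        if classify_event(ev) == "trust-account-no-lsa-secret":
            found.add((ev.get("clientDomain"), ev.get("clientAccount"),
                       ev.get("workstation")))
    return sorted(found)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, *key)
    print("trust-secret failures:", trust_secret_failures(SAMPLE_LOG))
```

Run it against a real `log.samba` with `log level = 2` (or `auth_json_audit:3`) on the AD DC; a trust-account verdict tells you which NetBIOS domain and account the peer is presenting, which is the name to compare with what the DC actually holds as a trusted domain rather than guessing from the client side.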
