
Samba & Active Directory Trust




Hello All,

I'm having an issue creating a two-way trust relationship between my Samba Domain and a Windows 2003 Active Directory Domain. Here is a summary of my environment:

Samba 3.0.14a
OpenLDAP 2.0.23-7
Debian Woody

Active Directory 2003 (running in mixed mode)
Windows 2003

The trust works fine from AD -> Samba:

[root@samba-1 root]$ net rpc trustdom list
Password:
Trusted domains list:

none

Trusting domains list:

FOOBAR

[root@samba-1 root]$


But when I try to establish the trust the other way, I get NT_STATUS_ACCESS_DENIED:


[root@samba-1 root]$ net -d 3 -I 10.6.24.44 rpc trustdom establish FOOBAR
[2006/02/06 16:27:03, 3] param/loadparm.c:lp_load(3915)
lp_load: refreshing parameters
[2006/02/06 16:27:03, 3] param/loadparm.c:init_globals(1329)
Initialising global parameters
[2006/02/06 16:27:03, 3] param/params.c:pm_process(573)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/02/06 16:27:03, 3] param/loadparm.c:do_section(3417)
Processing section "[global]"
[2006/02/06 16:27:03, 2] lib/interface.c:add_interface(81)
added interface ip=10.6.15.10 bcast=10.6.15.255 nmask=255.255.255.0
Password:
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
Connecting to host=DC01
[2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.6.24.44 at port 445
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=104)
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=dc01$@RACK2.CORP
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
Got challenge flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x62890215
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
NTLMSSP: Set final flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60080215
[2006/02/06 16:27:07, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/06 16:27:07, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60080215
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup(861)
SPNEGO login failed: No logon interdomain trust account
[2006/02/06 16:27:07, 1] libsmb/cliconnect.c:cli_full_connection(1494)
failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
Could not connect to server DC01
[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_start_connection(1406)
Connecting to host=DC01
[2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.6.24.44 at port 445
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4663)
NetServerEnum2 error: Couldn't find primary domain controller for domain FOOBAR
[2006/02/06 16:27:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine DC01. Error was NT_STATUS_ACCESS_DENIED
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
Couldn't not initialise wkssvc pipe
[2006/02/06 16:27:07, 2] utils/net.c:main(897)
return code = -1
[root@samba-1 root]$


The trust "account" is set up on the AD side and I am using the same password on both ends. Is there some issue that I don't know about?

Thanks in advance,

Phillip Cockrell
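Added example (not part of the original post, and not Samba project code): a small Python parser for the "net -d 3" debug output format shown in the message, which pairs each "[timestamp, level] file:function(line)" header with its message text and lists the low-level (most severe) entries and their NT_STATUS codes in order. The sample lines are copied from the log in the post; the function names are this example's own.

```python
import re

# Header of a Samba debug entry: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\s*\((?P<line>\d+)\)\s*$"
)
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

# Sample input: the tail of the -d 3 output quoted in the post above.
SAMPLE = r"""[2006/02/06 16:27:07, 3] libsmb/cliconnect.c:cli_session_setup(861)
SPNEGO login failed: No logon interdomain trust account
[2006/02/06 16:27:07, 1] libsmb/cliconnect.c:cli_full_connection(1494)
failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
Could not connect to server DC01
[2006/02/06 16:27:07, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 10.6.24.44 at port 445
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4663)
NetServerEnum2 error: Couldn't find primary domain controller for domain FOOBAR
[2006/02/06 16:27:07, 0] rpc_client/cli_pipe.c:cli_nt_session_open(1451)
cli_nt_session_open: cli_nt_create failed on pipe \wkssvc to machine DC01. Error was NT_STATUS_ACCESS_DENIED
[2006/02/06 16:27:07, 0] utils/net_rpc.c:rpc_trustdom_establish(4672)
Couldn't not initialise wkssvc pipe
"""

def parse_entries(text):
    """Pair each header with the lines after it (tool output such as 'Password:' included)."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = {**m.groupdict(), "level": int(m["level"]), "msg": []}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"].append(raw.strip())
    return entries

def failures(entries, max_level=1):
    """Return (function, [NT_STATUS codes], message) for entries logged at level <= max_level."""
    out = []
    for e in entries:
        if e["level"] <= max_level:
            msg = " ".join(e["msg"])
            out.append((e["func"], STATUS.findall(msg), msg))
    return out

if __name__ == "__main__":
    for func, codes, msg in failures(parse_entries(SAMPLE)):
        print(f"{func}: {', '.join(codes) or '-'} | {msg}")
```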