
[Samba] Create Domain Trust Help Samba-4.3.2


Bob Thomas

Dec 11, 2015, 11:10:04 AM
First, thank you all for this forum; as I am fairly new at both Ubuntu
and Samba, I have found most of the answers to my issues here.

Now, correct me if I am wrong, but Samba 4.3.2 should be able to support
Domain Trusts. If so, maybe you can help me. Here is what I have:

NT4 Domain: adc.com (holds our production servers and user accounts for
that domain)

Controller = enterprise.abc.com

Samba Domain: cy.abc.biz
Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
think):

Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz

I can ping "enterprise" from both samba controllers and I can ping "pdc"
and "sdc" from enterprise.

The two problems I have are these. First, I am unable to create an
Inter-domain Trust Account:

####
root@PDC:/etc# net rpc trustdom add ABC password -U bthomas
Enter bthomas's password:
Could not set trust account password: NT_STATUS_ACCESS_DENIED
###

and second with samba-tool I get:

#####
root@PDC:~# samba-tool domain trust create ABC -U bthomas
LocalDomain Netbios[CY] DNS[cy.abc.biz]
SID[S-1-5-21-3303530046-412607057-2209094731]
ERROR: Failed to find a writeable DC for domain 'ABC'
#####

Here is my smb.conf file:

# Global parameters
[global]
workgroup = CY
realm = CY.ABC.BIZ
server role = active directory domain controller
security = USER
passdb backend = samba_dsdb
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
winbind nss info = rfc2307
allow dns updates = nonsecure and secure
dns forwarder = 10.157.1.178
server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config cy:range = 10000-29999
idmap config cy:schema_mode = rfc2307
idmap config cy:backend = ad
idmap config *:range = 5000-9999
kccsrv:samba_kcc = false
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr


[netlogon]
path = /var/lib/samba/sysvol/cy.abc.biz/scripts
read only = No


[sysvol]
path = /var/lib/samba/sysvol
read only = No

##

My ultimate goal is to move totally off the NT Domain and onto the
Samba-AD-DC, but I need the trust established first so I can go step by
step, moving 18 production servers one at a time so each can be tested. I
feel it would be too risky to move everything at once.

Any help to get me going in the right direction would be greatly
appreciated.

Bob Thomas

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Dec 11, 2015, 11:40:03 AM
I think you are going about this the wrong way: you are trying to create
a new AD domain and then set up trusts between your old NT4 domain and
your new AD domain, correct?

I think you should be going down the classic-upgrade path instead, i.e.
upgrade your original domain to an AD one. I take it all your users are
in the NT domain; if so, and their computers see the new AD, they *will*
not go back to the original NT P/BDC without a complete re-install.

See here for info about the classic-upgrade:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

Also, quite a lot of what you have added to your DC's smb.conf shouldn't
be there; I would suggest that you put it back to what it was after the
provision.

I hope you are doing this in a test environment.

Rowland

Bob Thomas

unread,
Dec 14, 2015, 10:50:04 AM

Rowland,

Thank you for the quick response. I am not sure how to post added info or answers here. I tried twice posting a reply at http://www.eenyhelp.com Friday on the subject and verified it. I got the notice that the update would be posted in about an hour but -- nothing. I tried again this morning and still nothing. Is that the correct place to post updates?

As for my Issue,

You are correct, I am trying to create a new AD domain and then set up trusts between my old NT4 domain and my new AD domain.

I have looked into the classic-upgrade but not sure it will work for me because my old domain is a MS NT4 domain not Samba. Not to mention, the accounts have been neglected for years and I really don't want to transfer the mess into AD.

As for my smb.conf, my mistake - I posted the output of testparm and not the actual config, which is below. If you have any recommended changes, please advise:

[global]
workgroup = CY
realm = CY.ABC.BIZ
netbios name = SDC
server role = active directory domain controller
server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
dns forwarder = 10.157.1.178

security = user

kccsrv:samba_kcc = false

wins support = true

idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config CY:backend = ad
idmap config CY:schema_mode = rfc2307
idmap config CY:range = 10000-29999

# Use home directory and shell information from AD
winbind nss info = rfc2307

[netlogon]
path = /var/lib/samba/sysvol/cy.abc.biz/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

As for the test environment, I have been testing for over two months with the Ubuntu repository Samba version 4.1.6, but just recently upgraded to 4.3.2 hoping I could get the trust relationship working. The MS NT4 domain is our production domain and I am not sure I could duplicate it in a test environment. So I would like to gradually move Samba into production, using the domain trust so I can test things as they are moved over.

So back to my original question: is it possible to create the trust between Samba-AD 4.1.6 and an MS NT4 domain? If so, how?

Thanks again,

Bob

Rowland penny

Dec 14, 2015, 11:10:05 AM
I think it should be possible now, but I have never tried doing it. A
quick Google search seems to suggest it is a known AD problem, see here:
https://support.microsoft.com/en-us/kb/889030

I still think you would be better off going down the classic-upgrade
path. If your ultimate aim is to remove all your NT servers, you will
still have to get your users, groups and computers etc into the new
domain from the old domain, this is something that the classic-upgrade
will do for you.

Rowland

Rowland penny

Dec 14, 2015, 11:30:04 AM

Oops, I really must get a new pair of glasses; I totally missed this lot
in the mess that appeared in my email client :-D

On 14/12/15 15:36, Bob Thomas wrote:
>
> Rowland,
>
> Thank You for the quick response. I am not sure how to post added info
> or answers here, I tried twice posting a reply at
> http://www.eenyhelp.com Friday on the subject and verified it. I got
> the notice that the update would be posted in about a hour but --
> nothing. I tried again this morning and still nothing. It that the
> correct place to post updates?

Just reply to the sambalist, it will do the rest.

>
> As for my Issue,
>
> You are correct, I am trying to create a new AD domain and then set up
> trusts between your old NT4 domain and your new AD domain.
>
> I have looked into the classic-upgrade but not sure it will work for
> me because my old domain is a MS NT4 domain not Samba. Not to
> mention, the accounts have been neglected for years and I really don't
> want to transfer the mess into AD.
>

OK, I understand it better now, you want to lose the NT domain and move
to AD.
Not sure if I would do it the way you are trying, how many computers and
users?
Yes, as I said before, put it back to what it was before you started
adding things to it.

> As for the test environment, I have been testing for over two months
> with the Ubuntu repository Samba version 4.1.6, but just recently
> upgraded to 4.3.2 hoping I could get the trust relationship working.
> The MS NT4 domain is our production domain and not sure I could
> duplicate it in a test environment. So I would like to gradually move
> Samba into production - Using the domain trust so I can test things as
> they are moved over.

I would setup a new domain, extract your users & groups etc from your
old domain, remove anything you no longer require and then create them
in your new domain. Then start adding your computers to the new domain a
few at a time.

>
> So back to my original question, Is it possible to create the trust
> between Samba-AD 4.1.6 and a MS NT4 domain. If so how?
>
>

See my earlier incorrect post.

Rowland