
[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL


Douglas Phillipson

Oct 11, 2010, 1:20:03 PM
I'm trying to establish a two way non-transitive trust between a W2003
A/D box and our SAMBA domain.

We are using smbldap so we can log in on any of the linux boxes with the
same passwd.
Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and
Trusts but on the Linux side I'm not sure if I need to put the machine
account locally in smb passwd or use the smbldap passwd on the LDAP
server. Has anyone done this before?

For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried putting the machine account both in the local file
and in the LDAP passwd file, but it just doesn't work. I've got the Samba 3
HowTo book and tried lots of googled suggestions but still can't seem to
make this work. Any suggestions are appreciated. Is there an easier
way to do this? My end result is to map a share on the SAMBA server
from a WinXP client computer that's in a W2003 domain without having to
put in a Linux username/password.

Thanks for your time and suggestions!
Doug P

My smb.conf [global]
--------------------------------------------------------------------------------------------------------------------------------------------------
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes


map to guest = Never
null passwords = No

obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:"ldap://127.0.0.1"
algorithmic rid base = 1000
root directory =
guest account = smbguest

passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict
username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No

log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 500000
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl -p '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script =
abort shutdown script =
logon script = logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 65
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = No
browse list = Yes
enhanced browsing = Yes
dns proxy = No
wins proxy = No
wins server = 172.30.10.107
wins support = No
wins hook =
;wins partners =
kernel oplocks = Yes
;lock spin count = 3
lock spin time = 10
oplock break wait time = 0
ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
ldap delete dn = No
;ldap filter = (uid=%u)
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap replication sleep = 1000
ldap suffix = dc=oem,dc=doe,dc=gov
ldap ssl = start tls
ldap timeout = 15
ldap user suffix = ou=People
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/cache/samba
pid directory = /var/run
utmp directory =
wtmp directory =
utmp = Yes
default service =
message command =
dfree command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
time offset = 0
NIS homedir = No
panic action =
host msdfs = No
#enable rid algorithm = Yes
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/false
#winbind separator = \
winbind cache time = 300
;winbind enable local accounts = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
comment =
path =
username =
invalid users = bin daemon adm sync shutdown halt mail news uucp operator gopher nobody smbguest
valid users =
admin users = root
read list =
write list =
;printer admin =
force user =
force group =
read only = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
guest only = No
guest ok = No
#only user = No
hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 172.20.0.0/16
hosts deny = 172.30.20.0/24, 172.20.20.0/24
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = Yes
afs share = No
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options =
print command =
lpq command =
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = No
force printername = No
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = Yes
mangled names = Yes
#mangled map =
store dos attributes = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = No
share modes = Yes
#copy =
#include =
preexec =
preexec close = No
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = No
dos filetime resolution = No
fake directory create times = No
vfs objects =


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Douglas Phillipson

Oct 11, 2010, 1:30:01 PM
When trying to add the machine account with smb-ldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line
497, <DATA> line 283.

Thanks
Doug P

Douglas Phillipson

Oct 11, 2010, 1:50:03 PM
oops, should be using a machine arg, tried:
/var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get error:

failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line
497, <DATA> line 283.

Doug P

Gaiseric Vandal

Oct 11, 2010, 3:20:02 PM
I would try disabling the machine account scripts, and manually creating
the unix level account for the domain trust with whatever tools you use for
ldap accounts. That should help rule out the script just not
running correctly.


When you join local Windows machines to the domain, are they adding
correctly? Is the underlying unix account for the machine created?

You could also probably run the script from the command line

/var/lib/samba/sbin/smbldap-useradd.pl -w thedomainname

Daniel Müller

Oct 12, 2010, 2:30:01 AM
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2621046

Problems with LDAP ldapsam and Older Versions of smbldap-tools
If you use the smbldap-useradd script to create a trust account to set up
interdomain trusts, the process of setting up the trust will fail. The
account that was created in the LDAP database will have an account flags
field that has [W ], when it must have [I ] for interdomain trusts to work.

Here is a simple solution. Create a machine account as follows:

root# smbldap-useradd -w domain_name

Then set the desired trust account password as shown here:

root# smbldap-passwd domain_name\$

Using a text editor, create the following file:

dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
changetype: modify
sambaAcctFlags: [I ]

Then apply the text file to the LDAP database as follows:

root# ldapmodify -x -h localhost \
-D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
-W -f /path-to/foobar

Create a single-sided trust under the NT4 Domain User Manager, then execute:


root# net rpc trustdom establish domain_name <----- important


It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows
200x ADS in mixed mode. Both domain controllers, Samba and NT must have the
same WINS server; otherwise, the trust will never work. <---important


-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
Email: mue...@tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: samba-...@lists.samba.org [mailto:samba-...@lists.samba.org] On
behalf of Gaiseric Vandal
Sent: Monday, 11 October 2010 21:17
To: sa...@lists.samba.org
Subject: Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL
(Added info)
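The HOWTO steps above, as an added example that is not from the thread or the Samba project: a small POSIX shell helper that builds the LDIF which turns the smbldap-created trust account from a workstation account ([W ]) into an interdomain trust account ([I ]), and a check that classifies what ldapsearch reports for the account. It assumes the Windows domain name WECN and the base DN dc=oem,dc=doe,dc=gov from the thread, with the account under ou=People as in the posted smb.conf; the ldapsearch output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): fix and verify the account flags of
# a Samba interdomain trust account stored in ldapsam.
# Assumptions: Windows domain WECN, base DN dc=oem,dc=doe,dc=gov,
# users under ou=People (matches "ldap user suffix = ou=People").

# Emit the modify record for the trust account of DOMAIN under BASEDN.
# RFC 2849 requires a mod-spec line ("replace:") after "changetype: modify";
# the HOWTO excerpt leaves it out, and ldapmodify rejects such a file.
trust_ldif() {
    domain=$1
    basedn=$2
    printf 'dn: uid=%s$,ou=People,%s\n' "$domain" "$basedn"
    printf 'changetype: modify\n'
    printf 'replace: sambaAcctFlags\n'
    # Samba pads the flag field to 11 characters; spaces are ignored on read.
    printf 'sambaAcctFlags: [I          ]\n'
}

# Read ldapsearch output on stdin and classify the account's flags.
# Prints "trust" for an [I ] account, "workstation" for [W ], "missing"
# when no sambaAcctFlags attribute is present at all.
acct_kind() {
    flags=$(sed -n 's/^sambaAcctFlags: *\[\(.*\)\]/\1/p' | tr -d ' ')
    case $flags in
        *I*) echo trust ;;
        *W*) echo workstation ;;
        *)   echo missing ;;
    esac
}

# Constructed sample of what "ldapsearch -x -LLL '(uid=WECN$)'" returns
# right after "smbldap-useradd -w WECN": the account still carries [W ].
SAMPLE_ENTRY='dn: uid=WECN$,ou=People,dc=oem,dc=doe,dc=gov
uid: WECN$
sambaAcctFlags: [W          ]'

# When run directly: print the LDIF only if the flags are not yet [I ].
if [ "$(printf '%s\n' "$SAMPLE_ENTRY" | acct_kind)" != trust ]; then
    trust_ldif WECN dc=oem,dc=doe,dc=gov
fi
```

Feed the printed LDIF to ldapmodify with the bind DN from the HOWTO step, then re-run the ldapsearch and expect acct_kind to report "trust" before trying net rpc trustdom establish.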

Douglas Phillipson

Oct 12, 2010, 4:10:01 PM
To create a "Trust" between Samba and a W2003 AD Domain, does the Samba
machine have to be a domain member also?

Doug P


Douglas Phillipson

Oct 13, 2010, 10:20:02 AM
On 10/12/2010 01:05 PM, Douglas Phillipson wrote:
> To create a "Trust" between Samba and a W2003 AD Domain, does the
> Samba machine have to be a domain member also?
>
> Doug P
>
I'm not clear on something. My goal is to have our AD users access a
samba share without having to enter a second set of credentials. So
this is where the trust comes in. Our Samba machine is a PDC of a
different domain than our Win2003 PDC.

I'm told the samba machine has to be a member server in the W2003 domain
for the trust to work. I thought trusts were between PDCs. Can my
samba machine be a PDC and a member server of a W2003 domain?

Confused...

Doug P

Gaiseric Vandal

Oct 13, 2010, 10:30:01 AM
Trusts are between domains.


If you configure a trust so that DomainA trusts DomainB, a "machine"
account for DomainA is created in DomainB. This allows DomainA to
retrieve a list of user names that it can trust.


When you configure the outgoing trust in Windows (i.e. you ask
another domain to trust you), Windows will create the machine account.
In samba, you need to create the machine account in unix with useradd
(or the appropriate command.)

And you have to make sure idmap, nsswitch and winbind are working.

And my experience was that Samba 3.0.x didn't play nice with
Windows 2003 anyway. The trusts were set up fine but the idmap caching
was buggy. You may be better off with samba 3.4 or later. (Though I
also had issues with that.)

If Windows 2003 is in native mode you may not get it working with samba
3.0.x.
