The Samba-Bugzilla – Bug 6234
Cannot Create One-Way Incoming Trust to Windows 2003 R2 AD
Last modified: 2009-03-30 10:49:32 UTC
I have attempted to create a one-way trust between Samba 4 - alpha 7 and Windows Server 2003 R2 AD in native mode.
Configured Samba with defaults on RHEL 5.3. Created Samba domain "example.com".
Installed Windows Server 2003 R2 AD native mode as domain "active.com".
Configured root and com name server on RHEL.
Tested both Samba and AD using Vista clients with Windows Server 2003 R2 administration tools installed. Created users, accessed shares, logged on and off. All successful.
Attempted to create both ends of the one-way trust from AD, using the Domains and Trusts MMC snap-in. Right-clicked on the domain name and then selected Properties. From Properties selected the Trusts tab. Clicked New Trust and then entered the domain name of the Samba 4 domain controller. Chose a one-way outgoing trust and then entered the administrator account details and password for the Samba 4 DC administrator.
This appeared to be successful. I could view the trust in AD but not verify it.
However, using the Domains and Trusts administration tool against Samba 4 I could not see the trust. But the trust account was in the LDAP directory (ACTIVE$, that is, the DN dc=active,dc=Users,dc=example,dc=com).
Testing the trust by logging into a member machine (Vista) in the AD domain as an account in the Samba domain failed with the following error: "The trust relationship between the primary domain and the trusted domain failed".
I set the passwords manually at both ends using different tools. On AD I used the GUI and netdom. On Samba 4 I used net password set. Still could not see the trust in the Domains and Trusts MMC for Samba 4. Neither could I log in using an account from the Samba domain.
By the way, Metze did say "And now w2k3 trust samba4 just fine:-)" in commit http://gitweb.samba.org/?p=samba.git;a=commit;h=0f74de3d37cdb03f622d9cdc1cdcc4aa6ede5ce3
I assumed that he meant a one-way trust!
I can provide traces, debugs, etc. Any pointers for what I should look for would be useful. Let me know what you need.
*** Bug 6233 has been marked as a duplicate of this bug. ***
I have now been able to get this to work.
I cleaned out the trust accounts at both ends, AD and S4.
I recreated the trust, this time from the AD end as an outgoing trust. What I had been doing wrong was giving the account with privileges to create the trust on the other end as "administrator"; when I put "firstname.lastname@example.org" it worked, where "example.com" is the S4 domain.
Verify does not work. But the trust does.