15.4 Configuring Samba NT-Style Domain Trusts

This description is meant to be a fairly short introduction about how to set up a Samba server so that it can participate in interdomain trust relationships. Trust relationship support in Samba is at an early stage, so do not be surprised if something does not function as it should.

Each of the procedures described below assumes the peer domain in the trust relationship is controlled by a Windows NT4 server. However, the remote end could just as well be another Samba-3 domain. It can be clearly seen, after reading this document, that combining Samba-specific parts of what's written below leads to trust between domains in a purely Samba environment.

15.4.1 Samba as the Trusted Domain

In order to set the Samba PDC to be the trusted party of the relationship, you first need to create a special account for the domain that will be the trusting party. To do that, you can use the smbpasswd utility. Creating the trusted domain account is similar to creating a trusted machine account. Suppose, your domain is called SAMBA, and the remote domain is called RUMBA. The first step will be to issue this command from your favorite shell:

 root# smbpasswd -a -i rumba New SMB password: XXXXXXXX Retype SMB password: XXXXXXXX Added user rumba$ 

where -a means to add a new account into the passdb database and -i means: " create this account with the InterDomain trust flag ".

The account name will be " rumba$ " (the name of the remote domain). If this fails, you should check that the trust account has been added to the system password database ( /etc/passwd ). If it has not been added, you can add it manually and then repeat the step above.

After issuing this command, you will be asked to enter the password for the account. You can use any password you want, but be aware that Windows NT will not change this password until seven days following account creation. After the command returns successfully, you can look at the entry for the new account (in the standard way as appropriate for your configuration) and see that account's name is really RUMBA$ and it has the " I " flag set in the flags field. Now you are ready to confirm the trust by establishing it from Windows NT Server.

Open User Manager for Domains and from the Policies menu, select Trust Relationships... . Beside the Trusted domains list box click the Add... button. You will be prompted for the trusted domain name and the relationship password. Type in SAMBA, as this is the name of the remote domain and the password used at the time of account creation. Click on OK and, if everything went without incident, you will see the Trusted domain relationship successfully established message.

15.4.2 Samba as the Trusting Domain

This time activities are somewhat reversed . Again, we'll assume that your domain controlled by the Samba PDC is called SAMBA and the NT-controlled domain is called RUMBA.

The very first step is to add an account for the SAMBA domain on RUMBA's PDC.

Launch the Domain User Manager, then from the menu select Policies , Trust Relationships . Now, next to the Trusted Domains box press the Add button and type in the name of the trusted domain (SAMBA) and the password to use in securing the relationship.

The password can be arbitrarily chosen . It is easy to change the password from the Samba server whenever you want. After confirming the password your account is ready for use. Now its Samba's turn .

Using your favorite shell while being logged in as root, issue this command:

 root# net rpc trustdom establish rumba 

You will be prompted for the password you just typed on your Windows NT4 Server box. An error message 'NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT' that may be reported periodically is of no concern and may safely be ignored. It means the password you gave is correct and the NT4 Server says the account is ready for interdomain connection and not for ordinary connection. After that, be patient; it can take a while ( especially in large networks), but eventually you should see the Success message. Congratulations! Your trust relationship has just been established.

N OTE You have to run this command as root because you must have write access to the secrets.tdb file.