#1 (permalink)
06-01-2007, 01:36 PM
Member
Posts: 14
Zimbra Samba PDC with a Trust Relationship to AD

I have followed the "detailed HOWTO" and have Zimbra and Samba flyin' high. Ya, that was fun. Now I need to create an Outgoing Trust Relationship between my existing AD (Active Directory for the searchers) so that users of Zimbra can log on to Windows machines in the AD domain.

I go to yon AD Domains and Trusts, and add a trust for my new domain. Fantastic, works great, EXCEPT, validation fails. Did a little research and we might need a Samba user, with the Interdomain Trust Account option selected, named the same as the domain we are trying to set up trust with, and with the same password we entered in the AD trust wizard. I then created such a user through the Zimbra UI, but I still continue to get this dialog on my AD server after attempting to verify the trust.

Code:
The verification of the outgoing trust failed with the following error(s):
The trust password verification failed with error 5: Access is denied.
A secure channel reset will be attempted.
The secure channel reset failed with error 5: Access is denied.

I verified on my Samba server that the user does indeed exist and has the expected Account Flags. Samba is running normally as I can see all the homedrives on it from any Windows machine on the same subnet. Anyone ever have a Samba PDC in a trust relationship with 2003 AD? Maybe I should take this to Samba forums and mailing lists.

#2 (permalink)
06-01-2007, 02:29 PM
Active Member
Posts: 44

If you are trying to set up a Trust relationship with Samba, make sure you have the option security = ads in your samba.conf file; additionally, you'll want to set up Kerberos on your Samba server.

I was successful in setting up a trust relationship that worked just fine with our Windows 2003 servers, but decided to go with a full Samba PDC implementation instead.

I found this walkthrough for Debian that worked like a charm for me. Depending on the OS Samba is running on your mileage may vary as far as the package (Core Software) installation goes, but the setup examples should be sound regardless of OS type.

Debian Administration :: Using Samba on Debian Linux

#3 (permalink)
06-01-2007, 02:39 PM
Member
Posts: 14
Full PDC?

Hey, thanks a bunch for the quick response. I really appreciate it. I will look at the links for sure. I am not quite sure I understand what you mean by full Samba PDC. I plan to have Samba PDC for sub.mydomain.com and AD already is security for mydomain.com. I simply would like users from sub.mydomain.com to be able to login to windows machines that are members of mydomain.com.

#4 (permalink)
06-01-2007, 05:00 PM
Active Member
Posts: 44

I think I probably misunderstood your scenario at first. By Full PDC I meant using the Samba server to authenticate users and computers and acting as the PDC for Windows machines by joining them to the samba server domain. In your scenario you will NOT want to use security = ads as I stated.

The howto I pointed you to only details using Samba as a member server within the same domain as the Windows Active Directory servers, but you will probably still see a benefit in using the Kerberos portion of that.

You should be able to set up a domain trust between the two using the net commands built into Samba:

Chapter 13. Remote and Local Management: The Net Command

You will want to skip ahead to the InterDomain Trust section on that page and particularly concentrate on the part about adding the trust account with the Samba domain so that way you can create a trust from the Windows server to the Samba server.

#5 (permalink)
07-09-2007, 07:40 PM
Loyal Member
Posts: 98

Hello guys,
I'm glad I found this thread. I have a very similar setup.
My Zimbra Samba PDC is zimbraubuntu.pluto.com and my W2k DC is test.test.com.

Adding the trust is OK, but verifying failed.
This is the error I've got:
Code:
The secure channel (SC) query on domain controller \\UBUNTUZIMBRA of domain PLUTO.COM to domain TEST failed with error: The specified domain either does not exist or could not be contacted. An SC reset will now be attempted

Verification of the trust between the domain test.test.com and the domain PLUTO.COM was unsuccessful because: The specified domain either does not exist or could not be contacted. 

To repair a trust to a pre-Windows 2000 domain you must remove and re-add the trust on both sides.

This is my Samba log:
Code:
Jul 10 09:10:21 ubuntuzimbra slapd[3863]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute 
Jul 10 09:10:21 ubuntuzimbra slapd[3863]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]: [2007/07/10 09:10:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]:   init_sam_from_ldap: Entry found for user: administrator 
Jul 10 09:10:36 ubuntuzimbra slapd[3863]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]: [2007/07/10 09:10:36, 2] auth/auth.c:check_ntlm_password(307) 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]:   check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [administrator] succeeded 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]: [2007/07/10 09:10:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) 
Jul 10 09:10:36 ubuntuzimbra smbd[12141]:   init_sam_from_ldap: Entry found for user: test$ 
Jul 10 09:10:44 ubuntuzimbra smbd[12141]: [2007/07/10 09:10:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) 
Jul 10 09:10:44 ubuntuzimbra smbd[12141]:   init_sam_from_ldap: Entry found for user: test$ 
Jul 10 09:11:45 ubuntuzimbra smbd[12141]: [2007/07/10 09:11:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) 
Jul 10 09:11:45 ubuntuzimbra smbd[12141]:   init_sam_from_ldap: Entry found for user: test$ 
Jul 10 09:11:52 ubuntuzimbra smbd[12141]: [2007/07/10 09:11:52, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) 
Jul 10 09:11:52 ubuntuzimbra smbd[12141]:   init_sam_from_ldap: Entry found for user: test$

This is the result of the net command in Samba:
Code:
sudo net rpc trustdom list
Password:
Password:
net: /opt/zimbra/cyrus-sasl/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r.so.2)
Password:
Trusted domains list:

none

Trusting domains list:

TEST                S-1-5-21-1220945662-2111687655-682003330

Have you resolved the situation? Please, I'd be very grateful for any help.
Thank you very much.

#6 (permalink)
07-11-2007, 01:47 PM
Member
Posts: 14

At the moment, no. I have had other projects come up that have taken precedence, unfortunately. My next steps were going to be to set up a stripped-down Samba PDC, possibly samba-tng, and see if I could set up a trust relationship to work. Then build in more complexity from there.

#7 (permalink)
07-27-2007, 11:17 PM
Starter Member
Posts: 1
samba and windows pdc on single client

Hi,
I have a Windows 2003 PDC to authenticate users, and now I have also established a Samba PDC. But when we register the Windows domain on a client, the Samba domain disappears, and similarly when we register the Samba domain, the Windows domain disappears. Is there any possible solution so that we can keep both domains on a single client? On the client side we are using Windows XP.

#8 (permalink)
07-30-2007, 09:43 AM
Active Member
Posts: 44

In order to have more than one domain listed in the Domain logon option in Windows, you NEED to have an established domain trust relationship. Check the links above on how to set it up.

Essentially, you'll need a two-way trust in place if you want any client joined to the Windows domain to authenticate against Samba (Windows trusts Samba), and for Samba domain computers to authenticate against the Windows domain (Samba trusts Windows).

Depending on your version of Samba and the security features enabled on Windows, your mileage may vary. So you may only be successful in authenticating one way or the other.
Reply With Quote
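
Added example, not part of the thread: a small shell helper that reads the `net rpc trustdom list` output posted in reply #5 and reports which direction of trust it shows, matching the one-way versus two-way distinction made in reply #8. The function names are made up for this example, and it assumes the usual Samba reading of the two lists (Trusted = domains the local domain trusts, Trusting = domains that trust the local domain).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Output of `sudo net rpc trustdom list` as posted in reply #5,
# including the password prompts and the libsasl2 warning.
sample_output() {
cat <<'EOF'
Password:
Password:
net: /opt/zimbra/cyrus-sasl/lib/libsasl2.so.2: no version information available (required by /usr/lib/libldap_r.so.2)
Password:
Trusted domains list:

none

Trusting domains list:

TEST                S-1-5-21-1220945662-2111687655-682003330
EOF
}

# Read `net rpc trustdom list` output on stdin and print one line per
# remote domain with the direction(s) of trust found for it.
trust_directions() {
    awk '
        /^Trusted domains list:/  { sec = "out"; next }  # local domain trusts these
        /^Trusting domains list:/ { sec = "in";  next }  # these trust the local domain
        # Skip text before the first header, blank lines, prompts and "none".
        sec == "" || NF == 0 || $1 == "none" || $1 == "Password:" || $1 == "net:" { next }
        { seen[$1] = seen[$1] sec " " }
        END {
            for (d in seen) {
                if (seen[d] ~ /out/ && seen[d] ~ /in/)
                    print d ": two-way"
                else if (seen[d] ~ /in/)
                    print d ": one-way, " d " trusts the local domain"
                else
                    print d ": one-way, the local domain trusts " d
            }
        }
    ' | sort
}

# Classify the sample from reply #5.
sample_output | trust_directions
```

For the posted output this reports a one-way trust in which TEST trusts the Samba domain, the "Windows trusts Samba" half of the two-way trust described in reply #8.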