Samba-TNG DOMAIN-TRUSTS
-------------------------------------------------------------------------

How to configure bidirectional domain trusts

Basically we've got two possible situations:

 1.) TNG being trusted by another domain
 2.) TNG trusting another domain


1.) TNG being trusted by another domain

This is the most tested variant. If you want to add a domain which TNG
should trust, you have to add an [I ]-type account. This looks like a
machine account (for example domain GATOR will need an account GATOR$)
with the ACB bits set to [I ] (which means "Interdomain trust account").
Do not forget that you will need a unix user as well, as we know it from
users and machines!

To achieve this you have these possibilities:

 - with rpcclient:

     rpcclient -S .             (on your TNG domain controller)
     createuser DOMAIN$ -i -p

 - with usrmgr.exe:

   If you have correctly configured "add user script" and "delete user
   script" you can add/remove those trusts with usrmgr.exe (logged in as
   root!).

IMPORTANT NOTICE:
  Write all domain names in capital letters!
  Only use passwords with 8 characters length!


2.) TNG trusting another domain

This is a bit more complicated, but if you follow these steps, you
hopefully won't fail:

 - add a line like this to your smb.conf file:

     trusted domains = "DOMAIN:domain-controller"

 - get the domain SID of the domain that should trust you:

     rpcclient -S domain-controller -U user%password -c 'lsaquery'

 - copy this string (beginning with S-...) into a file in your private
   directory. This file must be called DOMAIN.SID, where DOMAIN must be
   replaced with the name of the trusting domain in uppercase (e.g.
   GATOR.SID). You will find the .SID file for your existing domain in
   the private directory anyway.

 - restart TNG

 - create the secrets and install them. Open rpcclient -S . on your TNG
   domain controller, then run:

     createsecret G$$DOMAIN
     setsecret G$$DOMAIN

   where DOMAIN must be replaced with the name of the trusting domain
   (e.g. createsecret G$$GATOR and setsecret G$$GATOR).

 - Add the trust on the foreign DC with this secret.

If you need more trusts, simply add multiple space-separated entries to
your smb.conf file, e.g.

     trusted domains = "DOMAIN1:DC1" "DOMAIN2:DC2"

IMPORTANT NOTICE:
  Write all domain names in capital letters!
  Only use passwords with 8 characters length!

And secondly: Some of these things will change in future versions, so
this is all a bit preliminary.

And don't forget to configure the other DC (Windows NT/2000 with the
Microsoft User Manager, or TNG this way) to make and accept the trusts!
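The steps for "TNG trusting another domain" above leave two things to the
administrator's care: the domain name must be uppercase and the trust
password exactly 8 characters, and the SID string from lsaquery has to end
up byte-exact in private/DOMAIN.SID. The following POSIX sh helpers are an
added example, not part of Samba-TNG, that check those constraints, pull the
S-... token out of captured lsaquery output, write the .SID file and build
the "trusted domains" line. The lsaquery output embedded in it is a
constructed sample; the real rpcclient output layout is an assumption, and
only the S-1-... token is used.

```shell
#!/bin/sh
# Added example (not Samba-TNG code): helpers for preparing a
# "TNG trusting another domain" setup as described in DOMAIN-TRUSTS.

# Constructed sample of what `rpcclient -S dc -U user%pw -c lsaquery`
# might print. The layout is an assumption; only the S-1-... token matters.
SAMPLE_LSAQUERY_OUTPUT='Domain Name: GATOR
Domain SID: S-1-5-21-1234567890-234567890-345678901'

# Return 0 if the domain name is non-empty and all capitals/digits,
# as the docs require ("Write all domain names in capital letters!").
trust_domain_ok() {
    case "$1" in
        ''|*[!A-Z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the trust password is exactly 8 characters long
# ("Only use passwords with 8 characters length!").
trust_password_ok() {
    [ "${#1}" -eq 8 ]
}

# Print the first whitespace-separated token that looks like a SID
# (S-1-...) from the given lsaquery output; prints nothing if none found.
extract_sid() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep '^S-1-[0-9][0-9-]*$' | head -n 1
}

# Write the SID into $1/$2.SID ($1 = private directory, $2 = DOMAIN,
# $3 = SID). Refuses lowercase domain names and non-SID strings so a
# misnamed or empty .SID file never reaches the private directory.
write_sid_file() {
    trust_domain_ok "$2" || { echo "domain name must be uppercase: $2" >&2; return 1; }
    case "$3" in
        S-1-[0-9]*) ;;
        *) echo "not a domain SID: $3" >&2; return 1 ;;
    esac
    printf '%s\n' "$3" > "$1/$2.SID"
}

# Build the smb.conf line for one or more DOMAIN:DC pairs, each quoted and
# space-separated, e.g. trusted domains = "DOMAIN1:DC1" "DOMAIN2:DC2"
trusted_domains_line() {
    _tdl_line='trusted domains ='
    for _tdl_pair in "$@"; do
        _tdl_line="$_tdl_line \"$_tdl_pair\""
    done
    printf '%s\n' "$_tdl_line"
}

# Stand-alone demonstration against a temporary private directory.
demo() {
    _demo_dir=$(mktemp -d)
    _demo_sid=$(extract_sid "$SAMPLE_LSAQUERY_OUTPUT")
    write_sid_file "$_demo_dir" GATOR "$_demo_sid" && cat "$_demo_dir/GATOR.SID"
    trusted_domains_line "GATOR:gatordc"
    rm -rf "$_demo_dir"
}
```

Call demo to see the .SID file being written for the constructed GATOR
sample; in real use, feed extract_sid the captured output of the lsaquery
command from the steps above and point write_sid_file at your private
directory.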