Description of problem:
Samba has added a new objectClass sambaTrustedDomainPassword containing two new attributes, sambaClearTextPassword and sambaTrustedDomainPassword, in version 3.2 for storing the domain trust. The samba3-schema 60samba3.ldif does not include these, which makes it impossible to establish the domain trust without adding a custom ldif.

How reproducible:
net rpc trustdom establish DOMAIN -d10 throws an error about missing objectClass sambaTrustedDomainPassword

Actual results:
sambaTrustedDomainPassword is not present, net rpc trustdom establish dies with an error

Expected results:
sambaTrustedDomainPassword is present, net rpc trustdom establish works

Additional info:
Adding the following custom schema, created from the samba3-schema provided with samba3 for openldap, resolves the problem.

#
################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.7165.2.1.68
  NAME 'sambaClearTextPassword'
  DESC 'Clear text password (used for trusted domain passwords)'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  SINGLE-VALUE
  )
#
################################################################################
#
attributeTypes: (
  1.3.6.1.4.1.7165.2.1.69
  NAME 'sambaPreviousClearTextPassword'
  DESC 'Previous clear text password (used for trusted domain passwords)'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  SINGLE-VALUE
  )
#
################################################################################
#
objectClasses: (
  1.3.6.1.4.1.7165.2.2.15
  NAME 'sambaTrustedDomainPassword'
  DESC 'Samba Trusted Domain Password'
  SUP top
  STRUCTURAL
  MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet )
  MAY ( sambaPreviousClearTextPassword )
  )
#
################################################################################
#

Problem also exists on Red Hat Directory Server 8.2, but fixing it upstream in 389 Directory Server will also result in a fix downstream, I hope.
Upstream ticket: https://fedorahosted.org/389/ticket/29
Fixed in 389-ds-base-1.2.10.rc1 now in Fedora/EPEL Testing
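
A pre-flight check for the gap this report describes, as an added example that is not part of the original report or of Samba or 389 Directory Server code: it unfolds a schema LDIF and lists, per objectClass, any MUST/MAY attribute that no loaded schema defines. The function names are hypothetical, the embedded LDIF is a constructed copy of the report's schema, and `BASE_ATTRS` assumes the three older attributes come from the stock 60samba3.ldif.

```python
import re

# Constructed sample: the report's custom schema (DESC/EQUALITY omitted for brevity).
CUSTOM_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword'
  SUP top STRUCTURAL
  MUST ( sambaDomainName $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet )
  MAY ( sambaPreviousClearTextPassword ) )
"""
# Assumption: these attributes are already defined by the stock 60samba3.ldif.
BASE_ATTRS = {"sambaDomainName", "sambaSID", "sambaPwdLastSet"}

def unfold(ldif):
    """Drop comment lines, then join LDIF folds (newline + one space)."""
    body = "\n".join(l for l in ldif.splitlines() if not l.startswith("#"))
    return body.replace("\n ", "").splitlines()

def names(defn, keyword):
    """Names after MUST/MAY: one bare name or a '( a $ b )' list."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([\w-]+))", defn)
    if not m:
        return []
    return [n.strip() for n in (m.group(1) or m.group(2)).split("$") if n.strip()]

def missing_attrs(ldif, known):
    """Map each objectClass to the MUST/MAY attributes defined nowhere."""
    defined = {a.lower() for a in known}  # attribute names are case-insensitive
    classes = {}
    for line in unfold(ldif):
        key, _, defn = line.partition(":")
        name = re.search(r"NAME\s+'([^']+)'", defn)
        if not name:
            continue
        if key.lower() == "attributetypes":
            defined.add(name.group(1).lower())
        elif key.lower() == "objectclasses":
            classes[name.group(1)] = names(defn, "MUST") + names(defn, "MAY")
    return {c: [a for a in attrs if a.lower() not in defined]
            for c, attrs in classes.items()}

if __name__ == "__main__":
    print(missing_attrs(CUSTOM_LDIF, BASE_ATTRS))
```

An empty list for sambaTrustedDomainPassword means every attribute the class references resolves; any name listed would make the directory server reject the schema or the trust entry.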