$ sudo /usr/local/samba/bin/samba-tool domain trust create winlocal.net --direction="both" --type="external" --quarantined="no" --create-location="both" --skip-validation -UAdministrator@winlocal.net -d 10 INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 auth_audit: 10 auth_json_audit: 10 kerberos: 10 drs_repl: 10 smb2: 10 smb2_credits: 10 dsdb_audit: 10 dsdb_json_audit: 10 dsdb_password_audit: 10 dsdb_password_json_audit: 10 dsdb_transaction_audit: 10 dsdb_transaction_json_audit: 10 dsdb_group_audit: 10 dsdb_group_json_audit: 10 lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf Processing section "[global]" Processing section "[sysvol]" Processing section "[netlogon]" pm_process() returned Yes GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'ncalrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'http_negotiate' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Using binding ncalrpc:AL-R-DC1[,auth_type=ncalrpc_as_system] Mapped to DCERPC endpoint EPMAPPER added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 Starting GENSEC mechanism ncalrpc_as_system gensec_update_send: ncalrpc_as_system[0x2154d00]: subreq: 0x20ce4b0 gensec_update_done: ncalrpc_as_system[0x2154d00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x20ce4b0/../../auth/gensec/ncalrpc.c:100]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x20ce690)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: ncalrpc_as_system[0x2154d00]: subreq: 0x21a19c0 gensec_update_done: ncalrpc_as_system[0x2154d00]: NT_STATUS_OK tevent_req[0x21a19c0/../../auth/gensec/ncalrpc.c:100]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x21a1ba0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 02 00 00 00 41 00 00 00 41 00 00 00 ........ A...A... [0020] 04 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4...... [0030] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......] [0040] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`.. [0050] 02 00 00 00 01 00 0C 02 00 00 00 01 00 10 01 00 ........ ........ [0060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0070] 00 00 00 00 00 00 00 00 01 00 00 00 ........ .... rpc reply data: [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ........ [0020] 01 00 00 00 03 00 00 00 48 00 00 00 48 00 00 00 ........ H...H... [0030] 04 00 13 00 0D 78 57 34 12 34 12 CD AB EF 00 01 .....xW4 .4...... [0040] 23 45 67 89 AB 00 00 02 00 00 00 13 00 0D 04 5D #Eg..... .......] [0050] 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 ........ ..+.H`.. [0060] 02 00 00 00 01 00 0C 02 00 00 00 01 00 10 08 00 ........ ........ [0070] 44 45 46 41 55 4C 54 00 00 00 00 00 DEFAULT. .... Mapped to DCERPC endpoint DEFAULT added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 Starting GENSEC mechanism ncalrpc_as_system gensec_update_send: ncalrpc_as_system[0x21b2d60]: subreq: 0x20ce4b0 gensec_update_done: ncalrpc_as_system[0x21b2d60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x20ce4b0/../../auth/gensec/ncalrpc.c:100]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x20ce690)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] dcerpc_pull_auth_trailer: auth_pad_length 0 gensec_update_send: ncalrpc_as_system[0x21b2d60]: subreq: 0x21a19c0 gensec_update_done: ncalrpc_as_system[0x21b2d60]: NT_STATUS_OK tevent_req[0x21a19c0/../../auth/gensec/ncalrpc.c:100]: state[2] error[0 (0x0)] state[struct gensec_ncalrpc_update_state (0x21a1ba0)] timer[(nil)] finish[../../auth/gensec/ncalrpc.c:116] rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 04 00 02 00 0C 00 00 00 ........ ........ [0030] 02 00 01 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ [0040] 01 00 00 00 01 00 00 00 ........ rpc reply data: [0000] 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ........ ........ [0010] 00 00 00 00 94 E9 EA DA F8 16 9B 48 B0 69 8B C7 ........ ...H.i.. [0020] 4E 82 93 EB 00 00 00 00 N....... rpc request data: [0000] 00 00 00 00 94 E9 EA DA F8 16 9B 48 B0 69 8B C7 ........ ...H.i.. [0010] 4E 82 93 EB 0C 00 N..... rpc reply data: [0000] 00 00 02 00 0C 00 00 00 10 00 12 00 04 00 02 00 ........ ........ [0010] 18 00 1A 00 08 00 02 00 18 00 1A 00 0C 00 02 00 ........ ........ [0020] 43 8D FF DB EC FF 76 44 8F 0A 9A CC D6 AE 06 F5 C.....vD ........ [0030] 10 00 02 00 09 00 00 00 00 00 00 00 08 00 00 00 ........ ........ [0040] 53 00 4D 00 42 00 4C 00 4F 00 43 00 41 00 4C 00 S.M.B.L. O.C.A.L. [0050] 0D 00 00 00 00 00 00 00 0C 00 00 00 73 00 6D 00 ........ ....s.m. [0060] 62 00 6C 00 6F 00 63 00 61 00 6C 00 2E 00 6E 00 b.l.o.c. a.l...n. [0070] 65 00 74 00 0D 00 00 00 00 00 00 00 0C 00 00 00 e.t..... ........ [0080] 73 00 6D 00 62 00 6C 00 6F 00 63 00 61 00 6C 00 s.m.b.l. o.c.a.l. [0090] 2E 00 6E 00 65 00 74 00 04 00 00 00 01 04 00 00 ..n.e.t. ........ [00A0] 00 00 00 05 15 00 00 00 19 A1 52 FC 33 04 9C F4 ........ ..R.3... [00B0] 71 AD 41 99 00 00 00 00 q.A..... LocalDomain Netbios[SMBLOCAL] DNS[smblocal.net] SID[S-1-5-21-4233273625-4103865395-2571218289] added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 finddcs: searching for a DC by DNS domain winlocal.net finddcs: looking for SRV records for _ldap._tcp.winlocal.net resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.winlocal.net<0x0> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory dns_lookup_send_next: Sending DNS request #0 to 10.1.188.15 dns_cli_request_send: Asking 10.1.188.15 for _ldap._tcp.winlocal.net./1/33 via UDP [0000] 5C B9 01 00 00 01 00 00 00 00 00 00 05 5F 6C 64 \....... ....._ld [0010] 61 70 04 5F 74 63 70 08 77 69 6E 6C 6F 63 61 6C ap._tcp. winlocal [0020] 03 6E 65 74 00 00 21 00 01 .net..!. . [0000] 5C B9 81 80 00 01 00 01 00 00 00 01 05 5F 6C 64 \....... ....._ld [0010] 61 70 04 5F 74 63 70 08 77 69 6E 6C 6F 63 61 6C ap._tcp. winlocal [0020] 03 6E 65 74 00 00 21 00 01 C0 0C 00 21 00 01 00 .net..!. ....!... [0030] 00 02 58 00 12 00 00 00 64 01 85 09 77 69 6E 2D ..X..... d...win- [0040] 72 2D 64 63 31 C0 17 C0 3B 00 01 00 01 00 00 0E r-dc1... ;....... [0050] 10 00 04 0A 01 BC 0A ....... finddcs: DNS SRV response 0 at '10.1.188.10' finddcs: performing CLDAP query on 10.1.188.10 &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX command : LOGON_SAM_LOGON_RESPONSE_EX (23) sbz : 0x0000 (0) server_type : 0x0003f3fd (259069) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 1: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 1: NBT_SERVER_ADS_WEB_SERVICE 1: NBT_SERVER_DS_8 1: NBT_SERVER_DS_9 1: NBT_SERVER_DS_10 0: NBT_SERVER_HAS_DNS_NAME 0: NBT_SERVER_IS_DEFAULT_NC 0: NBT_SERVER_FOREST_ROOT domain_uuid : 2f35bb21-b39c-429b-a95b-a7b7a6c6da1d forest : 'winlocal.net' dns_domain : 'winlocal.net' pdc_dns_name : 'WIN-R-DC1.winlocal.net' domain_name : 'WINLOCAL' pdc_name : 'WIN-R-DC1' user_name : '' server_site : 'Default-First-Site-Name' client_site : 'Default-First-Site-Name' sockaddr_size : 0x00 (0) sockaddr: struct nbt_sockaddr sockaddr_family : 0x00000000 (0) pdc_ip : (null) remaining : DATA_BLOB length=0 next_closest_site : NULL nt_version : 0x00000005 (5) 1: NETLOGON_NT_VERSION_1 0: NETLOGON_NT_VERSION_5 1: NETLOGON_NT_VERSION_5EX 0: NETLOGON_NT_VERSION_5EX_WITH_IP 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL 0: NETLOGON_NT_VERSION_PDC 0: NETLOGON_NT_VERSION_IP 0: NETLOGON_NT_VERSION_LOCAL 0: NETLOGON_NT_VERSION_GC lmnt_token : 0xffff (65535) lm20_token : 0xffff (65535) finddcs: Found matching DC 10.1.188.10 with server_type=0x0003f3fd RemoteDC Netbios[WIN-R-DC1] DNS[WIN-R-DC1.winlocal.net] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,DS_9,DS_10,__unknown_00020000__] Using binding ncacn_np:WIN-R-DC1.winlocal.net Mapped to DCERPC endpoint \pipe\lsarpc added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 added interface eth0 ip=10.1.188.15 bcast=10.1.191.255 netmask=255.255.252.0 resolve_lmhosts: Attempting lmhosts lookup for name WIN-R-DC1.winlocal.net<0x20> startlmhosts: Can't open lmhosts file /usr/local/samba/etc/lmhosts. Error was No such file or directory socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0 Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Password for [Administrator@winlocal.net]: Received smb_krb5 packet of length 196 Received smb_krb5 packet of length 96 kinit for Administrator@winlocal.net succeeded gensec_update_send: gssapi_krb5[0x21b3960]: subreq: 0x21a19c0 gensec_update_send: spnego[0x21b6420]: subreq: 0x21a5010 gensec_update_done: gssapi_krb5[0x21b3960]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x21a19c0/../../source4/auth/gensec/gensec_gssapi.c:1117]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x21a1ba0)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1127] gensec_update_done: spnego[0x21b6420]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x21a5010/../../auth/gensec/spnego.c:1616]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x21a51f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2100] gensec_gssapi: NO credentials were delegated GSSAPI Connection will be cryptographically signed gensec_update_send: gssapi_krb5[0x21b3960]: subreq: 0x20ce4b0 gensec_update_send: spnego[0x21b6420]: subreq: 0x21a5010 gensec_update_done: gssapi_krb5[0x21b3960]: NT_STATUS_OK tevent_req[0x20ce4b0/../../source4/auth/gensec/gensec_gssapi.c:1117]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x20ce690)] timer[(nil)] finish[../../source4/auth/gensec/gensec_gssapi.c:1134] gensec_update_done: spnego[0x21b6420]: NT_STATUS_OK tevent_req[0x21a5010/../../auth/gensec/spnego.c:1616]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x21a51f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2100] signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) signed SMB2 message (sign_algo_id=1) rpc request data: [0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 04 00 02 00 0C 00 00 00 ........ ........ [0030] 02 00 01 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ [0040] 01 00 00 00 01 00 00 00 ........ signed SMB2 message (sign_algo_id=1) rpc fault: DCERPC_FAULT_ACCESS_DENIED ERROR: REMOTE_DC[WIN-R-DC1.winlocal.net]: failed to query LSA_POLICY_INFO_DNS - ERROR(0xC0000022) - {Access Denied} A process has requested access to an object but has not been granted those access rights. File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain/trust.py", line 958, in run ) = self.get_lsa_info(remote_lsa, remote_policy_access) File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/domain/trust.py", line 225, in get_lsa_info policy_access File "/usr/local/samba/lib/python3.7/site-packages/samba/lsa_utils.py", line 57, in OpenPolicyFallback in_revision_info signed SMB2 message (sign_algo_id=1)