Correction To DOMAIN_MEMBER.html

Boyce, Nick nick.boyce at
Thu Nov 14 20:53:01 GMT 2002

[this is almost too trivial to bother with, but in the interests of accuracy

I just converted a Samba 2.2.3a-for-Debian server from being a stand-alone
workgroup member using plain-text passwords into a full NT-administered
domain member using encrypted passwords and security=domain.  This being the
first server we've done this with, I paid attention to the apparent
authoritative document on the subject, "DOMAIN_MEMBER.html" in
"docs/htmldocs".  It runs pretty much like this :

====================< cut >====================
In order to join the domain, first stop all Samba daemons and run the

root# smbpasswd -j DOM -r DOMPDC -UAdministrator%password


Now, before restarting the Samba daemons you must edit your smb.conf(5) file
to tell Samba it should now use domain security.

Change (or add) your security = line in the [global] section of your
smb.conf to read:

security = domain

Next change the workgroup = line in the [global] section to read: 

workgroup = DOM

as this is the name of the domain we are joining. 

You must also have the parameter "encrypt passwords" set to yes in order for
your users to authenticate to the NT PDC.
====================< cut >====================

So, in plodder fashion, that's the order I tried to do things in.
Unfortunately, unless you edit smb.conf to set "encrypt passwords = yes"
*first*, you can't run the smbpasswd domain-joining call - it fails with :

  SAMBABOX:/etc/samba# smbpasswd -j MYDOMAIN -r MYPDC
  Error connecting to MYPDC
  Unable to join domain MYDOMAIN.

I just thought it might help other folks, to document this explicitly.  I
spent a couple of hours trying to figure out what I was doing wrong, jacking
up the Samba debug level, getting Ethereal traces of the join operation,
etc. ...

I checked, and it's still the same in the version posted on the
website, although there's also "Samba-HOWTO-Collection.html" which has a
section "Make Samba a member of an MS Windows NT security domain" which
documents the same thing in a somewhat different and perhaps less confusing

I'd have gladly produced an edited version of DOMAIN_MEMBER.html for
consideration, but I know the project uses Docbook for this stuff, and I
don't know the first thing about that :(


Nick Boyce
EDS, Bristol, UK

More information about the samba-technical mailing list