How to join a win2k-domain using Samba 2.*

Boyce, Nick nick.boyce at eds.com
Wed Sep 24 19:29:38 GMT 2003


On 21.Sept.2003, Ville Jutnik wrote :

> The documentation that I found regarding this issue wasn't that good 
> - it didn't help me that much. Later on I managed to join the 
> win2k-domain after a lot of work

I've joined many Samba 2.2.x servers to our NT4 domain, and for us it all
works just as documented in the "DOMAIN_MEMBER.html" document supplied in
the Samba source distro :
   root# smbpasswd -j DOM -r DOMPDC -UAdministrator%password
or, to avoid entering the password on the command line, omit the password
part of the -U argument :
   root# smbpasswd -j DOM -r DOMPDC -UAdministrator
which will cause a "password:" prompt.

> Samba 2.* doesn't support AD (3.* does though) you have to make 
> sure that your PDC allows you to join the domain without using AD 
> (using NT-style trust relationship). Therefore I think that the server 
> has to be in something called "mixed" mode

Erm - Active Directory "mixed mode" is required if you need to have a
mixture of fully native ADS domain controllers and pre-Win2K domain
controllers, but *not* AFAIK to allow ordinary member servers to participate
in the "domain" ("tree", "forest", whatever).  I'm just quoting what I've
read - we have no W2K ADS here.

However, I can well imagine that, as you describe, it's necessary to
pre-create the member server accounts in the ADS, and mark them as "Allow
pre-Windows 2000 computers to use this account".  Interesting ... thanks for
the pointer.

> I was using samba-2.2.3a (debian package) 

If you need the cutting-edge Samba domain-management features then I
strongly advise you don't do that - instead, use the Samba 2.2.8a Debian
package available using this apt source line :
   deb http://people.debian.org/~peloy/samba/ woody main
This is the latest Samba release, packaged for Debian Woody, rather than the
functionally old Samba with security fixes applied ("backported"), that is
officially part of Woody - and should work better for people with complex
needs.  It may be unofficial, but it's packaged by one of the Debian Samba
package maintainers ...

I found 2.2.8a gave us a better effect with "winbind" functionality.

> If anyone has any clue about this I would be grateful if he/she 
> could drop me a line

Sorry, I have no idea why you have to run the second "-m" smbpasswd call in
your scenario - maybe it's an ADS thing, or maybe it's a buggette in Samba
2.2.3a secure channels protocol handling ;-)

Nick Boyce
EDS, Bristol, UK
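
The message above gives both the inline `-UAdministrator%password` form and the prompting form of the join command. As an added example (not part of the original post or of Samba), this shell snippet audits a join script or shell history for smbpasswd lines that still carry the password inline and masks it; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and mask inline passwords in smbpasswd command lines.
# An argument of the form -Uuser%password ends up in shell history and in
# saved scripts; the prompting form (-Uuser) does not.

# Constructed sample input: four lines as they might appear in a history file.
sample_history() {
cat <<'EOF'
smbpasswd -j DOM -r DOMPDC -UAdministrator%Constructed-Pw1
smbpasswd -j DOM -r DOMPDC -UAdministrator
/usr/bin/smbpasswd -j DOM -r DOMPDC -U Administrator%Constructed-Pw2
echo "50% done"
EOF
}

# redact_inline_pw: read command lines on stdin; on smbpasswd lines only,
# replace everything after the '%' in a -U argument with a marker.
# Lines without smbpasswd, or with a bare -Uuser, pass through unchanged.
redact_inline_pw() {
    sed -E '/smbpasswd[[:space:]]/ s/(-U[[:space:]]*[^[:space:]%]+)%[^[:space:]]+/\1%<redacted>/g'
}

# count_inline_pw: print how many smbpasswd lines on stdin carry a password
# inside the -U argument. grep -c exits non-zero on a count of 0, so the
# trailing "|| true" keeps the function usable under "set -e".
count_inline_pw() {
    grep -E 'smbpasswd[[:space:]]' \
        | grep -Ec -e '-U[[:space:]]*[^[:space:]%]+%[^[:space:]]+' || true
}

# Stand-alone run: report the count, then show the masked lines.
echo "smbpasswd lines with an inline password: $(sample_history | count_inline_pw)"
sample_history | redact_inline_pw
```

To audit a real file, feed it on stdin in place of `sample_history`, for example `redact_inline_pw < join-script.sh`.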
