Working Samba 3 config serving files with proper permissions via ADS security + Request for samba experts in the UK

Gémes Géza geza at
Sun Jul 22 09:06:55 MDT 2012


The things you intend to do don't really correlate: joining AD can be 
justified by the intention of authenticating against it.
Authenticating against passwd/shadow supposes sending plaintext passwords 
on the wire, a practice which (possible with some registry hacking on 
Windows 98, maybe 2000, not sure that would work with newer versions)


Geza Gemes
> The scenario I am trying to implement is one where samba is joined to ADS
> (done successfully) - but the machine doesn't authenticate logons via ADS -
> I want it to use local /etc/passwd without the /etc/passwd mirroring
> accounts on the ADS.
> Is this even possible?
> Hafeez
> On Sat, Jul 21, 2012 at 10:04 PM, Daniele Dario <d.dario76 at> wrote:
>> Hi Hafeez,
>> On Fri, 2012-07-20 at 11:00 +0100, Hafeez Bana wrote:
>>> Hi Guys,
>>> Does anyone have samba3 working by joining it to a domain with ADS security
>>> enabled (with no local accounts mirroring the AD accounts)? If so could you
>>> post your config and details of your setup? I've followed the guide but
>>> whenever I try to access the share, I keep getting username/password
>>> prompts which I know I am filling out correctly.
>>> Also if you are a samba (both 3 and 4) expert and located in the UK -
>>> would love to be able to tap into your expertise for a fee. Please get in
>>> touch.
>>> Regards.
>>> Hafeez
>> don't know if it could help (I'm not a developer nor have a deep
>> knowledge on that) but I managed to have 2 working AD DC with samba4
>> (for now without s3fs enabled) and 2 samba3 servers joined to their
>> domain with ADS security.
>> All of the servers are ubuntu (10.04, 10.10 or 11.04 all 32 bit).
>> The samba3 smb.conf looks like the examples you can find on the
>> internet. Now I'm out of the office and without a good connection so I
>> can't pick up a copy (I'll post it next if you want).
>> The rules I followed are the ones in the wiki
>> What I had to note you is:
>>       1. assert you can see your dns server(s) or try adding it(them)
>>          directly to your /etc/hosts
>>       2. assert kinit allows you to authenticate on DC(s)
>>       3. double check nsswitch configuration to be like the one in the
>>          wiki
>>       4. during join (for me) I was not able to add dns record (so I had
>>          to add them by hand on AD dns zones).
>> Regards,
>> Daniele.
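
The offline items of the checklist quoted above (smb.conf set up for ADS, nsswitch using winbind), as an added example that is not part of the thread or of the Samba wiki. It assumes that matching the wiki means winbind is listed as a source for passwd and group; the sample files and the realm are constructed, and the DNS and kinit checks are left out because they need the live network.

```shell
#!/bin/sh
# Added example: offline part of the checklist for a Samba 3 ADS member.
# Assumption: "like the wiki" means winbind is a source for passwd and group.

# Print the value of KEY (lowercase) from the [global] section of FILE.
smb_global() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comments
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# Succeed if database DB lists winbind as a source in nsswitch-style FILE.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# Report every failed check; return non-zero if any failed.
preflight() {   # usage: preflight SMB_CONF NSSWITCH_CONF
    rc=0
    [ "$(smb_global "$1" security | tr 'A-Z' 'a-z')" = ads ] ||
        { echo "FAIL: security is not ads"; rc=1; }
    [ -n "$(smb_global "$1" realm)" ] || { echo "FAIL: realm not set"; rc=1; }
    for db in passwd group; do
        nss_has_winbind "$2" "$db" ||
            { echo "FAIL: nsswitch '$db' has no winbind source"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files (not from the thread); realm is a placeholder.
write_samples() {   # usage: write_samples DIR
    printf '[global]\n  security = ADS\n  realm = EXAMPLE.TEST\n[share]\n  path = /srv\n' > "$1/smb.conf"
    printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts: files dns\n' > "$1/nss.ok"
    printf 'passwd: compat  # winbind removed\ngroup:  compat winbind\n' > "$1/nss.bad"
}

d=$(mktemp -d) && write_samples "$d"
preflight "$d/smb.conf" "$d/nss.ok" && echo "sample config passes"
preflight "$d/smb.conf" "$d/nss.bad" || echo "broken sample rejected"
```

On a real member server, point `preflight` at `/etc/samba/smb.conf` and `/etc/nsswitch.conf`.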

More information about the samba-technical mailing list