[Samba] Joining Samba 3.0 to a "pure" Active Directory

[Antti Tikkanen]

On Thu, 20 Feb 2003, Alexander Skwar wrote:

> Hello.
>
> I'd like to join a Samba 3.0 alpha 21 server running on RedHat 8.0 to an
> Active Directory.  This AD does NOT support Windows NT 4.0 Domains.
>
> In a previous mail, I've been asked if I already have Kerberos setup and
> tested.  I don't.  How do I test if Kerberos is working correctly for me?

As someone suggested, use 'kinit username at REALM'. You asked in another
post how to find out your KDC server: every domain controller is also a
KDC, so you should use that. If you get a Kerberos TGT, you have Kerberos
working.

> If everything is working fine, I'd like the Samba server to join the AD
> "europe.delphiauto.net".  For this, I should type "net ads join".  How
> do I specify, which AD is to be joined?

In your smb.conf, you should have the lines:

  security = ADS
  realm = YOUR_KERBEROS_REALM.EXAMPLE.COM
  ads server = your_domain_controller.example.com

> And if this is also working, I'd like to be able to login to the Samba
> server with a username/password which is ONLY in the AD.  Do I need any
> special privileges in the AD for the server?

I don't know what you mean by "special privileges", but I think not. When
doing 'net ads join', you must have a TGT for a user that has the required
privileges to add a machine account and alter some attributes (a Domain
Admin account will do).

> When this is also working, I'd like offer shares.  However, not every
> user should be allowed to "mount" every share - IOW: restriction should
> be done on a per user basis.  If I maintain a local smbpasswd, I know
> that this shouldn't be a problem - but what if I use AD to do the
> authentication?

Restrictions can be done on a per user basis, see 'man smb.conf',
especially things such as 'valid users'. When you use 'security = ADS',
this is also not a problem.

Antti

-- 

Antti.Tikkanen at hut.fi
Helsinki University of Technology
Computing Centre