[Samba] adding samba3 to Active Directory Domain

Michael Davidson mdavidson at mountwashington.org
Wed Aug 16 19:37:52 GMT 2006

I found this page to be extremely helpful when I joined several FC Linux
boxes to a Win 2k3 domain:

Also, if you're using the [homes] share and want to have shared home
directories created on the fly for first-time users, put "obey pam
restrictions = yes" in your smb.conf and
"session required /lib/security/pam_mkhomedir.so skel=<your/skeleton/directory> umask=<your_umask>"
in the appropriate file in /etc/pam.d.

It took me a looong time to find that out.


-----Original Message-----
From: samba-bounces+mdavidson=mountwashington.org at lists.samba.org
[mailto:samba-bounces+mdavidson=mountwashington.org at lists.samba.org] On
Behalf Of Steven Cardinal
Sent: Wednesday, August 16, 2006 2:26 PM
To: samba at lists.samba.org; KGowan at assisecurity.com
Subject: [Samba] Re: adding samba3 to Active Directory Domain

On 8/16/06, Kevin Gowan <KGowan at assisecurity.com> wrote:
> To Whom It May Concern:
> I really admire the dedication and effort your group has.  I am glad more
> and more people aren't buying into the Microsoft licensing schemes.  Keep up
> the good work!
> I would like to add the server I have installed to our Active Directory
> Domain.  We have one Win2003 PDC no subnets very basic stuff.  I have read
> many chapters in the official how to guide and would like to zero in on
> appropriate section/s that will allow me to configure this
> appropriately.  All my supervisor would like me to do is create a
> where no one has to type in their user name and password again when they
> click on any of the shares.  I have tried (on the test bed) configurations
> from different chapters and I still get user name and password when I
> on the server or share.  The Server I have installed is Suse
> I would appreciate any help that you can provide.  Thank you for your time
> and I look forward to hearing from you soon!
> Best regards,
> Kevin G

Hey Kevin,

We are using our Samba server in the same way - File/Print in a W2K3 AD
single forest/domain. Definitely look at the AD section. I found the Samba-3
By Example book to be very helpful, too - Section 9.3.3 covers a file server
in an AD domain. Here's our config that is working just fine:

        unix charset = LOCALE
        workgroup = MYDOMAIN
        realm = MYDOMAIN.INT
        server string = Production File Server
        security = ADS
        allow trusted domains = No
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 1
        log file = /var/log/samba/%m
        max log size = 50
        deadtime = 15
        printcap name = cups
        wins server =
        ldap ssl = no
        idmap backend = idmap_rid:MYDOMAIN=10000-50000
        idmap uid = 10000-50000
        idmap gid = 10000-50000
        template shell = /bin/bash
        winbind separator = +
        cups options = raw

The only thing to be aware of is, for our config, I chose to use the
idmap_rid since I will end up having multiple servers and wanted to ensure
that the uids remain consistent. For this I needed to rebuild the Suse
10.0 RPM to enable this. Make sure the server is correctly listed in
record in the AD domain) prior to adding it to the domain with the net ads
join command. Also ensure that ntp is running and keeping time in sync.
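The reason idmap_rid gives the same uids on every server is that the mapping is arithmetic rather than allocated on first sight. The script below is an added example (not from this thread or from the Samba project): it parses the idmap lines of an smb.conf built from the values posted above, checks that "idmap uid"/"idmap gid" actually cover the idmap_rid range, and maps SIDs onto uids with the formula from the idmap_rid(8) documentation (ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaulting to 0). The domain SID is a constructed placeholder; on a real member server you would read it from "net getdomainsid" or "wbinfo -D MYDOMAIN" after the join.

```python
# Added example, not the thread's or Samba's own code: what idmap_rid does
# with a SID, and a sanity check on the idmap ranges in smb.conf.
import re

# Constructed sample: the idmap-related [global] lines from the posted config.
SMB_CONF = """[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.INT
    security = ADS
    idmap backend = idmap_rid:MYDOMAIN=10000-50000
    idmap uid = 10000-50000
    idmap gid = 10000-50000
"""

# Constructed placeholder domain SID (assumption); the real value comes from
# "net getdomainsid" or "wbinfo -D MYDOMAIN" once the server has joined.
DOMAIN_SIDS = {"MYDOMAIN": "S-1-5-21-1004336348-1177238915-682003330"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_global(text):
    """Return the [global] section as a dict of lowercased parameter -> value.
    Comments (# or ;) are stripped; other sections are ignored."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(spec):
    """'10000-50000' -> (10000, 50000); rejects malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad id range: %r" % spec)
    return int(m.group(1)), int(m.group(2))


def rid_config(params):
    """Extract (domain, low, high) from 'idmap backend = idmap_rid:DOM=low-high'
    (the Samba 3.0 syntax used in the posted config)."""
    backend = params.get("idmap backend", "")
    m = re.fullmatch(r"idmap_rid:([^=]+)=(.+)", backend)
    if not m:
        raise ValueError("idmap backend is not idmap_rid: %r" % backend)
    low, high = parse_range(m.group(2))
    return m.group(1).strip().upper(), low, high


def range_covered(params, low, high):
    """True only if both 'idmap uid' and 'idmap gid' enclose low-high;
    a narrower range silently leaves some RIDs without a Unix id."""
    for key in ("idmap uid", "idmap gid"):
        klow, khigh = parse_range(params.get(key, "0-0"))
        if klow > low or khigh < high:
            return False
    return True


def sid_to_id(sid, domain, low, high, base_rid=0):
    """Deterministic idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None for SIDs of another domain or RIDs that land outside the
    configured range; such accounts get no uid and cannot use the shares."""
    m = SID_RE.match(sid)
    if not m or m.group(1) != DOMAIN_SIDS[domain]:
        return None
    rid = int(m.group(2))
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


if __name__ == "__main__":
    conf = parse_global(SMB_CONF)
    dom, lo, hi = rid_config(conf)
    print("idmap_rid for %s, range %d-%d, covered=%s" % (dom, lo, hi, range_covered(conf, lo, hi)))
    for rid in (500, 1104, 40001):
        sid = "%s-%d" % (DOMAIN_SIDS[dom], rid)
        print(sid, "->", sid_to_id(sid, dom, lo, hi))
```

Because the result depends only on the RID and the configured low bound, two servers with identical idmap lines agree on every uid without sharing a database, which is the property the post above relies on. The flip side is the hard upper bound: with 10000-50000 any RID above 40000 maps to nothing, so size the range for the domain's RID counter, not for the number of users you have today.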
