[Samba] Samba / AD integration

Eric Roseme eroseme at emonster.rose.hp.com
Tue Aug 5 16:39:36 GMT 2008


Check out this paper:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it about 3 years ago, so the Samba version was 3.0.7.  Things 
may have changed.  It refers to HP-UX CIFS Server but at the time held 
true for Opensource too.

Eric Roseme

Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain.  
> Following the excellent recipe at:
> 
> http://wiki.samba.org/index.php/Samba_&_Active_Directory
> 
> I see it states about half way down to join the machine to AD
> 
> "Now to join your machine to the active directory. You will need the 
> user-name and password to a Domain Administrator account to do this. The 
> command you need to join the domain is net ads join -U sadwrn. This 
> should then ask you for a password, and print a domain join notice."
> 
> Is this required to use a Domain Administrator account, or can any 
> normal user AD account be used?  I know AD doesn't allow anonymous 
> browsing, but can a normal non-admin account be used?  As I read through 
> it, I don't see any other special admin access required other than the root 
> on the Linux machine.
> 
> 
> My goal is this...  We have a very large AD system, 80.000+ users, and 
> we want to activate Samba on two servers for a very small user group 
> (maybe 12 users) but validate userid/passwords against AD.  If Samba can 
> be set up with little or no AD changes, or involvement from the AD 
> administrators, but with some simple config from the UNIX admins, then 
> we have a much better chance of getting this approved.  But if it 
> requires a lot of heavy involvement of the AD support group, ongoing 
> maintenance, etc, then the odds are slim.  Largely political, the UNIX 
> admins are much more open to open source solutions than the Windows side 
> of the fence.  So if this can be sold as "just another AD client app" 
> not requiring any special AD domain permissions, we have a chance.
> 
> Thanks for any help/advice.
> Brian
> 