[Samba] Re: what's good for security=ads ?

Andreas Ladanyi knuffiandy at web.de
Tue Sep 16 20:42:27 GMT 2008

d tbsky wrote:
> Hi,
>    We have a 2003 R2 domain. It is running in 2003 native mode. We
> want to set up some Samba member file servers. Our client is Windows
> XP.
>    I tried Samba 3.2 with "security = domain" and "idmap backend = rid".
> It seems fine. But I saw there are more advanced options in Samba like
> "security = ads" and even a parameter about "rfc2307" to mix Windows
> and Samba. They are complex settings and I wonder what benefits they
> bring to us.
>     Our situation is: we want to use Samba as a file server for Windows
> XP, and we have one single 2003 R2 domain. We may want to migrate to
> Samba 4.0 when it is ready.
>     Is simple "security = domain" enough, or should we set up
> "security = ads" to prepare for the future?
>     Thanks a lot for your help!

In short, the difference between "domain" and "ads" as I understand it:

domain = NT4 style domain membership

In my experience it should be enough unless using Vista clients.

ads = like NT4 + Kerberos

If you want to use "ads" you have to set up a small Kerberos client 
configuration on your Samba server. This is a little bit more work.


We had issues with Windows Vista clients connecting to the Samba server 
until we changed from "domain" to "ads" mode, but I don't know the 
exact background.

But maybe it helps to set:

client ntlmv2 auth = yes

in smb.conf for SMB auth negotiation with the Vista client, without 
changing from "domain" to "ads".

Before using Vista, "domain" membership worked very well with 2003 R2 
(native mode), Windows XP and winbind.


This is a schema extension (part of 2003 R2) for Active Directory that 
makes it possible to add POSIX information to an existing Windows user/group.

This information is read by winbind if:

winbind nss info = rfc2307

is set.

I hope I could help you. If I typed something wrong, please correct me. 
I am writing about my experience and tests.
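
Added illustration, not part of the original message and not taken from the Samba project: the two member-server setups contrasted in this thread, with the small Kerberos client configuration that "ads" mode needs. EXAMPLE, EXAMPLE.COM, the user name in the join commands and the file paths are placeholder assumptions; the idmap line is the one from the question.

```ini
# ---- File 1: smb.conf (typical path /etc/samba/smb.conf, an assumption) ----
[global]
    # Placeholder NetBIOS domain name (assumption)
    workgroup = EXAMPLE
    # idmap setting as given in the question
    idmap backend = rid

    # Variant A: NT4-style membership. Logons are verified against the
    # domain controller without Kerberos.
    # Join with: net rpc join -U Administrator
    security = domain

    # Variant B: Active Directory membership. Clients can authenticate
    # with Kerberos tickets. To switch, replace the "security" line above
    # with the two lines below, then join with: net ads join -U Administrator
    ;security = ads
    # Placeholder realm (assumption); upper case, must match default_realm below
    ;realm = EXAMPLE.COM

    # Variant B only: let winbind read the POSIX attributes stored in AD
    # by the 2003 R2 schema extension
    ;winbind nss info = rfc2307

# ---- File 2: krb5.conf (typical path /etc/krb5.conf, an assumption) ----
# Separate file, needed for Variant B only. Do not paste into smb.conf.
[libdefaults]
    # Must match "realm" in smb.conf
    default_realm = EXAMPLE.COM
    # Locate the domain controllers (KDCs) through DNS SRV records
    dns_lookup_kdc = true
```

Kerberos is sensitive to clock skew, so a Variant B server should keep its time synchronized with the domain controllers.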
