[Samba] password authentification

BeefStu BeefStu beefstu350 at hotmail.com
Mon Jun 8 18:33:10 GMT 2009

Since I am totally lost can somebody please walk me through this? My goal is to use AD to do password authentication and NOT need a password file within SAMBA. The reason is we have a policy that our domain password expires every 60 days and I don't want to keep 2 password files in sync.


I am currently running samba on an AIX 5.3 machine.

# uname -a
AIX diamond 3 5 000C86CF4C00


This is what I think I need in my smb.conf file in order to use AD for password validation.

Is this okay? Am I missing some settings?


        workgroup = hshhp
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
        max xmit = 65535
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        ldap ssl = no
        oplocks = no

Assume that this is all I have set up so far, what next? In the email below, it mentions winbind? Can I download that for AIX 5.3, does this come with the OS (if so, do I have to install it from a particular module)? I only care about AIX since that is where my SAMBA is running.


Next, in the article below I see all this talk about Kerberos, do I need that? I was under the impression that samba had Kerberos compiled into its executable. Am I mistaken?


Basically, what I am looking for is step by step instructions or detailed documentation on how to get this to work on AIX.

Thanks to all who answer.




Date: Mon, 8 Jun 2009 12:17:29 -0500
From: dale at BriannasSaladDressing.com
To: beefstu350 at hotmail.com
CC: samba at lists.samba.org
Subject: Re: [Samba] password authentification

You will need winbind.  Easy to understand 2-part howto for linux/AD following:

Choose the idmap backend that works for you.  I'm partial to RID.

And SWAT is a good way to fine-tune your setup.  There are links to each parameter and what each of them does (if Samba docs are installed).

Good luck,

BeefStu BeefStu wrote: 


Thanks, but I have a few more questions. I took a working example of a smb.conf from another machine and placed this into my smb.conf (see below in red). This is the only thing I did on the UNIX end.


To use AD for password verification, I will follow your directions below, but is there anything else I need to do on the UNIX end?


What I am trying to say is, how will samba get the password now if there is no password file? I know it will get it from AD, but can you take me through step by step as to what happens?


Let's assume I want to map a drive. By doing a join does samba actually go into AD with my login (it must be cached somehow, right) and look up my password?


Current working version

        workgroup = hshhp
        server string = Samba
        smb passwd file = /var/samba/private/smbpasswd
        log file = /usr/local/samba/var/log.%m
        mangle case = Yes


New version

        workgroup = hshhp
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
        max xmit = 65535
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        ldap ssl = no
        oplocks = No

For example, I see things like this (see below). Do I need all this?


The smbpasswd File

For security reasons we will place the smbpasswd file in a private directory using the following commands:

        cd /etc/samba
        mkdir private
        cd private
        touch smbpasswd
        chmod 600 smbpasswd
        cd ..
        chmod 500 private

Now we will add a dummy entry to the smbpasswd file. To do this, first create a user account for yourself on the Linux server [unless one already exists], then execute the following commands:

        cd /etc/samba/private
        cat /etc/passwd | mksmbpasswd.sh > smbpasswd

Setting up winbind?


From: samba at nedharvey.com
To: beefstu350 at hotmail.com; samba at lists.samba.org
Date: Sat, 6 Jun 2009 07:03:54 -0400
Subject: RE: [Samba] password authentification

I am trying to set up samba so that it uses the password from my AD instead of having a password file in SAMBA.

Can somebody tell me what I have to do on the windows 2003 side to make this work? I am guessing I have to set up a samba acct in AD but not too sure. Can somebody please verify and maybe send me a screen print.

There are a million and one ways to do what you're trying to do.  The simplest way that I know of - you don't need to do anything on the Windows side.  You join the domain with the samba server, and that will create a computer account in AD for you, just as if you were joining AD with some windows laptop.  Here's how I do that on my systems:

I don't mess with the smb.conf file.  I admin the whole thing via SWAT, as follows:

1.  Enable SWAT.  Browse to http://localhost:901  (note: by default in the xinetd.d config, this interface is only enabled for localhost; by default you can’t browse to this web interface across the network; you must use localhost or change the xinetd.d config)
2.  Go to Wizard.
        a.  Server type:  Domain member
        b.  Commit
3.  Edit Parameter Values
        a.  Workgroup:  MYDOMAIN
        b.  Realm:      MYDOMAIN.COM     (all caps)
        c.  Commit changes
4.  Go to the command prompt.

        net join -w MYDOMAIN -U administrator

    (It’s normal to get an error, as long as it says “joined” in the end and the computer account was created in AD)
5.  Restart samba
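
A small check of the settings discussed in this thread, as an added example that is not part of any poster's message and not a Samba tool: it parses an smb.conf fragment and reports which of the thread's points (domain-member security mode, workgroup, leftover smb passwd file, idmap settings for winbind) are still open. The function names and the checklist are hypothetical; the sample is the "New version" fragment from above with a `[global]` header added.

```python
import re

# Constructed sample: the "New version" settings posted in the thread.
NEW_VERSION = """\
[global]
        workgroup = hshhp
        security = DOMAIN
        auth methods = ntdomain
        password server = ttndc3
        max xmit = 65535
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        ldap ssl = no
        oplocks = No
"""

def parse_global(text):
    """Return {parameter: value} for [global]; a fragment without a header counts as [global]."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comments start with # or ;
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def review_domain_member(text):
    """Hypothetical checklist built only from the advice given in this thread."""
    p = parse_global(text)
    findings = []
    if p.get("security", "").lower() not in ("domain", "ads"):
        findings.append("security is not DOMAIN or ADS: not configured as a domain member")
    if "workgroup" not in p:
        findings.append("workgroup missing: needed for the domain join")
    if "smbpasswdfile" in p:
        findings.append("smb passwd file set: the goal here is to stop maintaining this file")
    if not any(k.startswith("idmap") for k in p):
        findings.append("no idmap settings: winbind needs them to map domain users to Unix ids")
    return findings

if __name__ == "__main__":
    for finding in review_domain_member(NEW_VERSION):
        print("-", finding)
```

Samba's own `testparm -s` checks syntax and prints the effective configuration; this sketch only covers the points raised in the thread.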