[Samba] how to join to AD ?

Jason Gerfen jason.gerfen at scl.utah.edu
Wed Nov 25 07:48:10 MST 2009

mistofeles wrote:
> We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain. 
> There is no X nor web browser in the server.
> I have rights to join machines to the domain, but I'm not an Administrator
> There are about 10 users in this server, who want to authenticate with domain
> passwords when they mount their home directories to WindowsXP workstations.
> The ssh passwords should be local and separated from domain passwords.
> The server should not try to play any master roles.
> Just deliver directories to windows.

The ADS server type will allow domain authentication for Samba directories.
> We have tried this for about a month and gone through many books, web pages
> and forums. 
You will need Samba, which provides winbindd, sasl, openldap and kerberos.

Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
options if you are building from source.

I would configure it with the following options for optimum scalability:
kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.

In gentoo linux the following will give you everything you need:

%> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads async automount doc examples fam quotas selinux swat syslog" \
        emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl ntp samba -va

> After reading Samba documentation we don't even understand what programs we
> need. In some documents we are told to use PAM, LDAP, krb or winbind. In
> some documents you are advised NOT to use this if you are using that.  It is
> a total chaos.
> Is there any example of a working case like this ?
> Is there any script which takes care of the configuration ?
Here are a few configuration file examples to get you going:

# /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        # the realm name here must match default_realm above
        DOMAIN.COM = {
                kdc = 192.168.xxx.xxx
        }

[domain_realm]
        .domain.com = DOMAIN.COM

[logging]
        default = FILE:/var/log/krb5.log

[appdefaults]
        pam = {
                ticket_lifetime = 365d
                renew_lifetime = 365d
                forwardable = true
                proxiable = false
                retain_after_close = true
                minimum_uid = 0
        }


# /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Change anything with DOMAIN.COM to match your own domain.

# /etc/samba/smb.conf
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = servername.domain.com
        netbios name = servername

        password server = *
        encrypt passwords = true
        security = ads

        lanman auth = no
        ntlm auth = no

        os level = 20

        allow trusted domains = yes
        auth methods = winbind

        interfaces = eth0, lo
        bind interfaces only = yes
        socket options = TCP_NODELAY

        # add more subnets if needed (smb.conf comments must be on their own line)
        hosts allow = 192.168.xxx.xxx/24
        hosts deny =

        log level = 40
        log file = /var/log/samba/log.%m
        max log size = 50

        client signing = yes
        client schannel = no
        client use spnego = yes
        client lanman auth = no
        client NTLMv2 auth = yes
        client plaintext auth = no

        preferred master = no
        local master = no
        domain master = no
        wins proxy = no
        dns proxy = No

        obey pam restrictions = yes

        template shell = /bin/bash
        nt acl support = yes
        inherit permissions = yes
        create mask = 0022
        template homedir = /home/Authenticated Users/%U

        winbind uid = 1000-2000000
        winbind gid = 500-2000000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = yes
        winbind offline logon = true
        winbind nss info = rfc2307

        idmap uid = 1000-2000000
        idmap gid = 500-2000000
        idmap domains = DOMAIN
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:default = yes
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 1000 - 300000000

# the share names below are placeholders; use your own
[share1]
        comment = Class software
        browsable = yes
        writeable = no
        create mask = 0022
        force create mode = 0022
        directory mask = 0022
        force directory mode = 0022
        inherit permissions = yes
        path = /path/to/share

[share2]
        comment = Staff folders
        browsable = yes
        writeable = yes
        create mask = 0022
        force create mode = 0022
        directory mask = 0022
        force directory mode = 0022
        inherit permissions = yes
        valid users = @DOMAIN+Groupname
        path = /path/to/another/share

# PAM stack: auth, account, password and session lines (the post does not name the file)
auth       required     pam_mount.so
auth       required     pam_env.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so

password   optional     pam_krb5.so
password   required     pam_mount.so use_authtok
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so

session    required     pam_mkhomedir.so umask=0022 skel=/etc/skel/
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_mount.so use_authtok
session    optional     pam_krb5.so

I hope that helps. Also, if you look at the PAM configuration above you 
will see some of the best PAM modules to install with the Ubuntu package manager.
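As an added example, not code from the post or from the Samba project, the following Python lint parses an smb.conf like the one above and checks the [global] settings the reply depends on for an AD member (security = ads, lanman auth and ntlm auth off, client plaintext auth off, client NTLMv2 auth and client signing on); it also flags a trailing comment on hosts allow, which smb.conf reads as part of the host list, and a debug-level log level. The embedded sample configuration is constructed for the demonstration.

```python
import re
# Constructed sample mirroring the [global] settings in the post (not a real site config)
SAMPLE_SMB_CONF = """\
[global]
        security = ads
        lanman auth = no
        ntlm auth = no
        client plaintext auth = no
        client NTLMv2 auth = yes
        client signing = yes
        hosts allow = 192.168.1.0/24 #add more subnets if needed
        log level = 40
"""
BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}
# What the post relies on for an AD member: Kerberos/NTLMv2 only, no LAN Manager or plaintext
EXPECTED = {"security": "ads", "lanman auth": False, "ntlm auth": False,
            "client plaintext auth": False, "client ntlmv2 auth": True, "client signing": True}

def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, # or ; comment lines."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # keys are case-insensitive and internal whitespace is not significant
            conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def lint_global(conf):
    """Return findings for [global]; an empty list means every EXPECTED setting is correct."""
    g, findings = conf.get("global", {}), []
    for key, want in EXPECTED.items():
        got = g.get(key)
        norm = None if got is None else BOOL.get(got.lower(), got.lower())
        if norm != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    # smb.conf honours # and ; only at the start of a line, so a trailing comment becomes a host entry
    if any(c in g.get("hosts allow", "") for c in "#;"):
        findings.append("hosts allow: trailing comment is parsed as part of the host list")
    level = g.get("log level", "0").split()[0]
    if level.isdigit() and int(level) > 10:
        findings.append(f"log level {level}: debug tracing, not a production setting")
    return findings
```

Run `lint_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real file to get the list of findings; an empty list means the checked settings are in place.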

