[Samba] how to join to AD ?

Kevin Keane subscription at kkeane.com
Thu Nov 26 00:57:39 MST 2009

> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of mistofeles
> Sent: Wednesday, November 25, 2009 1:52 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] how to join to AD ?
>
> Jason Gerfen-2 wrote:
> >
> > ADS server type will allow domain authentication for samba directories
> > You will need Samba which provides winbindd, sasl, openldap, kerberos.
> > Samba should be configured with ads, acl, ldap, kerberos, pam, winbind
> > options if you are building from source.
> > I would configure it with the following options for optimum scalability:
> > kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind,
> > ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.
> >
> - Huh. In the beginning I thought all that is needed is packed to samba
> packet, which is installed with 'apt-get install samba'. Your list contains
> an unbelievably long list of packets and options I have seen no mention
> anywhere. Now it seems that I got to rip the packet open and check it
> thoroughly ?!?

Probably not. Samba should already be compiled correctly on most distributions. It's actually not all that bad. The remaining packages are simply packages that Samba uses. I don't know about your distribution, but OpenSuSE (and most other distributions) will automatically pull in all the required packages as dependencies.

Winbindd is part of Samba itself (but often split into a separate package). Kerberos and sasl are required because Active Directory uses Kerberos for authentication. Rather than reimplement it, Samba uses the Kerberos and sasl libraries others already wrote. Similarly, openldap is what everybody in the Linux world uses to access LDAP servers - Active Directory is an LDAP server.

The remaining items Jason mentioned are configurations for recompiling Samba.

> The only thing I'm sure, I will not include, is this damned IPv6.

You might want to rethink this. Expect in about two years a cutover on the Internet, similar to the recent conversion of broadcast TV to HDTV. We are getting very close to the point where Internet providers won't give you IPv4 addresses any more but IPv6 addresses.

Right now, IPv4 is still the better choice (because Windows XP and Samba both only have limited IPv6 support). Of course you can still run IPv4 on your private network, but at some point it will be as quaint as trying to run IPX today.

Windows already uses IPv6 as the primary protocol; Microsoft actually implements most new features as IPv6-only.

> It seems odd in my eyes, that you can set samba make the tasks we ask it
> just editing the smb.conf file, if we set 'security = user', but checking
> the passwords from an external server needs editing and installing so many
> files.
> I'm not very enthusiastic to compile anything.

In my experience (OpenSUSE) no compiling necessary, but you do have to tell Kerberos where to look for authentication. I also had to configure PAM, but I think that was for something different, not Samba.
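An added example, not part of the original message or of Samba's own code: a small Python check that the two files this thread mentions, smb.conf and krb5.conf, agree on the Kerberos realm before a join is attempted. The realm EXAMPLE.COM, the host dc1.example.com and the function names are placeholders, and the check assumes MIT krb5, where dns_lookup_kdc defaults to true.

```python
# Constructed sample files; EXAMPLE.COM and dc1.example.com are placeholders.
SMB_CONF = """
[global]
   security = ads
   realm = EXAMPLE.COM
"""
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
def parse_sections(text):
    """Collect (key, value) pairs under each [section] header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif "=" in line and current is not None:
            current.append(tuple(p.strip() for p in line.split("=", 1)))
    return sections

def check_ads_config(smb_text, krb5_text):
    """List inconsistencies between smb.conf and krb5.conf for an AD member."""
    smb = {k.lower(): v for k, v in parse_sections(smb_text).get("global", [])}
    krb = parse_sections(krb5_text)
    lib = dict(krb.get("libdefaults", []))
    problems = []
    if smb.get("security", "").lower() != "ads":
        problems.append("smb.conf: security is not 'ads'")
    realm = smb.get("realm", "").upper()
    if not realm:
        problems.append("smb.conf: realm is not set")
    elif lib.get("default_realm") != realm:
        problems.append("krb5.conf: default_realm does not match smb.conf realm")
    # "kdc = host" lines belong to the "REALM = {" line that opened their block.
    owner, has_kdc = None, False
    for key, value in krb.get("realms", []):
        owner = key if value == "{" else owner
        has_kdc = has_kdc or (key == "kdc" and owner == realm)
    # With no kdc listed, Kerberos has to find the domain controllers via DNS.
    dns_off = lib.get("dns_lookup_kdc", "true").lower() in ("false", "no", "off", "0")
    if realm and not has_kdc and dns_off:
        problems.append("krb5.conf: no kdc for realm and dns_lookup_kdc is false")
    return problems
```

Calling `check_ads_config(SMB_CONF, KRB5_CONF)` on the sample files returns an empty list; each string in a non-empty result names the file and the setting to fix.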
