[Samba] Samba3 joining W2k3 as member server

Pieter De Wit pieter at insync.za.net
Fri Dec 21 15:36:45 MST 2012

On 18/12/2012 10:47, Andrew Bartlett wrote:
> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>> Hi list,
>> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to join a Windows 2003 domain as a member server, without any luck. I have used, from memory, the official way of doing this (aka, from the samba.org website). No matter what settings I use in smb.conf, the server always joins as a domain controller. This doesn't seem to break the domain however. All I am after is that my users do not need to enter a username/password for access from a domain PC to shares on my Linux box.
>> Any pointers please or is this intended as the server does single sign?
> If you can list exactly the steps you took, we might be able to help.
> But to answer your question:  Yes, Samba will happily join Windows 2003
> as a domain member.  The key command is 'net ads join'.
> Andrew Bartlett
Hi Andrew,

Sorry for the delay in my reply, things have been hectic closing down for 
the holidays. In a nutshell, here is what I do/did:

1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per:

[global]
    workgroup = WORK
    realm = WORK.LOCAL
    preferred master = no
    server string = Linux Test Machine
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = cups
    printing = cups
#   winbind enum users = Yes
#   winbind enum groups = Yes
#   winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 2000-20000
    idmap gid = 2000-20000
    template shell = /bin/bash
    veto files = lost+found

3) Configure krb5.conf:

[libdefaults]
    default_realm = WORK.LOCAL

4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
6) Join the domain: net ads join -U <my_admin_account>
7) kinit <my_admin_account>

From then on, users can connect to the shares on the server using Single 
Sign On. The "issue" is that if I look under my Active Directory, the 
server will state that it is a "Domain Controller". Running the usual DC 
Info tools they seem to think the domain is ok. I would prefer to have 
the server say Member server, rather than DC :)

I would like to send you a screenshot of what "Active Directory Users 
and Computers" shows but this will be hard to do remotely.



P.S. Good work on the AD integration btw, I am using the above for Squid 
as well and it's pretty neat ! :)
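Whether AD records a joined host as a member or as a domain controller lives in the computer object's trust-account flags: userAccountControl carries UF_WORKSTATION_TRUST_ACCOUNT (0x1000) for a member and UF_SERVER_TRUST_ACCOUNT (0x2000) for a DC, and primaryGroupID is 515 (Domain Computers) for a member versus 516 (Domain Controllers) for a DC. The script below is an added example, not from the poster or from the Samba project, that decodes those two attributes so you can confirm what `net ads join` actually created. The `query_computer` helper assumes OpenLDAP's `ldapsearch` with a ticket from `kinit` and is not run here; the LDIF record is a constructed sample, and the host name LINUXBOX and base DN are placeholders.

```shell
#!/bin/sh
# Added example: decode an AD computer account's trust-account type from
# userAccountControl and primaryGroupID, to check how a Samba host joined.
# Flag values are the standard ones from Microsoft's userAccountControl docs.
UF_INTERDOMAIN_TRUST_ACCOUNT=2048     # 0x0800
UF_WORKSTATION_TRUST_ACCOUNT=4096     # 0x1000
UF_SERVER_TRUST_ACCOUNT=8192          # 0x2000

# Classify a numeric userAccountControl value by its trust-account bit.
uac_account_type() {
    uac="$1"
    if [ $(( $uac & $UF_SERVER_TRUST_ACCOUNT )) -ne 0 ]; then
        echo "domain-controller"
    elif [ $(( $uac & $UF_WORKSTATION_TRUST_ACCOUNT )) -ne 0 ]; then
        echo "member"
    elif [ $(( $uac & $UF_INTERDOMAIN_TRUST_ACCOUNT )) -ne 0 ]; then
        echo "trust"
    else
        echo "not-a-trust-account"
    fi
}

# Map primaryGroupID (a RID) to the well-known group a computer object sits in.
primary_group_name() {
    case "$1" in
        515) echo "Domain Computers" ;;
        516) echo "Domain Controllers" ;;
        *)   echo "RID $1" ;;
    esac
}

# Pull the first value of one attribute out of LDIF read on stdin.
ldif_attr() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Summarise a computer object's LDIF (stdin) as "<type>/<primary group>".
classify_computer_ldif() {
    ldif=$(cat)
    uac=$(printf '%s\n' "$ldif" | ldif_attr userAccountControl)
    pgid=$(printf '%s\n' "$ldif" | ldif_attr primaryGroupID)
    printf '%s/%s\n' "$(uac_account_type "$uac")" "$(primary_group_name "$pgid")"
}

# Live query (assumption: OpenLDAP ldapsearch, GSSAPI with the kinit ticket).
# $1 = DC host, $2 = base DN, $3 = NetBIOS name of the Samba host (account is NAME$).
query_computer() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "$2" \
        "(&(objectClass=computer)(sAMAccountName=$3\$))" \
        userAccountControl primaryGroupID
}

# Constructed sample record standing in for ldapsearch output of a member join.
SAMPLE_LDIF='dn: CN=LINUXBOX,CN=Computers,DC=work,DC=local
userAccountControl: 4096
primaryGroupID: 515'

printf '%s\n' "$SAMPLE_LDIF" | classify_computer_ldif
# prints: member/Domain Computers
```

Against a live domain, `query_computer dc1.work.local 'DC=work,DC=local' LINUXBOX | classify_computer_ldif` gives the same one-line summary; a result of `member/Domain Computers` means the account is a plain workstation trust account regardless of what a management console labels it, while `domain-controller/Domain Controllers` would indicate the object really was created with DC flags.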
