[Samba] Samba3 joining W2k3 as member server

Pieter De Wit pieter at insync.za.net
Thu Dec 27 14:34:14 MST 2012


On 23/12/2012 03:31, Carlos R. Pena Evertsz wrote:
> Hi Pieter,
>
> I need to do the same, join a Ubuntu 12.04 samba server to an existing 
> Win2k3.
>
> Could you post an example of the shares configuration (users and group 
> read and write permissions) to be used in your example of a samba 
> server as a domain member?
>
> Thanks.
>
> Carlos Pena
> Santo Domingo, Dominican Republic
>
>
>
> On 12/21/2012 5:36 PM, Pieter De Wit wrote:
>> On 18/12/2012 10:47, Andrew Bartlett wrote:
>>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>>>> Hi list,
>>>>
>>>> I have tried with all my might to get a samba3 server (Ubuntu 
>>>> 12.04.1 LTS) to join a Windows 2003 domain as a member server, 
>>>> without any luck. I have used, from memory, the official way of 
>>>> doing this (aka, from the samba.org website). No matter what 
>>>> settings I use in smb.conf, the server always joins as a domain 
>>>> controller. This doesn't seem to break the domain however. All I 
>>>> am after is that my users do not need to enter a username/password 
>>>> for access from a domain PC to shares on my Linux box.
>>>>
>>>> Any pointers please or is this intended as the server does single 
>>>> sign?
>>> If you can list exactly the steps you took, we might be able to help.
>>>
>>> But to answer your question:  Yes, Samba will happily join Windows 2003
>>> as a domain member.  The key command is 'net ads join'.
>>>
>>> Andrew Bartlett
>>>
>> Hi Andrew,
>>
>> Sorry for the delay in my reply, things have been hectic closing down 
>> for the holidays. In a nutshell, here is what I do/did:
>>
>> 1) apt-get install samba winbindd krb5-user
>> 2) Configure smb.conf as per :
>>
>> [global]
>>
>>    workgroup = WORK
>>    realm = WORK.LOCAL
>>    preferred master = no
>>    server string = Linux Test Machine
>>    security = ADS
>>    encrypt passwords = yes
>>    log level = 3
>>    log file = /var/log/samba/%m
>>    max log size = 50
>>    printcap name = cups
>>    printing = cups
>> #   winbind enum users = Yes
>> #   winbind enum groups = Yes
>> #   winbind use default domain = Yes
>>    winbind nested groups = Yes
>>    winbind separator = +
>>    idmap uid = 2000-20000
>>    idmap gid = 2000-20000
>>    template shell = /bin/bash
>>    veto files = lost+found
>>
>> 3) Configure krb5.conf:
>> [libdefaults]
>>         default_realm = WORK.LOCAL
>>
>> [realms]
>>         WORK.LOCAL = {
>>                 kdc = DC.WORK.LOCAL
>>         }
>> [domain_realm]
>>         .kerberos.server=WORK.LOCAL
>>
>> 4) Restart Samba/Winbind
>> 5) In /etc/nsswitch.conf add winbind to passwd and group
>> 6) Join the domain: net ads join -U <my_admin_account>
>> 7) kinit <my_admin_account>
>>
>> From then, users can connect to the shares on the server using Single 
>> Sign On. The "issue" is that if I look under my Active Directory, the 
>> server will state that it is a "Domain Controller". Running the usual 
>> DC Info tools they seem to think the domain is ok. I would prefer to 
>> have the server say Member server, rather than DC :)
>>
>> I would like to send you a screenshot of what "Active Directory Users 
>> and Computers" shows but this will be hard to do remotely.
>>
>> Thanks,
>>
>> Pieter
>>
>> P.S. Good work on the AD integration btw, I am using the above for 
>> Squid as well and it's pretty neat ! :)
>
Hi Carlos,

My shares are created like normal shares. The only part that changes is 
the reference to Domain users. They are "WORK+<USERNAME>"; using a previous 
naming setup, my user account would be as follows:

WORK+dewitp

So I could have something like:

[dump]
    comment = Data Dump
    read only = no
    browseable = yes
    path = /srv/exports/dump
    valid users = WORK+user1,WORK+user2

I also noted that if you have ext4 (haven't tried the rest) and you 
create user permissions on a folder, it is added as extended attribs - 
WELL DONE SAMBA ! :)

HTH,

Pieter
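A small pre-join check, added here as an example and not part of the thread: it reads the realm from smb.conf and compares it with krb5.conf's default_realm and [realms] entries, catching the kind of mismatch (WORK.LOCAL in one file, a different realm in the other) that makes a `net ads join` fail or behave oddly. The helper names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify the Kerberos realm is consistent
# between smb.conf and krb5.conf before running 'net ads join'.

# Print the value of KEY inside [SECTION] of an ini-style file (smb.conf, krb5.conf).
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && !/^[[:space:]]*#/ && index($0, "=") {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[2])
            if (kv[1] == key) { print kv[2]; exit }
        }' "$1"
}

# List the realm names declared in krb5.conf's [realms] section ("NAME = {").
krb5_realms() {  # usage: krb5_realms KRB5_CONF
    awk '
        /^[[:space:]]*\[/ { insec = ($1 == "[realms]"); next }
        insec && /=[[:space:]]*[{]/ { sub(/[[:space:]]*=.*/, ""); sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}

# Return 0 only if smb.conf's realm equals krb5.conf's default_realm and has a
# [realms] block; print the reason on failure. smb.conf realm is case-insensitive,
# so it is upper-cased before comparing.
check_realms() {  # usage: check_realms SMB_CONF KRB5_CONF
    smb_realm=$(ini_get "$1" global realm | tr '[:lower:]' '[:upper:]')
    krb_default=$(ini_get "$2" libdefaults default_realm)
    [ -n "$smb_realm" ] || { echo "no realm set in $1"; return 1; }
    [ "$smb_realm" = "$krb_default" ] ||
        { echo "mismatch: smb.conf realm=$smb_realm, krb5.conf default_realm=$krb_default"; return 1; }
    found=$(krb5_realms "$2" | tr '\n' ' ')
    krb5_realms "$2" | grep -qx "$smb_realm" ||
        { echo "no [realms] entry for $smb_realm in $2 (found: $found)"; return 1; }
    echo "realm $smb_realm is consistent between $1 and $2"
}

# Constructed sample files modelled on the thread's configuration: one krb5.conf
# with a [realms] entry that does not match, one corrected.
TMP=$(mktemp -d)
printf '[global]\n   workgroup = WORK\n   realm = WORK.LOCAL\n   security = ADS\n' > "$TMP/smb.conf"
printf '[libdefaults]\n default_realm = WORK.LOCAL\n[realms]\n OTHER.LOCAL={\n kdc=DC.WORK.LOCAL\n }\n' > "$TMP/krb5-bad.conf"
printf '[libdefaults]\n default_realm = WORK.LOCAL\n[realms]\n WORK.LOCAL = {\n  kdc = DC.WORK.LOCAL\n }\n' > "$TMP/krb5-good.conf"

if check_realms "$TMP/smb.conf" "$TMP/krb5-bad.conf"; then echo "unexpected pass"; fi
check_realms "$TMP/smb.conf" "$TMP/krb5-good.conf" || echo "unexpected failure"
```

Run it on the real /etc/samba/smb.conf and /etc/krb5.conf before joining; a non-zero exit names the file and value that disagree.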


