[Samba] Join an ADS Domain and provide simple password security

Rowland Penny rowlandpenny at googlemail.com
Sat Oct 11 03:37:51 MDT 2014

On 11/10/14 10:02, Ingo Krabbe wrote:
> Hi,
> I'm used to sharing some files and trees with samba from linux boxes, using simple password security for a few selected accounts, by using `smbpasswd` and `security=user`. Now I sometimes want to enter a domain in my company office network.
> But I could not use `net ads join` as long as I hadn't changed `security=user` to `security=ads`.
> I'm a bit confused now:
> I joined a domain with security=ads and started winbindd with this setting. Now I moved my samba configuration back to `security=user` so I can use my local user accounts.
> Still winbind echoes the domain users and smbtree shows the domain hosts, but the share server now works in another domain, that is local to the system it runs on.
> Is this configuration valid, or will it fail?


> What is the idea of joining a domain anyway?

Centralisation of authentication of users, groups etc. You only need to 
add users etc in one place and they are available everywhere in the domain.

> Can I join an ads domain with the linux host and provide 'security = user' shares on the same machine? If yes, how?

If you join a samba machine to a domain it will look to the domain 
server for authentication, and samba will ignore any local users, so the 
answer to your question is very probably 'No'. There may be some way of 
making it work, but it will involve some contorted way of doing things 
that I am not aware of and will probably not be recommended.

You originally seemed to be running a 'workgroup'. This is a simple way 
of sharing directories etc, and the users need to be both Unix and samba 
users; when you join a domain, all the users are just 'domain' users. 
Once you have joined a domain, you can only go back if you stop samba, 
remove all the samba databases, reset smb.conf and then restart samba; 
you will then need to re-add all your local users to samba.

Why do you need to connect to the domain? If this was known, there may 
be another way round this.


> Regards,
> Ingo Krabbe
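As an added example, not from this thread or from the Samba project: a small Python check that parses an smb.conf and flags the state Ingo describes, a host that still carries its domain realm while serving shares with `security = user`. The sample config, its realm and workgroup names are constructed placeholders.

```python
"""Sanity-check the [global] security setting of an smb.conf against
the domain settings a joined host carries (added example, not Samba code)."""
import configparser
import io

# Constructed sample smb.conf modelled on the thread: joined to a domain
# (realm set), then switched back to security = user for local accounts.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLEDOM
    realm = EXAMPLEDOM.EXAMPLE.COM
    security = user
    winbind use default domain = yes

[shared]
    path = /srv/shared
    read only = no
"""


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {key: value}}.
    smb.conf uses 'key = value' lines and '#'/';' comments, which
    configparser handles; keys are lower-cased, matching Samba's
    case-insensitive parameter names."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_file(io.StringIO(text))
    return {s: dict(parser.items(s)) for s in parser.sections()}


def check_security_mode(conf):
    """Return findings about the [global] security mode.
    'security = user' together with a configured realm is the mixed
    state from the thread: shares authenticate against local smbpasswd
    accounts while the host otherwise looks domain-joined."""
    glob = conf.get("global", {})
    security = glob.get("security", "user").strip().lower()  # Samba default
    realm = glob.get("realm", "").strip()
    findings = []
    if security == "ads" and not realm:
        findings.append("security = ads requires a realm to be set")
    if security == "user" and realm:
        findings.append("security = user but realm is set: shares use local "
                        "accounts while the host looks domain-joined")
    if security == "ads":
        findings.append("domain member: local smbpasswd users are ignored")
    return findings


if __name__ == "__main__":
    for finding in check_security_mode(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```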
