[Samba] AIX 7.1 Samba 3.6.23 Windows 2003 Server AD

Thomas Schulz schulz at adi.com
Mon Feb 16 08:14:52 MST 2015

> My apologies for being too new to this whole process...
> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No 
> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never 
> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12, which 
> didn't go smoothly; customer is upgrading to Windows Server 2012 AD in a 
> couple of months, so upgraded again to Samba 3.6.23 (IBM's version).
> User security works fine as a temporary work-around.
> Server security seems to fail to find the AD server. So it looks like I 
> need to remove the server from the AD, then rejoin. Everything I read, 
> though, says I need Kerberos and LDAP, but we still only want to 
> authenticate the users against the current Windows Server 2003 AD. We 
> don't want single sign-on integration - when a share is mounted (no 
> printers involved), the credentials for the user should be checked 
> against AD, and that's all we want from the AD today.
> Does rejoining the AD sound like the right approach? Or do I really need 
> Kerberos and LDAP? Any additional or alternate suggestions or ideas? 
> This is a fast deep-dive for me, so please excuse my noobieness.

At some point in going from an early Samba to the later 3.* series
I found that I had to rejoin the domain. I did not have to remove the
machine from the domain first; I just joined again.

Also, I found it necessary to specify 'password server = ourserver'
despite the fact that the documentation says that this is not necessary
with 'security = domain'.  I think that this has something to do with
our AD server being a Windows 2000 machine.

I have not done anything with Kerberos or LDAP or anything special.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
