[Samba] AIX 7.1 Samba 3.6.23 Windows 2003 Server AD

Thomas Schulz schulz at adi.com
Mon Feb 16 18:52:12 MST 2015

> On 2/16/2015 10:14 AM, Thomas Schulz wrote:
>>> My apologies for being too new to this whole process...
>>> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No
>>> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never
>>> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12, which
>>> didn't go smoothly; customer is upgrading to Windows Server 2012 AD in a
>>> couple of months, so upgraded again to Samba 3.6.23 (IBM's version).
>>> User security works fine as a temporary work-around.
>>> Server security seems to fail to find the AD server. So it looks like I
>>> need to remove the server from the AD, then rejoin. Everything I read,
>>> though, says I need Kerberos and LDAP, but we still only want to
>>> authenticate the users against the current Windows Server 2003 AD. We
>>> don't want single sign-on integration - when a share is mounted (no
>>> printers involved), the credentials for the user should be checked
>>> against AD, and that's all we want from the AD today.
>>> Does rejoining the AD sound like the right approach? Or do I really need
>>> Kerberos and LDAP? Any additional or alternate suggestions or ideas?
>>> This is a fast deep-dive for me, so please excuse my noobieness.
>> At some point in going from an early Samba to the later 3.* series
>> I found that I had to rejoin the domain. I did not have to remove the
>> machine from the domain first, I just joined again.
>> Also, I found it necessary to specify 'password server = ourserver'
>> despite the fact that the documentation says that this is not necessary
>> with 'security = domain'.  I think that this has something to do with
>> our AD server being a Windows 2000 machine.
>> I have not done anything with kerberos or LDAP or any thing special.
>> Tom Schulz
>> Applied Dynamics Intl.
>> schulz at adi.com
> Thank you for this reply, Tom.
> Did you join the samba server to the domain via:
> smbpasswd [ - j MYDOMAIN] [ - r PDC ] [-U user-name]
> Most of the guides I've perused have failed to mention how to join the 
> AIX/Samba server to the domain.
> I got that from:
> http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html
> It later speaks of using winbind, which I don't think I need. All I want 
> is to forward the user authentication to the AD server - no other 
> functionality is desired.
> I anticipate that my smb.conf [global] section will look like:
>      [global]
>          workgroup=domain.name
>          encrypt passwords = yes
>          security = server
>          password server = ADServer.domain.name    (or it's IP address)
> This is essentially how it was working in Samba 2.2.7, without winbind, 
> kerberos, or LDAP (that I can tell).

I use the net command as in
net join member -W workgroup -S servername -U administrator. That is from
memory, the exact command I used is on a post-it note in my office, and I
am not there right now. I believe that you will be prompted for any missing

I have security = domain, but I think that I had security = server when
I was running the 3.* versions. I believe that the two act much the same.
Samba 4.1.* dropped security=server as an option, so security=domain was
the obvious thing to switch to.

I do not use winbind.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com
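The [global] section sketched in the quoted reply still uses `security = server`, which Tom notes Samba 4.1 dropped. As an added example (not from this thread or from the Samba project), the script below pulls the relevant keys out of an smb.conf and flags that setting, a missing `password server`, and a DNS-style workgroup name; the sample config is constructed from the thread's sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit an smb.conf [global] section for the
# pass-through "security = server" mode that Samba 4.1 removed, and check the
# settings a member server needs. Assumptions: ini-style "key = value" lines;
# the sample values (domain.name, ADServer) come from the thread's sketch.

# smb_global_value FILE KEY -> prints KEY's value from the [global] section
smb_global_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global {
            line = $0
            sub(/[;#].*$/, "", line)            # strip trailing comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }' "$1"
}

# audit_smb_conf FILE -> exit status 0 if the member-server settings look sane
audit_smb_conf() {
    rc=0
    sec=$(smb_global_value "$1" security | tr 'A-Z' 'a-z')
    pw=$(smb_global_value "$1" "password server")
    wg=$(smb_global_value "$1" workgroup)
    case "$sec" in
        domain) ;;
        server) echo "security = server: pass-through mode removed in Samba 4.1, use security = domain"; rc=1 ;;
        *)      echo "security = '$sec': a domain member should use security = domain"; rc=1 ;;
    esac
    [ -n "$pw" ] || { echo "password server is unset (the thread needed it even with security = domain)"; rc=1; }
    case "$wg" in
        *.*) echo "workgroup '$wg' looks like a DNS name; use the NetBIOS domain name"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the [global] section sketched in the thread
BEFORE=$(mktemp)
cat > "$BEFORE" <<'EOF'
[global]
    workgroup=domain.name
    encrypt passwords = yes
    security = server
    password server = ADServer.domain.name
EOF
audit_smb_conf "$BEFORE" || echo "fix smb.conf before rejoining the domain"
```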
