[Samba] AIX 7.1 Samba 3.6.23 Windows 2003 Server AD

[Bob Wyatt]

On 2/16/2015 8:52 PM, Thomas Schulz wrote:
>> On 2/16/2015 10:14 AM, Thomas Schulz wrote:
>>>> My apologies for being too new to this whole process...
>>>>
>>>> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No
>>>> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never
>>>> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12, which
>>>> didn't go smoothly; customer is upgrading to Windows Server 2012 AD in a
>>>> couple of months, so upgraded again to Samba 3.6.23 (IBM's version).
>>>>
>>>> User security works fine as a temporary work-around.
>>>>
>>>> Server security seems to fail to find the AD server. So it looks like I
>>>> need to remove the server from the AD, then rejoin. Everything I read,
>>>> though, says I need Kerberos and LDAP, but we still only want to
>>>> authenticate the users against the current Windows Server 2003 AD. We
>>>> don't want single sign-on integration - when a share is mounted (no
>>>> printers involved), the credentials for the user should be checked
>>>> against AD, and that's all we want from the AD today.
>>>>
>>>> Does rejoining the AD sound like the right approach? Or do I really need
>>>> Kerberos and LDAP? Any additional or alternate suggestions or ideas?
>>>> This is a fast deep-dive for me, so please excuse my noobieness.
>>> At some point in going from an early Samba to the later 3.* series
>>> I found that I had to rejoin the domain. I did not have to remove the
>>> machine from the domain first, I just joined again.
>>>
>>> Also, I found it necessary to specify 'password server = ourserver'
>>> dispite the fact that the documentation says that this is not necessary
>>> with 'security = domain'.  I think that this has something to do with
>>> our AD server being a Windows 2000 machine.
>>>
>>> I have not done anything with kerberos or LDAP or any thing special.
>>>
>>> Tom Schulz
>>> Applied Dynamics Intl.
>>> schulz at adi.com
>>>
>> Thank you for this reply, Tom.
>>
>> Did you join the samba server to the domain via:
>>
>> smbpasswd [ - j MYDOMAIN] [ - r PDC ] [-U user-name]
>>
>> Most of the guides I've perused have failed to mention how to join the
>> AIX/Samba server to the domain.
>> I got that from:
>>
>> http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html
>>
>> It later speaks of using winbind, which I don't think I need. All I want
>> is to forward the user authentication to the AD server - no other
>> functionality is desired.
>>
>> I anticipate that my smb.conf [global] section will look like:
>>
>>       [global]
>>           workgroup=domain.name
>>           encrypt passwords = yes
>>           security = server
>>           password server = ADServer.domain.name    (or it's IP address)
>>
>> This is essentially how it was working in Samba 2.2.7, without winbind,
>> kerberos, or LDAP (that I can tell).
> I use the net command as in
> net join member -W workgroup -S servername -U administrator. That is from
> memory, the exact command I used is on a post-it note in my office, and I
> am not there right now. I believe that you will be prompted for any missing
> information.
>
> I have security = domain, but I think that I had security = server when
> I was running the 3.* versions. I believe that the two act much the same.
> Samba 4.1.* dropped security=server as an option, so security=domain was
> the obvious thing to switch to.
>
> I do not use winbind.
>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
>
Tom,

Thanks for the guidance!

What did work for me was server = domain in the config file...
net rpc join -Uadministrator -SADserver -Wworkgroup

There also was an issue in the AD that prevented the join; I don;t know 
what that was, but the admin was able to resolve it.

Thanks again!

Bob