[Samba] Joining a domain

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 12 03:25:12 MDT 2015

On 11/03/15 23:57, Chris Stankevitz wrote:
> Marc,
> Thank you for taking the time to give me some complete answers.  When
> writing to lists like these I often struggle with how much or little
> detail to give.... and I am eager to add more detail where you have
> explicitly asked.
> On Tue, Mar 10, 2015 at 2:13 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
>>> 1. Must "net join" be used?
>> If you want to join the domain, yes.
> I'm sorry for being so daft, but I am asking you if I need/want to
> join the domain.  I do not know the answer.  Reminder of my scenario:
> samba is sharing files and users provide their Active Directory
> usernames and passwords to log into to samba.  I will call this
> "Scenario A".

If you want to use usernames & passwords then you can do this at least 
two ways:
A) create all the required users on the computer and run it as a 
standalone server
B) join the computer to the domain and use the DC's for authentication

Either way, files etc can be owned by whoever creates them, but there is 
yet another way in which the files are available by anybody who connects 
to the server. This would entail setting up the computer with samba, 
using 'security = user' and 'map to guest = Bad User', if set up this 
way, anybody that the computer doesn't know would be mapped to guest and 
allowed access.

>>> 2. Under what circumstances will samba (and family) require an
>>> explicit "net join"?
>> See 1.
>> What do you mean with "and family"?
> By "and family" I was conceding that I do not know what software it is
> that is requires domain join.  Maybe it's samba or windbindd or
> something else.  I can see already your response "no software requires
> that you join a domain -- that is a personal decision up to a human
> and not up to a computer." Which brings us back to my original
> question number 1 above.

You do not need to use samba if all your other clients are Unix based, 
you could use NFS, but if you have windows clients then you have to use 
something like samba (there are others available). Winbindd is part of 
samba, but it doesn't have to be used, you could use sssd or nlscd 
instead, but as this is a samba mailing list we will stick to 
recommending winbindd.

>>> 3a. Is a file added to the hard drive?
>> It's written into secrets.tdb for domain members. For DCs more happen in
>> the background, when joining the domain.
> Thank you this is the secret sauce I was not able to devine from
> reading Oreilly Chapter 10.  Is there a tool I can use to query the
> secrets.tdb file to see what is the current "state" respect to domain
> membership?  Perhaps it is "wbinfo -t".
> I ask this question because I often find myself sitting at a Samba
> server that is failing to do "Scenario A" and I wonder "Well, has this
> computer been joined to the domain?"  (Not that I even know whether or
> not the question is important).

Well you could use 'wbinfo -t', but I use the 'net' command, more 
specifically 'net ads testjoin' run by root, if the machine is joined to 
the domain, it prints the reassuring message 'Join is OK'.

>>> Chapter 10 of the Oreilly 3rd edition book describes domain
>>> membership, but it leaves me wanting to understand more.  For example,
>>> "net join" has never worked well (generally spews some kind of
>>> complaint) but things still work.
>> Never had problems to join a Samba host yet. Examples?
> I wish I had a setup that was not working right now to dissect (and
> learn from) but I do not.  However, in the past I have had:
> net join -U XXXXX\\cstankevitz
> The command returned what appears to be an error:
> kerberos_kinit_password XXXXX\cstankevitz at XXXXX.CORP failed: Client
> not found in Kerberos database
> Failed to join domain: failed to connect to AD: Client not found in
> Kerberos database
> ADS join did not work, falling back to RPC...
> Unable to find a suitable server for domain XXXXX
> Unable to find a suitable server for domain XXXXX
> Thank you again,
> Chris

That could just be because the command is 'net ads join -U 
Administrator' or it could be more involved, but without seeing the 
smb.conf you used, I cannot tell.


More information about the samba mailing list