[Samba] Joining a domain

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 12 10:59:31 MDT 2015


On 12/03/15 16:39, Chris Stankevitz wrote:
> On Thu, Mar 12, 2015 at 2:25 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>>> I'm sorry for being so daft, but I am asking you if I need/want to
>>> join the domain.  I do not know the answer.  Reminder of my scenario:
>>> samba is sharing files and users provide their Active Directory
>>> usernames and passwords to log into samba.  I will call this
>>> "Scenario A".
>>>
>> If you want to use usernames & passwords then you can do this at least two
>> ways:
>> A) create all the required users on the computer and run it as a standalone
>> server
>> B) join the computer to the domain and use the DCs for authentication
> Thank you for educating me.
>
> I have my samba setup working as you have described, but I will ask a
> question for "academic" purposes -- just so I can better understand
> what is happening.  Please feel free to refer me to a
> book/site/article/source_code that spells out what is happening.
>
> Couldn't samba act as a "proxy", not join the windows domain, but
> still authenticate via AD?

No, to authenticate via AD, it has to be an AD member.

>
> 1. samba shares files without joining AD.
>
> 2. A user "logs in" to samba by presenting an AD username/password

This user would then be an unknown user and 'map to guest = Bad User' 
would then be needed to allow the unknown user to connect.

>
> 3. samba, not being joined to the domain still finds a "domain
> controller" and submits the credentials.

If the computer is not joined to the domain, it may be able to find a 
DC, but it would not be able to connect to it for authentication.

> 4. the "domain controller" responds PASS or FAIL

It would respond 'FAIL'

> 5. samba allows access as appropriate, perhaps mapping to a valid UID

Samba would not allow access, unless 'security = user' & 'map to guest = 
Bad User' are both set in smb.conf.

> I am trying to understand what is happening, I am not trying to insult
> samba or its code or its way of doing things.

I didn't think you were, I just thought you were asking very basic 
questions.

Rowland

> Thank you,
>
> Chris
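
An added example, not part of the original message and not Samba's own code: a small auditor for the two smb.conf settings named in the reply above ('security' and 'map to guest = Bad User'), reporting whether an unknown user falls back to guest and which shares that guest could then reach. The sample configuration, the share names and the `audit` helper are constructed for illustration; it assumes 'guest ok' is set per share and ignores its synonym 'public'.

```python
import re

# Constructed sample smb.conf for the non-member case discussed in the thread.
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    map to guest = Bad User

[public]
    path = /srv/public
    guest ok = yes

[projects]
    path = /srv/projects
    valid users = alice
"""

def norm(s):
    # smb.conf ignores case and embedded whitespace in parameter names
    return re.sub(r"\s+", "", s).lower()

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections

def audit(text):
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    guest_fallback = norm(g.get("maptoguest", "never")) == "baduser"
    # Only shares that allow guests are reachable by a user mapped to guest.
    guest_shares = sorted(
        name for name, p in conf.items()
        if name != "global" and norm(p.get("guestok", "no")) in ("yes", "true", "1"))
    return {
        "security": norm(g.get("security", "auto")),
        "unknown_user_becomes_guest": guest_fallback,
        "shares_reachable_as_guest": guest_shares if guest_fallback else [],
    }
```

A 'security = ads' result only shows what the file asks for; whether the machine is actually joined to the domain has to be checked separately.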


