Unified steps on how to join Samba to 2003 AD

I have been trying to get Samba to join Windows 2003 as a domain member; however, I am not able to find a single accurate document on how to do it. When searching Google or Yahoo you get a lot of docs, however each has different steps and different required software (pam, winbind, krb5, etc.) and a different way of setting it up.

My question: has anyone come across any single really good step-by-step that works on how to join Samba to 2003 AD?

Believe me, I spent a good amount of time on Google and Yahoo changing configuration according to each doc I read, but it really seems like each doc has its own way of doing it and that there is no set of rules or steps that are unified to do it.

Gentoo-wiki has a really good document which takes you through the configuration of each file. You'll either have to download the source or use YUM? to get the packages. One of the main reasons I use Gentoo is that their documentation can't be beat.

Thanks for the info, but we are using Red Hat.

If you understand the concepts it describes, you can apply it to any distro. I've used it in several offices where they were running various Linux distros. The configurations aren't Gentoo specific. The only difference, as stated, is that you'll be using the Red Hat package manager, which I believe is YUM.

Give it a shot and post back if you encounter issues.

Go to and check out the How to guide. It has all the stuff about how to join an ADS domain.


My samba conf
Thank you all for your replies. I have read the Samba docs and followed them to the letter. As requested, I have supplied my configuration; please let me know if I am missing anything.

[global]
workgroup = CAD
netbios name = itbox
hosts allow = 192.168.1. 192.168.0. 127.
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/bash
security = ADS
password server = vdc2.CAD.TESTDOMAIN
encrypt passwords = yes
log file = /var/log/samba/%m.log
log level = 10
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
directory mask = 0700
create mask = 0700

comment = Doc Samba Server
path = /data
read only = yes
guest only = yes

passwd: files winbind
shadow: files winbind
group: files winbind

default_realm = CAD.TESTDOMAIN

kdc = vdc2.cad.testdomain

.kerberos.server = CAD.TESTDOMAIN

auth required
auth sufficient
auth sufficient use_first_pass
auth required service=system-auth
auth required
account sufficient
account required service=system-auth
password required service=system-auth
session required service=system-auth
session optional

auth required
auth required service=system-auth
account required service=system-auth
session required service=system-auth
password required service=system-auth

[mina@itbox pam.d]$ wbinfo -t
checking the trust secret via RPC calls succeeded

[mina@itbox pam.d]$ wbinfo -m

[mina@itbox pam.d]$ getent passwd admin_mina
admin_mina:*:10001:10002:admin mina:/home/CAD/admin_mina:/bin/bash

[root@itbox pam.d]# /usr/bin/net ads join -Uadministrator
administrator's password:
Using short domain name -- CAD
Joined 'ITBOX' to realm 'CAD.TESTDOMAIN'

wbinfo -u and wbinfo -g all work fine.

ps aux | grep winbind
root 2965 0.0 0.3 10188 2848 ? Ss Jan05 0:00 winbindd
root 2966 0.0 0.4 10676 3292 ? S Jan05 0:00 winbindd

smbclient -L itbox
session setup failed: NT_STATUS_LOGON_FAILURE

When I use an XP client machine to log in, I see the shares, data and home directory. I am able to open data; however, when I click on homedir, the Windows logon screen comes up requesting username and password and always says wrong username and password, please try again.

Any help will be appreciated.

pam login or system_auth
When setting winbind to auth Windows 2003 AD users, do I need to configure pam.d/login or pam.d/system_auth?

It sounds like you are not getting the samba server to authenticate users against the ADS. I don't know how to do that because I ensure that the users have accounts created on the samba server.

As a test you may wish to create an smb account on the samba server by using smbpasswd -a "anexistinguser". Use the same name as the Linux account you are using. Next try the smb command.

If this works it means that locally created users can access the samba shares. Then it may be as you suggest, that the Linux samba server is not using the ADS/Kerberos server for authentication.

