LinuxQuestions.org


psychobyte 10-07-2004 02:56 AM

Samba 3 in MS Active Directory domain
 
Hi,

I have an MS AD domain with mostly Windows clients, but I'm looking to port my web server (and other services) to Linux.

At the moment I have a Windows server running Apache. This makes it extremely easy for my users to 'copy and paste' files into their web directories. I'd like to keep this same ease of use but run on a Linux box. It seems Samba 3 now has Active Directory support. Can anyone tell me the capabilities Samba has in a Native AD environment?

Can I create shares on the Samba server and have users drag-n-drop their files into permission protected directories?

Does Samba3 recognize AD domain users and groups?

Can Samba act like a domain controller?

Also, is it possible to have email services like IMAP/POP(S), SMTP authentication use Samba to authenticate users?

What about synching OpenLDAP users/passwords with those of AD?

Any tips on how to get this working would be appreciated.

Thanks,

mcleodnine 10-07-2004 01:33 PM

For starters, you'll need to make sure that your Samba setup was built with Kerberos and LDAP support. (I'm cheating here, reading from John H. Terpstra's "Samba-3 By Example", a great tutorial and reference on the subject.)

Check for Kerberos support:
Code:

/usr/sbin/smbd -b | grep KRB

... and do a grep for LDAP in the same manner.

Next you need to determine which version of Kerberos you're using. You will need at least MIT Kerberos 1.3.1.

Check these items first, and then drop in and we'll see what the next step is.
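
The checks described in the post above, combined into one pre-flight script. This is an added example, not part of the original post or of Samba; the function names and the sample build output are constructed, and it assumes `krb5-config --version` prints a line of the form "Kerberos 5 release X.Y.Z".

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check before an AD join.

# Constructed sample of `smbd -b` output; real output is much longer.
SAMPLE_BUILD='   HAVE_KRB5_H
   HAVE_LIBKRB5
   HAVE_LDAP_H
   HAVE_LIBLDAP'

# has_feature BUILD_OUTPUT NAME: true if a HAVE_* define mentions NAME.
has_feature() {
    printf '%s\n' "$1" | grep -q "HAVE_.*$2"
}

# krb_version: pull "1.3.1" out of "Kerberos 5 release 1.3.1" on stdin
# (the format `krb5-config --version` is assumed to print).
krb_version() {
    sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: true if dotted version A >= B, compared numerically per
# component so that 1.10 sorts above 1.3.1 (a string compare gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# preflight BUILD_OUTPUT KRB_VERSION: report each check, return 1 on any gap.
preflight() {
    rc=0
    for feat in KRB LDAP; do
        if has_feature "$1" "$feat"; then echo "ok: $feat support compiled in"
        else echo "MISSING: $feat support in smbd"; rc=1; fi
    done
    if version_ge "$2" 1.3.1; then echo "ok: Kerberos $2 >= 1.3.1"
    else echo "TOO OLD: Kerberos $2, need at least 1.3.1"; rc=1; fi
    return $rc
}

# Demo on the constructed sample. On a real host, pass instead:
#   preflight "$(/usr/sbin/smbd -b)" "$(krb5-config --version | krb_version)"
preflight "$SAMPLE_BUILD" "$(echo 'Kerberos 5 release 1.3.1' | krb_version)"
```

A non-zero exit status means the smbd binary or the Kerberos libraries need to be replaced before attempting the domain join.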

psychobyte 10-12-2004 12:23 AM

Well I'm not ready to try to install this yet. I just want to know before I spend some considerable amount of time trying to get it to work the way I want it to that it indeed works.

Namely, to have email services like IMAP/POP(S), SMTP authentication use AD passwords AND be updatable via Windows.
Also would the Samba server recognize domain groups and users on local file permissions?

Thanks,

kberrien 10-16-2004 04:14 PM

Samba in AD Domain
 
I'm in a similar situation, so let me jump in! My query is similar, I'm a bit further however than the original poster... But perhaps it may help. As I research all this, I keep coming across good posts here...

Like the orig. poster, I'm putting together a test Suse 9 server for an intranet server I will be creating. We are mostly a Windows based network, with a Win 2k3 AD domain.

While I've used Linux (prev. Red Hat) and Samba for a long time, I've never jumped into Samba 2 or 3's newer features (I've been living in the v1 feature set). I'm sick of multiple user sets, one set on each box, and matching passwords. My test box now is configured this way, Samba ver 1 features only.

I followed the excellent how-to here (why don't the distrib make it this clear!):

http://www.linuxquestions.org/questi...with+Microsoft

I had success up until the PAM portions. Winbind sees my Windows accounts (my test environment here at home is a Win 2k server), but I can't log into them. In Yast I don't see them (maybe I never will).

I'm not sure of the original poster's final needs, but I would assume he'll have to do similar.

My interests are the following. And before I go towards actually implementing it, I'm a bit unclear how it will work, or if it can be done.

1. I'm not interested necessarily in having my Linux box "log into" the Windows domain. I'm happy with local accounts. To get what I need to work, this may be part of how it is however.

2. I do however want Windows users (groups) to be able to access shares I create on the Linux box. In terms of administrating, I want to be able to assign rights to the shares, and permissions as Windows groups so I'm not playing the multiple matched account games anymore. This is Winbind's purpose as I understand it.

3. I have no need for AD/LDAP data unless it's necessary for the requirements above. The intranet server will not be using AD data, such as printer lists, etc.

My questions at this point are:

Are my requirements feasible at the present state of Samba/AD integration?

Are there any weak points, say password changes being a problem, etc?

Once I have my "links" between Win + Samba working, how do you create shares and apply permissions to Windows groups? (I've found no details on how this works).

