Miscellaneous: Samba: Authenticating with Win2003 AD (last edit: 2006-04-21)
Introduction
Scenario: You have a Windows 2003 server with Active Directory (AD) in your network and
use it to authenticate the users in your network. Now you want to hook Samba up to AD so
that Samba users are authenticated against AD as well.
This article assumes you know how to set up AD and Samba.
Installing software
Install Samba 3 (that's a THREE); this is the only version that supports AD. Make sure
you add AD support (when installing from the ports this is one of the options in the
menu you'll get). You will also need Kerberos, but it should already be on your system, so
you don't need to install it.
Configuring AD
You don't need to change anything on the Win2003 server. If you have
installed/configured extra security options like firewalls etc., you do need to review
these :-)
Configuring Samba
After doing the normal configuration of Samba you need to add/change the below in
the 'global' section (the '#' lines are comments; smb.conf only allows them at the
start of a line):
# authenticate against Active Directory (Kerberos); this needs Samba 3 with ADS support
security = ADS
password server = YOUR.SERVER.HERE
ldap ssl = no
# local uid/gid range that winbind maps AD users and groups into
idmap uid = 10000-20000
idmap gid = 10000-20000
# DOMAIN/user instead of DOMAIN\user, and allow plain 'user' for the default domain
winbind separator = /
winbind use default domain = yes
# Kerberos realm, must be the same (upper-case) name as in krb5.conf
realm = YOUR.REALM.HERE
socket options = TCP_NODELAY
unix charset = LOCALE
You can use AD usernames and/or groups in your shares like this:
[temp]
valid users = @Users, @"Domain Admins"
Configuring 'the rest'
There are two more config files you need to set up/check:
/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
And for Kerberos:
/etc/krb5.conf
[libdefaults]
default_realm = YOUR.REALM.HERE
[realms]
YOUR.REALM.HERE = {
kdc = YOUR.SERVER.HERE
admin_server = YOUR.SERVER.HERE
}
[domain_realm]
.soe.siue.edu = YOUR.REALM.HERE
soe.siue.edu = YOUR.REALM.HERE
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Putting it all together
Okay, everything should be configured now; next you need to run a few things:
# kinit [username]@YOUR.REALM.HERE
# net ads join "MyBusiness/Computers/SBSComputers" -U [username]
Substitute [username] with a user that has permission to add computers to AD; the quoted
argument is the OU in which the machine account is created.
Now start Samba and check all log files! Your server should be visible in AD and you
should be able to authenticate with AD.
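As an added example (not part of the original article), here is a small Python check that parses an smb.conf and a krb5.conf and flags the mismatches that most often make the join or the Kerberos login fail: security not ADS, a realm that is not upper-case or differs between the two files, or no kdc listed for the realm. The host and realm names in the sample files are constructed placeholders.

```python
import re

def parse_ini(text):
    """Tiny section/key parser; krb5.conf 'REALM = { ... }' blocks become keys like 'realm.kdc'."""
    data, section, block = {}, "", None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comment lines
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
        elif line == "}":
            block = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = key.lower()
            else:
                full = f"{block}.{key.lower()}" if block else key.lower()
                data.setdefault(section, {})[full] = val
    return data

def check_ads_config(smb_text, krb5_text):
    """Return the list of mismatches between smb.conf and krb5.conf (empty list = consistent)."""
    smb = parse_ini(smb_text).get("global", {})
    krb = parse_ini(krb5_text)
    problems = []
    if smb.get("security", "").upper() != "ADS":
        problems.append("smb.conf: security must be ADS")
    realm = smb.get("realm", "")
    if not realm or realm != realm.upper():  # Kerberos realm names are case-sensitive
        problems.append(f"smb.conf: realm {realm!r} missing or not upper-case")
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if realm and default_realm != realm:
        problems.append(f"krb5.conf: default_realm {default_realm!r} != smb.conf realm {realm!r}")
    if realm and f"{realm.lower()}.kdc" not in krb.get("realms", {}):
        problems.append(f"krb5.conf: no kdc listed for realm {realm}")
    return problems

# Constructed sample files; the smb.conf realm is typed in lower case, a classic mistake.
SMB_CONF = """[global]
security = ADS
realm = example.test
"""
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.TEST
[realms]
EXAMPLE.TEST = {
    kdc = dc1.example.test
}
"""
```

Running `check_ads_config(SMB_CONF, KRB5_CONF)` reports the lower-case realm and the resulting default_realm mismatch; with `realm = EXAMPLE.TEST` it returns an empty list.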
Thanks
Thanks to Bonno Nachtegaal for his input and time on this subject.