Miscellaneous: Samba: Authenticating with Win2003 AD

(last edit: 2006-04-21)


Scenario: You have a Windows 2003 server with Active Directory (AD) in your network and use this for authenticating users in your network. Now you want to hook Samba to AD so you can use it to authenticate to samba. This acticle assumes you know how to setup AD and Samba.

Installing software

Install Samba 3 (that's a THREE), this is the only version that supports AD. Make sure you add AD support (when installing from the ports this is one of the options in the menu you'll get). You will need Kerberos but it shoul be on your system already so you don't need to install this.

Configuring AD

You don't need to change anything on the Win2003 server. If you have installed/configured extra security options like firewalls etc you do need to review these :-)

Configuring Samba

After doing the normal configuration of Samba you need to add/change the below in the 'global' section: security = ADS password server = YOU.SERVER.HERE ldap ssl = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind separator = / winbind use default domain = yes realm = YOUR.REALM.HERE socket options = TCP_NODELAY unix charset = LOCALE You can use usernames and/or groups in your shares like this: [temp] valid users = @Users, @"Domain Admins"

Configuring 'the rest'

There are two more config files you need to setup/check: /etc/nsswitch.conf group: files winbind group_compat: nis hosts: files dns networks: files passwd: files winbind passwd_compat: nis shells: files And for kerberos: /etc/krb5.conf [libdefaults] default_realm = YOUR.REALM.HERE [realms] YOUR.REALM.HERE = { kdc = YOUR.SERVER.HERE admin_server = YOUR.SERVER.HERE } [domain_realm] .soe.siue.edu = YOUR.REALM.HERE soe.siue.edu = YOUR.REAL.HERE [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log

Putting it all together

Oke everything should be configured now, now you need to start a few things: #kinit [username]@YOUR.REALM.HERE #net ads join "MyBusiness/Computers/SBSComputers" -U [username] Substitute [username] with a user that has permissions to add to AD. Now start Samba and check all log files! Your server should be visible in AD and you should be able to authenticate with AD


Thanks to Bonno Nachtegaal for his input and time on this subject.

Click here to go back to the index.