Join Samba 3 to Your Active Directory Domain

If you're dependent on Active Directory but want the power and economy of Samba, too, our guide to joining Samba 3 to an Active Directory domain will show you how to interoperate your way to central management and single-sign on.

By Carla Schroder | Posted Mar 2, 2005
Page 1 of 3
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

A popular thing to do with Samba these days is to join a Samba 3 host to a Windows Active Directory domain. You may freely set up any number of Samba servers in a Windows network without joining them to the domain. The advantages of domain membership are central management and authentication, and single sign-on. Using Winbind allows Linux clients to log on to the AD domain without requiring local Linux system accounts, which is a lovely time- and hassle-saver.

Presumably you already have a functioning Active Directory domain, and know how to run it. AD is very dependent on DNS (domain name system) so I'll assume your DNS house is also in order. On your Linux box you'll need Samba 3, version 3.0.8 or newer. Plus MIT Kerberos 5, version 1.3.1 or newer, and OpenLDAP. (The Samba documentation states that Heimdal Kerberos, version 0.6.3 or newer, also works. The examples in this article use MIT Kerberos.) Debian users need the krb5-user, krb5-config, krb5-doc, and libkrb53 packages. Red Hat and Fedora users need the krb5 and krb5-client RPMs.

First you should verify that your Samba installation has been compiled to support Kerberos, LDAP, Active Directory, and Winbind. Most likely it has, but you need to make sure. The smbd command has a switch for printing build information. You will see a lot more lines of output than are shown here:

root@windbag:/usr/sbin# cd /usr/sbin
root@windbag:/usr/sbin# smbd -b | grep LDAP

HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_DOMAIN2HOSTLIST
...
root@windbag:/usr/sbin# smbd -b | grep KRB
HAVE_KRB5_H
HAVE_ADDRTYPE_IN_KRB5_ADDRESS
HAVE_KRB5
...
root@windbag:/usr/sbin# smbd -b | grep ADS
WITH_ADS
WITH_ADS
root@windbag:/usr/sbin# smbd -b | grep WINBIND
WITH_WINBIND
WITH_WINBIND

If you are in the unfortunate position of missing any of these, which will be indicated by a blank line, you need to recompile Samba. See Chapter 37 of the The Official Samba-3 HOWTO and Reference Guide.

Configure and Test Kerberos

Let's say our Active Directory domain server is bigserver.domain.net, and the Samba server is named samba1. This is the absolute minimum Kerberos configuration file, /etc/krb5.conf, for connecting to this domain:

'libdefaults'
        default_realm = DOMAIN.NET

'realms'         DOMAIN.NET = {
        kdc = bigserver.domain.net
        }

'domain_realms'
        .kerberos.server = DOMAIN.NET

Use uppercase where it shows. Now try to connect, and mind your cases:

# kinit Administrator@DOMAIN.NET
Password for Administrator@DOMAIN.NET

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down:

192.168.10.5     bigserver.domain.net     bigserver

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter