Configure Samba with Domain Security Mode

March 14, 2008

Samba with domain security mode is a good fit if you already have a Windows domain and need a Samba server as a supplementary file or print server, or just need to reach a Linux file system from a Windows desktop now and then. You don’t need LDAP or winbind, you don’t need to maintain separate accounts on your Samba and Windows servers or keep passwords synced, and in general there is a lot less administrative overhead: the domain controllers do the authentication, and the Samba box only needs matching local accounts for file-system permissions. This is how I set it up.

Network details:
Active Directory 2003 domain = dastrup.com
AD primary domain controller = foo
AD secondary domain controller = goo
DNS running on foo and goo
foo ip address = 10.0.0.10
goo ip address = 10.0.0.20
Samba 3.0 server = moo
moo ip address = 10.0.0.30

Moo’s smb.conf file (displaying relevant options only):

[global]
 workgroup = DASTRUP
 security = domain
 password server = FOO, GOO
 encrypt passwords = yes
 local master = no
 domain master = no
 preferred master = no 

[SharedFolder]
 path = /var/SharedFolder
 browseable = yes
 writeable = yes
 guest ok = no

Before starting Samba, you need to join it to the domain. With security = domain, Samba passes each user’s credentials to the domain controllers over the NT4-style NETLOGON RPC channel (not Kerberos; that is what security = ads is for), and the join creates the machine account whose password secures that channel.

Delete any existing /etc/samba/secrets.tdb and MACHINE.SID file left over from an earlier join.
Be sure your Linux server is using your AD DNS servers in /etc/resolv.conf, so that foo and goo resolve.

# net rpc join -S foo -Uadministrator
Password:
Joined domain DASTRUP

Leave the %password suffix off the -U option: supplying it on the command line puts the domain admin password in the process list and your shell history, whereas net will prompt for it.

You should see a computer object in AD Users & Computers for your Samba server, and “net rpc testjoin” should report that the join to DASTRUP is OK.

You can start samba now.

For every AD user who needs to access the Samba server, create a Linux account with the same name; you don’t need to create Samba (smbpasswd) accounts. The local password is never used: Samba hands the credentials to the domain controllers, so there is no reason to set an “unguessable” password at all. Leave the account locked (don’t set a password, or run passwd -l) and give it a non-login shell such as /sbin/nologin; it doesn’t need local login privileges. All it needs is to match the domain user’s name and to hold the file-system permissions for whatever that user must access.

Test your setup with something like this:

# smbclient -L moo -Ujames
Password:

# smbclient //moo/SharedFolder -Ujames
Password:

Or, from your Windows computer, explore \\moo\SharedFolder. If it all works, you’ll get right in. If you are prompted for a username and password, be sure you created the Linux account with the same name as your domain account, and check the permissions on /var/SharedFolder to be sure that account has access.
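As an added example (not from the original post), the following POSIX shell script checks an smb.conf for the settings this setup depends on and prints the useradd command for a locked, non-login account matching each AD user. The share name, user list and file paths are hypothetical; both smb.conf contents are constructed here, the second as the weak contrast (Samba’s default security = user plus guest ok = yes, under which the domain controllers are never consulted).

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical share name,
# user list and paths; the smb.conf contents below are constructed.
set -u

# Print the value of KEY in [SECTION] of smb.conf file CONF (empty if unset).
smb_value() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0
            gsub(/^[[:space:]]*\[/, "", s); gsub(/][[:space:]]*$/, "", s)
            insec = (tolower(s) == tolower(sec)); next
        }
        insec && /^[[:space:]]*[#;]/ { next }
        insec && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+/, "", k); gsub(/[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+/, "", v); gsub(/[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Return 0 if CONF makes the domain controllers, not local passwords,
# authenticate users of share SHARE; otherwise print each problem, return 1.
check_domain_conf() {
    conf="$1"; share="$2"; rc=0
    if [ "$(smb_value "$conf" global security | tr 'A-Z' 'a-z')" != "domain" ]; then
        echo "FAIL: security must be 'domain'"; rc=1
    fi
    if [ -z "$(smb_value "$conf" global 'password server')" ]; then
        echo "FAIL: password server not set"; rc=1
    fi
    case "$(smb_value "$conf" global 'encrypt passwords' | tr 'A-Z' 'a-z')" in
        no|false|0) echo "FAIL: encrypt passwords = no sends cleartext"; rc=1 ;;
    esac
    case "$(smb_value "$conf" "$share" 'guest ok' | tr 'A-Z' 'a-z')" in
        yes|true|1) echo "FAIL: guest ok = yes bypasses domain authentication on [$share]"; rc=1 ;;
    esac
    return $rc
}

# Print the useradd command for a locked, non-login Unix account matching an
# AD user name; rejects names useradd cannot create (spaces, upper case, ...).
locked_account_cmd() {
    case "$1" in
        ''|*[!a-z0-9._-]*) echo "invalid unix account name: '$1'" >&2; return 1 ;;
    esac
    # No -p: the shadow field stays '!' so the password is locked. -M: no home
    # directory. Samba never consults this password in security = domain mode.
    echo "useradd -M -s /sbin/nologin -c 'AD user ($1)' '$1'"
}

# The post's configuration (constructed copy), written to file PATH.
write_domain_conf() {
    cat > "$1" <<'EOF'
[global]
 workgroup = DASTRUP
 security = domain
 password server = FOO, GOO
 encrypt passwords = yes
 local master = no
 domain master = no
 preferred master = no

[SharedFolder]
 path = /var/SharedFolder
 browseable = yes
 writeable = yes
 guest ok = no
EOF
}

# Weak contrast: Samba's default security = user with a guest share, so the
# DCs are never asked and anyone on the network can read the share.
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
 workgroup = DASTRUP
 security = user

[SharedFolder]
 path = /var/SharedFolder
 guest ok = yes
EOF
}

# Usage: sh check_samba_domain.sh /etc/samba/smb.conf SharedFolder james alice
if [ "$#" -ge 2 ]; then
    conf="$1"; share="$2"; shift 2
    check_domain_conf "$conf" "$share" && echo "smb.conf OK"
    for u in "$@"; do locked_account_cmd "$u"; done
fi
```

Run it against the live smb.conf and the share name, followed by the AD user names to provision; review the printed useradd lines before running them as root.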

2 Comments

  1. James Dastrup June 16, 2008 @ 12:33 am

    This seems to have broken once I upgraded my domain controller from 2003 to 2008.

  2. CentOS 5.2 and Winbind | Dastrup Tech Logs February 7, 2009 @ 4:01 pm

    [...] CentOS 5.2 and Winbind [...]