22.6.2. Domain Member Server
22.6.2.1. Active Directory Domain Member Server
The following smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your Kerberos realm parameter is written in all caps (for example, realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to make the distinction.

    [global]
    realm = EXAMPLE.COM
    security = ADS
    encrypt passwords = yes
    # Optional. Use only if Samba cannot determine the Kerberos server automatically.
    password server = kerberos.example.com
To join a member server to an Active Directory domain, the following steps must be completed:

- Configuration of the smb.conf file on the member server
- Configuration of Kerberos, including the /etc/krb5.conf file, on the member server
- Creation of the machine account on the Active Directory domain server
- Association of the member server to the Active Directory domain
Before the machine account can be created and the member server can join the Windows 2000/2003 Active Directory, Kerberos must first be initialized on that server. To obtain an administrative Kerberos ticket, run the following command as root on the member server:

    kinit administrator@EXAMPLE.COM

The kinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to Section 48.6, “Kerberos”.
To join an Active Directory server (windows1.example.com), type the following command as root on the member server:

    net ads join -S windows1.example.com -U administrator%password

Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
Note: since security = ads is used rather than security = user, a local password backend such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.