Configure Samba to Authenticate Against a Windows 2003 Server Active Directory

Important Note: You may require further consultation on the content of this document. You may not have the in-house expertise or the time to apply the instructions included with this document. Either way, Tecsys can help: just contact our support team at SMBSupport@Tecsys.com with a brief description of your issue(s) and one of our technical specialists will contact you directly.

This is a sample of what to change on a Linux box for Samba to authenticate against a Windows 2003 Active Directory.

In this example the domain is “abc.local” with a common name of “abc”. The domain controller is named “server1” and has an IP address of 192.168.100.10.

Very Important: Clocks on the Linux box and the Windows server must be within 3 minutes of each other!

  1. Changes to the /etc/samba/smb.conf file:

      workgroup = abc
      server string = Red Hat Enterprise Server
      security = ADS
      password server = 192.168.100.10

    # add this Realm stuff anywhere in the global section

      idmap uid = 16777216-33554431
      idmap gid = 16777216-33554431
      template shell = /bin/false
      realm = abc.local
      winbind use default domain = no

  2. Changes to the /etc/krb5.conf file:

    1. #Change this line in the [libdefaults] section
      default_realm = ABC.LOCAL

    2. #Replace the EXAMPLE.COM entry in the [realms] section with your realm info
       ABC.LOCAL = {
        kdc = 192.168.100.10
        admin_server = SERVER1.ABC.LOCAL:749
        default_domain = ABC.LOCAL
       }

    3. #Replace this in the [domain_realm] area
        .abc.local = ABC.LOCAL
        abc.local = ABC.LOCAL

  3. Add the domain controller (admin_server) to the /etc/hosts file

      192.168.100.10   server1.abc.local   server1

  4. Turn off samba and winbind

      service smb stop
      service winbind stop
      (the winbind service was not running on my test server)

  5. Join the Windows active directory:

      net ads join -U username

      where username is a Windows domain user account that has rights to add workstations to the domain (e.g. administrator)

  6. Restart the SMB service:

      service smb start

Note: Domain controllers are time servers by default. It would be best to set up the NTP (Network Time Protocol) daemon on the Linux server to keep the system time in sync with the Domain.
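The following script is an added example and is not part of the original Tecsys document. It takes the example domain parameters above (abc.local, server1, 192.168.100.10; the values are constructed to match the text) and renders the krb5.conf sections and the /etc/hosts line, then lints the rendered krb5.conf for the mistakes that most often make "net ads join" fail: a lower-case realm, a [realm] heading where [realms] is required, an unclosed realm block, and a missing [domain_realm] mapping. It also includes a helper that checks two clock readings against the document's 3-minute tolerance. The function names (render_krb5_conf, lint_krb5_conf, render_hosts_line, within_skew) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original document): render the Kerberos settings
# and the hosts entry from one set of domain parameters, then lint the result.

# Constructed sample parameters matching the document's example domain.
DOMAIN="abc.local"
DC_NAME="server1"
DC_IP="192.168.100.10"

# Kerberos realm names are the DNS domain in upper case.
to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Render [libdefaults], [realms] and [domain_realm]; the realm block is closed.
# Arguments: domain, DC short name, DC IP.
render_krb5_conf() {
  realm=$(to_upper "$1"); dc_fqdn="$2.$1"; kdc="$3"
  cat <<EOF
[libdefaults]
  default_realm = $realm

[realms]
  $realm = {
    kdc = $kdc
    admin_server = $(to_upper "$dc_fqdn"):749
    default_domain = $realm
  }

[domain_realm]
  .$1 = $realm
  $1 = $realm
EOF
}

# Lint a krb5.conf file: prints "ok" and returns 0 when the realm is upper
# case, the [realms] section exists, braces balance, the realm has an entry
# with a kdc, and [domain_realm] maps the domain to the realm. Otherwise prints
# the first problem found and returns 1.
lint_krb5_conf() {
  file="$1"
  realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
  [ -n "$realm" ] || { echo "missing default_realm in [libdefaults]"; return 1; }
  case "$realm" in
    *[a-z]*) echo "realm '$realm' is not upper case"; return 1 ;;
  esac
  grep -q '^\[realms\]' "$file" || { echo "missing [realms] section (note: [realm] is wrong)"; return 1; }
  opens=$(grep -c '{' "$file" || true); closes=$(grep -c '}' "$file" || true)
  [ "$opens" -eq "$closes" ] || { echo "unbalanced braces ($opens '{' vs $closes '}')"; return 1; }
  grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$file" || { echo "no [realms] entry for $realm"; return 1; }
  grep -q '^[[:space:]]*kdc[[:space:]]*=' "$file" || { echo "no kdc line"; return 1; }
  grep -q "^[[:space:]]*\.[^=]*=[[:space:]]*$realm" "$file" || { echo "no [domain_realm] mapping to $realm"; return 1; }
  echo "ok"
}

# /etc/hosts line for the DC: fields are whitespace separated, no colon.
# Arguments: domain, DC short name, DC IP.
render_hosts_line() { printf '%s\t%s.%s\t%s\n' "$3" "$2" "$1" "$2"; }

# Clock check: two epoch-second readings (Linux box, DC) must differ by no
# more than 180 seconds, the document's 3-minute tolerance. Returns 0 if ok.
within_skew() {
  d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( -d ))
  [ "$d" -le 180 ]
}

# Stand-alone run: render the sample config, lint it, print the hosts line.
conf=$(mktemp)
render_krb5_conf "$DOMAIN" "$DC_NAME" "$DC_IP" > "$conf"
echo "krb5.conf lint: $(lint_krb5_conf "$conf")"
echo "hosts line: $(render_hosts_line "$DOMAIN" "$DC_NAME" "$DC_IP")"
rm -f "$conf"
```

Run it with sh before editing the real files; feeding an existing /etc/krb5.conf to lint_krb5_conf is a quick way to catch an unclosed realm block or a [realm] heading before restarting services.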
