Configure Samba to Authenticate Against a Windows 2003 Server Active Directory
Important Note: You may require further consultation on the content of this document. You may not have the in-house expertise or the time to apply the instructions included with this document. Either way, Tecsys can help: just contact our support team at SMBSupport@Tecsys.com with a brief description of your issue(s) and one of our technical specialists will contact you directly.
This is a sample of what to change on a Linux server so that Samba authenticates users against a Windows 2003 Active Directory domain.
In this example the domain is "abc.local" (Kerberos realm ABC.LOCAL) with the NetBIOS, or short, domain name "abc". The domain controller is named "server1" and has the IP address 192.168.100.10.
Very Important: The clocks on the Linux server and the Windows server must be within a few minutes of each other. Keep them within 3 minutes; Kerberos refuses authentication once the skew exceeds its default tolerance of 5 minutes, and the symptom is a failed domain join or failed logons rather than a clear clock error.
- Changes to the /etc/samba/smb.conf file. All of these settings belong in the [global] section; the realm and idmap entries can go anywhere within it:
[global]
   workgroup = abc
   server string = Red Hat Enterprise Server
   security = ADS
   password server = 192.168.100.10
   realm = abc.local
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no
"workgroup" is the short (NetBIOS) domain name and "realm" is the Kerberos realm; Samba upper-cases the realm internally. "security = ADS" makes Samba a member of the Active Directory domain and authenticate through Kerberos, and the idmap ranges are the UID/GID pool winbind allocates to domain users and groups (choose a range that does not overlap local accounts). "template shell = /bin/false" gives domain users no interactive shell on the Linux server, and "winbind use default domain = no" means domain users appear as ABC\username rather than bare usernames, so they cannot be confused with local accounts.
- Changes to the /etc/krb5.conf file. The realm name is written in upper case (ABC.LOCAL) wherever it appears:
  In the [libdefaults] section, change this line:
default_realm = ABC.LOCAL
  In the [realms] section, replace the EXAMPLE.COM entry with your realm (note the closing brace):
ABC.LOCAL = {
   kdc = 192.168.100.10
   admin_server = server1.abc.local:749
   default_domain = abc.local
}
  In the [domain_realm] section, replace the example mappings with:
.abc.local = ABC.LOCAL
abc.local = ABC.LOCAL
- Add the domain controller (the admin_server above) to the /etc/hosts file, as IP address, fully qualified name and short alias, so that its name resolves even if DNS is unavailable:
192.168.100.10   server1.abc.local   server1
- Stop Samba and winbind before joining:
service smb stop
service winbind stop
(On the test server used for this document winbind was not running yet, so the second command only reports that.)
- Join the Linux server to the Active Directory domain:
net ads join -U username
where username is a Windows domain account that has rights to add workstations to the domain (e.g. administrator). You will be prompted for that account's password; the join creates a computer account for the Linux server in the domain.
- Start the services again:
service winbind start
service smb start
Note: Domain controllers are time servers by default. Kerberos rejects tickets when the clocks differ by more than the configured skew (5 minutes by default), so it is best to set up the NTP (Network Time Protocol) daemon on the Linux server to keep its time in sync with the domain rather than adjusting it by hand.
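The whole procedure above, collected into one script as an added example (this is not part of the original Tecsys document and not Tecsys code). The script only generates the smb.conf, krb5.conf and /etc/hosts fragments from the article's sample values (realm abc.local, short name abc, DC server1 at 192.168.100.10, overridable through the environment) so they can be inspected before being copied into /etc; it checks the clock-skew rule; and it performs the stop/join/start sequence only when DO_JOIN=1 is set, because that part needs root, Samba and a reachable domain controller. The DO_JOIN and USERNAME variables are this example's own convention. The post-join checks use real Samba commands that the article does not mention: "net ads testjoin" confirms the computer account works, "wbinfo -t" confirms the machine trust secret, and "wbinfo -u" lists domain users through winbind.

```shell
#!/bin/bash
# Added example, not part of the original article. Sample values follow the
# article: DNS domain abc.local, NetBIOS name abc, DC server1 / 192.168.100.10.
set -u

REALM_DNS="${REALM_DNS:-abc.local}"       # AD DNS domain
WORKGROUP="${WORKGROUP:-abc}"             # NetBIOS (short) domain name
DC_HOST="${DC_HOST:-server1}"             # domain controller short name
DC_IP="${DC_IP:-192.168.100.10}"
MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds (5 minutes)

# Kerberos realm names are upper-case by convention; derive from the DNS name.
realm_upper() { printf '%s' "$REALM_DNS" | tr '[:lower:]' '[:upper:]'; }

# [global] settings the article adds to /etc/samba/smb.conf.
smb_global() {
    cat <<EOF
[global]
   workgroup = $WORKGROUP
   server string = Red Hat Enterprise Server
   security = ADS
   realm = $(realm_upper)
   password server = $DC_IP
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/false
   winbind use default domain = no
EOF
}

# The three /etc/krb5.conf sections the article edits, with [realms] closed.
krb5_conf() {
    local realm; realm=$(realm_upper)
    cat <<EOF
[libdefaults]
   default_realm = $realm

[realms]
   $realm = {
      kdc = $DC_IP
      admin_server = $DC_HOST.$REALM_DNS:749
      default_domain = $REALM_DNS
   }

[domain_realm]
   .$REALM_DNS = $realm
   $REALM_DNS = $realm
EOF
}

# /etc/hosts line for the DC: IP address, fully qualified name, short alias.
hosts_entry() { printf '%s\t%s %s\n' "$DC_IP" "$DC_HOST.$REALM_DNS" "$DC_HOST"; }

# True when two clock readings (seconds since the epoch) are within MAX_SKEW.
clock_skew_ok() {
    local diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Stop, join, start, verify. USERNAME is an account allowed to add workstations.
join_domain() {
    local user="${1:-administrator}"
    ntpdate -u "$DC_IP"            # sync the clock first; DCs serve NTP by default
    service smb stop
    service winbind stop
    net ads join -U "$user" || return 1   # prompts for the account's password
    service winbind start
    service smb start
    net ads testjoin               # prints "Join is OK" when the computer account works
    wbinfo -t                      # verifies the machine trust account secret
    wbinfo -u | head -n 5          # domain users should now be listed via winbind
}

# Only touch the system when explicitly asked (needs root, Samba, reachable DC).
if [ "${DO_JOIN:-0}" = 1 ]; then
    join_domain "${USERNAME:-administrator}"
fi
```

Run it without DO_JOIN and call smb_global, krb5_conf or hosts_entry from the shell (source the file first) to see exactly what will be written; run it as root with DO_JOIN=1 USERNAME=administrator to perform the join and the three checks at the end.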