Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

Joining an NT4-type Domain with Samba-3

Assumptions lists names that are used in the remainder of this chapter.


Samba DMS NetBIOS name: SERV1
Windows 200x/NT domain name: MIDEARTH
Domain's PDC NetBIOS name: DOMPDC
Domain's BDC NetBIOS names: DOMBDC1 and DOMBDC2

First, you must edit your smb.conf file to tell Samba it should now use domain security.

Change (or add) your security line in the [global] section of your smb.conf to read:

security = domain

Note that if the parameter security = user is used, this machine would function as a standalone server and not as a domain member server. Domain security mode causes Samba to work within the domain security context.

Next change the workgroup line in the [global] section to read:

workgroup = MIDEARTH

This is the name of the domain we are joining.

You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC. This is the default setting if this parameter is not specified. There is no need to specify this parameter, but if it is specified in the smb.conf file, it must be set to Yes.

Finally, add (or modify) a password server line in the [global] section to read:

password server = DOMPDC DOMBDC1 DOMBDC2

These are the PDC and BDCs Samba will attempt to contact in order to authenticate users. Samba will try to contact each of these servers in order, so you may want to rearrange this list in order to spread out the authentication load among Domain Controllers.

Alternatively, if you want smbd to determine automatically the list of domain controllers to use for authentication, you may set this line to be:

password server = *

This method allows Samba to use exactly the same mechanism that NT does. The method either uses broadcast-based name resolution, performs a WINS database lookup in order to find a domain controller against which to authenticate, or locates the domain controller using DNS name resolution.

To join the domain, run this command:


net rpc join -S DOMPDC -U

If the -S DOMPDC argument is not given, the domain name will be obtained from smb.conf and the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name look up.

The machine is joining the domain DOM, and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC; therefore, use the -S option. The Administrator%password is the login name and password for an account that has the necessary privilege to add machines to the domain. If this is successful, you will see the following message in your terminal window. Where the older NT4-style domain architecture is used:

Joined domain DOM.

Where Active Directory is used, the command used to join the ADS domain is:

root#  net ads join -U

And the following output is indicative of a successful outcome:

Joined SERV1 to realm MYREALM.

Refer to the net man page and to the chapter on remote administration for further information.

This process joins the server to the domain without separately having to create the machine trust account on the PDC beforehand.

This command goes through the machine account password change protocol, then writes the new (random) machine account password for this Samba server into a file in the same directory in which a smbpasswd file would be normally stored. The trust account information that is needed by the DMS is written into the file /usr/local/samba/private/secrets.tdb or /etc/samba/secrets.tdb.

This file is created and owned by root and is not readable by any other user. It is the key to the domain-level security for your system and should be treated as carefully as a shadow password file.

Finally, restart your Samba daemons and get ready for clients to begin using domain security. The way you can restart your Samba daemons depends on your distribution, but in most cases the following will suffice:

root# /etc/init.d/samba restart

Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire