Joining an NT4-type Domain with Samba-3
Assumptions lists names that are used in the remainder of this chapter.
|Samba DMS NetBIOS name:
|Windows 200x/NT domain name:
|Domain's PDC NetBIOS name:
|Domain's BDC NetBIOS names:
||DOMBDC1 and DOMBDC2
First, you must edit your
smb.conf file to tell Samba it should now use domain security.
Change (or add) your
security line in the [global] section
smb.conf to read:
Note that if the parameter
security = user
is used, this machine would function as a
standalone server and not as a domain member server. Domain security mode causes Samba to work within the
domain security context.
Next change the
workgroup line in the
section to read:
This is the name of the domain we are joining.
You must also have the parameter
yes in order for your users to authenticate to the NT PDC.
This is the default setting if this parameter is not specified. There is no need to specify this
parameter, but if it is specified in the
smb.conf file, it must be set to
Finally, add (or modify) a
password server line in the [global]
section to read:
password server = DOMPDC DOMBDC1 DOMBDC2
These are the PDC and BDCs Samba
will attempt to contact in order to authenticate users. Samba will
try to contact each of these servers in order, so you may want to
rearrange this list in order to spread out the authentication load
among Domain Controllers.
Alternatively, if you want smbd to determine automatically the list of domain controllers to use for
authentication, you may set this line to be:
This method allows Samba to use exactly the same mechanism that NT does. The
method either uses broadcast-based name resolution, performs a WINS database
lookup in order to find a domain controller against which to authenticate,
or locates the domain controller using DNS name resolution.
To join the domain, run this command:
net rpc join -S DOMPDC -U
-S DOMPDC argument is not given, the domain name will be obtained from
the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name
The machine is joining the domain DOM, and the PDC for that domain (the only machine
that has write access to the domain SAM database) is DOMPDC; therefore, use the
is the login name and
password for an account that has the necessary privilege to add machines to the
domain. If this is successful, you will see the following message in your terminal window.
Where the older NT4-style domain architecture is used:
Joined domain DOM.
Where Active Directory is used, the command used to join the ADS domain is:
root# net ads join -U
And the following output is indicative of a successful outcome:
Joined SERV1 to realm MYREALM.
Refer to the
man page and to
the chapter on remote
administration for further information.
This process joins the server to the domain without separately having to create the machine
trust account on the PDC beforehand.
This command goes through the machine account password change protocol, then writes the new (random) machine
account password for this Samba server into a file in the same directory in which a smbpasswd file would be
normally stored. The trust account information that is needed by the DMS is written into the file
This file is created and owned by root and is not readable by any other user. It is
the key to the domain-level security for your system and should be treated as carefully
as a shadow password file.
Finally, restart your Samba daemons and get ready for clients to begin using domain
security. The way you can restart your Samba daemons depends on your distribution,
but in most cases the following will suffice:
root# /etc/init.d/samba restart