Join a Samba Client to an Active Directory Domain

When meshing Linux machines into a Windows environment that is part of an Active Directory domain, you will most likely run into the question "How do I join my Samba client to the AD domain?". This can be answered and solved with a little time and configuration on your Linux machine.

First, make sure that an entry for your AD domain server resides in the /etc/hosts file.

Next, make sure that your Samba installation was built with support for Winbind, AD, Kerberos and LDAP. In most cases this support is already enabled, but to verify it you can issue the following commands:

smbd -b | grep LDAP
smbd -b | grep KRB
smbd -b | grep ADS
smbd -b | grep WINBIND

If any of these four commands produces no output, you will need to reinstall Samba (possibly building it manually) so that it includes support for all four of these features.
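The four greps above can be rolled into a single check that tells you exactly which piece of build support is missing before you go any further. This is an added example, not a script from the original post: it reads the `smbd -b` listing from standard input, and when no smbd binary is installed it runs against a constructed sample listing instead (the sample is an assumption about the output's shape, not captured from a real system).

```shell
#!/bin/sh
# Added example (not from the original post): check in one step that the
# installed smbd was built with LDAP, Kerberos, ADS and winbind support, the
# same thing the four `smbd -b | grep ...` commands above verify by hand.
# The check reads build-option output from stdin, so when no smbd binary is
# present it runs against the constructed sample below instead.

# Keywords the page greps for in the `smbd -b` listing.
REQUIRED_BUILD_KEYWORDS="LDAP KRB ADS WINBIND"

# Constructed stand-in for `smbd -b` output (shape only; not captured from a
# real system). Each line mirrors a build define such a listing would show.
SAMPLE_BUILD_OUTPUT="Build environment:
   Built by:    builder@host.example (constructed)
Options:
   HAVE_LDAP
   HAVE_KRB5
   WITH_ADS
   WITH_WINBIND"

# Read build-option output on stdin; print each required keyword that does
# not appear, one per line; return 1 if anything is missing, else 0.
missing_build_keywords() {
    build_output=$(cat)
    status=0
    for kw in $REQUIRED_BUILD_KEYWORDS; do
        if ! printf '%s\n' "$build_output" | grep -q -- "$kw"; then
            echo "$kw"
            status=1
        fi
    done
    return $status
}

# Use the real binary when it is installed, otherwise the constructed sample,
# and report a verdict an admin can act on before configuring anything.
check_samba_build() {
    if command -v smbd >/dev/null 2>&1; then
        src="smbd -b"
        missing=$(smbd -b | missing_build_keywords)
    else
        src="constructed sample"
        missing=$(printf '%s\n' "$SAMPLE_BUILD_OUTPUT" | missing_build_keywords)
    fi
    if [ -n "$missing" ]; then
        echo "smbd lacks required build support ($src):" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    echo "smbd build support OK ($src): $REQUIRED_BUILD_KEYWORDS"
}

check_samba_build
```

Like the manual greps, the match is a plain substring match on the listing, so it reports the same four keywords the post tells you to look for; a non-zero exit from `check_samba_build` means stop and rebuild Samba before touching krb5.conf or smb.conf.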

You will now need to configure Kerberos. Below is a sample configuration where the AD domain server is ad.sample.com and the Kerberos realm is the domain name in upper case. This configuration is stored in the /etc/krb5.conf file.

[libdefaults]
    default_realm = SAMPLE.COM

[realms]
    SAMPLE.COM = {
        kdc = ad.sample.com
    }

[domain_realm]
    .sample.com = SAMPLE.COM
    sample.com = SAMPLE.COM
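A mistyped section header such as `[relams]` is easy to make and hard to spot, because Kerberos simply ignores sections it does not recognise and kinit then fails with no hint that the realm has no KDC configured. The following added example (not part of the original post) generates the krb5.conf shown above from a DNS domain and a KDC host name, and lints the result for unknown section headers and for a default_realm that has no matching `[realms]` entry. The domain and KDC names are the post's; the temporary output path and the helper names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): build the krb5.conf shown above
# from a DNS domain and a KDC host name, then lint the result so a mistyped
# section header such as [relams] is caught before kinit is tried. Domain and
# KDC names are the page's (sample.com / ad.sample.com); everything else is
# assumed for the demonstration.

# Emit a krb5.conf for DOMAIN (lower-case DNS name) served by KDC_HOST.
# The realm is the domain in upper case, as in the post's example.
gen_krb5_conf() {
    domain=$1
    kdc_host=$2
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc_host
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Section names MIT Kerberos reads from krb5.conf; anything else is silently
# ignored, which is how a typo like [relams] leaves the realm with no KDC.
KNOWN_KRB5_SECTIONS="libdefaults realms domain_realm capaths appdefaults plugins logging dbdefaults dbmodules"

# Print every unknown [section] header in FILE and return 1 if any was found.
lint_krb5_sections() {
    rc=0
    for sec in $(sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"); do
        case " $KNOWN_KRB5_SECTIONS " in
            *" $sec "*) ;;
            *) echo "unknown section [$sec] in $1" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Return 1 unless the default_realm of FILE has a matching "REALM = {" entry.
lint_krb5_default_realm() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1")
    [ -n "$realm" ] || { echo "no default_realm in $1" >&2; return 1; }
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$1" || {
        echo "default_realm $realm has no [realms] entry in $1" >&2
        return 1
    }
}

# Demonstration: write the generated file to a temporary path (not /etc)
# and run both lints over it.
demo_krb5_conf() {
    tmp=$(mktemp)
    gen_krb5_conf sample.com ad.sample.com > "$tmp"
    lint_krb5_sections "$tmp" && lint_krb5_default_realm "$tmp" \
        && echo "krb5.conf at $tmp passes both checks"
    rm -f "$tmp"
}

demo_krb5_conf
```

Run the two lint functions against your real /etc/krb5.conf before trying kinit; a failing section check points straight at the misspelled header, which is far quicker than guessing from a generic "cannot contact any KDC" error.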

You can now test the connection with the following command; if you are not prompted for a password, the connection is not working properly:

kinit Administrator@SAMPLE.COM

Now make sure that Samba is configured properly in the smb.conf file. Here is a sample configuration based on the same domain listed above:

[global]
workgroup = AD
realm = SAMPLE.COM
preferred master = no
server string = Samba server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000

[myshare]
comment = Sample Share
read only = yes
browseable = no

Keep in mind that the workgroup parameter is the name of your AD domain server. Now run testparm to make sure the file is syntactically correct, and then you can try joining your machine to the AD domain with the following command:

net ads join -U Administrator

After entering your password you should receive a message stating "Joined 'xxxx' to realm 'xxxxx'"; if you do, you have successfully joined the AD domain.

Enjoy,
Josh Diakun
http://www.joshd.ca