Windows Active Directory users on File Server appliance

jgab:

Hi, sorry for my newbie question, but is it possible to use windows AD users on the File Server appliance?

Thanks and regards.

Alon Swartz:

According to the Samba documentation, Samba cannot "interact with Windows DC's in the same domain".

But, looking through my notes I have managed to join an Active Directory domain in the past, unfortunately I don't recall in what capacity the connection works. Below is a dump of my notes in hope that they can help, but I cannot provide much support on this issue.

Good luck!

joining active directory

resources for setting up samba+kerberos -> AD

dependencies
    apt-get install winbind
    apt-get install krb5-user
    apt-get install ntpdate

files to configure
    note: uppercase matters!

    /etc/hosts
         ad

    /etc/krb5.conf
        [libdefaults]
            default_realm = EXAMPLE.COM
        [realms]
            EXAMPLE.COM = {
            kdc =
            }
        [domain_realm]
             = EXAMPLE.COM

    /etc/samba/smb.conf
        [global]
            workgroup = EXAMPLE                 # required when joining domain
            realm = EXAMPLE.COM
            preferred master = no
            security = ADS
            encrypt passwords = yes
            password server =                   # shouldn't be req.
            winbind separator = +
            idmap uid = 10000-20000
            idmap gid = 10000-20000
            client use spnego = yes             # win2003 requires SMB signing

    /etc/hosts
         nas

    /etc/nsswitch.conf
        first 3 lines are most important, others vary according to the system
        passwd:     compat winbind
        group:      compat winbind
        shadow:     compat
        hosts:      files dns wins
        networks:   files dns

sync time with AD
    kerberos is dependent on "the clock"; it's recommended to sync with the active directory
        ntpdate

    gotcha: on win2ksrv the ntp server is disabled (use regedit)
        System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
        Value Name: LocalNTP
        Data Type: REG_DWORD (DWORD Value)
        Value Data: (0 = disabled, 1 = enabled)

    tips:
        - timezones are calculated, including daylight saving
        - ntp is 123/udp
        - win2ksrv will deny NTP service if its clock hasn't sync'ed with a
          NTP server in a while
            net (stop|start) w32time
            net time /
        - ntpdate -d (debug)

restarting services
    I found that winbind must be started before samba,
    but the docs say the opposite...

authenticate using kerberos
    kinit Administrator@EXAMPLE.COM

join the domain
    net ads join -U Administrator -S
    - it's recommended to change the Administrator password on win2k after
      first joining (regenerates the kerberos settings or something, not
      sure...)

testing
    # smbclient -k -L
    # wbinfo -u
    EXAMPLE+administrator
    EXAMPLE+guest
    EXAMPLE+tsinternetuser
    EXAMPLE+iusr_ad
    EXAMPLE+iwam_ad
    EXAMPLE+krbtgt
    # wbinfo -g
    BUILTIN+administrators
    BUILTIN+users
    EXAMPLE+domain computers
    EXAMPLE+domain controllers
    EXAMPLE+schema admins
    EXAMPLE+enterprise admins
    EXAMPLE+cert publishers
    EXAMPLE+domain admins
    EXAMPLE+domain users
    EXAMPLE+domain guests
    EXAMPLE+group policy creator owners
    EXAMPLE+dnsupdateproxy
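The notes above describe the join procedure as a sequence of hand-edited files and commands. The script below is an added example (not code from the thread, from TurnKey, or from the Samba project) that wraps the same steps in shell functions: it checks the two things that most often break a join in practice (lowercase realm, clock skew beyond Kerberos' 300-second tolerance), renders a krb5.conf and smb.conf from a realm/workgroup/DC triple, and only touches the network when `live_join` is called explicitly. The realm `EXAMPLE.COM`, workgroup `EXAMPLE`, host `dc1.example.com`, idmap ranges, and the use of the newer `idmap config` and `kerberos method` smb.conf keys (instead of the older `idmap uid`/`idmap gid` lines in the notes) are assumptions of this example, not settings the thread confirms for the File Server appliance.

```shell
#!/usr/bin/env bash
# Added example: helpers for joining a Debian-based Samba host to an AD
# domain as in the notes above. Assumed names: REALM=EXAMPLE.COM,
# WORKGROUP=EXAMPLE, DC=dc1.example.com. Nothing here contacts a DC
# unless live_join is called.

# MIT Kerberos refuses tickets when client and KDC clocks differ by more
# than this many seconds (default clockskew = 300).
MAX_SKEW=300

# realm_ok REALM: Kerberos realm names are case-sensitive and AD realms
# are uppercase. Fails on an empty realm or any lowercase letter.
realm_ok() {
    case "$1" in
        "")      return 1 ;;
        *[a-z]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# skew_ok LOCAL_EPOCH DC_EPOCH: true if |local - dc| <= MAX_SKEW.
skew_ok() {
    local d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    [ "$d" -le "$MAX_SKEW" ]
}

# render_krb5_conf REALM KDC: a single-KDC /etc/krb5.conf. The
# [domain_realm] mapping uses the lowercase DNS form of the realm, which
# is what the notes left blank.
render_krb5_conf() {
    local realm=$1 kdc=$2 lower
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    clockskew = $MAX_SKEW

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# render_smb_conf WORKGROUP REALM: [global] for security = ads. SMB
# signing is made mandatory on the client side; idmap uses a separate
# range per domain so SIDs map to stable, non-overlapping uids/gids.
render_smb_conf() {
    local wg=$1 realm=$2
    cat <<EOF
[global]
    workgroup = $wg
    realm = $realm
    security = ads
    kerberos method = secrets and keytab
    client signing = mandatory
    client use spnego = yes
    winbind separator = +
    winbind use default domain = no
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $wg : backend = rid
    idmap config $wg : range = 10000-20000
EOF
}

# live_join REALM DC [ADMIN]: the network-facing part of the notes, in
# the order they recommend (time sync before kinit before net ads join).
# Requires ntpdate, samba, winbind and GNU date; run as root on the host.
live_join() {
    local realm=$1 dc=$2 admin=${3:-Administrator} dc_epoch
    realm_ok "$realm" || { echo "realm must be uppercase: $realm" >&2; return 1; }
    ntpdate -u "$dc" || return 1                       # sync clock with the DC
    dc_epoch=$(date -d "$(net time -S "$dc")" +%s) || return 1
    skew_ok "$(date +%s)" "$dc_epoch" || { echo "clock skew > ${MAX_SKEW}s" >&2; return 1; }
    kinit "$admin@$realm" || return 1                   # Kerberos TGT for the join
    net ads join -U "$admin" || return 1
    net ads testjoin && wbinfo -t && wbinfo -u          # same checks as the notes
}
```

`render_krb5_conf EXAMPLE.COM dc1.example.com > /etc/krb5.conf` and `render_smb_conf EXAMPLE EXAMPLE.COM > /etc/samba/smb.conf` produce the files; restart winbind and then smbd afterwards, in that order, which matches what the notes report working.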


