20.3.2.2 Configuring Samba as a Member of an ADS Domain

In the Active Directory Server (ADS) security model, Samba acts as a domain member server in an ADS realm, and clients use Kerberos tickets for Active Directory authentication. You must configure Kerberos and join the server to the domain, which creates a machine account for your server on the domain controller.

To add a Samba server to an Active Directory domain:

  1. Edit /etc/samba/smb.conf and configure the [global] section to use ADS:

    [global]
    security = ADS
    realm = KERBEROS.REALM

    It might also be necessary to specify the password server explicitly if different servers support AD services and Kerberos authentication:

    password server = kerberos_server.your_domain

  2. Install the krb5-server package:

    # yum install krb5-server

  3. Create a Kerberos ticket for the Administrator account in the Kerberos domain, for example:

    # kinit Administrator@MYDOMAIN.COM

    This command creates the Kerberos ticket that is required to join the server to the AD domain.

  4. Join the server to the AD domain:

    # net ads join -S winads.mydom.com -U Administrator%password

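    In this example, the AD server is winads.mydom.com and password is the password for the Administrator account. A password given on the command line is recorded in the shell history and is visible in the process list; if you omit %password, net prompts for it instead.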

    The command creates a machine account in Active Directory for the Samba server and allows it to join the domain.

  5. Restart the smb service:

    # service smb restart
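
A pre-join check for steps 1 and 3, added here as an example and not part of the original documentation: it reads the [global] section of an smb.conf file and confirms that security is ADS and that realm is the realm of the principal given to kinit. The function names, the sample file and the assumption that the two realms must be identical are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: verify [global] before "net ads join".

# get_global FILE PARAM: print the value of PARAM from the [global] section.
# smb.conf parameter names ignore case and whitespace, so both are normalised.
get_global() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }                     # comment line
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next }
        sec == "global" && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v                 # keep the last occurrence
        }
        END { print val }' "$1"
}

# check_ads_conf FILE PRINCIPAL: return 0 when security is ADS and realm
# equals the realm part of PRINCIPAL (assumption of this example).
check_ads_conf() {
    rc=0
    sec=$(get_global "$1" security | tr '[:lower:]' '[:upper:]')
    realm=$(get_global "$1" realm)
    case $2 in
        *@?*) prealm=${2##*@} ;;
        *)    echo "principal '$2' has no @REALM part" >&2; return 1 ;;
    esac
    [ "$sec" = "ADS" ] || { echo "security is '${sec:-unset}', expected ADS" >&2; rc=1; }
    if [ -z "$realm" ]; then
        echo "realm is not set in [global]" >&2; rc=1
    elif [ "$realm" != "$prealm" ]; then
        echo "realm '$realm' differs from ticket realm '$prealm'" >&2; rc=1
    fi
    return $rc
}

# Constructed sample in the shape of step 1; the [homes] realm must be ignored.
sample_conf() {
    cat <<'EOF'
# constructed sample
[global]
    Security = ads
    realm = MYDOMAIN.COM
    password server = kerberos_server.your_domain
[homes]
    realm = IGNORED.EXAMPLE
EOF
}

if [ $# -eq 2 ]; then check_ads_conf "$1" "$2"; fi
```

The script does not follow include directives; on a host with Samba installed, testparm -s shows the configuration as Samba itself parses it.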