I have a quick question on hooking Samba to a large AD domain. Following the excellent recipe at:

http://wiki.samba.org/index.php/Samba_&_Active_Directory

I see it states about half way down, on joining the machine to AD:

"Now to join your machine to the active directory. You will need the user-name and password to a Domain Administrator account to do this. The command you need to join the domain is net ads join -U sadwrn. This should then ask you for a password, and print a domain join notice."

Is it required to use a Domain Administrator account, or can any normal user AD account be used? I know AD doesn't allow anonymous browsing, but can a normal non-admin account be used? As I read through it, I don't see any other special admin access required other than root on the Linux machine.

My goal is this... We have a very large AD system, 80.000+ users, and we want to activate Samba on two servers for a very small user group (maybe 12 users) but validate userid/passwords against AD. If Samba can be set up with little or no AD changes, or involvement from the AD administrators, but with some simple config from the UNIX admins, then we have a much better chance of getting this approved. But if it requires a lot of heavy involvement of the AD support group, ongoing maintenance, etc., then the odds are slim. Largely political: the UNIX admins are much more open to open source solutions than the Windows side of the fence. So if this can be sold as "just another AD client app" not requiring any special AD domain permissions, we have a chance.

Thanks for any help/advice.
Brian
On Tue, Aug 05, 2008 at 10:50:21AM -0500, Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain.
> Following the excellent recipe at:
>
> http://wiki.samba.org/index.php/Samba_&_Active_Directory
>
> I see it states about half way down, on joining the machine to AD:
>
> "Now to join your machine to the active directory. You will need the
> user-name and password to a Domain Administrator account to do this. The
> command you need to join the domain is net ads join -U sadwrn. This
> should then ask you for a password, and print a domain join notice."
>
> Is it required to use a Domain Administrator account, or can any
> normal user AD account be used? I know AD doesn't allow anonymous
> browsing, but can a normal non-admin account be used? As I read through
> it, I don't see any other special admin access required other than root
> on the Linux machine.

Any account with the ability to join a machine to a domain can be used. You only need this for the join operation; in daily use no extra permission is needed (it acts the same way as a Windows box in the domain).

Jeremy.
Check out this paper:

http://www.docs.hp.com/en/7212/ADSJoinMinimumPerms.pdf

I wrote it about 3 years ago, so the Samba version was 3.0.7. Things may have changed. It refers to HP-UX CIFS Server but at the time held true for open source too.

Eric Roseme

Brian Foddy wrote:
> I have a quick question on hooking Samba to a large AD domain.
> Following the excellent recipe at:
>
> http://wiki.samba.org/index.php/Samba_&_Active_Directory
>
> I see it states about half way down, on joining the machine to AD:
>
> "Now to join your machine to the active directory. You will need the
> user-name and password to a Domain Administrator account to do this. The
> command you need to join the domain is net ads join -U sadwrn. This
> should then ask you for a password, and print a domain join notice."
>
> Is it required to use a Domain Administrator account, or can any
> normal user AD account be used? I know AD doesn't allow anonymous
> browsing, but can a normal non-admin account be used? As I read through
> it, I don't see any other special admin access required other than root
> on the Linux machine.
>
>
> My goal is this... We have a very large AD system, 80.000+ users, and
> we want to activate Samba on two servers for a very small user group
> (maybe 12 users) but validate userid/passwords against AD. If Samba can
> be set up with little or no AD changes, or involvement from the AD
> administrators, but with some simple config from the UNIX admins, then
> we have a much better chance of getting this approved. But if it
> requires a lot of heavy involvement of the AD support group, ongoing
> maintenance, etc., then the odds are slim. Largely political: the UNIX
> admins are much more open to open source solutions than the Windows side
> of the fence. So if this can be sold as "just another AD client app"
> not requiring any special AD domain permissions, we have a chance.
>
> Thanks for any help/advice.
> Brian
>
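The configuration below is an added illustration of the member-server setup that Jeremy's reply and Eric's minimum-permissions paper describe; it is not from the thread, the wiki recipe or the HP paper. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE, the joining account joinuser, the OU Servers/Unix and the AD group samba-users are assumed names. It uses the winbind idmap directives of current Samba releases; 3.0-era releases spell the idmap settings differently. Two points worth knowing before asking the AD team for anything: the joining account's password is used once, for the join, and is never stored on the Samba host (what persists is the machine account password in secrets.tdb, readable only by root, exactly as on a Windows member); and by default AD lets any authenticated user join a small number of computers (the ms-DS-MachineAccountQuota attribute, default 10). Many large domains set that quota to 0, in which case the joining account needs Create Computer Objects rights delegated on one OU, or the AD team pre-creates the computer object, which is the level of involvement Eric's paper is about.

```ini
# /etc/samba/smb.conf for an AD member server (added example; names are assumed)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # Machine-account Kerberos keys come from secrets.tdb and the system keytab
    kerberos method = secrets and keytab

    # "*" range covers BUILTIN and local SIDs; the EXAMPLE range maps every AD
    # user and group to a stable UID/GID computed from its RID, so no central
    # mapping database and no AD schema change is required
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

    winbind use default domain = yes
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # Pure member server: never compete for browser or domain roles
    domain master = no
    local master = no
    preferred master = no

[projects]
    path = /srv/samba/projects
    read only = no
    # Only the small intended group may connect; the other tens of thousands of
    # AD accounts still authenticate but are denied access to the share
    valid users = @"EXAMPLE\samba-users"
```

With /etc/krb5.conf pointing default_realm at EXAMPLE.COM, check that Kerberos works before touching the domain (kinit joinuser@EXAMPLE.COM), then join with net ads join -U joinuser, adding createcomputer=Servers/Unix when the AD team has delegated that OU rather than the default Computers container. Verify with net ads testjoin (prints "Join is OK"), wbinfo -t (tests the machine-account trust secret) and getent passwd for a user in samba-users once winbind is in nsswitch.conf. Decommissioning is net ads leave -U joinuser, which again needs the joining rights only for that one operation.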