samba - Feb 2015 - AIX 7.1 Samba 3.6.23 Windows 2003 Server AD

> My apologies for being too new to this whole process...
> 
> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No 
> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never 
> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12, which 
> didn't go smoothly; customer is upgrading to Windows Server 2012 AD in
a
> couple of months, so upgraded again to Samba 3.6.23 (IBM's version).
> 
> User security works fine as a temporary work-around.
> 
> Server security seems to fail to find the AD server. So it looks like I 
> need to remove the server from the AD, then rejoin. Everything I read, 
> though, says I need Kerberos and LDAP, but we still only want to 
> authenticate the users against the current Windows Server 2003 AD. We 
> don't want single sign-on integration - when a share is mounted (no 
> printers involved), the credentials for the user should be checked 
> against AD, and that's all we want from the AD today.
> 
> Does rejoining the AD sound like the right approach? Or do I really need 
> Kerberos and LDAP? Any additional or alternate suggestions or ideas? 
> This is a fast deep-dive for me, so please excuse my noobieness.
At some point in going from an early Samba to the later 3.* series
I found that I had to rejoin the domain. I did not have to remove the
machine from the domain first, I just joined again.

Also, I found it necessary to specify 'password server = ourserver'
dispite the fact that the documentation says that this is not necessary
with 'security = domain'.  I think that this has something to do with
our AD server being a Windows 2000 machine.

I have not done anything with kerberos or LDAP or any thing special.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com

On 2/16/2015 10:14 AM, Thomas Schulz wrote:
>> My apologies for being too new to this whole process...
>>
>> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No
>> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never
>> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12,
which
>> didn't go smoothly; customer is upgrading to Windows Server 2012 AD
in a
>> couple of months, so upgraded again to Samba 3.6.23 (IBM's
version).
>>
>> User security works fine as a temporary work-around.
>>
>> Server security seems to fail to find the AD server. So it looks like I
>> need to remove the server from the AD, then rejoin. Everything I read,
>> though, says I need Kerberos and LDAP, but we still only want to
>> authenticate the users against the current Windows Server 2003 AD. We
>> don't want single sign-on integration - when a share is mounted (no
>> printers involved), the credentials for the user should be checked
>> against AD, and that's all we want from the AD today.
>>
>> Does rejoining the AD sound like the right approach? Or do I really
need
>> Kerberos and LDAP? Any additional or alternate suggestions or ideas?
>> This is a fast deep-dive for me, so please excuse my noobieness.
> At some point in going from an early Samba to the later 3.* series
> I found that I had to rejoin the domain. I did not have to remove the
> machine from the domain first, I just joined again.
>
> Also, I found it necessary to specify 'password server = ourserver'
> dispite the fact that the documentation says that this is not necessary
> with 'security = domain'.  I think that this has something to do
with
> our AD server being a Windows 2000 machine.
>
> I have not done anything with kerberos or LDAP or any thing special.
>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
>
Thank you for this reply, Tom.

Did you join the samba server to the domain via:

smbpasswd [ - j MYDOMAIN] [ - r PDC ] [-U user-name]

Most of the guides I've perused have failed to mention how to join the 
AIX/Samba server to the domain.
I got that from:

http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html

It later speaks of using winbind, which I don't think I need. All I want 
is to forward the user authentication to the AD server - no other 
functionality is desired.

I anticipate that my smb.conf [global] section will look like:

     [global]
         workgroup=domain.name
         encrypt passwords = yes
         security = server
         password server = ADServer.domain.name    (or it's IP address)

This is essentially how it was working in Samba 2.2.7, without winbind, 
kerberos, or LDAP (that I can tell).