On 2/16/2015 10:14 AM, Thomas Schulz wrote:
>> My apologies for being too new to this whole process...
>>
>> Server was AIX 5.3/Samba 2.2.7, authenticating only against the AD. No
>> single sign-on, kerberos, or LDAP to my knowledge; smbd processes never
>> load kerberos or LDAP libraries. Upgraded to AIX 7.1/Samba 3.3.12, which
>> didn't go smoothly; customer is upgrading to Windows Server 2012 AD in a
>> couple of months, so upgraded again to Samba 3.6.23 (IBM's version).
>>
>> User security works fine as a temporary work-around.
>>
>> Server security seems to fail to find the AD server. So it looks like I
>> need to remove the server from the AD, then rejoin. Everything I read,
>> though, says I need Kerberos and LDAP, but we still only want to
>> authenticate the users against the current Windows Server 2003 AD. We
>> don't want single sign-on integration - when a share is mounted (no
>> printers involved), the credentials for the user should be checked
>> against AD, and that's all we want from the AD today.
>>
>> Does rejoining the AD sound like the right approach? Or do I really need
>> Kerberos and LDAP? Any additional or alternate suggestions or ideas?
>> This is a fast deep-dive for me, so please excuse my noobieness.
> At some point in going from an early Samba to the later 3.* series
> I found that I had to rejoin the domain. I did not have to remove the
> machine from the domain first, I just joined again.
>
> Also, I found it necessary to specify 'password server = ourserver'
> despite the fact that the documentation says that this is not necessary
> with 'security = domain'. I think that this has something to do with
> our AD server being a Windows 2000 machine.
>
> I have not done anything with kerberos or LDAP or any thing special.
>
> Tom Schulz
> Applied Dynamics Intl.
> schulz at adi.com
>
Thank you for this reply, Tom.
Did you join the samba server to the domain via:
smbpasswd [-j MYDOMAIN] [-r PDC] [-U user-name]
Most of the guides I've perused have failed to mention how to join the
AIX/Samba server to the domain.
I got that from:
http://www.onlamp.com/pub/a/onlamp/2008/04/01/step-by-step-using-samba-to-join-a-windows-domain.html
It later speaks of using winbind, which I don't think I need. All I want
is to forward the user authentication to the AD server - no other
functionality is desired.
I anticipate that my smb.conf [global] section will look like:
[global]
workgroup=domain.name
encrypt passwords = yes
security = server
password server = ADServer.domain.name (or its IP address)
This is essentially how it was working in Samba 2.2.7, without winbind,
kerberos, or LDAP (that I can tell).
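As an added example, not code from anyone in this thread, here is a small Python checker that parses an smb.conf the way Samba reads it (section headers, parameter names compared case-insensitively with whitespace ignored, full-line comments starting with # or ;) and reports the points raised above: whether the [global] section relies on the deprecated 'security = server' relay mode or on 'security = domain' membership, whether 'password server' is set explicitly, whether 'workgroup' is a NetBIOS domain name rather than a DNS name, and whether encrypted passwords are on. The sample smb.conf text is constructed for the example; the host and domain names in it are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf modelled on the [global] section sketched in the
# mail above. Host and domain names are placeholders, not a real site's values.
SAMPLE_SMB_CONF = """
# constructed example smb.conf
[global]
   workgroup = MYDOMAIN
   encrypt passwords = yes
   security = server
   password server = adserver.example.test
[public]
   path = /export/public
   read only = yes
"""


def normalize_key(key: str) -> str:
    """Samba ignores case and whitespace in parameter names, so do the same."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalized parameter: value}} for an smb.conf body."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank or full-line comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                             # stray line outside a section
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def check_global(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag [global] settings relevant to domain authentication. Returns findings."""
    g = conf.get("global", {})
    findings: List[str] = []

    security = g.get("security", "user").lower()       # Samba 3.x default is 'user'
    if security == "server":
        findings.append(
            "security = server: deprecated relay mode; each logon is passed to "
            "'password server' instead of the host being a domain member. "
            "Prefer security = domain after joining the domain.")
    elif security == "domain" and "passwordserver" not in g:
        findings.append(
            "security = domain without password server: Samba must discover the "
            "DC itself; set 'password server' explicitly if that lookup fails.")

    workgroup = g.get("workgroup", "")
    if "." in workgroup or len(workgroup) > 15:
        findings.append(
            "workgroup = %s: must be the NetBIOS domain name (no dots, at most "
            "15 characters), not the DNS domain name." % workgroup)

    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append(
            "encrypt passwords = no: domain logons require NTLM/NTLMv2 hashes; "
            "plaintext passwords will not be accepted by the DC.")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for finding in check_global(conf):
        print("WARN:", finding)
```

Run it against a real file with `check_global(parse_smb_conf(open("/etc/smb.conf").read()))`; on the sample it reports only the 'security = server' warning, while a [global] with 'workgroup = domain.name' and 'security = domain' but no 'password server' produces two findings.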