Assumptions lists names that are used in the remainder of this chapter.

First, you must edit your smb.conf file to tell Samba it should now use domain security.

Change (or add) your security line in the [global] section of your smb.conf to read:

Note that if the parameter security = user is used, this machine would function as a standalone server and not as a domain member server. Domain security mode causes Samba to work within the domain security context.

Next change the workgroup line in the [global] section to read:

This is the name of the domain we are joining.

You must also have the parameter encrypt passwords set to yes in order for your users to authenticate to the NT PDC. This is the default setting if this parameter is not specified. There is no need to specify this parameter, but if it is specified in the smb.conf file, it must be set to Yes.

Finally, add (or modify) a password server line in the [global] section to read:

These are the PDC and BDCs Samba will attempt to contact in order to authenticate users. Samba will try to contact each of these servers in order, so you may want to rearrange this list in order to spread out the authentication load among Domain Controllers.

Alternatively, if you want smbd to determine automatically the list of domain controllers to use for authentication, you may set this line to be:

This method allows Samba to use exactly the same mechanism that NT does. The method either uses broadcast-based name resolution, performs a WINS database lookup in order to find a domain controller against which to authenticate, or locates the domain controller using DNS name resolution.

To join the domain, run this command:

root# 

net rpc join -S DOMPDC -U
Administrator%password

If the -S DOMPDC argument is not given, the domain name will be obtained from smb.conf and the NetBIOS name of the PDC will be obtained either using a WINS lookup or via NetBIOS broadcast based name look up.

The machine is joining the domain DOM, and the PDC for that domain (the only machine that has write access to the domain SAM database) is DOMPDC; therefore, use the -S option. The Administrator%password is the login name and password for an account that has the necessary privilege to add machines to the domain. If this is successful, you will see the following message in your terminal window. Where the older NT4-style domain architecture is used:

Joined domain DOM.

Where Active Directory is used, the command used to join the ADS domain is:

root#  net ads join -U
Administrator%password

And the following output is indicative of a successful outcome:

Joined SERV1 to realm MYREALM.

Refer to the net man page and to the chapter on remote administration for further information.

This process joins the server to the domain without separately having to create the machine trust account on the PDC beforehand.

This command goes through the machine account password change protocol, then writes the new (random) machine account password for this Samba server into a file in the same directory in which a smbpasswd file would be normally stored. The trust account information that is needed by the DMS is written into the file /usr/local/samba/private/secrets.tdb or /etc/samba/secrets.tdb.

This file is created and owned by root and is not readable by any other user. It is the key to the domain-level security for your system and should be treated as carefully as a shadow password file.

Finally, restart your Samba daemons and get ready for clients to begin using domain security. The way you can restart your Samba daemons depends on your distribution, but in most cases the following will suffice:

root# /etc/init.d/samba restart