Create the Computer Account
As a user who has write permission on the Samba private directory (usually root), run:
root# net ads join -U Administrator%password
The Administrator account can be any account that has been designated in the ADS domain security settings with
permission to add machines to the ADS domain. It is, of course, a good idea to use an account other than Administrator.
On the UNIX/Linux system, this command must be executed by an account that has UID=0 (root).
When making a Windows client a member of an ADS domain within a complex organization, you
may want to create the machine trust account within a particular organizational unit. Samba-3 permits
this to be done using the following syntax:
root# kinit [email protected]
root# net ads join "organizational_unit"
Your ADS manager will be able to advise what should be specified for the "organizational_unit" parameter.
For example, you may want to create the machine trust account in a container called “Servers”
under the organizational directory “Computers\BusinessUnit\Department,” like this:
root# net ads join "Computers\BusinessUnit\Department\Servers"
This command will place the Samba server machine trust account in the container
Computers\BusinessUnit\Department\Servers. The container should exist in the ADS directory
before executing this command.
ADS support not compiled in
    Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the
    Kerberos libraries and header files are installed.

net ads join prompts for user name
    You need to log in to the domain using kinit USERNAME@REALM. USERNAME must be a user who has
    rights to add a machine to the domain.

Unsupported encryption/or checksum types
    Make sure that the /etc/krb5.conf is correctly configured
    for the type and version of Kerberos installed on the system.
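The kinit-then-join procedure and the failure cases listed above can be checked before the join is attempted. The following is an added example, not part of the Samba documentation: the function names and the KRB5_CONF variable are assumptions made here, and `klist -s` is assumed to be the MIT Kerberos form that reports ticket validity through its exit status.

```shell
#!/bin/sh
# Added example: preflight checks before "net ads join".
# join_preflight, join_ou and KRB5_CONF are hypothetical names for this sketch.

KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# Print one line per failed precondition; the return code is the failure count.
join_preflight() {
    fails=0
    # The join must be run by an account with UID=0 (root).
    if [ "$(id -u)" -ne 0 ]; then
        echo "not running as root (UID=0)"
        fails=$((fails + 1))
    fi
    # A missing or unreadable krb5.conf cannot be "correctly configured".
    if [ ! -r "$KRB5_CONF" ]; then
        echo "cannot read $KRB5_CONF"
        fails=$((fails + 1))
    fi
    # Without a ticket from kinit, net ads join prompts for a user name.
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket; run kinit USERNAME@REALM first"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Join with the existing Kerberos ticket and place the machine account in
# the given organizational unit. Relying on the ticket keeps the password
# off the command line, where -U Administrator%password would expose it
# to the process list and shell history.
join_ou() {
    ou="$1"
    [ -n "$ou" ] || { echo "usage: join_ou ORGANIZATIONAL_UNIT" >&2; return 2; }
    join_preflight >&2 || return 1
    # Keep the path quoted so its backslashes reach net unchanged.
    # The container must already exist in the ADS directory.
    net ads join "$ou"
}

# Usage, as root after kinit:
#   join_ou 'Computers\BusinessUnit\Department\Servers'
```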