1. ENSURE your samba box has an A record and associated PTR in DNS.
2. On your DC, disable signing: Run Domain Controller Policy tool and edit Account Policies -> Security Options -> Microsoft network client: Digitally sign communications (always) Set this to Disabled. Do the same in the Domain Policy tool. Note, you will need to reboot the server for this step, though it won't tell you to. Disable on your samba server as well with the following in smb.conf
client signing = no client use spnego = no3. On your samba server, install kerberos5, and edit /etc/krb5.conf. It should contain:
[libdefaults]
default_realm = YOUR.ADS.DOMAIN
dns_lookup_kdc = false
dns_lookup_realm = false[domain_realm]
.your.domain.name=YOUR.ADS.DOMAIN
your.domain.name=YOUR.ADS.DOMAIN[realms]
YOUR.ADS.DOMAIN = {
default_domain = your.domain.name
kdc = IP.OF.THE.DC
}4. Ensure smb.conf contains realm = YOUR.ADS.DOMAIN workgroup = YOUR security = ADS5. Get a ticket using kerberos: kinit administrator (enter the administrator password when prompted). The klist command should then list a ticket.
6. Join the domain using 'net ads join'. This should use the credentials in your kerberos ticket.
7. Set up winbind - ensure the following is in smb.conf
winbind uid = 10000-20000 winbind gid = 10000-20000 winbind enum groups = yes winbind enum users = yes8. store your winbind credentials with wbinfo --set-auth-user=DOMAIN\\administrator%password
9. modify /etc/pam.d/samba (on woody) or the appropriate pam file to add "sufficient" for auth and account using pam_winbind.so. These need to go BEFORE the pam_unix.so calls for samba. My /etc/pam.d/samba is as follows:
auth sufficient pam_winbind.so auth required pam_unix.so nullok account sufficient pam_winbind.so account required pam_unix.so session required pam_unix.so password required pam_unix.so10. Modify /etc/nsswitch.conf with the following:
passwd: winbind compat group: winbind compat shadow: winbind compat11. Restart samba and winbind.
12. All should work. :) Browse your server and see...
