Mike Rose's Home Page, TCM Group, Physics Dept, University of Cambridge

Samba HowTos

Windows 2003 file-server with a Linux computer as an ADS member, mounting Windows home directories, with ssh login to the Linux PC using pam_mount, samba and winbind

Joining a Samba Server (version 2) to a Windows 2000 domain

1) On the Windows 2000 primary domain controller, add the Samba host to the domain (i.e. create its machine account).

2) On the Samba host, configure smb.conf thus:

security = domain
workgroup = DOM

where DOM is the name of the domain we are joining.

3) You must also have the parameter encrypt passwords set to yes, otherwise your users cannot authenticate to the domain controller. Finally, add (or modify) a password server line in the [global] section to read:

password server = DOMPDC DOMBDC1 DOMBDC2

or

password server = *

(The explicit list is preferable: with * samba uses whichever controller name resolution hands it, so you depend on that lookup being trustworthy.)

4) Execute:

smbpasswd -j mydomain -r mydomain_dc

WITHOUT specifying a login account name. This results in:

2004/05/05 15:07:26 : change_trust_account_password: Changed password for domain MYDOMAIN.
Joined domain MYDOMAIN.

Samba will now start. Each domain user who accesses the Samba host now
produces a logon event, on behalf of that user and coming from the Samba
host, in the security log of the domain controller specified in smb.conf.
You can also see what is going on by looking in /var/log/messages.

Using Winbind to authenticate a Linux client computer against a samba PDC (version 3) so users have one account for windows and Linux and one home directory

The instructions in the Samba-HOWTO-Collection (winbind chapter) are pretty good, but I needed to do a few things differently.

What follows is a summary of what I did to get a few Linux workstations to authenticate against a samba server and to get their home directories from the same server over NFS.

Install samba + winbind. My smb.conf is:

[global]
# separate domain and user name with '+', like DOMAIN+username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real home directory and shell (only needed if they have shell access, e.g. ssh or telnet)
template homedir = /u/theserver/%U
template shell = /bin/bash
winbind cache time = 600
winbind trusted domains only = yes

security = domain
workgroup = THEDOMAIN
password server = theserver
encrypt passwords = yes

# to remove domain from username
winbind use default domain = yes
obey pam restrictions = Yes

Install amd (you could use autofs, but we like amd for automounting). Our amd.users map is below; note the nosuid,nodev options on the NFS mount, so that nothing a user puts in a server-side home directory can act as a setuid binary or a device node on the workstation:

# AMD map file for mounting the user directories as /u/nthomes/XX

/defaults       opts:=intr,rsize=8192,wsize=8192,nosuid,nodev,proto=udp

bioserver       type:=nfs;rhost:=theserver;rfs:=/samba/nthomes

Our amd.conf:

[global]

# Don't do NIS or other silly things
map_type = file

# Our maps are in /etc
search_path = /etc

# Reduce logging
log_options = noinfo,error,fatal,warn,nouser
#log_options = info,error,fatal,warn
log_file = syslog

# Inherit volumes already mounted
restart_mounts = yes
unmount_on_exit = no

# We want a pid file
print_pid = yes
pid_file = /var/run/amd.pid

# Don't unmount too vigorously
cache_duration = 720

[ /u ]
map_name = amd.users

[ /misc ]
map_name = amd.misc

Relevant bits from /etc/nsswitch.conf:

passwd:     files winbind
shadow:     files
group:      files winbind

Now, as I am just running a few workstations, I decided to distribute the passwd map by simply putting it into /etc/passwd on each computer. The reason is that winbind allocates a UID for each samba user from the idmap range in the order it first sees them, so the same user can end up with a different UID on each Linux workstation. That is pretty bad for NFS, where the server records file ownership by number: a user would own different files depending on which workstation they logged in from. If I was running more Linux workstations I would probably use NIS or NIS+ for the passwd and group maps. The magic bits in the smb.conf are:

winbind trusted domains only = yes
# to remove domain from username
winbind use default domain = yes
obey pam restrictions = Yes

Example entry in /etc/passwd:

user:x:11009:267::/u/theserver/user:/bin/bash

Every time a user is added to THEDOMAIN on the samba server I have to add that user to the /etc/passwd file on each linux workstation.
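To catch that UID drift before it bites, here is an added example (my own check, not from the original notes): a shell function that takes passwd-format maps collected from several workstations and reports any account whose uid or gid differs between hosts. The host names and the two sample maps in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: report accounts whose uid/gid differ between workstations.
# A mismatch is exactly what breaks NFS home directories, because the NFS
# server identifies the owner of a file by number, not by name.
#
# Usage: check_passwd_maps HOST:PASSWD_FILE [HOST:PASSWD_FILE ...]
# Prints one MISMATCH line per conflicting account; returns 1 if any found.
check_passwd_maps() {
    for arg in "$@"; do
        host=${arg%%:*}
        file=${arg#*:}
        # emit "user host uid gid" for every real entry in the map
        awk -F: -v h="$host" 'NF >= 4 { print $1, h, $3, $4 }' "$file"
    done | awk '
        BEGIN { bad = 0 }
        {
            user = $1; host = $2; ids = $3 ":" $4
            if (user in seen) {
                if (seen[user] != ids) {
                    printf "MISMATCH %s: %s has %s, %s has %s\n", user, first[user], seen[user], host, ids
                    bad = 1
                }
            } else {
                seen[user] = ids; first[user] = host
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Demonstration with two constructed maps (not real data): "user" has the same
# ids everywhere, but "bob" was allocated on the fly by winbind on each box and
# ended up with a different uid on ws2.
demo_passwd_check() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/ws1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:11009:267::/u/theserver/user:/bin/bash
bob:x:10004:267::/u/theserver/bob:/bin/bash
EOF
    cat > "$tmp/ws2" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user:x:11009:267::/u/theserver/user:/bin/bash
bob:x:10007:267::/u/theserver/bob:/bin/bash
EOF
    rc=0
    check_passwd_maps "ws1:$tmp/ws1" "ws2:$tmp/ws2" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Source the file and call check_passwd_maps with copies of /etc/passwd (or the output of getent passwd) gathered from each workstation; demo_passwd_check runs it on the constructed maps and prints the single bob mismatch.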

On the PDC (the samba server), put the computer into /etc/passwd and create its machine trust account:

smbpasswd -a -m computer_name

Then on the workstation join the domain:

# net join MEMBER -S bioserver
root's password:
Joined domain DOMAIN.

If you have not created the machine trust account on the server then you might get:

# wbinfo -t
checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret
# wbinfo -u
Error looking up domain users
# wbinfo -g

Testing: start winbind, then

# wbinfo -t
checking the trust secret via RPC calls succeeded

# getent passwd

should list the passwd map, including the domain users.

Now you will want other things to work, like sshd, login, rlogin, xlock and X11. In /etc/pam.d/ you will find a bunch of files that configure how PAM does authentication for different programs. You need to add lines like:

auth     sufficient     pam_winbind.so
account  sufficient     pam_winbind.so

to each of the relevant files, above the existing pam_unix lines. "sufficient" means that a winbind success ends the phase immediately, while a winbind failure simply falls through to the next module, so local accounts in /etc/passwd still authenticate exactly as before. Be careful with the catch-all file "other": a sufficient pam_winbind line there applies to every service that has no file of its own. This is what I did (that works):

/etc/pam.d$ grep winbind *
login:auth     sufficient     pam_winbind.so
login:account  sufficient       pam_winbind.so
other:auth       sufficient   pam_winbind.so
other:account    sufficient   pam_winbind.so
passwd:auth       sufficient   pam_winbind.so
passwd:account    sufficient   pam_winbind.so
rlogin:auth     sufficient      pam_winbind.so
rpasswd:auth       sufficient   pam_winbind.so
rpasswd:account    sufficient   pam_winbind.so
sshd:auth       sufficient   pam_winbind.so
sshd:account    sufficient   pam_winbind.so
xdm:auth       sufficient   pam_winbind.so
xdm:account    sufficient   pam_winbind.so
xlock:auth       sufficient   pam_winbind.so
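Because "sufficient" short-circuits the stack and "other" is a catch-all, it is worth checking the result mechanically rather than by eye. The following is an added example (mine, not from the original notes): a shell function that reads a pam.d directory, reports for each service which control word pam_winbind carries in the auth and account phases, and flags the two patterns above. The login, other and rlogin files in the demonstration are constructed; real files with bracketed control fields such as [success=1 default=ignore] would need a smarter parser.

```shell
#!/bin/sh
# Added example: audit how pam_winbind is wired into a pam.d directory.
# Flags:  - pam_winbind "sufficient" in the catch-all "other" file, which every
#           service without a file of its own inherits;
#         - a service whose auth phase consults winbind but whose account phase
#           does not, so domain users authenticate but never get the account
#           checks (screen lockers such as xlock are the usual legitimate
#           exception, since they only re-authenticate an existing session).
# Usage: audit_pam_winbind /etc/pam.d   -> report on stdout, returns 1 if flagged
audit_pam_winbind() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=$(basename "$f")
        # control word of the first pam_winbind line in each phase, comments removed
        auth=$(sed 's/#.*//' "$f" | awk '$1 == "auth" && $3 ~ /pam_winbind/ { print $2; exit }')
        acct=$(sed 's/#.*//' "$f" | awk '$1 == "account" && $3 ~ /pam_winbind/ { print $2; exit }')
        printf '%-8s auth=%-10s account=%-10s' "$svc" "${auth:-none}" "${acct:-none}"
        if [ "$svc" = other ] && [ "$auth" = sufficient ]; then
            printf ' FLAG: sufficient winbind in catch-all'
            rc=1
        elif [ -n "$auth" ] && [ -z "$acct" ]; then
            printf ' FLAG: auth without account'
            rc=1
        fi
        printf '\n'
    done
    return $rc
}

# Demonstration on a constructed pam.d directory (not real files).
demo_pam_audit() {
    tmp=$(mktemp -d) || return 2
    printf 'auth     sufficient  pam_winbind.so\nauth     required    pam_unix.so\naccount  sufficient  pam_winbind.so\naccount  required    pam_unix.so\n' > "$tmp/login"
    printf '# fallback for services without their own file\nauth     sufficient  pam_winbind.so\naccount  sufficient  pam_winbind.so\n' > "$tmp/other"
    printf 'auth     sufficient  pam_winbind.so\nauth     required    pam_unix.so\n' > "$tmp/rlogin"
    rc=0
    audit_pam_winbind "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run audit_pam_winbind /etc/pam.d on a real machine; demo_pam_audit runs it on the constructed directory, where login passes, other is flagged for the catch-all and rlogin for having no account line.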

You should now find that most things work (login on the console, xlock, rlogin, etc.), BUT ssh will probably not work. I found an undocumented parameter that tells sshd to use PAM, and I had to change the setting of another parameter so that sshd would work:

UsePAM yes
PasswordAuthentication no

With PasswordAuthentication off, clients fall back to keyboard-interactive authentication, which sshd hands to the PAM stack, so the pam_winbind lines above are consulted and domain passwords are checked against the samba server rather than against /etc/shadow.

To change user passwd from Linux:

smbpasswd -r theserver

Create a simple home-directory creation script on the samba server that also puts example login scripts (.bashrc, etc.) into each new home directory.

Mounting an smb share on a linux computer as a normal user with fstab

If you can:

mount -t smbfs -o username=USER,port=139 //computer.domain/USER /mntpoint

then you should be able to put this entry into your /etc/fstab:

//computer.domain/USER /mntpoint    smbfs    username=USER,port=139,user,noauto 0 0

Then you need to make a few adjustments so that a normal user can use smbmnt:

# chown USER /mntpoint
# ls -ld /mntpoint
drwxr-xr-x  2 USER root 4096 Sep  9 12:46 /mntpoint
# chmod u+s /usr/bin/smbmnt

Then USER should be able to: mount /mntpoint

smbmnt is setuid root after this and is the piece that makes the actual mount(2) call, so keep it in mind: it refuses to mount onto a directory the caller does not own (hence the chown), and the "user" option in fstab implies nosuid and nodev (see mount(8)), which is what stops a share carrying a setuid-root binary from handing root to whoever can write to it. Check /proc/mounts after mounting to confirm those flags are in effect; mounts made directly with smbmount (below) do not get them unless you ask.

You might have noticed that port=139 is specified: we needed this because we block port 445. The smbmount documentation says it uses port 139 by default, but it appears to try 445 first, so without the option the connection attempt just hits the firewall.

For diagnosis it is rather useful to be able to:

# see what shares are available on a server:
net rpc share -S computer.domain -U USER
# see what network connections there are (look for 139 and 445):
netstat -n
# do command-line Windows drive mapping (Windows command prompt):
net use
# and also, from the Windows command prompt, view shares:
net view
# (put a question mark after a net command to get the syntax):
net view ?

Annoyingly, under RH9 (and 7.3) only root can umount this mount (yes, the user did mount it). With Suse 9 the problem is worse, and when trying to use the /etc/fstab entry you get:

mount error: Invalid argument
Please refer to the smbmnt(8) manual page
smbmnt failed: 255

If you google you will find plenty of people with this problem.

Time to submit a bug to suse I guess.

These things do work as a non-root user:

smbmount //COMPUTER/SHARE /mnt -o username=USER,port=139

/sbin/mount.smbfs //COMPUTER/SHARE /mnt -o username=USER,port=139

Mounting an smb share from a Windows 2003 server (SP1)

This worked for me (Suse 9.1 Pro):

mount -t cifs -o username="$user" //server.domain/sharename /mntpoint

I was getting this error message when trying to use smbfs:

mount -t smbfs -o username=$user,port=4139 //server.domain/sharename /mntpoint
cli_negprot: SMB signing is mandatory and we have disabled it.
12400: protocol negotiation failed
SMB connection failed

Windows 2003 domain controllers require SMB signing by default and the old smbfs client cannot sign, so the negotiation is refused; the cifs client supports signing, which is why it works. Turning the signing requirement off on the server to keep smbfs going would be the wrong fix.

Suse 9.1 and Samba config - compiling your own samba

We prefer to compile samba ourselves (most installation and configuration done as a non-root user). Interestingly, the scripts that let samba create accounts on the fly, which are usually:

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

do not work as they stand, because useradd under Suse 9.1 does not like /dev/null as a home directory, so:

add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
Now this works, but you'll get some error messages in /var/log/samba/smb/log if the groups listed in /etc/default/useradd do not all exist in /etc/group:

useradd: Unknown group `dialout'.
useradd: Unknown group `video'.
useradd: Unknown group `audio'.

So:

vim /etc/default/useradd

and remove the groups that do not exist.

man useradd says " -g, --gid gid The group name or number of the user's main group. The group name or number must refer to an already existing group. If not specified, the default from /etc/default/useradd is used. ".

My settings:

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
GROUPS=uucp

Without sorting this out, when you try to add (on the fly) a Windows computer to your samba domain you will get an error message something like "The following error occurred attempting to join the domain XXXX: The username not found", because the add machine script failed and the machine account was never created.
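Two checks worth running before you rely on useradd being called from inside samba, as an added example (mine, not from the original notes): one parses the useradd defaults file and confirms that every group it names exists in the group file, which would have caught the "Unknown group" errors above before the first machine tried to join; the other validates the account name that will arrive through %u, accepting only a NetBIOS-style name of at most 15 characters with a trailing "$" (the character set allowed is my conservative choice, not a samba rule). The defaults and group files in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: sanity checks around "add machine script = useradd ... %u".
#
# check_useradd_defaults DEFAULTS_FILE GROUP_FILE
#   Reads GROUP= (primary group, name or gid) and GROUPS= (comma list of extra
#   groups) from a /etc/default/useradd-style file and reports any that do
#   not exist in the given /etc/group-style file.  Returns 1 if any are missing.
check_useradd_defaults() {
    defaults=$1
    groupfile=$2
    rc=0
    primary=$(sed -n 's/^GROUP=//p' "$defaults")
    extra=$(sed -n 's/^GROUPS=//p' "$defaults" | tr ',' ' ')
    for g in $primary $extra; do
        # match either the group name (field 1) or the numeric gid (field 3)
        if ! awk -F: -v g="$g" 'BEGIN { found = 0 } $1 == g || $3 == g { found = 1 } END { exit !found }' "$groupfile"; then
            echo "missing group: $g"
            rc=1
        fi
    done
    return $rc
}

# valid_machine_name NAME
#   Accept only NAME = 1..15 characters from [A-Za-z0-9_-] followed by "$",
#   the shape of a machine trust account.  (Assumption: this character set is
#   deliberately narrower than NetBIOS allows, to keep shell metacharacters out
#   of anything handed to useradd.)
valid_machine_name() {
    case $1 in
        *\$) ;;
        *) return 1 ;;
    esac
    name=${1%\$}
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Demonstration with constructed files: GROUPS names dialout and video, which
# are not in the group file, mirroring the "Unknown group" errors above.
demo_useradd_check() {
    tmp=$(mktemp -d) || return 2
    printf 'GROUP=100\nHOME=/home\nSHELL=/bin/bash\nGROUPS=uucp,dialout,video\n' > "$tmp/useradd"
    printf 'root:x:0:\nusers:x:100:\nuucp:x:14:\n' > "$tmp/group"
    rc=0
    check_useradd_defaults "$tmp/useradd" "$tmp/group" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real server run check_useradd_defaults /etc/default/useradd /etc/group; a wrapper script used as the add machine script can call valid_machine_name "$1" and refuse anything that does not pass before invoking useradd.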

Windows ADS on Windows 2003 Server with Linux file-server and linux clients as part of Windows domain

This could also be called: "IDMAP ADS Using ADS with SFU3.5"

If you want to put your linux authentication and directory information into ADS and have your linux computers as part of a Windows ADS then this does work.

Configure Windows 2003 Server
=============================
Install SFU3.5 (Services for UNIX, a free download from the Microsoft website;
the default installation is fine) on a Windows 2003 Server running as a Domain
Controller. This extends the ADS schema to include UNIX attributes.

Create a test user with UNIX attributes of:
uid
gid
home directory
default shell

Make sure that the Windows ADS group/s this user is a member of
also have UNIX attributes. In particular the gid of the test user
needs to correspond to an ADS group with a UNIX gid.

Linux Computer
===============
/etc/resolv.conf needs to point to the DNS server that holds all of the
ADS entries, so that samba can find AD. So if you have a
Windows domain controller called "sd1" (IP=192.168.0.1)
then /etc/resolv.conf can be:

nameserver 192.168.0.1
search domain

Pre-requisites:
ldap + libraries + devel
kerberos + libraries + devel
openssl devel
pam libraries
cyrus-sasl libraries
acl libraries

For Suse9.1 these are the packages (rpms) that I needed:
openldap2
openldap2-devel
openldap2-client
heimdal
heimdal-lib
heimdal-tools
heimdal-devel
db-devel
e2fsprogs-devel
openssl-devel
cyrus-sasl-devel
pam-devel
libcap
libacl-devel
acl
libacl
quota

Compile samba
=============
This is an example of how to compile samba without too much root action:

as root:
mkdir /usr/local/samba/
chown mr /usr/local/samba/

as mr:
./configure --prefix=/usr/local/samba/ --with-ldap --with-ads --with-krb5 --with-pam --with-winbind --with-shared-modules=idmap_ad --with-acl-support --with-quotas

Note: DO scan config.log for errors. For example, if you do not have libcap
installed samba will still build, but winbind will crash every time you try
a "getent passwd". Mind you, I still have a few errors in config.log, but they
don't seem to matter...

make
make install

Note: --with-shared-modules=idmap_ad is currently the only way to get the
idmap_ad module built. "idmap backend = ad" (below) looks for a module called
ad.so, so make that name available:

/usr/local/samba/lib/idmap$ ln -s ./idmap_ad.so ad.so

To pick up users and groups from ADS through nsswitch you'll need to install
the NSS modules (as root):
cd samba-3.0.20/source/nsswitch
cp libnss_winbind.so /lib
cp libnss_wins.so /lib
ldconfig

You might also want samba to startup on boot, so create a startup script.
For linux this is typically in /etc/init.d

Create your smb.conf. Best advice is to do this with a very simple
configuration to start with:
[global]
# the value is taken literally, so do not quote it; backslash is already the
# default separator and this line could simply be omitted
winbind separator = \
#idmap uid = 100-20000
#idmap gid = 100-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 600
winbind use default domain = yes
allow trusted domains = yes
idmap backend = ad
winbind nss info = sfu
workgroup = short_domain_name
realm = domain
security = ADS
encrypt passwords = yes
password server = winserver1.domain, winserver2.domain
obey pam restrictions = Yes

Use testparm to check it:
testparm -s

Note: if things do not work then you'll end up with default mappings to uid
and gid for users created on the fly by winbind (allocated from the idmap
uid/gid ranges in the order users are first seen). These go into a tdb file in:
/usr/local/samba/var/locks.

Now to join the domain. There are several ways you can do this, such as getting
a Kerberos ticket for a domain administrator and then joining into a chosen OU:
kinit Administrator@DOMAIN.THING.COM
net ads join "\unix_workstations"
kdestroy
(The realm after the @ is case-sensitive and is conventionally the DNS domain
in upper case. Run kdestroy afterwards so that an administrator ticket is not
left sitting in root's credential cache.)

edit /etc/nsswitch.conf:
passwd:     files winbind
shadow:     files
group:      files winbind

Restart samba (smbd, nmbd) and winbind

Some testing:
wbinfo -t
should give:
checking the trust secret via RPC calls succeeded

wbinfo -u
Administrator
Guest
SUPPORT_388945a0
SD1$
krbtgt
bob
SD2$
sf1$

wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy

Now the following should work:
getent passwd
getent group
getent passwd test
(where test is a test user)

Troubleshooting
===============
Well, there will likely be problems. Take your time and do not panic. Think
carefully about where the problem actually is. The Windows event log can be
slightly useful (showing you security information about logins, etc.). The
winbind log can be VERY useful. You can easily turn the debugging level up
a fair bit by running winbindd by hand:
/etc/init.d/winbind stop
winbindd -D -d 5
(-D keeps it running as a daemon, -d sets the debug level.) With this example
installation the log files are under /usr/local/samba/var.

Note: if you do not get uid and gid values for the AD users and groups then it
will NOT work. As a stop-gap, un-comment this stuff in smb.conf:
idmap uid = 100-20000
idmap gid = 100-20000
and you'll get mappings (allocated on the fly) that you can get rid of later.

If you end up with uid:gid set for users by winbindd choosing consecutive
numbers, with the values not coming from ADS, then you can stop winbindd, nmbd
and smbd and delete (argh!) the idmap database file. Usually in:
/usr/local/samba/var/locks/
I think it is these files:
winbindd_cache.tdb
winbindd_idmap.tdb

NOT recommended on a live server: any files already owned by the on-the-fly
uids keep those numbers, so look for them (find / -nouser is the usual tool)
before the mappings disappear.

Start winbind again and the on-the-fly idmap mappings will be gone.

Useful Links
============
http://lilly.csoft.net/~vdebaere/handleiding/samba-activedirectory/index_en.html

I wanted a samba print server (also with lpd for UNIX) that would simply use host-based access control and allow users to manipulate print jobs.

I used this command to give printer management rights to guest users (you need to give the password for the samba root user):

net rpc rights grant 'nobody' SePrintOperatorPrivilege

To check it has worked:

net rpc rights list nobody

Or you can be even more generous with:

net rpc rights grant 'Everyone' SePrintOperatorPrivilege

To list rights for all accounts:

net rpc rights list accounts

Bear in mind what this grants: with "map to guest = Bad User" below, anyone who gets past hosts allow becomes nobody, and SePrintOperatorPrivilege then lets them pause queues, remove other people's jobs and add or change printers and drivers. Here that is the intended trade-off (visitors must be able to print and clear their own jams), so the hosts allow list is the real access control and should be kept tight; uploading driver files is still limited by the write list on [print$].

The smb.conf for samba-3.0.21 is:

[global]
server string = Print1 the XXX print server
printing = lprng
load printers = yes
printcap name = /etc/printcap
use client driver = no
wins server = IP_address
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wide links = No
max log size = 0
log level = 0
# mainly to allow visiting computers to print via our server: any unknown
# user name is mapped to the guest account, so the hosts allow list below
# is the only thing between the network and the guest's privileges
guest account = nobody
map to guest = Bad User
# hosts allow takes precedence over hosts deny: list the permitted hosts/subnets and deny everything else
hosts allow = IP, IP, IP, localhost
hosts deny = 0.0.0.0/0
security = USER
# only meaningful with security = server; harmless here
paranoid server security = no
workgroup = THING
show add printer wizard = yes
domain master = no
enhanced browsing = no
local master = no
preferred master = no
# PRINTER CONTROL
enable privileges = yes
print command = /usr/bin/lpr -r -P'%p' %s
lpq command = /usr/bin/lpq -P'%p'
lprm command = /usr/bin/lprm -P'%p' %j
lppause command = /usr/bin/lpc hold '%p' %j
lpresume command = /usr/bin/lpc release '%p' %j
queuepause command = /usr/bin/lpc stop '%p'
queueresume command = /usr/bin/lpc start '%p'

[printers]
comment = Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browseable = no
# a printable share always accepts spool files; read only just blocks other writes
read only = yes

[print$]
comment = Printer Driver Download Area
path = /usr/local/samba/drivers
browseable = yes
guest ok = yes
read only = yes
# only these accounts may upload or replace driver files
write list = @ntadmin, root