HOW TO: Samba as an AD Domain Member

There are probably a million and one articles about how to make Samba 3 an Active Directory domain member. Even so, this process still seems to require hours of research, so I've decided to compile my latest experiences here.

The domain member box runs Gentoo Linux, so you may need to adjust the steps for your distribution. Make sure the USE flags kerberos, ldap, samba, ssl, and winbind are set, then start by installing an NTP client.

$ emerge ntp

NTP keeps your computer's clock in sync with the domain controller; this matters because Kerberos rejects requests whose timestamps fall outside the permitted clock skew. Edit your /etc/ntp.conf file to use your domain controller as the time server. Then sync your clock, start the NTP client, and install Samba:

$ ntpdate
$ /etc/init.d/ntpd start
$ rc-update add ntpd default
$ emerge samba

Now you can configure Kerberos. Open your /etc/krb5.conf file and make it look like this:

[libdefaults]
  ticket_lifetime = 600
  default_realm = RIT.EDU
  clockskew = 120

[realms]
  RIT.EDU = {
    kdc =
    default_domain = RIT.EDU
  }

[domain_realm]
  .rit.edu = RIT.EDU
  rit.edu = RIT.EDU

Test your Kerberos setup by requesting a ticket from your domain controller; klist shows the ticket you obtained and kdestroy discards it again.

$ kinit administrator
$ klist
$ kdestroy

Edit your Samba configuration so that the [global] section of smb.conf contains the following:

workgroup = RIT
realm = RIT.EDU
server string =

log file = /var/log/samba/log.%m
max log size = 50

hosts allow =
hosts deny =
security = ADS
allow trusted domains = yes
password server =
encrypt passwords = yes
min protocol = NT1

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 600
winbind use default domain = yes
template homedir = /home/%U
obey pam restrictions = yes
template shell = /bin/bash

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
local master = no

idmap uid = 10000-99999
idmap gid = 10000-99999
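As an added example that is not part of the original HOWTO, here is a small POSIX shell audit that reads an smb.conf like the one above and flags the two settings a practitioner should revisit: min protocol = NT1, which allows SMB1 clients, and an empty hosts allow, which places no restriction on client hosts. The sample configuration it writes and the 192.0.2.0/24 range in the hardened copy are constructed for the demonstration.

```shell
# Added example, not part of the original HOWTO: audit an smb.conf for the
# AD-member settings shown above and flag the weak ones. POSIX sh + awk only.

# Print a parameter's value. Samba matches parameter names case-insensitively
# and ignores whitespace inside them ("Min Protocol" == "minprotocol"); the
# last occurrence wins. Lines starting with ';' or '#' and [sections] are skipped.
smb_get() {
    awk -v key="$2" '
        BEGIN { gsub(/[[:space:]]/, "", key); key = tolower(key) }
        /^[[:space:]]*[;#]/ || /^[[:space:]]*\[/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+/, "", v); gsub(/[[:space:]]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { printf "%s", val }' "$1"
}

# One line per finding; prints nothing when the file passes.
smb_audit() {
    f="$1"
    [ "$(smb_get "$f" security | tr 'A-Z' 'a-z')" = ads ] \
        || echo "FAIL security is not ADS: no Kerberos/AD authentication"
    for p in workgroup realm; do
        [ -n "$(smb_get "$f" "$p")" ] || echo "FAIL $p is empty: net ads join needs it"
    done
    case "$(smb_get "$f" 'min protocol' | tr 'a-z' 'A-Z')" in
        SMB2*|SMB3*) ;;
        *) echo "WARN min protocol permits SMB1/NT1 (legacy dialect, no SMB encryption)" ;;
    esac
    [ -n "$(smb_get "$f" 'hosts allow')" ] \
        || echo "WARN hosts allow is empty: any host may reach the shares"
}

# Constructed sample: the [global] settings from the HOWTO above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = RIT
   realm = RIT.EDU
   hosts allow =
   security = ADS
   min protocol = NT1
   winbind use default domain = yes
EOF
# Hardened copy: require SMB2 and limit clients to a constructed subnet.
HARDENED_CONF=$(mktemp)
sed -e 's/= NT1$/= SMB2/' -e 's|hosts allow =$|hosts allow = 192.0.2.0/24|' "$SAMPLE_CONF" > "$HARDENED_CONF"
smb_audit "$SAMPLE_CONF"; echo "--- hardened copy:"; smb_audit "$HARDENED_CONF"
```

To check a live system, source the functions and run smb_audit against your own smb.conf.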

Add winbind to the daemon_list variable in /etc/conf.d/samba.

daemon_list="smbd nmbd winbind"

Join the domain and start Samba.

$ net ads join -U administrator
$ /etc/init.d/samba start

Add winbind to the passwd and group lines in /etc/nsswitch.conf.

passwd: compat winbind
shadow: compat
group: compat winbind

Test user resolution and add Samba to the startup:

$ getent passwd administrator
$ rc-update add samba default

Add the bolded lines to your /etc/pam.d/system-auth file.

auth required
auth sufficient
auth sufficient likeauth nullok use_first_pass
auth required

account required
account sufficient
account required

password required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient nullok md5 shadow use_authtok
password required

session required
session required
session required

That's it! Now all you need to do is start Samba and your box is an AD domain member.