Joining filer to a Samba NT 4 domain

I know that there are other customers that have joined their filers to a Samba PDC, even though the documents I found on the NOW site say that it isn't supported. How can this be done?

Do you have any further guidance? We are using Samba Version 3.0.24-7 with an OpenLDAP backend. We could probably connect the filer to the LDAP database directly, but I'm thinking that my Windows users will have to re-authenticate when trying to view their shares. Any information would be appreciated.


Matt Gaskin

Re: Joining filer to a Samba NT 4 domain

Hi Matt,

Quick answer is that it does work. I've got a few filers running 7.3.1 authing against Samba 3.0.10 (old production boxes, I know).

The difference from Windows clients is that you have to pre-create the trusted machine accounts for the filers. Basically, create a user account for your machine in whatever passdb backend you're using. For the account name, use `hostname` with a trailing $, such as "FILER01$". Then reset the account to be a trusted machine account with "smbpasswd -a -m FILER01$" as root. After this, try to follow the standard cifs setup for joining an NT4 domain.

Also, a heads-up for using LDAP auth. I seem to recall the NOW docs saying that LDAP authentication requires plaintext passwords from the clients. For Windows machines, that requires a change in the registry to enable it.
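
A check for the machine-account step described in the reply above, as an added example that is not part of the original post: it reads an smbpasswd-format listing (assumed here to come from `pdbedit -L -w` on the Samba PDC) and reports whether the filer's account carries the workstation-trust flag. The function name `check_machine_account`, the accounts other than FILER01$ and all sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a filer's machine account is a workstation trust
# account before running cifs setup. Input is smbpasswd-format text:
#   name:uid:LANMAN-hash:NT-hash:[flags]:LCT-hex:
# Flag letters used here: U = user, W = workstation trust, D = disabled.

# Constructed sample listing; hash fields are X-filled placeholders.
SAMPLE='matt:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
FILER01$:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
FILER02$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
FILER03$:1007:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DW         ]:LCT-00000000:'

# check_machine_account NAME   (listing is read from stdin)
# Prints exactly one status word:
#   ok         account exists and has W set, not disabled
#   not-trust  account exists but is still a plain user account (no W)
#   disabled   account has W but also D
#   missing    no such account in the listing
check_machine_account() {
    awk -F: -v want="$1" '
        BEGIN { status = "missing" }
        toupper($1) == toupper(want) {
            flags = $5
            gsub(/[^A-Z]/, "", flags)      # drop brackets and padding
            if (flags !~ /W/)       status = "not-trust"
            else if (flags ~ /D/)   status = "disabled"
            else                    status = "ok"
        }
        END { print status }
    '
}

# Stand-alone run over the constructed sample.
for acct in 'FILER01$' 'FILER02$' 'FILER03$' 'FILER09$'; do
    printf '%s: %s\n' "$acct" \
        "$(printf '%s\n' "$SAMPLE" | check_machine_account "$acct")"
done
```

A `not-trust` result means the account was created as an ordinary user and the trust-account step from the reply has not taken effect yet.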

Re: Joining filer to a Samba NT 4 domain

Sorry for the zombie thread, but this is the first search result for "samba domain" so I thought I'd clarify a few things.

I'm working on setting up a similar situation, and from what I've read so far, you can have the filer join the domain like any other domain, provided you have an account mapped to the "Domain Admins" group in the Samba domain. How this works with the various back-ends (i.e., LDAP), however, is something I'm still working out.

Also, the requirement for plaintext passwords when using LDAP is only if you're using the "native" LDAP support on the filer (option 4 in cifs setup). But since you'll be using AD authentication, the full gamut of authentication mechanisms should be supported.