Configuring Samba 3.0 To Use The ADS Security Mode (CentOS)

This is the first line in the Samba 3.0 release notes:

“Active Directory support. Samba 3.0 is now able to join an ADS (Active Directory Service) realm as a member server and authenticate users using LDAP/Kerberos.”

The intent of this article is to show you how to configure your Linux machine and Samba server to participate in a Windows 2003 Active Directory domain as a Member Server using Kerberos authentication. This involves using the security = ADS security mode in Samba.

Why would you want to do this? This eliminates the need to create separate Samba user accounts on your Linux server so your Windows users can access the Samba shares. Besides eliminating a lot of administrative overhead, without this, you would need to try to keep the password for the Samba user account synched with the password for the user in the AD domain. If you didn’t and a Windows user changed his password, he would be prompted for a password every time he accessed a Samba share.

Probably the main advantage to the security = ADS security mode is if you are running a Win2003 AD domain in native mode and your security policy prohibits the use of NT-compatible authentication protocols. All of your workstations would be Windows 2000 or XP Professional. In this case, Samba was not previously able to act as a Domain Member server in the domain.

If you want to be able to use winbind (discussed in another article), your Samba server MUST be a domain Member Server.

If you’re not familiar with the different AD modes, here’s a brief explanation. In mixed mode, all windows clients are able to authenticate to the domain including Win9x, NT4, Win2k, and XP Pro. Samba could also be a Member Server of this domain.

Active Directory in native mode perfectly allows NT4-style Domain Members. This is contrary to popular belief.

Active Directory in native mode prohibits only the use of Backup Domain Controllers running MS Windows NT4. Using AD in native mode and restricting the use of the NT-compatible authentication protocols (i.e., using Kerberos authentication), only Win2k and XP Pro clients can belong to the domain. If you have a network with just Win2k and XP Pro clients, this is the preferred and most secure mode.


1. Network Setup
2. Installing Kerberos
3. Installing Samba 3.0
4. Configure Kerberos
5. Configure Samba



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s