Notes on RedHat / Oracle Enterprise Linux, ADS and Samba

January 17, 2008 by Michael

Recently I needed Windows clients to access a directory on the database server in which CLOBs were created. Since the server runs Oracle Enterprise Linux, I could follow the steps explained behind the following link to get Samba up and running against the Active Directory run by a Windows 2k3 server:

Which steps must be done to run Samba with AD-Integration

In short:

Set up Kerberos in /etc/krb5.conf (the section headers were lost in the original rendering and are restored here; the kdc, admin_server and default_domain values are blank on the original page and must be filled in with your domain controller's names):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = WINDOWS.JARA23.CO.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 WINDOWS.JARA23.CO.UK = {
   kdc =
   admin_server =
   default_domain =
 }

[domain_realm]
 .kerberos.server = WINDOWS.JARA23.CO.UK
 kerberos.server = WINDOWS.JARA23.CO.UK

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Test this with

kinit admin@WINDOWS.JARA23.CO.UK

After entering a valid password, this command should give no error.

Set up a minimal Samba configuration in /etc/samba/smb.conf (section headers restored):

[global]
   workgroup = MIDGARD
   realm = WINDOWS.JARA23.CO.UK
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   winbind separator = +
   idmap uid = 600-20000
   idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash

[homes]
   comment = Home Directories
   valid users = %S
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/cups
   browseable = no
   printable = yes
   guest ok = yes

Enable winbind, PAM and the related settings with system-config-authentication.

Start Samba and join the domain with:

net ads join -U Administrator
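To confirm that the two files above agree with each other before joining, and to verify the kinit test and the join afterwards, here is an added check script (not from the original post). It reads the realm and security settings from krb5.conf and smb.conf, checks that the idmap uid range does not collide with uids already used by local accounts in /etc/passwd, and with --live runs kinit, klist, net ads testjoin, wbinfo and getent. The default file paths, the Administrator user name and the 60000 cut-off for "system" uids are assumptions.

```shell
#!/bin/sh
# check_ads_setup.sh: sanity-check the krb5.conf / smb.conf pair before and
# after "net ads join". Added example, not part of the original post; the
# default paths, the Administrator user name and the local-uid cut-off of
# 60000 are assumptions.

# Print the first value of KEY ($2) from an ini-style FILE ($1), skipping
# ';' and '#' comment lines and trimming surrounding whitespace.
conf_get() {
    sed -n -e '/^[[:space:]]*[;#]/d' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*$//' | head -n 1
}

# Static checks: the Kerberos default_realm and the Samba realm must be the
# same upper-case name, security must be ADS and a workgroup (the NetBIOS
# domain name) must be set. Returns 0 only when everything agrees.
check_static() {
    rc=0
    krb_realm=$(conf_get "$1" default_realm)
    smb_realm=$(conf_get "$2" realm)
    security=$(conf_get "$2" security | tr '[:upper:]' '[:lower:]')
    workgroup=$(conf_get "$2" workgroup)

    [ -n "$krb_realm" ] || { echo "FAIL: no default_realm in $1"; rc=1; }
    case "$krb_realm$smb_realm" in
        *[[:lower:]]*) echo "FAIL: realm names must be upper case"; rc=1 ;;
    esac
    [ "$krb_realm" = "$smb_realm" ] ||
        { echo "FAIL: default_realm '$krb_realm' != smb.conf realm '$smb_realm'"; rc=1; }
    [ "$security" = ads ] ||
        { echo "FAIL: smb.conf security is '$security', expected ADS"; rc=1; }
    [ -n "$workgroup" ] || { echo "FAIL: smb.conf sets no workgroup"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: realm $krb_realm, workgroup $workgroup, security ads"
    return "$rc"
}

# Domain users get uids from the "idmap uid" range; if that range starts at or
# below the highest uid already used by a local account, a domain user and a
# local user can end up owning each other's files. Returns 1 on overlap.
check_idmap() {
    passwd=${2:-/etc/passwd}
    range=$(conf_get "$1" 'idmap uid')
    [ -n "$range" ] || { echo "FAIL: smb.conf sets no idmap uid range"; return 1; }
    low=${range%%-*}
    high=${range##*-}
    # highest local uid, ignoring nobody-style ids at 60000 and above (assumed cut-off)
    max_local=$(awk -F: '$3 < 60000 && $3 > m { m = $3 } END { print m + 0 }' "$passwd")
    if [ "$low" -le "$max_local" ]; then
        echo "WARN: idmap uid $low-$high overlaps local uids up to $max_local"
        return 1
    fi
    echo "OK: idmap uid $low-$high starts above the highest local uid $max_local"
}

# Live checks (network and a domain account required): get a ticket, verify
# the machine account, then confirm winbind resolves domain users.
check_live() {
    kinit "$1@$2" && klist &&
    net ads testjoin && wbinfo -t &&
    wbinfo -u | head -n 5 && getent passwd "$1"
}

main() {
    krb5=${1:-/etc/krb5.conf}
    smb=${2:-/etc/samba/smb.conf}
    check_static "$krb5" "$smb" || return 1
    check_idmap "$smb" || return 1
    if [ "$3" = --live ]; then
        check_live Administrator "$(conf_get "$smb" realm)" || return 1
    fi
    return 0
}

# Usage: sh check_ads_setup.sh [krb5.conf] [smb.conf] [--live]
if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 krb5.conf smb.conf [--live]" >&2
fi
```

Run the static part as an unprivileged user before the join; the --live part needs the Administrator password for kinit and, for net ads testjoin and wbinfo, a running winbind after the join.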
