[this is almost too trivial to bother with, but in the interests of accuracy ..]
I just converted a Samba 2.2.3a-for-Debian server from being a stand-alone workgroup member using plain-text passwords into a full NT-administered domain member using encrypted passwords and security=domain. This being the first server we've done this with, I paid attention to the apparent authoritative document on the subject, "DOMAIN_MEMBER.html" in "docs/htmldocs". It runs pretty much like this : ====================< cut >==================== In order to join the domain, first stop all Samba daemons and run the command: root# smbpasswd -j DOM -r DOMPDC -UAdministrator%password [...] Now, before restarting the Samba daemons you must edit your smb.conf(5) file to tell Samba it should now use domain security. Change (or add) your security = line in the [global] section of your smb.conf to read: security = domain Next change the workgroup = line in the [global] section to read: workgroup = DOM as this is the name of the domain we are joining. You must also have the parameter "encrypt passwords" set to yes in order for your users to authenticate to the NT PDC. ====================< cut >==================== So, in plodder fashion, that's the order I tried to do things in. Unfortunately, unless you edit smb.conf to set "encrypt passwords = yes" *first*, you can't run the smbpasswd domain-joining call - it fails with : SAMBABOX:/etc/samba# smbpasswd -j MYDOMAIN -r MYPDC -Uadminuser%adminpassword Error connecting to MYPDC Unable to join domain MYDOMAIN. I just thought it might help other folks, to document this explicitly. I spent a couple of hours trying to figure out what I was doing wrong, jacking up the Samba debug level, getting Ethereal traces of the join operation, etc. ... I checked, and it's still the same in the version posted on the Samba.org website, although there's also "Samba-HOWTO-Collection.html" which has a section "Make Samba a member of an MS Windows NT security domain" which documents the same thing in a somewhat different and perhaps less confusing manner. I'd have gladly produced an edited version of DOMAIN_MEMBER.html for consideration, but I know the project uses Docbook for this stuff, and I don't know the first thing about that :( Cheers Nick Boyce EDS, Bristol, UK
