Windows domains are based on centralized authentication services provided by domain controllers. A moderately sized domain has a limited number of DCs, but can possibly host hundreds of file and print servers. The number of servers in a large domain can exceed this amount by a factor of 10 or more.
In many networks, Samba is leveraging these domain authentication services and standing side by side with Windows. First introduced in 1998, Samba's support for participating in Windows domains as a member server has helped administrators integrate Unix servers with Windows clients. In 2003, Samba 3.0 advanced this feature by adding support for Kerberos authentication and LDAP directory services, yielding improved integration with Microsoft Active Directory domains.
Chapter 5 began by discussing the concepts of authentication and authorization. These tasks apply not only to local users but also to domain member servers. For all but the smallest domain, manual synchronization of user and group account information between Unix hosts and Windows domains can consume a large portion of your time. Our focus in this chapter is on decreasing the amount of effort necessary to deploy Samba member servers by leveraging both the authentication and authorization data maintained by Windows domain controllers. We address the steps necessary for Samba to join and participate in both Windows NT 4.0 and Active Directory domains, including how to configure any required external software dependencies such as the Kerberos client libraries, time synchronization, and the DNS client resolver. We also examine Winbind's account management features and its benefits to member servers.