Domain Security Mode (User Level Security)

When Samba is operating in security = domain mode, the Samba server has a domain security trust account (a machine account) and causes all authentication requests to be passed through to the Domain Controllers. In other words, this configuration makes the Samba server a Domain Member server.

Example Configuration

Samba as a Domain Member Server

This method involves addition of the following parameters in the smb.conf file:

     security = domain
     workgroup = MIDEARTH

In order for this method to work, the Samba server needs to join the MS Windows NT security domain. This is done as follows:

  1. On the MS Windows NT Domain Controller, using the Server Manager, add a machine account for the Samba server.

  2. On the UNIX/Linux system execute:

     root# net rpc join -U administrator%password

Samba-2.2.4 and later can auto-join a Windows NT4-style Domain just by executing:

     root# smbpasswd -j DOMAIN_NAME -r PDC_NAME -U Administrator%password

Samba-3 can do the same by executing:

     root# net rpc join -U Administrator%password

It is not necessary with Samba-3 to specify the DOMAIN NAME or the PDC NAME as it figures this out from the smb.conf file settings.

Use of this mode of authentication does require there to be a standard UNIX account for each user in order to assign a UID once the account has been authenticated by the remote Windows DC. This account can be blocked to prevent logons by clients other than MS Windows through means such as setting an invalid shell in the /etc/passwd entry.
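The following script is an added example, not part of the Samba HOWTO or the Samba project: it audits the two settings this section depends on, the `security`/`workgroup` parameters in smb.conf and the non-login shell on the UNIX accounts created for domain users. The smb.conf and passwd contents are constructed inline so it runs offline; the UID threshold of 1000 for "domain user" accounts is an assumption.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO). Audits a member server for:
#   1. security = domain and a workgroup set in [global]
#   2. every mapped UNIX account (UID >= threshold) having a non-login shell,
#      so the account cannot be used for anything but SMB access.

# Constructed sample smb.conf (not taken from any real host).
SMB_CONF='[global]
   workgroup = MIDEARTH
   security = domain
   password server = *'

# Constructed passwd entries: two domain users, one still has a login shell.
PASSWD='root:x:0:0:root:/root:/bin/bash
frodo:x:1001:1001:Frodo:/home/frodo:/bin/false
gandalf:x:1002:1002:Gandalf:/home/gandalf:/bin/bash'

# smb_param CONF_TEXT NAME -> trimmed value of a parameter (key match is
# case-insensitive, as in Samba; comment lines starting with # or ; are skipped)
smb_param() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# login_shell_users PASSWD_TEXT MIN_UID -> names of accounts at or above MIN_UID
# whose shell is not one of the usual blocking shells (false / nologin)
login_shell_users() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '
        NF >= 7 && $3 >= min && $7 !~ /^\/(bin|sbin|usr\/sbin)\/(false|nologin)$/ { print $1 }'
}

# audit_member_server -> "ok" when both conditions hold, else what fails
audit_member_server() {
    mode=$(smb_param "$SMB_CONF" security | tr 'A-Z' 'a-z')
    wg=$(smb_param "$SMB_CONF" workgroup)
    [ "$mode" = "domain" ] || { echo "security is '$mode', expected domain"; return 1; }
    [ -n "$wg" ] || { echo "workgroup not set"; return 1; }
    bad=$(login_shell_users "$PASSWD" 1000)
    [ -z "$bad" ] || { echo "accounts with login shell: $bad"; return 1; }
    echo "ok"
}

audit_member_server
```

On a real member server the same functions can be fed the output of `testparm -s` and `getent passwd` instead of the embedded text.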

An alternative to assigning UIDs to Windows users on a Samba member server is presented in Chapter 20, Winbind: Use of Domain Accounts.

This is an excerpt from Samba-3 Server Types and Security Modes. For more information regarding Domain Membership, see Chapter 6, Domain Membership, in The Official Samba-3 HOWTO and Reference Guide.