prerequisites: join the machine to the domain using realm join (see 'join to active directory.txt')

1. Install samba:

    apt-get install samba smbclient

2. Edit /etc/samba/smb.conf to include the following settings:

    ## Browsing/Identification ###
    workgroup = MYDOMAINLOCAL
    realm = mydomain.local

    ####### Authentication #######
    server role = member server
    security = ads
    encrypt passwords = yes
    client signing = yes
    kerberos method = secrets and keytab
    client use spnego = yes
    unix password sync = no

    ############ Misc ############
    usershare allow guests = no
    load printers = no
    # prevent annoying log messages about printing
    printcap name = /dev/null

   Also comment out any '[printers]' and '[print$]' sections.

3. At the end of smb.conf, define a share:

    [sharename]
    guest ok = no
    comment = Example Share
    path = /path/to/share
    read only = yes
    valid users = @"domain admins@mydomain.local" @"enterprise admins@mydomain.local"

4. Ensure samba's utilities can find the LDAP info for the domain:

    net ads info

   The output should look something like:

    LDAP server: 10.0.0.11
    LDAP server name: domaincontroller.mydomain.local
    Realm: MYDOMAIN.LOCAL
    Bind Path: dc=MYDOMAIN,dc=LOCAL
    LDAP port: 389
    Server time: Mon, 27 Nov 2017 13:20:59 PST
    KDC server: 10.0.0.11
    Server time offset: 0

5. Join samba to the domain, authenticating with Kerberos:

    net ads join -k

   If that doesn't work, authenticate as a domain admin user instead:

    net ads join -U domainadmin_user

6. Verify that the domain join worked:

    net ads testjoin

   Then reboot, and verify again to ensure the join is persistent.

7. Allow samba through the firewall. For iptables using netfilter-persistent, this involves inserting these lines in the appropriate place in /etc/iptables/rules.v4 and reloading the netfilter-persistent service:

    -A INPUT -p tcp --dport 445 -j ACCEPT
    -A INPUT -p tcp --dport 139 -j ACCEPT
    -A INPUT -p udp --dport 138 -j ACCEPT
    -A INPUT -p udp --dport 137 -j ACCEPT

## Troubleshooting:

add this line to /etc/samba/smb.conf:

    log level = 3
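A small lint for the security-relevant settings in steps 2 and 3 (security = ads, member server role, client signing, no guest access, read-only share, no printer sections), added here as an example and not part of the original note or of Samba. The helper names (smb_get, smb_expect, check_smb_conf) and the two sample configs are constructed for this example; the check assumes a single share section and only the literal yes/no spellings.

```shell
# Lint an smb.conf against the member-server settings from the note above: prints one
# line per deviation and returns 1 if any were found, 0 when clean. Assumptions (not
# Samba's own parser): one share section, and only literal yes/no spellings count.
# Print the value of "key = value" for key $2 in file $1: case-insensitive, comments
# after ';' or '#' ignored, last occurrence wins (as in smbd).
smb_get() {
    sed -e 's/[;#].*$//' "$1" | awk -F= -v key="$2" '
        NF >= 2 { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
                  if (tolower(k) == tolower(key)) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v } }
        END { printf "%s", val }'
}

# Report a deviation unless key $2 in file $1 has the expected value $3.
smb_expect() {
    got=$(smb_get "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] && return 0
    printf '%s = "%s" (expected %s)\n' "$2" "${got:-<unset>}" "$3"; return 1
}

check_smb_conf() {
    rc=0
    smb_expect "$1" "security" "ads"               || rc=1  # AD/Kerberos auth, not local passwords
    smb_expect "$1" "server role" "member server"  || rc=1
    smb_expect "$1" "client signing" "yes"         || rc=1  # sign SMB sessions this host opens
    smb_expect "$1" "guest ok" "no"                || rc=1  # no anonymous access to the share
    smb_expect "$1" "read only" "yes"              || rc=1
    if grep -qiE '^[[:space:]]*\[(printers|print\$)\]' "$1"; then
        printf '%s\n' '[printers]/[print$] section still present'; rc=1
    fi
    return $rc
}

# Constructed sample: the hardened configuration from the note, reduced to one share.
sample_hardened_conf() {
    cat <<'EOF'
server role = member server
security = ads
client signing = yes
[sharename]
   guest ok = no
   read only = yes
EOF
}

# Constructed sample: a weakened variant (local auth, guest access, writable, printers on).
sample_weak_conf() {
    sample_hardened_conf | sed -e 's/^security = ads/security = user/' -e 's/guest ok = no/guest ok = yes/' -e 's/read only = yes/read only = no/'
    printf '[printers]\n   path = /var/spool/samba\n'
}
```

Run it against the live file with `check_smb_conf /etc/samba/smb.conf` after step 3, and again after any later edit to the share.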