# What's a 'domain' in SMB/CIFS?

## dE_logics

What's a 'domain' in a CIFS network? I don't have any DNS servers in my network except the 1 in the router... I don't understand how 'domain' fits in a CIFS network. Can someone please explain?

----------

## vaxbrat

The domain parameter in mount.cifs applies if you are mounting a filesystem from an Active Directory domain member.  ADS is fundamentally based on a DNS domain, and you will see either the long form or short form in your /etc/krb5.conf and /etc/samba/smb.conf files when your Linux is a domain member.

----------

## GES

For example, an Active Directory fstab entry that does the job:

```
//mywinmachine.addomain.myfirm.hu/share /mnt/mywinmachine cifs domain=addomain,username=adusername,password=adpassword 0 0
```
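
An added example (not part of the original post, and not Samba's own code): the entry above keeps the AD password in /etc/fstab, which is normally readable by every local user, so this script moves username, password and domain into a root-only file referenced through mount.cifs's `credentials=` option. The path `/etc/samba/creds-mywinmachine` and the function names are assumptions.

```python
import os

# Constructed sample: the fstab entry quoted in the post above.
SAMPLE = ("//mywinmachine.addomain.myfirm.hu/share /mnt/mywinmachine cifs "
          "domain=addomain,username=adusername,password=adpassword 0 0")

# mount.cifs option aliases -> key names used in a credentials file.
CRED_KEYS = {"username": "username", "user": "username",
             "password": "password", "pass": "password",
             "domain": "domain", "dom": "domain", "workgroup": "domain"}


def harden_fstab_line(line, cred_path):
    """Return (new_line, cred_file_text), or None if no inline password."""
    fields = line.split()
    if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "cifs":
        return None
    kept, creds = [], {}
    for opt in fields[3].split(","):
        key, sep, value = opt.partition("=")
        if sep and key in CRED_KEYS:
            creds[CRED_KEYS[key]] = value   # moves to the credentials file
        else:
            kept.append(opt)                # ordinary mount option, keep it
    if "password" not in creds:
        return None
    fields[3] = ",".join(kept + ["credentials=" + cred_path])
    order = ("username", "password", "domain")
    cred_text = "".join(f"{k}={creds[k]}\n" for k in order if k in creds)
    return " ".join(fields), cred_text


def write_credentials(path, text):
    """Create the file with mode 0600; O_EXCL refuses to reuse an existing path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Hypothetical path; any root-owned location outside fstab works.
    new_line, cred_text = harden_fstab_line(SAMPLE, "/etc/samba/creds-mywinmachine")
    print(new_line)
    print(cred_text, end="")
```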

----------

## dE_logics

Apparently I ain't familiar with Active Directory, so I'll see to this issue later.

----------

## dE_logics

*wiki wrote:*

> The Lightweight Directory Access Protocol (LDAP; /ˈɛldæp/) is an application protocol for reading and editing directories over an IP network.

So why does CIFS require LDAP? Does SMB provide a 'service' of LDAP?

Finally, what's the advantage of LDAP over normal file sharing protocols?

Is LDAP a database?

----------

## vaxbrat

LDAP provides a way to maintain a central repository of information about users, computers, devices, etc. that can be queried over your network. In an Active Directory network, the domain controllers act as LDAP servers. The GUI that Windows administrators use, "Active Directory Users and Computers", manages this database. So, among other things, your Windows username and password that may be necessary to gain access to a CIFS share are sitting in an LDAP database that must be queried.

A Samba domain member will be able to gain access to that database through one of three possible routes. The first is to implement an OpenLDAP client and use that to look up the info (high implementation curve). Number 2 is to use Kerberos to exchange session keys with the DC, since that also acts as a Kerberos key distribution center that references its LDAP database. The third (and easiest to roll out) is to enable winbind in Samba. That abstracts all the session management with the DC when looking up users and passwords and makes the AD user and group list appear as if they were just additional users and groups to the Linux system.

All three of those methods go through PAM and the config files in /etc/pam.d, starting with the system-auth file in there. There's an excellent book on Samba published by O'Reilly, and they also publish ones on LDAP and Kerberos that are useful. I've never really seen one about PAM since I've just picked it up from bits of info here and there over the years.

----------

## dE_logics

Thanks for the info... that clears things up. And looks very badly modeled by none other than Microsoft.

----------

