Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 14.04

EDIT: There is an updated version of this article for Ubuntu 16.04 here.

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I have documented the steps that I took to get Samba 4 working as an Active Directory Domain Controller and also made a screencast that I have cross-posted on YouTube. I chose Ubuntu because they have pretty recent packages of Samba; there is more info about binary packages for different distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 14.04. If you do watch the screencast, it is best viewed in HD!

This is the setup:

This is just a reference as some of these will be unique to your setup.

AD DC Hostname:                    DC1

AD DNS Domain Name:                shaver.net

Kerberos Realm:                    shaver.net

NT4 Domain Name/NetBIOS Name:      shaver

IP Address:                        192.168.0.200

Server Role:                       Domain Controller (DC)

Forwarder DNS Server:              192.168.0.1

First make sure everything is up to date and install some prerequisites. You may want to reboot if your kernel updates.

#get fresh sources
$sudo apt-get update
#get fresh updates
$sudo apt-get upgrade
#install samba pre-reqs
$sudo apt-get install attr build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp

During the installation of Kerberos, it may ask you for your Kerberos realm as well as the name of this server. These are our Kerberos Realm and AD DC Hostname from above:

Realm=SHAVER.NET
Server=DC1.SHAVER.NET

Setting a static IP

It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba.

$sudo nano /etc/network/interfaces
#
#/etc/network/interfaces
#
#and change:
iface eth0 inet dhcp
#to:
#this will depend on your network setup, 192.168.0.200 is the IP of the box that Samba will be on.
iface eth0 inet static
address 192.168.0.200
netmask 255.255.255.0
gateway 192.168.0.1
#currently we want this server and our upstream DNS
dns-nameservers 192.168.0.200 192.168.0.1
#this should be set to what you want your samba domain to be
dns-search shaver.net

Setting your hostname:

$sudo nano /etc/hostname

Put in the name that you want your domain controller to be named:

#
#/etc/hostname
#
dc1

Setting file system parameters:

Because Samba makes use of extended filesystem attributes and POSIX ACLs that EXT3/4 don’t normally enable, we have to turn them on in fstab. Note that the packages acl and attr are required for this to work.

$sudo nano /etc/fstab
#
#/etc/fstab
#
#this is an example of a partition where our Samba shares will live.
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      errors=remount-ro     0     1
#Add a few parameters:
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      user_xattr,acl,barrier=1,errors=remount-ro     0     1

We need to reboot for the changes to take effect.

#do a reboot
$sudo shutdown -r 0

Setting hosts file:

We need to be certain that dc1 always resolves to localhost.

$sudo nano /etc/hosts
#
#/etc/hosts
#
#change:
127.0.1.1     shaver.net   shaver
#to whatever your FQDN is going to be for your server:
127.0.1.1     dc1.shaver.net    dc1

Setting NTP:

Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.

#
#Configuring ntp
#
#stop the ntp service
$sudo service ntp stop
#sync ntp
$sudo ntpdate -B 0.ubuntu.pool.ntp.org
#start the ntp service
$sudo service ntp start
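The static IP, hostname, fstab, hosts and NTP steps above are easy to get subtly wrong, and every later failure (NXDOMAIN, "Cannot find KDC", clock skew) traces back to one of them. The script below is an added example, not code from the original article: each step becomes a function that inspects a config file or captured command output, and `--system` runs them all against the live box using the article's values (dc1.shaver.net, shaver.net, 192.168.0.200 and eth0 are the article's placeholders; substitute your own). The 300-second limit is Kerberos' default maximum clock skew.

```shell
#!/bin/sh
# Pre-provision sanity checks for the steps above (static IP, /etc/hosts,
# fstab mount options, NTP). Added example, not part of the original
# article. Each check is a function taking a file or captured command
# output, so it can be run against copies; "--system" runs it against the
# live machine with the article's values (dc1.shaver.net / 192.168.0.200,
# placeholders for your own setup).

# iface_is_static FILE IFACE: the interface stanza in
# /etc/network/interfaces must read "iface <IFACE> inet static".
iface_is_static() {
  awk -v i="$2" '
    $1 == "iface" && $2 == i && $3 == "inet" { mode = $4 }
    END { exit (mode == "static") ? 0 : 1 }' "$1"
}

# fstab_has_opts FILE MOUNTPOINT: the mount's option list must contain
# both user_xattr and acl (needed for Samba's extended attributes/ACLs).
fstab_has_opts() {
  awk -v mp="$2" '
    $1 ~ /^#/ || NF < 4 { next }
    $2 == mp {
      n = split($4, o, ",")
      for (k = 1; k <= n; k++) { if (o[k] == "user_xattr") x = 1; if (o[k] == "acl") a = 1 }
    }
    END { exit (x && a) ? 0 : 1 }' "$1"
}

# hosts_maps_fqdn FILE FQDN SHORT: one non-comment line must carry both the
# FQDN and the short hostname (the article's "127.0.1.1 dc1.shaver.net dc1").
hosts_maps_fqdn() {
  awk -v f="$2" -v s="$3" '
    $1 ~ /^#/ { next }
    { hf = hs = 0
      for (k = 2; k <= NF; k++) { if ($k == f) hf = 1; if ($k == s) hs = 1 }
      if (hf && hs) ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

# hosts_no_loopback_domain FILE DOMAIN: the bare domain name must not stay
# on a 127.x line (the stale line the article replaces); otherwise the DC's
# own lookups of the domain would hit /etc/hosts instead of Samba's DNS.
hosts_no_loopback_domain() {
  awk -v d="$2" '
    $1 ~ /^#/ { next }
    $1 ~ /^127\./ { for (k = 2; k <= NF; k++) if ($k == d) bad = 1 }
    END { exit bad ? 1 : 0 }' "$1"
}

# ntp_skew_ok NTPDATE_OUTPUT MAX_SECONDS: parses the "offset N" field that
# `ntpdate -q` prints and accepts |offset| <= MAX_SECONDS. Kerberos rejects
# tickets beyond its default 300 s clock skew, so that is a sensible limit.
ntp_skew_ok() {
  printf '%s\n' "$1" | awk -v max="$2" '
    { for (k = 1; k < NF; k++) if ($k == "offset") { v = $(k + 1); sub(/,$/, "", v); off = v + 0; seen = 1 } }
    END { if (!seen) exit 1; if (off < 0) off = -off; exit (off <= max) ? 0 : 1 }'
}

# report CHECK ARGS...: run one check and print ok/FAIL with its name.
rc=0
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }

# system_check: run every check against the live machine.
system_check() {
  report iface_is_static /etc/network/interfaces eth0
  report fstab_has_opts /etc/fstab /
  report hosts_maps_fqdn /etc/hosts dc1.shaver.net dc1
  report hosts_no_loopback_domain /etc/hosts shaver.net
  report ntp_skew_ok "$(ntpdate -q 0.ubuntu.pool.ntp.org 2>&1)" 300
  return $rc
}

if [ "${1:-}" = "--system" ]; then system_check; fi
```

Run it as `sh precheck.sh --system` before provisioning; a FAIL line names the step to revisit. The fstab check reads the file rather than `mount` output on purpose: the article's options only take effect after the reboot, so a passing fstab plus a pending reboot is exactly the state you want to confirm.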

Setting up Samba

This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.

#
#Installing samba
#
$sudo apt-get install samba smbclient
#
#Provisioning Samba
#
#move the old smb.conf to a safe place:
$sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
#provision samba in interactive mode:
$sudo samba-tool domain provision --use-rfc2307 --interactive
DOMAIN:SHAVER
Server Role:dc
DNS backend:SAMBA_INTERNAL
#note: this should be the upstream DNS server
DNS forwarder IP address: 192.168.0.1
Administrator password: Something!S3cure!

Removing Upstream DNS:

We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points DNS at ourselves. We do this because Samba is now managing DNS and forwarding any external requests to the upstream DNS server.

$sudo nano /etc/network/interfaces
#
#/etc/network/interfaces
#
#Remove the upstream DNS server as Samba is now handling it
#192.168.0.200 is the address of the samba server
dns-nameservers 192.168.0.200 192.168.0.1
#becomes
dns-nameservers 192.168.0.200
$sudo shutdown -r 0

Testing DNS:

It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.

#test SRV record for ldap on TCP
$ host -t SRV _ldap._tcp.shaver.net
_ldap._tcp.shaver.net has SRV record 0 100 389 dc1.shaver.net.
#test SRV record for kerberos on UDP
$ host -t SRV _kerberos._udp.shaver.net
_kerberos._udp.shaver.net has SRV record 0 100 88 dc1.shaver.net
#test name resolution of our host
$ host -t A dc1.shaver.net
dc1.shaver.net has address 192.168.0.200
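Eyeballing the three `host` answers works once; a script that parses them is what you want when the DC is rebuilt or when a comment-thread style "NXDOMAIN" report needs triage. This is an added example, not code from the original article. The parsers take the text that `host` prints (so they can be tested on saved output, including the trailing-dot variation seen above), and `--live` runs the article's three queries plus a check that the regenerated resolv.conf lists only the DC, which is what the "Removing Upstream DNS" step is meant to achieve. shaver.net, dc1.shaver.net and 192.168.0.200 are the article's placeholder values.

```shell
#!/bin/sh
# DNS verification for the freshly provisioned DC. Added example, not code
# from the original article. The parsers take captured command output so
# they can be exercised on saved text; "--live" runs the article's three
# `host` queries plus a resolv.conf check using its sample values
# (shaver.net / dc1.shaver.net / 192.168.0.200 are placeholders).

# srv_target_ok OUTPUT HOST PORT: OUTPUT is what `host -t SRV name` printed.
# Succeeds when some record's target is HOST (trailing dot ignored) on PORT.
# An NXDOMAIN answer contains no "has SRV record" line and therefore fails.
srv_target_ok() {
  printf '%s\n' "$1" | awk -v h="$2" -v p="$3" '
    /has SRV record/ {
      tgt = $NF; sub(/\.$/, "", tgt)      # fields: ... prio weight port target
      if (tgt == h && $(NF - 1) == p) ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# a_record_ok OUTPUT IP: OUTPUT is what `host -t A name` printed; succeeds
# when the name resolves to IP.
a_record_ok() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    /has address/ && $NF == ip { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# resolv_only_self FILE DC_IP: after the upstream server is dropped from
# dns-nameservers, the generated resolv.conf must list only the DC itself.
# Any other nameserver means lookups may bypass Samba's DNS.
resolv_only_self() {
  awk -v ip="$2" '
    $1 == "nameserver" { n++; if ($2 != ip) bad = 1 }
    END { exit (n > 0 && !bad) ? 0 : 1 }' "$1"
}

# live_check DOMAIN DC_FQDN DC_IP: the three queries from the article, plus
# resolv.conf; prints one line per check and returns non-zero on any failure.
live_check() {
  d=$1; fq=$2; ip=$3; rc=0
  if srv_target_ok "$(host -t SRV "_ldap._tcp.$d" 2>&1)" "$fq" 389; then
    echo "ok   _ldap._tcp.$d -> $fq:389"; else echo "FAIL _ldap._tcp.$d"; rc=1; fi
  if srv_target_ok "$(host -t SRV "_kerberos._udp.$d" 2>&1)" "$fq" 88; then
    echo "ok   _kerberos._udp.$d -> $fq:88"; else echo "FAIL _kerberos._udp.$d"; rc=1; fi
  if a_record_ok "$(host -t A "$fq" 2>&1)" "$ip"; then
    echo "ok   $fq -> $ip"; else echo "FAIL $fq A record"; rc=1; fi
  if resolv_only_self /etc/resolv.conf "$ip"; then
    echo "ok   resolv.conf points only at $ip"; else echo "FAIL resolv.conf lists other nameservers"; rc=1; fi
  return $rc
}

if [ "${1:-}" = "--live" ]; then live_check shaver.net dc1.shaver.net 192.168.0.200; fi
```

Run `sh dnscheck.sh --live` on the DC itself. The port is checked as well as the target because a stale SRV record from an earlier provision attempt can point at the right host with the wrong service, which `host` will happily print as a success.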

Setting up Kerberos

Samba generated a Kerberos config file for us, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if Samba updates its config file we don’t have to do this again.

#
#Setting up kerberos
#
#move original kerberos file to a safe place
$sudo mv /etc/krb5.conf /etc/krb5.conf.orig
#link the samba created kerberos file to its config location
$sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Testing Kerberos and authentication:

We want to make sure that Kerberos is actually handing out tickets (authentication tokens) and that we can actually authenticate using these tokens.

#
#Test kerberos and smbclient
#
$kinit administrator@SHAVER.NET
#enter the password that you created with samba
$klist
#you should see a valid krbtgt ticket
#now we try to connect to the server we are on using smbclient
$sudo smbclient -L dc1.shaver.net -U%
# you should see netlogon and sysvol listed
#test authentication with smbclient
$sudo smbclient //localhost/netlogon -U 'administrator'
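The Kerberos and smbclient steps above leave three things to confirm: that /etc/krb5.conf really is the symlink to Samba's generated file, that `klist` shows a ticket-granting ticket for the realm after `kinit`, and that the anonymous `smbclient -L` listing publishes netlogon and sysvol. The script below is an added example, not code from the original article; `kinit` is interactive, so the script only inspects the results once you have run it. SHAVER.NET and dc1.shaver.net are the article's placeholder values.

```shell
#!/bin/sh
# Kerberos and SMB checks for the last two sections (krb5.conf symlink,
# kinit/klist, smbclient -L). Added example, not code from the original
# article. kinit itself is interactive, so this script only inspects the
# results; "--live" uses the article's values (SHAVER.NET / dc1.shaver.net
# are placeholders for your own realm and DC).

# krb5_conf_linked CONF TARGET: /etc/krb5.conf must be a symlink to the file
# Samba generated, so later regeneration by Samba is picked up automatically.
krb5_conf_linked() {
  [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# has_tgt KLIST_OUTPUT REALM: after kinit, klist must show a ticket-granting
# ticket, i.e. the service principal krbtgt/REALM@REALM.
has_tgt() {
  printf '%s\n' "$1" | grep -qF -- "krbtgt/$2@$2"
}

# shares_listed SMBCLIENT_OUTPUT SHARE...: every SHARE must appear as a Disk
# share in the table printed by `smbclient -L host -U%` (anonymous listing).
shares_listed() {
  out=$1; shift
  for s in "$@"; do
    printf '%s\n' "$out" | awk -v s="$s" '
      $1 == s && $2 == "Disk" { f = 1 }
      END { exit f ? 0 : 1 }' || return 1
  done
}

# live_check REALM DC_FQDN: run after `kinit administrator@REALM`.
live_check() {
  realm=$1; fq=$2; rc=0
  if krb5_conf_linked /etc/krb5.conf /var/lib/samba/private/krb5.conf; then
    echo "ok   /etc/krb5.conf -> /var/lib/samba/private/krb5.conf"
  else echo "FAIL /etc/krb5.conf is not the Samba-generated link"; rc=1; fi
  if has_tgt "$(klist 2>&1)" "$realm"; then
    echo "ok   TGT for $realm present"
  else echo "FAIL no krbtgt/$realm ticket; run kinit administrator@$realm"; rc=1; fi
  if shares_listed "$(smbclient -L "$fq" -U% 2>&1)" netlogon sysvol; then
    echo "ok   netlogon and sysvol are published"
  else echo "FAIL netlogon/sysvol missing from smbclient -L $fq"; rc=1; fi
  return $rc
}

if [ "${1:-}" = "--live" ]; then live_check SHAVER.NET dc1.shaver.net; fi
```

`has_tgt` looks for the exact `krbtgt/REALM@REALM` principal rather than any ticket: a realm typed in lower case at `kinit` (a recurring problem in the comments below) produces a different principal string, and the check will say so instead of passing on a ticket for the wrong realm.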


149 thoughts on “Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 14.04”

  1. Hi Jim,

    This is the tutorial I have been looking for. Great job! Anyhow, can you see your Samba 4.0 server FQDN in the network neighborhood from the Windows 8.1 workstation? I am not able to get the server as a network device listed with its shared folders as it is the case with Windows Server 2012 R2. I would appreciate your comments.

    1. Not 100% sure and I freed up the space that my VMs were using. So I can’t even fire ’em up to see. I actually hate that network neighbourhood feature as I find it unreliable even in Windows only situations. What happens when you run “net view” from the client? Your client is using Samba for DNS? I think if I remember correctly, a random computer is elected the master browser, which is how this feature works(but don’t quote me on that). I think even a client can be elected based on your settings. I think there is a way to force Samba to be the master browser and to broadcast that info.

      –Jim

      1. When I issue “net view” command, it returns “There are no entries in the list.” My Samba server provides a DNS service to all computers on my LAN, of course. I have been messing around with this issue a couple of days. No success. The previous releases of Samba prior to version 4 worked quite well as far as network neighbourhood is concerned, but they lacked the Active Directory feature I definitely need now. Finally, I have found the solution in the meantime. Zentyal Server is the savior. Have a look at http://www.zentyal.org. It is a great product I have been fallen for and can recommend to all who wish to build a Samba server with Active Directory services.

      2. Hi Jim, I did everything as U in this tutorial but… after all done I can’t get access to the internet, dns isn’t working good. Didn’t try with other computers but AD1 himself can’t resolve any hosts.

    2. Great job. I managed to setup it up after going through this. Thanks!!
      But somehow I have to change my IP now. How do I change the static IP?
      I edited the /etc/network/interface and changed to another fix IP.
      But when i do nslookup mydomain.com, the IP that returned is still old/previous IP.
      Please advise.
      Thank you.

  2. Awesome! Everything is fine but one question! Samba is installed on Ubuntu 14.04 step by step with the video. Added a windows 2008 server to network to install exchange 2013. Windows 2008 is stand alone and member of Samba DC. I can connect to almost all services from win2008 to samba. AD Users and Computers, DNS, GP management etc.. Than i thought if i install exchange 2013 on the network it would work like other services. But when i try to install exchange 2013 on win2008 server gives an error “The mode ‘install’ is not a valid mode” I think its not compatible, I hope it’s not true :(. Do you have an openion why it didn’t work or is there a way to do it?

  3. Jim buddy!! I have beat my brains out trying to get this to work from other articles. Yours made it a piece of cake man!
    Thanks

    1. I don’t have any experience joining those two technologies, though I do have experience connecting NPS to AD. Some vendor agnostic pointers from that experience… the certificate that the RADIUS server uses has to be trusted by the client. You are probably wanting to do Protected EAP (PEAP) for authentication. PEAP is one of the implementations of the extensible authentication protocol (PEAP). Almost all EAP implementations have the server identified and authenticated in the same way, via certificates. The major difference between EAP implementations is how the clients are authenticated. With PEAP and LEAP (Cisco proprietary) the client is identified via a username and password. With EAP-TLS the client is identified with a client certificate. You connect the edge device (switch or AP or whatever) to the RADIUS server via a pre-shared secret. This creates an encrypted tunnel between the devices. I’m assuming that FreeRADIUS supports authentication via NTLM or Kerberos? It should work? Maybe.

  4. I guess I must be in the minority as I followed this to the letter on a fresh Ubuntu 14.04 Virtual Box install, using bridged networking. The kinit failed, with the error “Cannot find KDC for realm ….”. Also samba does not appear to be sending dns requests upstream. Any thoughts on what I could be doing wrong?

  5. Hi, following your procedure, I was able to install everything the same ways as you did without any errors. But, when I tested the DNS doesn’t seem to work. what could be the issue with my configuration??…

    I get a reply such as eg. “host _ldap._tcp.mydomain.local. not found 3(nxdomain)”

  6. Perfect setup, i have it up and running. I can create groups. How do i add users to AD? Active directory domain services gives me error – Contact system administrator

      1. 1st computer is ubuntu domain controller – i can add domain users with “samba-tool user add test1” from terminal;

        2nd computer is windows 7 with all domain tools i need;
        i am logged in W7 as DOMAIN\administrator, i run Active Directory Users and Computers;
        – i enabled Trust this computer for Delegation to any service;
        – i can create new group;
        – i cannot create new user; (an error occurred. Contact your system administrator.)
        – i cannot change password for existing user(Windows cannot complete the password change for user because: The requested operation cannot be completed. The computer must be trusted for delegation and the current user account must be configured to allow delegation;

        ty

        1. Interestingly, I’m having the exact same problem with AWS Directory Services, this apparently uses samba 4 too. My nice new directory has only one user I can use, the administrator, I can’t set passwords for any other user (I can create users using ADSIedit but not set their passwords.)

          1. Even more strangely, I can set the passwords using powershell and the ADSI type accelerator, but I can’t set them using ADSIedit (or dsa.msc)

          2. I interpret AWS to be using samba 4 from this here: http://aws.amazon.com/directoryservice/details/#simplify-deployment
            “Powered by samba 4” sounds like they claim to be using samba 4 to me. Do you have inside info? you could tell me but then have to kill me maybe?

            Yes I did run adsiedit and dsa as administrator using “run as administrator”

            I did give up on solving this as there were too many other things that just did not behave as expected with AWS directory services. The domain I built myself on EC2 works just fine though.

          1. mhhh, I’m having the same problem on aws, I removed those windows updates and it worked: I was able to change the password and create users. I’d love to know what those updates do and why removing them make it all work.

            Thanks,

            Roberto

          2. I looked through my Installed Updates and cannot find those two there, but I am having this exact issue. It is driving me crazy, I have been trying to fix it for hours and hours. Interestingly enough, I created a Windows 8.1 VM (didn’t install any updates) and it works, and it works from an XP VM as well, just not my stupid laptop…

  7. Awesome tutorial. I like that you explain detail – what is that, why we did that, how this command works, etc.
    Great job!

    1. Thanks! I have been on the receiving end of a lot of articles and videos that don’t explain context. If you don’t understand the context well enough to show others, then you don’t understand it well. Also when you help people understand the context, you help them solve their own problems.

  8. after following the steps everything is perfect except kinit administrator@domain.local

    kinit:cannot contact any kdc realm ‘DOMAIN.LOCAL’ while getting initial credentials. i follow the same steps like setting kerberos and authenticating. My dns is working properly.

  9. Everything is working fine for me except testing kerberos authentication all other are working fine, i setup kerberos but when testing kerberos with authentication, When i kinit administrator@domain.local cannot find KDC for realm. all other are working properly.

    1. Hello again Jim.
      I ran across a problem this morning with DNS after starting the VM server up. When I attempted to download Webmin from Sourceforge, I encountered the following error:

      root@dc1:~/tmp# wget http://prdownloads.sourceforge.net/webadmin/webmin_1.570_all.deb
      –2014-12-24 07:19:05– http://prdownloads.sourceforge.net/webadmin/webmin_1.570_all.deb
      Resolving prdownloads.sourceforge.net (prdownloads.sourceforge.net)… failed: Name or service not known.
      wget: unable to resolve host address ‘prdownloads.sourceforge.net’

      I was able to quickly determine the problem was with DNS. I corrected the problem by putting back the upstream DNS server address into the network config (/etc/network/interfaces). Is there a better place to resolve this problem?

      Other questions:
      What is the purpose of running and configuring Byobu?
      Could we have tested the smbclient just after provisioning SAMBA?

      1. Byobu is completely optional :). I just like it for switching between multiple terminals. As for your question about DNS, if you are using Samba’s internal DNS, I’d check to make sure that DNS is pointing at yourself, whatever your samba server’s IP is, then make sure your smb.conf has the upstream DNS server in it. At least that is what I would check.

  10. Jim–this has been very helpful. I was wondering if you know why there is no reverse DNS zone when using RSAT–I have had a hard time getting DNS to dynamically update the reverse zone, although it will populate A records for added clients.

  11. I’m having a problem sharing a folder in other HD.

    For example if I create a folder in Linux partition like /TEST and share in SMB.CONF works fine, but when I mount other HD (/mnt/hd1) and then create a folder (/mnt/hd1/test), and share this path in SMB.CONF Windows ask for password.

    Someone knows if is needed some special instruction to mount one HD to Samba share?

    Thanks!

  12. Hi.
    I write share script in smb.conf file.
    Then restart service for command “sudo /etc/init.d/samba restart” or “sudo /etc/init.d/samba-ad-dc restart”

    No effect. No refresh

    Help me. Please command restart service samba4.

    Thank you.
    Kordon.

  13. Thank you very much for you answer. But not work.

    sudo vi /etc/samba/smb.conf

    [Manager]
    directory_mode: parameter = 0770
    read only = no
    path = /manager

    #################################################
    sudo smbclient -L samba
    Enter root’s password:
    Anonymous login successful
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

    Sharename Type Comment
    ——— —- ——-
    netlogon Disk
    sysvol Disk
    Users Disk
    IPC$ IPC IPC Service

    ############################################

    sudo service smbd restart
    stop: Unknown instance:
    smbd start/running, process 1957

    ##################################################
    sudo smbclient -L samba
    Enter root’s password:
    Anonymous login successful
    Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

    Sharename Type Comment
    ——— —- ——-
    netlogon Disk
    sysvol Disk
    Users Disk
    IPC$ IPC IPC Service
    ######################################################

    Help me Please.
    Thank you.
    Kordon.

  14. Hi Jim, i have followed your tutorial but when i testing dns i got error : Host _ldap._tcp.sodexomsina.com not found: 3(NXDOMAIN)
    and testing kerberos got error :
    Host _kerberos._udp.sodexomsina.com not found: 3(NXDOMAIN)

    Why it can be error? besides i have setup dns server in my samba. Please your solution. Thanks in advanced

    1. And you are testing DNS on the Samba server itself? You are using Samba’s internal DNS server? Did you use capitalized letters when you provisioned Kerberos(e.g. EXAMPLE.COM instead of example.com)?

      1. Yes Jim, i am testing DNS on samba’s internal DNS Server. I provisioned Kerberos use capitalized like EXAMPLE.COM, please your solution. Thanks

  15. Excellent article…worked with very little “extra” steps to figure out for my specific environment. Now I just need to see how I manage users, groups, etc. in this new domain. Thanks!

    1. Hi tom,

      I have followed that tutorial but when i testing dns and kerberos i got error:
      Host _ldap._tcp.sodexomsina.com not found: 3(NXDOMAIN)
      and testing kerberos got error :
      Host _kerberos._udp.sodexomsina.com not found: 3(NXDOMAIN)

      Please any solution ? Thanks

  16. Jim, first of all thanks a billion this beautiful tutorial. Things look awesome at my end:
    – I was able to install correctly
    – add 12 linux and one Windows 7 ESXi VM guest in my home lab
    – I can add users, manage policies using Windows 7 instead of Windows 8 like you did.

    I other words I am able to work with seamlessly, except for one little problem and here it is:

    I am not able to ping linux clients using domain names. I can ping dns server using domain name from all clients, including the windows 7 client. One interesting aspect is that I cannot ping the windows machine from any of my linux clients including the domain controller. Do you have any idea what I might be missing?

    Thanks!

  17. Really nice article, thank you! Little question non directly concerning the article but the server management. The server runs fine: I can join domain and login using administrator. I wanted to add domain users from a client using Windows 7. I installed KB958830, but I cannot activate an AD Users snap-in in any way. Any hint?

    1. Unlike in Win8, on Win7 once you install RSAT(the KB you mentioned) you actually have to activate ADUC as a feature in Programs and Features. From there you should be able to run “dsa.msc”.

  18. First of all. Sorry for my english. I’m Joan and i’m spanish student. I have to do the all steps and i have a problem when I want to join a machine with windows 7. When I put the administrator username and password for to join. Say me and error about that it’s not possible join to domain because username or password is not correct. With windows xp I didn’t have any problem. Somebody can help me please. Thank you And congratulations for the blog. Thanks

    1. Check if the time of your windows 7 machine is same as the time of your Domain Controller (Samba4). Time between the client and the server should be the same for kerberos authentication.

  19. Hey Mr.Shaver thanks for your tutorial i followed it correctly and i have a working AD now but i am facing this problem for a while i saw other methods of creating samba AD but everything work fine except i can not share my new created folders in samba server to netlogon and sysvol are accessible but my new folder suppose users is not accessible . i also give chmod 777 nothing is helping . i tried re-installing server still the same problem please help….

    1. The provisioning of Samba4 does a bunch of automatic configuration to smb.conf. Adding shares in smb.conf is probably what you want to look into and learn about.

      1. This is the same problem I am having. Now have a valid AD DC up and running, can browse the server on a windows machine and see the Netlogin and Sysvol shares ok. I add a new share to the smb.conf and this is not visible either to the windows machine, nor is it available to smbclient running on the same Linux box. It looks as though it just ignores additional shares when running in this mode. Any thoughts?

  20. Great tutorial! Works perfect. I have DC up and running…

    How would I create a secondary domain controller? wiki.samba.org has a “Join a domain as a DC” but I can’t get it to work for me… would I use your steps, except do a “samba-tool domain join” instead of provision? Or?

    Thanks again for the tutorial… I looked all over and yours was the most complete (and working :-)) tutorial and explanation.

  21. really nice, mr.shaver ,can you explain me,,are Primary Domain Controller or Active Domain Controller from samba can not be function if we don’t config our dns using bind ? and what the purpose of provisioning samba use samba as ADC. please answer my question.
    sorry for bad english

  22. This article looks great, thanks so much. Last time I messed with trying to use Samba as a Domain Controller was back in the Samba 3 days and it was a complete mess. It looks like the situation is much more promising these days.

    I assume it’s possible to set Group Policy, Network Printers etc. using a Windows 7 client after this is created? Do you have any experience with joining Linux clients to the Samba domain controller for login auth? I’m hoping that part is pretty straightforward as well.

  23. I don’t know if you can help me. I have managed to set up the Samba4 AD DC which all works. However the client windows machines (laptops) run Outlook connecting to an external hosted exchange server. When setting up Outlook it finds the server and auto-provisions itself but then fails to authenticate and connect. Do you have any ideas?
    Open-Change seems to do a proxy which, if it works whilst the computers are on the domain, would be half the battle, but what about when they are working remotely?
    Any thoughts / pointers / ideas would be greatly appreciated. Thanks.

  24. Hi there thanks for this great tutorial,
    there is some error that i would ask you if you don’t mind

    i manage to do as you said

    ~# host -t SRV _ldap._tcp.test.sg
    _ldap._tcp.test.sg has SRV record 0 0 389 4ecapsvsg6.test.sg.

    ~# host -t SRV _kerberos._udp.test.sg
    _kerberos._udp.test.sg has SRV record 0 0 88 4ecapsvsg6.test.sg.

    ~# host -t A 4ecapsvsg6.test.sg
    4ecapsvsg6.test.sg has address 10.153.64.5

    but when i try

    ~# smbclient -L 4ecapsvsg6 -U%
    Connection to 4ecapsvsg6 failed (Error NT_STATUS_CONNECTION_REFUSED)

    can you help me out here ?

  25. HI, i try to use your tutorial, step by step, result of all tests is without errors, i joined machine to domain, but i cannot login in system, wrong login or password. I cannot understand what’s problem. Help me , please))

    1. You need to log in with DOMAINNAME\Administrator. IF you just type Administrator into the username it can think you are trying to log in with the machines local administrator account not the domain Administrator account.

      1. of course,Jim. I try to login as administrator@ups.loc . No result. I have two virtual machine, interface is network bridge, router Dlink. XP takes name “XP.Dlink”(ipconfig , dns-suffix- .Dlink) from DHCP, and when i set Dlink as Realm, i can joined to domain and login in system, but in next day i cannot login again ((((.

  26. “netstat -ta” in moment of login : …
    dc.test.ups:1024 xp.test.ups:1031
    dc.test.ups:loc-srv xp.test.ups:1030
    dc.test.ups:1024 xp.test.ups:supdiledbg

  27. Thanks for the guide! BUT one little problem, everything worked very good except the last part with “kinit administrator@[example].[example]”. It responds with: “kinit: Cannot find KDC fir realm “LINUX.LOCAL” while getting initial credentials” I’m trying to set up a simple domain for a school project and therefore am i using the .local part. It would be awesome if you responded quickly! Thanks! 🙂

  28. Current version of samba is broke

    script /etc/init.d/samba no longer starts samba-ad-dc

    in script change
    /etc/init.d/samba-ad-dc start
    to
    service samba-ad-dc start

    do that for the stop line in script, too.

  29. Hello thanks for the great tutorial, furthest ive got so far, but how would i go about connecting a windows 7 client to this, when i go to computer -> Properties -> Domain and enter my domain (every other step worked first time 🙂 ) it says it can’t find the domain, ive tried setting the IVP4 settings of the wins7 client to the IP of the server but no results, Thanks again

    1. I solved my own problem, i had to just enter shaver.net as apposed to dc1.shaver.net in the “domain” part of windows 7, seriously wicked tutorial been stuck on this for weeks, my only problem is now that i have connected and logged in on the domain i cant see the internet from the wins7 PC any body know how to fix this, i have tried adding the default gateway back into /etc/interfaces but no luck!

  30. Thanks for this tutorial. It is awesome! What I would like to do is set up a standalone Ubuntu 14.04 system as a DC and then have a virtual machine running windows join that domain (which is what you have demonstrated) but I want to do this using a host-only network config. I’ve tried tweaking your instructions but the DNS part is not working right. I can successfully resolve _ldap._tcp.my.domain if I use

    host -t SRV _ldap._tcp.my.domain localhost

    but without the localhost it fails. I have configured my resolv.conf to list 127.0.0.1 as the DNS server but still no go.

    Any insight you can give would be greatly appreciated! Thanks!

  31. Good day, first of all thank you very much for instructions on how to install the domain controller in ubuntu 14.04 everything is going well: group policies, organizational units, pcs policies, etc … but it happens that Windows clients appears repeatedly them the user and password are not correct, necessarily to restart the Linux Ubuntu already have access to computers without problems.

    What may be happening here?

    Thank you.

  32. Jim, very nice tutorial! In your configuration is the domain controller also a file server? or do you separate the two services on separate machines?

    Thanks! Caesar.

    1. This was for a test environment, but… Technically all DCs are file servers as that is how you get things like group policies. I would probably keep them separate. I’d hate to have me downloading a word document off of a network drive slowing down someone’s login.

  33. Great video, only negative is too many reboots. I followed your instructions with less no reboot. Just knowing network restart commands, making sure host file, modified at the correct time. Just remember with Unix and Linux if you have a problem you don’t need to reboot to solve an issue.

    a command to reload network interfaces.

    systemctl restart networking

  34. Hi guys,
    everytime I try to make the test
    bananapi@bananapi:~$ host -t SRV _ldap._tcp.bender.local

    I get the error
    Host _ldap._tcp.bender.local not found: 3(NXDOMAIN)

    What am I doing wrong?

    thx Alex

      1. Sorry, that I’m replying so late. What do u mean with samba server in /etc/resolv.conf My Ubuntu says, that everything will be overwritten….

        thx alex

        1. Yeah you don’t edit it, it gets automatically generated at boot after you modify the network config. I still need to know what is in it. /etc/hosts too.

  35. Hello Jim,

    Thank your for this most excellent how-to guide.
    The only thing that popped up was a problem with NTP that I haven’t been able to figure out.

    While NTP is installed my Windows client is unable to get time from the samba server.
    Now I tracked it back to NTP signing but here I’m at loss.

    I tried the following

    sudo chgrp ntp /var/lib/samba/ntp_signd

    Add the following to to /etc/ntp.conf

    ntpsigndsocket /var/lib/samba/ntp_signd/
    restrict default mssntp

    And tell apparmor about it.
    /var/lib/samba/ntp_signd/socket rw,

    But sadly it still doesn’t work 🙁 any idea how to get this working?

      1. Hi Jim,

        Sorry for the late reply, I’m running this in a virtualized environment and the recommendation is to have one time source (AD) and let the rest sync with it.

        Eventually I got it to work and the problem was with apparmor and the location of the above files.
        Still thanks a lot.

        Peter

  36. Hello Jim,
    Thank you for this guide. I have a problem with accessing shared folders.
    I can join the domain add or delete users from Windows Active Directory Users.

    I can access netlogon or sysvol, but I cant access Users.

    # Global parameters
    [global]
    workgroup = SAMPLE
    realm = SAMPLE.LOCAL
    netbios name = SAMPLESERVER
    server role = active directory domain controller
    dns forwarder = 100.0.0.1
    idmap_ldb:use rfc2307 = yes

    [netlogon]
    path = /var/lib/samba/sysvol/goguda.local/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

    [Users]
    path = /Users/
    read only = No

    Thank you!

  37. Hello Jim. Thank you for the tutorial. I followed it and was almost successful till the end. But at the final tests I, unfortunately, got the following error. I’ve googled around but couldn’t yet find a solution. Can you help? Thank you.
    The error:
    root@dc01:~# kinit administrator@atm.uz
    Password for administrator@atm.uz:
    kinit: Bad encryption type while getting initial credentials
    root@dc01:~#
    root@dc01:~# cat /etc/krb5.conf
    [libdefaults]
    default_realm = ATM.UZ
    dns_lookup_realm = false
    dns_lookup_kdc = true
    root@dc01:~#

  38. Hello Jim. Thank you for the tutorial. Can you help me to resolve the following error?
    Thank you in advance.

    kinit administrator
    Password for administrator@ATM.UZ:
    kinit: Bad encryption type while getting initial credentials

    Here are my settings:
    smb.conf
    # Global parameters
    [global]
    workgroup = ATM
    realm = ATM.UZ
    netbios name = DC01
    server role = active directory domain controller
    dns forwarder = 192.168.0.9
    idmap_ldb:use rfc2307 = yes
    allow dns updates = nonsecure and secure
    printing = bsd
    printcap name = /dev/null

    [netlogon]
    path = /var/lib/samba/sysvol/atm.uz/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    ————————

    krb5.conf
    [libdefaults]
    default_realm = ATM.UZ
    dns_lookup_realm = false
    dns_lookup_kdc = true

  39. When I install the libraries and packages, it says for each package:
    is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted or is only available from another source

  40. Hi Jim
    Could you show me the reason for the following: I have Samba 4 ADS, and I had successfully joined a Samba 4 server (domain member server) to my ADS. But I can login to the domain member server with a domain user, I just can login with a local user. Please!

  41. Any idea where the sam.ldb would be? I read that it is supposed to be in /usr/local/samba/private but I don’t even have a /usr/local/samba directory.

  42. Hi, I did everything as in the tutorial and the AD DC is running well. I am joining one computer to the domain via the administrator account, and via AD Users and Computers I am adding a new user to the AD.

    Running another fresh windows and trying to join domain fails. No matter if I use administrator or new created account there is an info about bad user/pass.

    Strange, because I joined and logged on administrator account 2 min before…

    Please help :]

  43. After I created new user via AD Users and Computers I tried it with command:
    smbclient //localhost/netlogon -U 'test1'
    it logged in but when I tried to list folder, got such information:

    NT_STATUS_ACCESS_DENIED listing \*

    I also can’t log in or join domain using this account.

  44. Dear Mr. Shaver, your tutorial is awesome! But I have a problem with sharing a new directory.
    My smb.conf

    # Global parameters
    [global]
    workgroup = TEST
    realm = TEST.NET
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes

    [netlogon]
    path = /var/lib/samba/sysvol/test.net/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

    [backup]
    patch = /var/lib/samba/backup
    read only = No
    #################################

    Can you help me? How do I share a new directory?
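The smb.conf files posted in comments #36 and #44 both carry slips that a small checker would catch: a [netlogon] path whose domain part does not match the configured realm, and `patch` typed for `path` in a new share. Added here as an example that is not part of the original post or of Samba’s own tooling: a minimal Python lint for a Samba AD DC smb.conf, run over a constructed sample modelled on those configs; the set of “known” share options is an assumption drawn from the configs in this thread.

```python
# Lint a Samba AD DC smb.conf for the slips that recur in this comment thread:
# a misspelled share option ('patch' for 'path'), a share with no 'path', and a
# [netlogon] path whose domain part does not match the 'realm' in [global].
import difflib

# Assumption: share options seen in the configs posted in this thread, plus a
# few common ones. Anything else inside a share section is flagged.
KNOWN_SHARE_KEYS = {
    "path", "read only", "browseable", "comment", "valid users",
    "create mask", "directory mask", "writable", "guest ok",
}

# Constructed sample, modelled on the smb.conf files posted in #36 and #44.
SAMPLE_SMB_CONF = """\
[global]
realm = SAMPLE.LOCAL

[netlogon]
path = /var/lib/samba/sysvol/other.local/scripts

[backup]
patch = /var/lib/samba/backup
read only = No
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {option: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def lint_smb_conf(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    conf = parse_smb_conf(text)
    findings = []
    realm = conf.get("global", {}).get("realm", "").lower()
    for name, opts in conf.items():
        if name in ("global", "homes", "printers"):
            continue  # different option sets; [homes] and [printers] need no path
        for key in opts:
            if key not in KNOWN_SHARE_KEYS:
                hint = difflib.get_close_matches(key, KNOWN_SHARE_KEYS, n=1)
                tip = f" (did you mean '{hint[0]}'?)" if hint else ""
                findings.append(f"[{name}]: unknown option '{key}'{tip}")
        if "path" not in opts:
            findings.append(f"[{name}]: no 'path' set (misspelled?)")
    netlogon = conf.get("netlogon", {}).get("path", "")
    if realm and netlogon and f"/sysvol/{realm}/" not in netlogon:
        findings.append(f"[netlogon]: path '{netlogon}' does not match realm '{realm}'")
    return findings
```

Running `lint_smb_conf` over a real /etc/samba/smb.conf before `testparm` gives a quick first pass; a clean result still says nothing about filesystem permissions on the share path, which is the other usual cause of NT_STATUS_ACCESS_DENIED.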

  45. With the command smbclient -L localhost -U 'administrator', when I insert the password this is the output:

    Domain=[DOMINIOSAMBA] OS=[UNIX Server=[Samba 4.1.6-Ubuntu]
    Sharename Type Comment

    ——— —- ——-

    netlogon Disk

    sysvol Disk

    IPC$ IPC IPC Service (Samba 4.1.6-Ubuntu)

    Domain=[DOMINIOSAMBA] OS=[UNIX Server=[Samba 4.1.6-Ubuntu]

    Server Comment

    ——— ——-

    Workgroup Master

    ——— ——-

    WORKGROUP ALICEGATE

    Is it normal that the model/brand of the router (ALICEGATE) appears as the master?
    Thanks
    Luigina

  46. I had the same 3(NXDOMAIN) issue on _ldap._tcp and _kerberos._udp and found the problem was that I mis-configured the realm in Samba (as it wasn’t in the tutorial). To check what your _ldap._tcp actually is, use the following command: sudo_dnsupdate --verbose

  47. Jim – great article and even though it’s a year or so old now, it’s still very relevant.

    The only thing that I would advise anyone who’s reading this is that (certainly within a virtualization environment, such as VMware or VirtualBox) when you’re provisioning Samba, you may receive an error stating that you should be using the additional “acl” and “user_xattr” within /etc/fstab (even if you’ve added them already). What worked for me is to add the “--use-ntvfs” switch. So, the provisioning command reads “samba-tool domain provision --use-rfc2307 --interactive --use-ntvfs”

    Additionally, I had a number of attempts of following this through (within virtualization) but I had two NICs set up on my virtual machine: a NAT and a Host Only. The 3(NXDOMAIN) issue was caused by the DNS server supplied by the NAT NIC, which was allocated by DHCP. If I figure out a way around that, then I may add an additional post here to assist those who are also experiencing the same…

  48. Hi Jim

    First, I am really thankful to you for creating such a wonderful document, from which a non-Linux user like me can create AD successfully. Apart from this, one more thing I want to know: how can I add a Linux client to the Samba 4 domain? Please reply as soon as possible,

    Thanks in advance..

      1. Hi Jim

        It would be a great help if you could share some document or link which I can refer to for joining a Linux user to the Samba 4 domain.

        Thanks

  49. Hi Jim
    I do everything like you (side by side with the video, on my fresh install of Ubuntu 14.04),
    but on the command smbclient -L dc -U% I receive the error
    session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

    only difference i have in fstab
    /dev/mapper/dc--vg-root / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
    # /boot was on /dev/sda1 during installation
    UUID=48ea2bc8-dcf1-4814-a868-d40d9518b2cc /boot ext2 defaults 0 2
    #/dev/mapper/dc--vg-swap_1 none swap sw 0 0
    /dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
    /dev/mapper/cryptswap1 none swap sw 0 0

    Any suggestion?

    Thanks for your great work

    Den

      1. In smb.conf, server services = +smb
        is the solution,
        but I can’t see the server from Windows.
        Can you post the primary config files (samba, kerberos etc) on this page or send them to my mail?
        thx

        1. Hi,
          The video is good and everything is working fine now. The major issue is that the Windows client can’t see the server under network connections. The server can access the Windows client by using an ID created in AD, and also connects to the FreeNAS drives. What to do so Windows can see the server? Maybe the smb.conf file has to be configured with something more? I have tried searching a lot, no solution so far. What I want to share is a RAID 5 drive, 16TB in size, only one single mount, and it’s mounted as the home directory.

          Any suggestion?

          regards

          1. Let me start fresh.
            It’s a huge comment. Sorry 🙁
            Working for a week on this issue.

            I have installed Ubuntu Server 14.04 LTS and Samba server on the following hardware.
            Intel server board s2600cp2.
            Intel Xeon E5 processor x 2.
            4 x 4GB Ram. (16GB ram)
            10 x 2TB HDD (9xHDD for raid 5, 1xHDD for Ubuntu server).
            Raid 5 setup is done using manual configuration for Disks.
            Raid space is 16TB, one single partition and it is mounted under /home.

            /etc/samba/smb.conf file as follows
            # Global parameters

            [global]
            workgroup = MYDOMAIN
            realm = MYDOMAIN.COM
            netbios name = DOMAIN
            server role = active directory domain controller
            dns forwarder = 192.168.1.1
            idmap_ldb:use rfc2307 = yes
            wins support = yes
            security = user
            usershare owner only = false
            usershare max shares = 100
            usershare allow guests = yes

            server services = +smb
            local master = yes
            preferred master = yes

            [netlogon]
            path = /var/lib/samba/sysvol/mydomain.com/scripts
            read only = No

            [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

            [storage]
            path = /home/username/storage
            read only = No
            browseable = yes

            [homes]
            browseable = yes
            read only = no
            create mask = 0775
            directory mask = 0775
            valid users = %S

            kerberos setting
            Default kerberos version 5 realm: MYDOMAIN.COM
            Kerberos servers for your realm: DOMAIN.MYDOMAIN.COM
            Administrative server for your kerberos realm: DOMAIN.MYDOMAIN.COM

            /etc/network/interfaces file as follows
            # This file describes the network interfaces available on your system
            # and how to activate them. For more information, see interfaces(5).

            # The loopback network interface
            auto lo
            iface lo inet loopback

            # The primary network interface
            auto eth1
            iface eth1 inet static
            address 192.168.1.5
            netmask 255.255.255.0
            gateway 192.168.1.1
            dns-nameservers 192.168.1.5
            dns-search mydomain.com

            /etc/hosts file as follows (hostname is domain)
            127.0.0.1 localhost
            127.0.1.1 domain.mydomain.com domain

            # The following lines are desirable for IPv6 capable hosts
            ::1 localhost ip6-localhost ip6-loopback
            ff02::1 ip6-allnodes
            ff02::2 ip6-allrouters

            /etc/krb5.conf file as follows
            [libdefaults]
            default_realm = MYDOMAIN.COM
            dns_lookup_realm = false
            dns_lookup_kdc = true

            sudo smbclient -L domain.mydomain.com -U% (gives the following)
            Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.3.9-Ubuntu]

            Sharename Type Comment
            ——— —- ——-
            netlogon Disk
            sysvol Disk
            storage Disk
            homes Disk
            IPC$ IPC IPC Service

            Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.3.9-Ubuntu]

            Server Comment
            ——— ——-

            Workgroup Master
            ——— ——-
            (In your video you get WORKGROUP under the workgroup section above. I don’t have it.)

            sudo smbclient //domain.mydomain.com/netlogon -U ‘administrator’ (gives the following)
            Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.3.9-Ubuntu]

            WINDOWS MACHINE (windows 10)
            IP: 192.168.1.114
            subnet mask: 255.255.255.0
            Default gateway: 192.168.1.1 (Router IP)
            Preferred DNS: 192.168.1.5 (server IP address from above)
            Alternate DNS: 192.168.1.1 (Router IP)

            Computer properties as follows
            Name: abc
            member of Domain: mydomain.com (small case)
            It asked for ID and Password I typed,
            ID: administrator
            pass: mypassword

            The Windows PC connected and restarted. I logged in as administrator and checked my Network; all the Windows PCs and the NAS show up except the Ubuntu server.

            Using CMD I can ping server with name as well as IP address.
            CMD shows the following ipconfig

            Ethernet adapter Ethernet 2:

            Connection-specific DNS Suffix . :
            Link-local IPv6 Address . . . . . : fe80::6ce3:d398:4953:acf3%11
            IPv4 Address. . . . . . . . . . . : 192.168.1.114
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1

            Tunnel adapter isatap.{C4185302-5AC0-454C-A964-80C212CCF63F}:

            Media State . . . . . . . . . . . : Media disconnected
            Connection-specific DNS Suffix . :

            On windows administrative tools:
            Active Directory Users and Computers works.
            DNS works. (It shows the server name and all the SRV records)

            services.msc: when I try to connect it gives error “Windows was unable to open service control manager database on DOMAIN.MYDOMAIN.COM Error 1722: The RPC server is unavailable.” (nothing shows up)

            regedit: gives error “unable to connect to Domain.mydomain.com. Make sure that this computer is on the network, has remote administration enabled, and that both computers are running the remote registry service” (I have no idea why “d” in domain name is written in caps, rest all are in small case)

            Group Policy Management: Default Domain Policy -> Settings shows Administrative Templates for Computer Configuration and User Configuration (Enabled). You don’t have it.

            When I Edit default domain policy I get warning “Namespace ‘Microsoft.policies.windowsLocationProvider’ is already defined as the target namespace for another file in the store. File C:\WINDOWS PolicyDefinitions\Microsoft-Windows-Geolocation-WLP Adm.admx, line 5, column 110”

            Working on this for a week now. Any help on what might be wrong?

    1. Hi Den
      I am stuck with the same problem. Did you get it working?
      I am using Ubuntu Server 16.04 installed on VirtualBox. On my Windows machine I have changed the DNS and I can ping the server by name as well as IP address. Still not working 🙁

  50. Same happens to me. Followed the guide exactly, everything works except for this last command.

    sudo smbclient -L dc. -U%

    session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND

    Also, what do I need to do to be able to log onto the server itself with a domain account? E.g., I want to SSH into the DC as domain administrator.

  51. Hi
    Did anyone solve the issue for the error
    session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND?
    I switched to 14.04 from 16.04 server but still have the same issue.
    I followed the video exact same way.

  52. After following this tutorial, should I be able to log into my system as Domain Administrator?

    when I try “ssh administrator@DC1.MYDOMAIN.NET” I get “Permission Denied, please try again”. How can I fix this? I would like to be able to log into my domain controller as domain admin.

    As a previous poster mentioned, at least on my version, 4.3.8-ubuntu,

    server services = +smb

    is required in smb.conf to make the NT_STATUS_OBJECT_NAME_NOT_FOUND error go away.

  53. Please check your Samba log files. If you find the following line:
    /usr/sbin/winbindd: Failed to exec child – No such file or directory
    install winbind:
    apt-get install winbind

  54. This worked for me.

    I built samba 4.4.2 from source on 14.04.3 LTS. I would like to know if it’s possible to distribute smbd, nmbd, winbindd to other linux clients for connecting to the Samba ADC?

    When I built Torque from source they had some client files/scripts I could copy over, and I was hoping there was something similar here.

    Cheers

  55. This was a very helpful tutorial. I ran into a few problems, but they were outside of the scope of this tutorial and nothing a simple Google search did not resolve, except for one, but that only seemed to affect the AD server itself; clients had no issues. Thanks for putting it together! One of the issues I ran into is that the client’s domain was too long for Samba. I just had them get a shorter one for use on their domain.

    Thanks!

  56. samba-tool user setpassword <-- can you write a non-interactive script in bash? 🙂 Please help me 🙂

  57. Hey Jim,

    I enjoyed this tutorial, and I have learned a great deal about DNS, Samba, and pretty much everything else that gets covered in here. I will say this ride has not been smooth… and still isn’t complete.

    I have had many issues with the DNS. Finally everything is running the way it is supposed to, except for the final piece.

    Running

    smbclient //localhost/netlogon -U 'administrator' WORKS
    smbclient //mydomian/netlogon -U 'administrator' FAILS (Error NT_STATUS_IO_TIMEOUT)
    smbclient //mydomain.lan/netlogon -U 'administrator' WORKS

    The overall issue: although I am able to connect to the domain,
    I am unable to login as a domain user.

    Do you have any advice?
    I have searched my samba logs but see nothing about the failed logon attempts that result in an incorrect password or username from windows.

    Thank you,
    Derek.

  58. Hello Jim
    Fantastic setup guide.
    I have a problem with RSAT.

    When I try to add the server as managed, it says something about not being a member of trusted hosts, and Kerberos.

    What could be the problem?

  59. Encountered the following error after the command: sudo samba-tool domain provision --use-rfc2307 --interactive

    ERROR(): Provision failed – ProvisioningError: server role (DC) should be one of active directory domain controller”, “member server”, “standalone server”

  60. Thx for the tutorial. I installed it on an RPi3 with Ubuntu MATE. My krb5.conf was bad but with a little bit of Google I solved it. Now I have an Active Directory Domain running on a Raspberry Pi….
