Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 16.04

I love to mess around with Linux in my home lab and I like to check out the state of Samba from time to time. I originally wrote this article for Ubuntu 14.04 and it has been one of the most popular posts on this blog, so I have updated it and fixed a few things that have changed over the years. There is a screencast that accompanied the original post on YouTube outlining the process for 14.04.  Largely the process is the same except for a few more dependencies(see the apt-get sections) and I cleaned up the testing with smbclient. I chose Ubuntu because they have pretty recent packages of Samba, more info about binary packages for different Distributions on the Samba Wiki. If you are following this as a guide, I’m assuming that you have already installed Ubuntu 16.04. If you do watch the screencast for 14.04, it is best viewed in HD!

This is the setup:

This is just a reference as some of these will be unique to your setup.

AD DC Hostname:                    DC1

AD DNS Domain Name:      

Kerberos Realm:          

NT4 Domain Name/NetBIOS Name:      shaver

IP Address:              

Server Role:                       Domain Controller (DC)

Forwarder DNS Server:    

First make sure everything is up to date and install some pre-requisites. You may want to reboot if your kernel updates.

#get fresh sources
$sudo apt-get update
#get fresh updates
$sudo apt-get upgrade
#install samba pre-reqs
$sudo apt-get install attr build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl ntp ntpdate winbind 

During the installation of Kerberos, it may ask you what your Kerberos realm as well as the name of this server. This is our Kerberos Realm and AD DC Hostname from above:


Setting a static IP

It is important for our server to have a static IP, mostly because DNS is so important to the configuration of Samba

$sudo nano /etc/network/interfaces
#and change:
iface eth0 inet dhcp
#this will depend on your network setup, is the IP of the box that Samba will be on.
iface eth0 inet static
#currently we want this server and our upstream DNS
#this should be set to what you want your samba domain to be

Setting your hostname:

$sudo nano /etc/hostname

Put in the name that you want your domain controller to be named:


Setting file system parameters:

Because samba makes use of some extended filesystem attributes that EXT3/4 don’t normally support we have to set them in fstab. Not that the packages acl and attr are required for this to work.

$sudo nano /etc/fstab
#this is an example of a partition where our Samba shares will live.
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      errors=remount-ro     0     1
#Add a few parameters:
UUID=xyzxyzxy-xyzx-xyzx-xyzx-xyzxyzxyzxyzxy    /       ext4      user_xattr,acl,barrier=1,errors=remount-ro     0     1

We need to reboot for the changes to take effect.

#do a reboot
sudo shutdown -r 0

Setting hosts file:

We need to be certain that dc1 always resolves to localhost.

$sudo nano /etc/hosts
#change:   shaver
#to whatever your FQDN is going to be for your server:    dc1

Setting NTP:

Network Time Protocol is the system that manages what time it is on your system, and it is important that our time is accurate for the proper functioning of Kerberos.

#Configuring ntp
#stop the ntp service
$sudo service ntp stop
#sync ntp
$sudo ntpdate -B
#start the ntp service
$sudo service ntp start

Setting up Samba

This is where we actually install Samba. The default smb.conf file needs to be moved elsewhere so that Samba doesn’t try to use it. It will generate its own during the provisioning process. I like to run samba-tool in interactive mode because it gives you suggestions, though if you prefer you can specify all of the parameters in one command.

#Installing samba
$sudo apt-get install samba smbclient
#Provisioning Samba
#move the old smb.conf to a safe place:
$sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
#provision samba in interactive mode:
$sudo samba-tool domain provision --use-rfc2307 --interactive
Server Role:dc
#note: this should be the upstream DNS server
DNS forwarder IP address:
Administrator password: Something!S3cure!

Removing Upstream DNS:

We now want to remove the upstream DNS server from our network config, so that when resolv.conf is generated at boot it only points dns at ourselves. We do this because Samba is now managing
DNS and forwarding any external requests to the upstream DNS server.

$sudo nano /etc/network/interfaces
#Remove the upstream DNS server as Samba is now handling it
# is the address of the samba server
$sudo shutdown -r 0

Testing DNS:

It is very important that DNS is working well for Samba to function correctly, therefore we should test it to make sure that it is working correctly. These three tests ensure A records are resolving and that Kerberos and LDAP SRV records are resolving to the proper server(s). The results should include the server that you are on.

#test SRV record for ldap on TCP
$ host -t SRV has SRV record 0 100 389
#test SRV record for kerberos on UDP
$ host -t SRV has SRV record 0 100 88
#test name resolution of our host
$ host -t A has address

Setting up Kerberos

Samba generated us a Kerberos config file, but Kerberos also comes with a default configuration file that we need to move before using the Samba one. We use a symbolic link so that if samba does any updates to the config file we don’t have to do this again.

#Setting up kerberos
#move original kerberos file to a safe place
$sudo mv /etc/krb5.conf /etc/krb5.conf.orig
#link the samba created kerberos file to it's config location
$sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

Testing Kerberos and authentication:

We want to make sure that Kerberos is actually handing out tickets(authentication tokens) and that we can actually authenticate using these tokens.

#Test kerberos and smbclient
$kinit administrator@SHAVER.NET
#enter the password that you created with samba
#you should see  valid krbtgt ticket
#now we try to connect to the server we are on using smbclient
$sudo smbclient -L -U 'administrator' # you should see netlogon and sysvol listed
#test authentication with smblient
$sudo smbclient //localhost/netlogon -U 'administrator'

Photo Credit

57 thoughts on “Setting up an Active Directory Domain Controller using Samba 4 on Ubuntu 16.04

  1. Great article. Once this is complete, should i be able to log into dc1 with user “administrator”? I can’t – it says invalid username or password, even though everything else in the tutorial and tests works fine.

      1. Thanks for the response – what are the steps to enable this? Looking at other tutorials on how to enable domain login are for systems which aren’t acting as a domain controller, and specify changes to smb.conf which are in conflict with those that the domain controller requires. Simply installing winbind and adding winbind to nss.conf doesn’t work… so something I’m missing.

        Alternatively – is this never supposed to work, either out of best practices or other reasons?

          1. After a lot of trouble, I was able to get AD users to be able to log into the domain controller. In the end I needed to make sure there was a keytab file present:

            sudo kinit administrator
            sudo klist
            sudo net ads keytab create -k

            install SSSD, and add this line to sssd.conf

            ldap_id_mapping = True


            Hope this helps someone else!

  2. You installed several dev libraries by default, but I don’t see where they are being used or required. For instance, I’m trying to resist having `gcc` and friends installed on the server if I can help it (security paranoia). Are they needed in a way that the `apt`-based dependencies do not reflect? (Similarly for `docbook-xsl`.)

      1. I’m having a hard time getting past `kinit: KDC reply did not match expectations while getting initial credentials` (both without and with the additional dev libraries), so I can’t exactly say much else yet.

        Currently I’m getting `RuntimeError: kinit for DC1$@SAMDOM.MYDOMAIN.COM failed (Cannot contact any KDC for requested realm)` in syslog, as well as `../source4/dsdb/dns/dns_update.c:294: Failed DNS update – NT_STATUS_ACCESS_DENIED`, I suppose they are directly related.

        I’m trying to see if apparmor is affecting things. There do not appear to be any samba-related apparmor configurations, so perhaps that’s a problem. Learning.

  3. Thanks Jim, I keep forgetting kerberos is case-sensitive. It wasn’t the file, it was my command-line. Thanks, I’ll keep moving.

  4. I have followed your instruction up to “testing DNS” several times now starting with a fresh install using the complete hard drive, Ubuntu Server 16.04 CD then doing apt-get upgrade, unfortunately all I get is:

    ;; connection timed out; no servers could be reached

    any ideas on what is going wrong?

    Acer Aspire laptop, 500Gb HD, 8Gb ram


  5. Upstream dns server was correct.
    Does the ‘host’ test depend on the upstream server?
    Noticed apt-get update no longer works.
    So is it my local DNS that is not working (host test) and not passing requests on for apt-get?

  6. Thank you for the tutorial 🙂 Would you happen to have instructions on how to setup a backup domain controller? I would love to set this up for the non-profit I’m helping out, but I need to make sure the AD accounts are backed up for when the primary domain controller goes down. The guides I’ve found use the standard smbpasswd not kerberos ( 🙁 so I’m not sure how to sync the primary with the backup. Anyway, just thought I’d ask 🙂

      1. So, just so I’m clear – should I set up two domain controllers, as per your instructions above, and then run the “samba-tool domain join” on one of them? I apologize if my questions seem a bit amateur, but this is more of a hobby for me rather than a profession O:-)

        1. No you use the one command to join instead of provision. If you provision on the second server you will have two different domains. If you join you will have two AD DCs in the same domain(you want this).

  7. Hi Jim,

    thanks for your tutorial. AD is now successfully set up on two domains for me. However, when I try to create additional users from within AD (using RSAT on Win10) I receive an error from Active Directory Domain Services: “Windows cannot create the object username because: Not enough storage is available to complete this operation.”

    Microsoft suggested a fix at however, this has not worked. Any thoughts?


      1. I bypassed the problem by using the samba-tool to create my new users and manage the groups. eg sudo samba-tool user add username1 password1.

        1. O contrair
          I setup Ubuntu 16.04 LTS with the samba i believe the current disto’s version is samba 4.3.8 and I am using the RSAT tools on Windows 10 and window 7
          works fine for DNS Administration and User Administration, haven’t checked others yet

  8. This is one fine piece of work, Sir!

    I wandered fruitlessly, all over the internet, site after site, all claiming to do what this posting has finally let me accomplish! For a while, I thought that I might need to “go back” to 14.04 just so that I could join my AD domain with my Ubuntu-based server PC’s!

    I have been running Xubuntu 16.04 LTS for quite a while, and really like 16.04’s stability, so even though I HAVE run Ubuntu 14.04, I still don’t relish going backwards just for this single requirement!

    Bless you, and thank you very much for your contnued diligence in this so important but all-to-often quite badly handled proceedure! You took a fairly lengthy and quite complex process and broke it down into small, easy to manage bits, which I found very easy to follow…

    One quick question, if I may (and pardon my ignorance if this seems trivial to you) – In your reply to Riccardo’s post, you mention both PROVISION and JOIN; my question is: do you simply follow these SAME INSTRUCTIONS, verbatim, until the point where you run samba-tool, at which point you swap out the word “provision” and replace that with the word “join” instead? Or, is the process of setting up another DC to “join” the domain slightly different? Because if the different result is simply based on a single word, that is remarkably handy!

    Thanks again, and do keep up the great work!

  9. I LOVE this article, and have had success multiple times in rolling out an ADDC with Ubuntu 16.04! I tried following your 14.04 with 16.04, and found the issues personally, so I am grateful you brought this version up to date. I do have one question, what are the differences between using BIND9 and SAMBA_INTERNAL as the DNS backend? What if I have a DHCP and DNS setup already managed, and just want to plug this into it? Would I still use SAMBA_INTERNAL and point it towards the managed DNS? I also might have to use this due to our multi-site situation.

    1. Yeah one of the most annoying things about this setup is the inflexibility of this setup. In theory you can use BIND if you need the flexibility. According to what I have read on the Samba wiki, BIND needs to be running on the same box that Samba does. I’m not really sure why this is a requirement. In theory you should just be able to have whatever you want as the upstream server. You just wouldn’t be able to manage the DNS records configured by Samba.

  10. Hi Jim,

    This is a fantastic article. Thanks. I have successfully set up an Active Directory Server.

    One quick question though and apologies if you have mentioned it before, Do I perform the same steps to create a backup domain controller. DO you know any additional steps I might need to make to do this?

    Your assistance and help is appreciated. Keep up the great work

  11. HI. Thanks for the great article. I am installing samba 4 on Ubuntu 16.04. When I join win 10 pc to the domain, it fails saying it can’t find the ads. It carries out a search on ‘SRV record for _ldap._tcp.dc._msdcs.MYDOMAIN’.
    When I search the dns from terminal on the server, it can not be found. It seems that the dns update is not working. Pl help me to understand.

  12. I’m following your exact steps, but when I get to testing DNS nothing at all works:

    (my domain is aev25.local)

    $host -t SRV _ldap._tcp.aev25.local

    Host _ldap._tcp.aev25.local not found: 3(NXDOMAIN)

    $host -t SRV _kerberos._udp.aev25.local

    Host _kerberos._udp.aev25.local not found: 3(NXDOMAIN)

    $host -t A odin.aev25.local

    Host odin.aev25.local not found: 3(NXDOMAIN)

    Any ideas? It would be nice to include som hints for troubleshoting as well.

    1. run: sudo netstat -tulpn | grep “:53”

      check if named is using port 53, if so disable service and reboot

      1. Thanks, looks like that solved that problem. Unfortunately now I get the following:

        @dc1:host -t SRV
        ;; connection timed out; no servers could be reached

  13. Everything seems to work, according to the steps in your article. However, I’m unable to join my Windows 10 client to the Samba domain.

    Using the whole domain name – in my case, aev25.local – yields an immediate error.
    Using just aev25 results in Windows working for several minutes, then giving the error that the domain controller either doesn’t exist or cannot be reached.

  14. Hi, thanks for the article, everything looks good until I get to the very end of the smbclient testing. I get NT_STATUS_OBJECT_NAME_NOT_FOUND. where could I have possibly done wrong? thank you.

  15. I’m currently running to AD DC’s on Windows 2012 R2, I want to migrate these to this Ubuntu setup. Do I provision one server en join the other one? Any suggestion on how to migrate the Windows AD to the Ubuntu flawlessly?

  16. Great article Jim!!! Thx a lot!
    Everything seems to work fine so far. However I discovered an issue with dynamic DNS updates. Suddenly my registered host entries are lost (maybe the client does update them correctly). When I perform “samba_dnsupdate –verbose –all-names” command on the DC it seems to fail with ” TSIG error with server: tsig verify failure” for each entry. Could this be related to my DNS update issue? Or any other hints?
    Thx 🙂

  17. Jim,

    Firstly thank you for your article. It was the only thing that I found on the internet that actually worked. You obviously have both windows and Ubuntu skills.

    Our reason for doing this is to replace a windows file server that with an Ubuntu one. The current server was put in a few years ago by someone who has now left. We have 10 windows machines Windows 7 Enterprise and currently the server provides a single shared drive for all work.

    We would like to have a H: drive mapped to the Ubuntu Home directly and a S: drive mapped to the shared folder containing the work.

    Can you expand your article to what comes next.

    Adding users to match what we currently have on the existing Windows server with the ability to switch the old windows server off and have the new Ubuntu server accept the logins. Map the H: and S: drives and authenticate the users as if they were on the windows server.

    Can you share more of your knowledge on how to do this. Extensive searching just pulls up various articles about setting up the AD controller not what to do afterwards. Yours was the 3rd article we tried and the only one that worked.

    We started with a clean Ubutnu 16.04 server install on a headless server. WE have SSH access and Webmin access.

    Any help appreciated.


  18. Hi, I have installed using this guide in the past with no issues, i have installed on another new server and i am getting an error with kinit, using kinit administrator@SERVER.LOCAL, reply kinit: Cannot contact any KDC for realm ‘SERVER.LOCAL’ while getting initial credentials

    the smbclient gives me the correct information and the dns checks work too, any help appreciated, my krb5.conf file below
    default_realm = SERVER.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

    Thanks in advance

    1. HI Jim after searching to the end of the world on google i eventually found my issues, below is the reolve for me

      in file /etc/nsswitch.conf

      hosts: files mdns4_minimal [NOTFOUND=return] dns

      DNS will not be looked up at all and it would return if host record was not found in files (/etc/hosts) and mdns4_minimal (This source seem to be related to avahi-daemon multicast DNS, however it seems unable to resolve your kerberos host)

      Removing [NOTFOUND=return] allowed host resolution process to contact dns servers in /etc/resolv.conf (which seem to be working as per dig requests seen above)

      Hope this helps others with this issue too.


Leave a Reply