SMB4 AD and Bind

Samba4 Active Directory and Bind
See the DNS/DHCP page for the domain details (realm, NetBIOS name, addresses) used below. Bring the system up to date first:
sudo apt-get update
sudo apt-get dist-upgrade

Install the ACL and extended-attribute tools (Samba stores NT ACLs in extended attributes):
sudo apt-get install acl attr
Enable acl and user_xattr on the filesystem that holds /var/lib/samba (here the root filesystem) in /etc/fstab
sudo nano /etc/fstab
/dev/mapper/vg0-lv_data / ext4 user_xattr,acl,barrier=1,noatime 0 0
then apply the new options to the mounted filesystem (mount -a only mounts filesystems that are not already mounted, so it does not pick up changed options for /):
sudo mount -o remount /
Installing Samba software:

sudo apt-get install samba smbclient build-essential libacl1-dev libattr1-dev \
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools

During the installation krb5-user asks three questions; answer with the Kerberos realm (the AD DNS domain in upper case) and the fully qualified name of this DC:
Default Kerberos version 5 realm: MYDC.ABC.LAN
Kerberos servers for your realm:
Administrative server for your Kerberos realm:
Remove your old smb.conf
sudo rm /etc/samba/smb.conf
Provision AD interactively, with the RFC2307 (NIS) attributes added to the schema so that Unix UIDs and GIDs can be kept in the directory:

sudo samba-tool domain provision --use-rfc2307 --interactive

Input the following. The realm is the AD DNS domain in upper case, the NetBIOS domain is its first label, and the DNS backend must be BIND9_DLZ for this setup. The Administrator password has to satisfy the default policy (at least 7 characters drawn from three of the four character classes), otherwise the provision aborts.
Realm [MYDC.ABC.LAN]:
Domain [MYDC]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydc,DC=abc,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydc,DC=abc,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dcsrv
NetBIOS Domain: MYDC
DNS Domain:
DOMAIN SID: S-1-5-21-416587768-2115368124-2463890298

//Note:// After the AD provisioning is completed, the Domain Administrator password will expire in 41 days under the domain's default password policy. To prevent this, run the following command. Exempting the built-in Administrator from expiry is a convenience for a lab DC; on a production domain prefer to keep expiry and rotate the password, or administer through a separate account. Also replace /etc/krb5.conf with the generated /var/lib/samba/private/krb5.conf so that kinit and samba-tool use the new realm.
sudo samba-tool user setexpiry administrator --noexpiry

Configuring Samba and Bind.
Edit the file /etc/samba/smb.conf and add the following lines to the end of the [global] section.
sudo nano /etc/samba/smb.conf

allow dns updates = nonsecure and secure
dns forwarder =

# Thanks to Lars for this fix, it stops the syslog
# being spammed by the lack of a CUPS server.
printing = CUPS
printcap name = /dev/null

Three caveats on these lines. "nonsecure and secure" makes Samba accept unsigned dynamic updates, so any host that can reach port 53 can rewrite records in the zone; Samba's default is "secure only", which requires Kerberos-signed (GSS-TSIG) updates, the mechanism that the tkey-gssapi-keytab line in BIND below enables for Windows and Samba clients. Keep "secure only" unless you have clients that cannot sign updates. "dns forwarder" is honoured only by Samba's internal DNS server; with the BIND9_DLZ backend, resolution of names outside the AD zones is configured in BIND's own forwarders { ... }; block in named.conf.options. If syslog still fills with CUPS connection errors, "printing = bsd" together with "printcap name = /dev/null" stops Samba from contacting a print server at all.

sudo nano /etc/bind/named.conf.options
Add the following to /etc/bind/named.conf.options inside the options { } block; remove any existing lines that set the same option so that each appears once.

auth-nxdomain yes;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

The quotes must be plain ASCII double quotes; typographic quotes copied from a web page make named refuse to start. BIND reads this keytab to verify Kerberos-signed updates, so the file has to be readable by the bind user (group-readable, not world-readable, since it holds the DNS service's Kerberos keys); the AppArmor rules below only lift the MAC restriction, not the file permissions.

Choose your version of BIND by uncommenting the matching database line; exactly one must be active. Only the module directory is shown here; the file generated by the provision contains the complete module path.
sudo nano /var/lib/samba/private/named.conf

dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";

# For BIND 9.9.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";
};

Add the following include line to /etc/bind/named.conf, next to the existing include lines.
sudo nano /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";
Add the following AppArmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the { }, then reload the profile (apparmor_parser -r /etc/apparmor.d/usr.sbin.named) and restart bind9. The rules for the two /usr/lib directories grant write access that loading a shared object does not need; r and m are sufficient there if you want a tighter profile.
sudo nano /etc/apparmor.d/usr.sbin.named

/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab rk,

/dev/urandom rw,
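Once everything above is in place, the following POSIX shell script audits the hand-edited settings before bind9 is restarted. It is an example written for this page, not part of Samba or BIND, and assumes the page's default paths (other paths can be passed as arguments 1 to 5); the file name samba-dns-audit.sh is made up. It flags the two security-relevant points of the procedure, unsigned dynamic updates and a world-readable dns.keytab, as well as the mechanical mistakes that stop named from starting: missing include, more than one active dlz database line, a keytab path that does not match, and typographic quotes pasted from a web page.

```shell
#!/bin/sh
# samba-dns-audit.sh: post-install check of the Samba4 AD DC + BIND9_DLZ setup
# described above. Added example for this page, not Samba or BIND project code.
# Defaults are the paths used on this page; pass others as arguments 1-5.

AUDIT_FAILS=0
_ok()   { echo "ok:   $*"; }
_fail() { echo "FAIL: $*"; AUDIT_FAILS=$((AUDIT_FAILS + 1)); }

# Print the effective value of a [global] parameter from smb.conf.
# Samba matches parameter names case-insensitively and ignores spaces and
# underscores, so both sides are normalised the same way; the last assignment
# in the section wins, as in Samba.
smb_get() {
    _want=$(printf '%s' "$2" | tr -d ' _' | tr 'A-Z' 'a-z')
    awk -v want="$_want" '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[/   { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "global" && index($0, "=") {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t_]/, "", key)
            if (tolower(key) == want) {
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); last = val
            }
        }
        END { print last }' "$1"
}

# Run all checks; prints one line per check, returns 1 if anything failed.
audit_samba_dns() {
    smb=${1:-/etc/samba/smb.conf}
    opts=${2:-/etc/bind/named.conf.options}
    named=${3:-/etc/bind/named.conf}
    dlz=${4:-/var/lib/samba/private/named.conf}
    keytab=${5:-/var/lib/samba/private/dns.keytab}
    AUDIT_FAILS=0

    for f in "$smb" "$opts" "$named" "$dlz"; do
        [ -r "$f" ] || { _fail "cannot read $f"; return 1; }
    done

    # 1. "nonsecure and secure" accepts unsigned updates from any host that can
    #    reach port 53; "secure only" (Samba's default) requires GSS-TSIG.
    upd=$(smb_get "$smb" "allow dns updates" | tr 'A-Z' 'a-z')
    case "${upd:-secure only}" in
        "secure only")          _ok "allow dns updates = secure only" ;;
        "nonsecure and secure") _fail "allow dns updates permits unsigned updates" ;;
        disabled)               _ok "dynamic DNS updates disabled" ;;
        *)                      _fail "unexpected 'allow dns updates' value: $upd" ;;
    esac

    # 2. The remaining checks only make sense on an AD DC.
    role=$(smb_get "$smb" "server role" | tr 'A-Z' 'a-z')
    case "$role" in
        "active directory domain controller"|dc) _ok "server role = $role" ;;
        *) _fail "server role is '${role:-unset}', not an AD DC" ;;
    esac

    # 3. BIND verifies Kerberos-signed updates with the keytab Samba provisioned.
    kt=$(sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$opts" | tail -n 1)
    if [ "$kt" = "$keytab" ]; then _ok "tkey-gssapi-keytab -> $keytab"
    else _fail "tkey-gssapi-keytab is '${kt:-unset}', expected $keytab"; fi

    # 4. named.conf must include Samba's DLZ file, and exactly one "database"
    #    line must be active in it (the page says to uncomment one of them).
    if grep -qE "^[[:space:]]*include[[:space:]]+\"$dlz\"[[:space:]]*;" "$named"
    then _ok "named.conf includes $dlz"; else _fail "named.conf does not include $dlz"; fi
    n=$(grep -cE '^[[:space:]]*database[[:space:]]+"dlopen ' "$dlz" || true)
    if [ "$n" -eq 1 ]; then _ok "one active dlz database line"
    else _fail "$n active dlz database lines in $dlz, need exactly 1"; fi

    # 5. The keytab holds the DNS service's Kerberos keys: whoever can read it
    #    can forge signed updates, so it must not be world-readable.
    if [ ! -f "$keytab" ]; then _fail "keytab $keytab missing; re-check the provision"
    else
        mode=$(stat -c '%a' "$keytab" 2>/dev/null || echo '?')
        case "$mode" in
            '?')     _fail "cannot stat $keytab" ;;
            *[4567]) _fail "$keytab is world-readable (mode $mode)" ;;
            *)       _ok "$keytab mode $mode" ;;
        esac
    fi

    # 6. Typographic quotes pasted from a web page break BIND's parser; catch
    #    them before the restart does.
    cq=$(printf '\342\200\234|\342\200\235')
    for f in "$smb" "$opts" "$named" "$dlz"; do
        if LC_ALL=C grep -qE "$cq" "$f"; then _fail "typographic quotes in $f"; fi
    done

    [ "$AUDIT_FAILS" -eq 0 ]
}

# Run directly with at least the smb.conf path: sh samba-dns-audit.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then audit_samba_dns "$@"; fi
```

Run it as root (the keytab is not readable by ordinary users) and fix every FAIL line before restarting bind9; a clean run does not prove that updates work end to end, so follow it with a Kerberos-authenticated update from a client (for example samba_dnsupdate --verbose on the DC) once the services are up.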