Samba4 Active Directory and Bind

See DNS/DHCP page for domain info.

sudo apt-get update
sudo apt-get dist-upgrade

Install the ACL and extended-attribute tools:

sudo apt-get install acl attr

Enable ACL support in /etc/fstab:

sudo nano /etc/fstab

/dev/mapper/vg0-lv_data / ext4 user_xattr,acl,barrier=1,noatime 0 0

sudo mount -a


Installing Samba software:

sudo apt-get install samba smbclient build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools

During the installation process you will be asked some questions:

Kerberos Authentication: MYDC.ABC.LAN

hostname of Kerberos server:

hostname of the Administrative:

Remove your old smb.conf

sudo rm /etc/samba/smb.conf

Provision AD:

sudo samba-tool domain provision --use-rfc2307 --interactive

Input the following:


DNS Backend: BIND9_DLZ

 Domain [MYDC]: 
 Server Role (dc, member, standalone) [dc]: 
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydc,DC=abc,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydc,DC=abc,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dcsrv
NetBIOS Domain: MYDC
DNS Domain:
DOMAIN SID: S-1-5-21-416587768-2115368124-2463890298

Note: After the AD provisioning is completed, the Domain Administrator password will expire in 41 days. To prevent this, run the following command.

sudo samba-tool user setexpiry administrator --noexpiry

Add the following to /etc/bind/named.conf.options at the end of the options block. You may need to remove any existing lines that set the same options.

sudo nano /etc/bind/named.conf.options

   auth-nxdomain yes;  
   empty-zones-enable no;
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Select your version of BIND by uncommenting the matching database line (see example below).

sudo nano /var/lib/samba/private/named.conf

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";
    # For BIND 9.9.0
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";
};

Add the following to /etc/bind/named.conf as the second line in the include section.

sudo nano /etc/bind/named.conf

include "/var/lib/samba/private/named.conf";

Add the following AppArmor rules to the end of /etc/apparmor.d/usr.sbin.named, inside the { } block.

sudo nano /etc/apparmor.d/usr.sbin.named

   /usr/lib/x86_64-linux-gnu/samba/** rwmk,
   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
   /var/lib/samba/private/dns/** rwmk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns.keytab rk,
   /dev/urandom rw,
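
A check for the BIND steps above, added here as an example and not part of the original page: it confirms that each named.conf.options line is set exactly once, that dns.keytab gives no access to other users, and that the AppArmor rules are in the profile. The script name check-dlz.sh and its output labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page; check-dlz.sh and the output
# labels are made up here. Paths are arguments so copies can be checked.

# Count active (uncommented) lines that set option $1 in BIND file $2.
count_option() {
    grep -E -c "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# Each option the page adds must be set exactly once: a missing line leaves
# the default in place, and BIND rejects a repeated option as redefined.
check_named_options() {  # $1 = named.conf.options
    [ -r "$1" ] || { echo "MISSING: $1"; return 1; }
    rc=0
    for opt in auth-nxdomain empty-zones-enable tkey-gssapi-keytab; do
        case "$(count_option "$opt" "$1")" in
            1) ;;
            0) echo "MISSING: $opt"; rc=1 ;;
            *) echo "DUPLICATE: $opt"; rc=1 ;;
        esac
    done
    return "$rc"
}

# dns.keytab is the key file named in tkey-gssapi-keytab: it must exist and
# give no access to "other" (characters 8-10 of the ls mode string).
check_keytab() {  # $1 = dns.keytab
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" = "---" ] || { echo "TOO OPEN (other=$other): $1"; return 1; }
}

# Every path rule from the page must appear, uncommented, in the profile.
check_apparmor() {  # $1 = usr.sbin.named
    rc=0
    for p in '/usr/lib/x86_64-linux-gnu/samba/**' '/usr/lib/x86_64-linux-gnu/ldb/**' \
             '/var/lib/samba/private/dns/**' /var/lib/samba/private/named.conf \
             /var/lib/samba/private/dns.keytab /dev/urandom; do
        grep -v '^[[:space:]]*#' "$1" | grep -qF "$p " || { echo "NO RULE: $p"; rc=1; }
    done
    return "$rc"
}

# Usage: sh check-dlz.sh <named.conf.options> <dns.keytab> <usr.sbin.named>
if [ "$#" -eq 3 ]; then
    check_named_options "$1"; a=$?; check_keytab "$2"; b=$?
    check_apparmor "$3"; exit $((a | b | $?))
fi
```

On the domain controller, run it as root with /etc/bind/named.conf.options, /var/lib/samba/private/dns.keytab and /etc/apparmor.d/usr.sbin.named as the three arguments.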


