Gentoo // Samba 4.5 as AD DC

… still fighting – meaning: trial and error + under construction.


Configure NTP

 emerge ntp
 rc-update add ntp-client default

Check /etc/hosts

# CHECK #	dc.test.local dc

Use Samba's own Heimdal Kerberos.
Use Samba's own internal DNS backend with a DNS forwarder.
This machine is a dedicated AD DC. Files will be stored on a Samba domain member file server.
ADDC’s IP is, host name is DC

Selecting Samba's USE flags

 addc addns -system-mitkrb5 gnutls winbind gssapi quota fam ldap cups
 emerge samba

Create /etc/krb5.conf (the settings belong in the [libdefaults] section)

 [libdefaults]
 	default_realm = SAMDOM.TEST.LOCAL
 	dns_lookup_realm = false
 	dns_lookup_kdc = true


Delete any existing /etc/samba/smb.conf – provisioning creates a brand-new smb.conf

 samba-tool domain provision --use-rfc2307 --interactive


Domain: SAMDOM

Server role: dc

Use SAMBA_INTERNAL as DNS backend.

Select your company's internal (or external :] ) DNS resolver as DNS forwarder.

The resulting /etc/samba/smb.conf should be similar to the following (section headers and the realm line added here, as provisioning writes them):

 # Global parameters
 [global]
 	netbios name = DC
 	realm = SAMDOM.TEST.LOCAL
 	workgroup = SAMDOM
 	server role = active directory domain controller
 	idmap_ldb:use rfc2307 = yes

 [netlogon]
 	path = /var/lib/samba/sysvol/samdom.test.irmedia/scripts
 	read only = No

 [sysvol]
 	path = /var/lib/samba/sysvol
 	read only = No

Your Active Directory Domain Controller machine should resolve all names against Samba's internal DNS:
Edit /etc/resolv.conf

 domain samdom.test.local

ATTENTION: Do not use /etc/init.d/samba start, it will fail.

Create a samba start script in /etc/local.d (OpenRC runs *.start scripts from there at boot, e.g. /etc/local.d/samba.start) and make it executable

 #!/bin/sh
 test -d /run/samba || mkdir -p /run/samba
 test -d /var/log/samba || mkdir -p /var/log/samba
 samba   # start the AD DC daemon (assumed: the command the original post omits)
 if [ $? -eq 0 ]; then
    echo "SAMBA started."
 else
    echo "SAMBA failed."
 fi
 # END

Create a samba stop script in /etc/local.d (e.g. /etc/local.d/samba.stop, run at shutdown) and make it executable

 #!/bin/sh
 pkill samba
 if [ $? -eq 0 ]; then
    echo "SAMBA stopped."
 else
    echo "Stopping SAMBA failed."
 fi
 # END


Maintenance under Windows
Check this (!!!):

Install the RSAT tools on a Windows machine (for Windows 7 they are a separate download from Microsoft).

Start "Windows Programs and Features" and enable the required tools.

Run gpmc.msc, dsa.msc or similar snap-ins.

Maintenance under Linux
Check this (!!!):

List users and machines

 pdbedit -L -w

Delete users and machines

 pdbedit -x COMPUTER$
 pdbedit -x USER

Additional Info:

I had to add the pid directory to the newly created smb.conf.

I had to create the /var/run/samba directory.

Tune password complexity (these commands switch off the provisioned password policy; suited to a test domain, not to one with real users)

 samba-tool domain passwordsettings show
 samba-tool domain passwordsettings set --complexity=off
 samba-tool domain passwordsettings set --history-length=0
 samba-tool domain passwordsettings set --min-pwd-age=0
 samba-tool domain passwordsettings set --max-pwd-age=0
 samba-tool user setexpiry Administrator --noexpiry
 samba-tool domain passwordsettings set --min-pwd-length=0
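As an added audit example (not code from the original post), a POSIX sh function that parses the output of `samba-tool domain passwordsettings show` and flags every setting the commands above weaken. The two sample outputs are constructed here to mimic the Samba 4.5 output layout, which is an assumption; on a live DC you would feed it the real command output.

```shell
#!/bin/sh
# Constructed sample in the layout of `samba-tool domain passwordsettings show`
# (assumption: Samba 4.5 layout), reflecting the settings after the commands above.
WEAK_POLICY='Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 0
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# Same layout with the values a fresh provisioning sets (constructed for comparison).
DEFAULT_POLICY='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# get_setting OUTPUT LABEL: print the value that follows "LABEL:"
get_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# audit_passwordsettings OUTPUT: print one FINDING line per weakened setting,
# then a final "FINDINGS: N" summary line (N = number of findings).
audit_passwordsettings() {
    n=0
    if [ "$(get_setting "$1" 'Password complexity')" = off ]; then
        echo "FINDING: password complexity disabled"; n=$((n + 1)); fi
    if [ "$(get_setting "$1" 'Store plaintext passwords')" = on ]; then
        echo "FINDING: plaintext password storage enabled"; n=$((n + 1)); fi
    if [ "$(get_setting "$1" 'Password history length')" -lt 1 ]; then
        echo "FINDING: no password history kept"; n=$((n + 1)); fi
    if [ "$(get_setting "$1" 'Minimum password length')" -lt 7 ]; then
        echo "FINDING: minimum password length below 7"; n=$((n + 1)); fi
    if [ "$(get_setting "$1" 'Maximum password age (days)')" -eq 0 ]; then
        echo "FINDING: passwords never expire"; n=$((n + 1)); fi
    echo "FINDINGS: $n"
}

# On a live DC: audit_passwordsettings "$(samba-tool domain passwordsettings show)"
audit_passwordsettings "$WEAK_POLICY"
```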

xidNumber is the UNIX user ID (root -> 0)

Show and edit a user's properties (on Gentoo the database lives under /var/lib/samba/private rather than /usr/local/samba/private):

 ldbedit -e mcedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=zuppiuser'

ATTENTION: When adding a user with samba-tool user create:

--home-directory should be double quoted.
--home-drive needs a trailing ':' (like U:) – otherwise z: will be used.

If you create corresponding local Unix users in addition to the Samba users and give them a shell like /sbin/noshell, do not forget to add this shell to /etc/shells.

…coming soon.

One thought on “Gentoo // Samba 4.5 as AD DC”

  1. Nice Guide!
    Got me going, but for some odd reason I can’t check smb share file/folder security permissions in windows 10.
    Doing so crashes explorer/COM Surrogate, no idea what’s up.
