Set Up a Samba4 Domain Controller on Debian 6.0 Squeeze



An Active Directory Domain Controller is a vital tool for business network administrators.  It allows the centralized management of all the computers in a business network, whether it’s local, national or worldwide.  You can add a user to the network with all their information, set their limits to features on a computer, and they will be able to log in to any computer on the business network.

Active Directory Domain Controllers used to be a costly feature exclusive to Microsoft Windows Servers, but with the recent open source release of Samba 4.0 stable all of these features are now available for free.  This will allow small businesses and home users to utilize Active Directory Domain Controllers on a limited budget.  Today we will walk you through the steps to set up your own Samba4 Active Directory Domain Controller on Debian 6.0 “aka Squeeze”.

Tips Before we Begin

  • Before setting up your Samba4 domain controller you will want to remove any older versions of Samba 3.x to prevent interference with Samba4, unless you plan on migrating an old NT style Samba3 domain controller to Samba4.  ***If this is the case, this tutorial is not for you***
  • If you are starting with a fresh install make sure to enable xattr on any partition that Samba will be running on or accessing.  This will be addressed later if you have a currently running install.
  • Resolv.conf is often a source of issues, as it typically gets overwritten automatically.  If you run into issues down the road, make sure that this file hasn’t changed.
  • If you are new to Linux tutorials, commands that are typed into the command prompt “aka Bash” will appear in a grey box and will start with “$ “.  You can omit the “$” sign and just type that command.  See the example below:

$ echo "This is an example of a command to type at the Bash prompt"

  • If the grey box doesn’t contain the “$ ” then apply the contents as described in that step of the process.

Installing Debian 6.0

If you already have a working install of Debian 6.0 then you may skip this section.

Installing Dependencies

1) Install Samba4 dependencies and utilities required for this tutorial with the following command.

$ apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev git acl nano

2) The krb5-user package will ask the following questions, highlighted in bold text.  We have included the proper responses in the example below.

Default Realm: test.local
Default Realm:
Administrative Server:

FSTAB File Setup

Now that all dependencies for Samba4 are installed we will now configure the /etc/fstab file.
Warning: If you are not familiar with the contents of this file, read your distribution's manual.  Edit at your own risk!!!

1) Open the /etc/fstab file in your preferred text editor.  For this example we will use nano.

$ nano /etc/fstab

2) Within the fstab file you will find your hard drive partition configuration.  Add the following parameters if they aren’t present: user_xattr, acl and barrier=1.  View the example below.

UUID=db6f8346-60ca-47b4-8ab2-046337abd834 / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1

3) You must apply these settings to all partitions that Samba4 will access and remount your partition with the following command.

$ mount -a
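
One way to confirm step 2 was applied to every partition Samba4 will use, as an added example that is not part of the original tutorial. The /srv/samba, /home and /data entries and the function names are constructed for illustration; options are matched exactly, so an entry carrying noacl does not pass as acl.

```sh
#!/bin/sh
# Added example: audit fstab-style entries for the mount options
# the tutorial asks for (user_xattr, acl, barrier=1).

REQUIRED_OPTS="user_xattr acl barrier=1"

# missing_opts FSTAB MOUNTPOINT
# Prints the required options the entry lacks (space-separated),
# nothing if all are present, or "no-entry" if MOUNTPOINT is not listed.
missing_opts() {
    awk -v mp="$2" -v req="$REQUIRED_OPTS" '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $2 == mp {
            found = 1
            n = split($4, have, ",")           # options are comma-separated
            m = split(req, want, " ")
            out = ""
            for (i = 1; i <= m; i++) {
                ok = 0
                for (j = 1; j <= n; j++) if (have[j] == want[i]) ok = 1
                if (!ok) { if (out != "") out = out " "; out = out want[i] }
            }
            print out
            exit
        }
        END { if (!found) print "no-entry" }
    ' "$1"
}

# Constructed sample: the root entry is the one from the tutorial,
# the other entries are made up to show failing cases.
sample_fstab() {
cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=db6f8346-60ca-47b4-8ab2-046337abd834 / ext4 user_xattr,acl,barrier=1,errors=remount-ro 0 1
/dev/sdb1 /srv/samba ext4 defaults,noacl 0 2
/dev/sdb2 /home ext4 user_xattr,acl 0 2
EOF
}

# audit_fstab FSTAB MOUNTPOINT...  returns 1 if any entry fails
audit_fstab() {
    fstab=$1; shift
    rc=0
    for mp in "$@"; do
        miss=$(missing_opts "$fstab" "$mp")
        if [ -z "$miss" ]; then echo "OK    $mp"
        else echo "FAIL  $mp: missing $miss"; rc=1; fi
    done
    return $rc
}

tmp=$(mktemp)
sample_fstab > "$tmp"
audit_fstab "$tmp" / /srv/samba /home /data || echo "one or more entries need editing"
rm -f "$tmp"
```

On the server, call audit_fstab with /etc/fstab and the mount points that will hold Samba4 data.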

Download Samba4

We will download the latest version of Samba4 via a program called git.  The following command will download the latest stable version.

$ git clone -b v4-0-stable git:// samba4

Compile and Install Samba4

Compile and install Samba4 with the following commands.

$ cd samba4
$ ./configure --enable-debug --enable-selftest
$ make
$ make install

Provision Samba4

1) Provisioning the Samba4 Domain Controller creates the configuration files and the Active Directory database.  Use the following command to start the process.

$ /usr/local/samba/bin/samba-tool domain provision

2) The provision command will ask you for some information about your network.  Use the following example as a guideline, but modify the info as needed for your network.

Realm [test.local]: test.local
Domain [S4]: SAMBA4TEST
Server Role (dc, member, standalone) [dc]: dc
DNS forwarder IP address (write ‘none’ to disable forwarding) []:
Administrator password: Ex@mpleP@$$word
Retype password: Ex@mpleP@$$word

You should see output similar to the following example:

Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=test,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: LinuxServer
DNS Domain: test.local
DOMAIN SID: S-1-5-21-1811932520-1978264231-2890610938

Modify resolv.conf and hosts File

1) Edit your resolv.conf file in nano.

$ nano /etc/resolv.conf

2) The following info should be sufficient as long as this system is running only Samba4.

domain test.local

3) By default, Debian will overwrite the /etc/resolv.conf file when DHCP and other network services update it.  To prevent this we make the resolv.conf file read only by setting its immutable attribute.

$ chattr +i /etc/resolv.conf

Note: This is not the most elegant solution, especially if you are running other services.  Other solutions to this issue are out of the scope of this tutorial.

Manage Kerberos

1) Samba4 has created a krb5.conf for you to use as a replacement for the existing configuration file.  Use the following commands to back up the old file and copy the new configuration file.

$ mv /etc/krb5.conf /etc/krb5.conf.bak
$ cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

2) Now you must edit the new krb5.conf file to include your domain realm info.

$ nano /etc/krb5.conf

3) Modify the “default_realm = SAMDOM.EXAMPLE.COM” line to contain your domain info.  In our tutorial it is “TEST.LOCAL”.

NOTE: The domain realm MUST be typed in uppercase!
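
A consistency check for this edit and the earlier resolv.conf step, added here as an example and not part of the original tutorial. The sample files are constructed and the function names are hypothetical; it flags a realm left lowercase, the unedited SAMDOM.EXAMPLE.COM placeholder, and a resolv.conf whose domain line has been rewritten.

```sh
#!/bin/sh
# Added example: check that krb5.conf and resolv.conf agree with the
# provisioned DNS domain (test.local in the tutorial).

# Print the default_realm value from the [libdefaults] section.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { sect = $1; next }        # track the current section
        sect == "[libdefaults]" && $1 ~ /^default_realm/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the argument of the last "domain" line in a resolv.conf file.
resolv_domain() {
    awk '$1 == "domain" { d = $2 } END { if (d != "") print d }' "$1"
}

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# check_dc_names KRB5CONF RESOLVCONF DNS_DOMAIN
# Prints "ok" and returns 0, or prints the problems found and returns 1.
check_dc_names() {
    realm=$(krb5_default_realm "$1")
    dom=$(resolv_domain "$2")
    want=$(to_upper "$3")                      # the realm must be uppercase
    problems=""
    if [ -z "$realm" ]; then
        problems="realm-missing"
    elif [ "$realm" != "$want" ]; then
        if [ "$(to_upper "$realm")" = "$want" ]; then problems="realm-not-uppercase"
        else problems="realm-mismatch"; fi
    fi
    [ "$dom" = "$3" ] || problems="${problems:+$problems }resolv-domain-mismatch"
    if [ -z "$problems" ]; then echo ok; return 0; fi
    echo "$problems"; return 1
}

# write_samples DIR: constructed sample files, not taken from a real server
write_samples() {
    printf '[libdefaults]\n\tdefault_realm = TEST.LOCAL\n\tdns_lookup_kdc = true\n' > "$1/krb5.good"
    printf '[libdefaults]\n\tdefault_realm = test.local\n' > "$1/krb5.lower"
    printf '[libdefaults]\n\tdefault_realm = SAMDOM.EXAMPLE.COM\n' > "$1/krb5.unedited"
    printf 'domain test.local\n' > "$1/resolv.good"
    printf 'domain lan\nnameserver 192.0.2.1\n' > "$1/resolv.dhcp"
}

d=$(mktemp -d)
write_samples "$d"
for k in good lower unedited; do
    echo "krb5.$k + resolv.good: $(check_dc_names "$d/krb5.$k" "$d/resolv.good" test.local)"
done
echo "krb5.good + resolv.dhcp: $(check_dc_names "$d/krb5.good" "$d/resolv.dhcp" test.local)"
rm -rf "$d"
```

On the server, run check_dc_names /etc/krb5.conf /etc/resolv.conf test.local, substituting your own DNS domain.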

Start Samba

You should now have a functioning Samba4 Domain Controller.  Start your Domain Controller by using the following command. You should now be able to connect your Windows and other devices to your Active Directory Domain Controller.

$ /usr/local/samba/sbin/samba

Add Samba Directories to PATH Variable (optional):

1) Edit your environment variables with nano.

$ nano ~/.bashrc

2) Add the following to your .bashrc config file



Post Setup Tips:

  • Any devices that you will connect to your domain should have the primary DNS of your Samba4 server. (ie:
  • If your Windows machine doesn’t seem to be connecting to the Samba4 DNS server, try the following command at the Windows command prompt.

ipconfig /flushdns

Samba 4 with Active Directory gets a stable release


Samba 4 has been a long time coming, and now the world has a stable, free and full featured alternative to a Microsoft Server Active Directory Domain Controller on Linux/Unix based systems.  Head over to and download Samba 4 now!

Samba Press Release:

The Samba Team is proud to announce the release of Samba 4.0, a major new release of the award-winning Free Software file, print and authentication server suite for Microsoft Windows® clients.

The First Free Software Active Directory Compatible Server

As the culmination of ten years’ work, the Samba Team has created the first compatible Free Software implementation of Microsoft’s Active Directory protocols. Familiar to all network administrators, the Active Directory protocols are the heart of modern directory service implementations.

Samba 4.0 comprises an LDAP directory server, Heimdal Kerberos authentication server, a secure Dynamic DNS server, and implementations of all necessary remote procedure calls for Active Directory. Samba 4.0 provides everything needed to serve as an Active Directory Compatible Domain Controller for all versions of Microsoft Windows clients currently supported by Microsoft, including the recently released Windows 8.

The Samba 4.0 Active Directory Compatible Server provides support for features such as Group Policy, Roaming Profiles, Windows Administration tools and integrates with Microsoft Exchange and Free Software compatible services such as OpenChange.

The Samba 4.0 Active Directory Compatible Server can also be joined to an existing Microsoft Active Directory domain, and Microsoft Active Directory Domain Controllers can be joined to a Samba 4.0 Active Directory Compatible Server, showing true peer-to-peer interoperability of the Microsoft and Samba implementations of the Active Directory protocols.

Acknowledging the value of the interoperability of the Samba 4.0 Active Directory Compatible Server, Steve van Maanen, the co-founder of Starsphere LLC, an IT services company in Tokyo, said:

“Thanks to Samba 4, I have two fully replicating Active Directory Domain controllers that boot in under 10 seconds ! It is nice to have alternatives, and Samba 4 is a great one.”

Upgrade scripts are also provided for organizations using the previous Microsoft Windows NT Domain Controller functionality in Samba 3.x, to allow them to migrate smoothly to Samba 4.0.

Suitable for low-power and embedded applications, yet scaling to large clusters, Samba 4.0 is efficient and flexible. Its Python programming interface and administration toolkit help in enterprise deployments.

Created Using Microsoft Documentation

The Samba 4.0 Active Directory Compatible Server was created with help from the official protocol documentation published by Microsoft Corporation and the Samba Team would like to acknowledge the documentation help and interoperability testing by Microsoft engineers that made our implementation interoperable.

“Active Directory is a mainstay of enterprise IT environments, and Microsoft is committed to support for interoperability across platforms,” said Thomas Pfenning, director of development, Windows Server. “We are pleased that the documentation and interoperability labs that Microsoft has provided have been key in the development of the Samba 4.0 Active Directory functionality.”

Introducing SMB2.1 File Serving Support

Samba 4.0 includes the first Free Software implementation of Microsoft’s SMB2.1 file serving protocol. Building on the success of the SMB2.0 server in Samba 3.6, the Samba 4.0 file server component is an evolution of the trusted Samba file serving code that is used worldwide by vendors of file servers, such as IBM’s clustered Scale Out Network Attached Storage (SONAS), and many other commercial products.

In addition, the Samba 4.0 file server contains an initial implementation of SMB3, which will be further developed in later Samba 4 releases into a fully-featured SMB3 clustered file server implementation.

Future developments of our SMB3 server and client suite, in combination with our expanding number of SMB3 tests, will keep driving the performance improvements and improved compatibility with Microsoft Windows that Samba users have come to expect from our software.

Integrated Clustered File Server Support

Building on our success as the first commercial implementation of a clustered SMB/CIFS server, Samba 4.0 provides industry-leading scalability and performance as a clustered SMB2/SMB/CIFS file server, using our “clustered tdb” (ctdb) technology – also available as Free Software.

Clustered Samba provides a “Single Server” view of clustered file storage, allowing clients to connect to the least loaded server and still providing a completely coherent view of the underlying clustered file system.

Written and tested to be compatible with most clustered file systems, both Free Software and proprietary, Samba 4.0 with ctdb provides a scalable clustered file server solution with full Windows file sharing semantics.

Samba and ctdb have been shipping in production file serving products for many years, to some of the most demanding customers in the world.

Easy Integration into Existing Directory Services

Samba 4.0 ships with an improved winbind, which allows Samba 4.0 file servers to easily integrate into existing Active Directory services as member servers. Both Microsoft Active Directory and Samba 4.0 Active Directory Compatible servers are supported.

Stability, Security and Performance

Samba 4.0 has been tested using our widely accepted smbtorture test suite, created by the Samba Team to test Samba itself and now used by most of the companies writing SMB3/SMB2/SMB/CIFS file server software to test their own products. We also regularly test interoperability with other major vendors at plug-fest events to make sure Samba 4.0 deployments work correctly with existing customer equipment.

In addition, Samba is one of eleven open source projects that leading software integrity vendor Coverity has certified as “secure” and has reached Coverity “Integrity Rung 2” certification.

The Samba Team provides immediate responses to any security vulnerabilities, and provides fixes to all vendors using the Samba code in coordination with industry standard security reporting agencies.

A Modular Toolbox for OEM Vendor Needs

As Free Software, Samba 4.0 is the ideal choice for Original Equipment Manufacturers (OEMs) to use for their file, print and authentication products. It is easily integrated into a whole host of different tasks, and can be customized at will by the vendor to satisfy their needs.

In addition, Samba 4.0 includes a modular “Virtual File System” (VFS) interface that vendors can use to quickly and efficiently customize Samba to take advantage of any specific features of their underlying technology without having to modify any of the core Samba code. From advanced file systems to network traffic analysis, the Samba VFS layer allows external code to be easily integrated with Samba. Example modules are provided as source code for vendors to customize as they wish.

Samba is the leading choice for Microsoft Windows connectivity

Samba is the leading technology choice for Windows file serving on Linux and UNIX platforms and in embedded Network Attached Storage (NAS) solutions. Samba is used by vendors selling NAS solutions ranging from high end clustered business-critical systems, to low end consumer devices, and everything in between. Samba is fully IPv6 enabled and meets all mandates for modern network interoperability.

Commercial support is available for Samba from many different vendors.

Getting Samba 4.0

Samba 4.0 source code is available now from the Samba Web site.

About Active Directory

Microsoft Windows and Active Directory are trademarks of Microsoft Corporation.

About the Samba Team

The Samba Team is a worldwide group of computer professionals working together via the Internet to produce the highest quality Free Software Windows (SMB3/SMB2/SMB/CIFS) server and client software. We are the undisputed experts in providing interoperability with computers running Microsoft Windows. Members of the Samba Team work for many of the largest companies in the software Industry and even helped Microsoft produce the protocol documentation that fully specifies the SMB/CIFS protocol.

Samba 4 RC5 has been released



The free alternative to Windows Server Active Directory/Domain Controller, Samba4, has been in the making for years and continues to inch closer to a stable release.  The feature set is now frozen and the development team is busy squashing major bugs before labeling Samba4 stable for production use.

Our experience with Samba4 as a small office domain controller has been a stable, bug free experience.  The installation on our Ubuntu server was fairly painless when following the HOW-TO located on the official Samba website.  The DC has yet to crash or cause any problems with the PCs on our diverse network.

Samba4 packs everything you expect from a Windows Domain Controller into a free open source package.  Samba4 is in a unique position to shake up the Domain Controller market by making a free option to pricey Microsoft options.  I am excited to see Samba4 reach the stable release, so that I can begin implementation outside of our networks.

Samba4 Features

  • Samba 4.0 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.
  • Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.
  • Samba 4.0.0rc5 ships with two distinct file servers. We now use the file server from the Samba 3.x series ‘smbd’ for all file serving by default.
  • Samba 4.0 also ships with the ‘NTVFS’ file server. This file server is what was used in all previous releases of Samba 4.0, and is tuned to match the requirements of an AD domain controller. We continue to support this, not only to provide continuity to installations that have deployed it as part of an AD DC, but also as a running example of the NT-FSA architecture we expect to move smbd to in the longer term.
  • For pure file server work, the binaries users would expect from that series (nmbd, winbindd, smbpasswd) continue to be available. When running an AD DC, you only need to run ‘samba’ (not nmbd/smbd/winbind), as the required services are co-coordinated by this master binary.
  • As DNS is an integral part of Active Directory, we also provide two DNS solutions, a simple internal DNS server for ‘out of the box’ configurations and a more elaborate BIND plugin using the BIND DLZ mechanism in versions 9.8 and 9.9. During the provision, you can select which backend to use. With the internal backend, your DNS server is good to go. If you chose the BIND_DLZ backend, a configuration file will be generated for bind to make it use this plugin, as well as a file explaining how to set up bind.
  • To provide accurate timestamps to Windows clients, we integrate with the NTP project to provide secured NTP replies. To use you need to start ntpd and configure it with the ‘restrict … ms-sntp’ and ntpsigndsocket options.
  • Finally, a new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba’s internals, and many tools and internal workings of the DC code are now implemented in Python.