Success report: Samba4 as Active Directory DC (incl. notes for Wiki)

Otso Kassinen akassine at ee.oulu.fi
Wed Mar 27 07:16:58 MDT 2013


Dear Samba4 Developers,

I report here my success in installing Samba4 as an Active Directory DC.
Reporting success was requested at the end of the instructions:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Thanks for providing the very good instructions in the Samba Wiki!

I managed to set up the AD DC (server: Ubuntu 12.04.2 LTS, 64-bit) with 
the Samba-internal DNS server, and log on to the AD domain as several AD-created 
users (client: PC, Win 7 64-bit).
There were some surprises during the deployment; I list them below.

You can add related information to the Wiki page to help other people, in 
case they run into the same surprises:

* It could be good to mention that this message (when running samba -i)
"RuntimeError: kinit for SOMEHOST$@SOMEDOMAIN failed (Cannot contact any 
KDC for requested realm)"
is a sign that DNS is not working correctly - the error disappeared when 
the Samba-internal DNS server was correctly selected in resolv.conf.

* Whenever I start up the Samba4 AD DC, it first gives the following error 
several times:
"TSIG error with server: tsig verify failure". However, when I kill the 
server process and immediately restart it, the TSIG errors disappear and 
the server works OK. (Later, the TSIG errors appear again, but user 
logins still work.) Mentioning something about this in the Wiki could be nice.

* Maybe obvious, but it could be mentioned that if using the Samba-internal DNS, 
then the bind9 server (or any locally running DNS server) must first be 
stopped to avoid errors such as:
"Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED"
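
A pre-flight script for the DNS-related surprises in the first and third points above (a resolv.conf that does not point at the DC, and a DNS server already bound to port 53), added here as example code, not from the Samba project or from this report; it assumes POSIX sh with awk, that the DC's own address is given as an argument, and that ss and pgrep exist on the host for the live run:

```sh
#!/bin/sh
# Pre-flight checks for a Samba4 AD DC that uses the Samba-internal DNS.
# Added example, not code from the Samba project or from the report above.
# Assumes POSIX sh and awk. Paths, the DC address and the listener listing
# are passed in, so each check also runs against copies or captured output.

# check_resolv_conf FILE DC_IP
# Succeeds when the first "nameserver" line in FILE is the DC's own address.
# A resolv.conf pointing elsewhere is what produced the
# "kinit ... Cannot contact any KDC for requested realm" error.
check_resolv_conf() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1" 2>/dev/null)
    [ -n "$first" ] && [ "$first" = "$2" ]
}

# check_port53_free < LISTING
# Reads listening sockets ("ss -lnut" or "netstat -lnut" output) from stdin
# and succeeds only when nothing is bound to port 53. A bound port 53
# (usually bind9) is what produces NT_STATUS_ADDRESS_ALREADY_ASSOCIATED.
check_port53_free() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:53$/) found = 1 }
         END { if (found) exit 1; exit 0 }'
}

# check_named_stopped
# Succeeds when no bind9 "named" process is running (pgrep from procps).
check_named_stopped() {
    ! pgrep -x named >/dev/null 2>&1
}

# Live run: sh preflight.sh --run DC_IP  (defining only, when sourced).
if [ "${1:-}" = "--run" ]; then
    dc_ip=${2:?usage: $0 --run DC_IP}
    rc=0
    check_resolv_conf /etc/resolv.conf "$dc_ip" \
        || { echo "resolv.conf: first nameserver is not $dc_ip"; rc=1; }
    if command -v ss >/dev/null 2>&1; then
        ss -lnut | check_port53_free \
            || { echo "port 53 already in use; stop bind9 or other DNS first"; rc=1; }
    fi
    check_named_stopped || { echo "bind9 (named) is still running"; rc=1; }
    exit $rc
fi
```

Run the checks before starting samba; each failing check names the surprise it corresponds to, so the fix is the one described in the matching point above.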

* I spent a lot of time getting rid of this error:
"There are currently no logon servers to service the logon request", which 
was displayed when I had joined the PC to the domain and tried to log in 
as a non-Administrator user. (The Domain Administrator logged in OK, probably 
because the credentials were cached while joining the domain.)
The reason was that I had defined a wireless network interface for 
connecting to the AD domain, and the wireless interface was not connected 
when the "username and password" login dialog was shown to the users.
The solution: I just edited the WLAN connection's properties in Win7 and had to 
enable "Automatically connect", i.e. create a "Bootstrap Wireless Profile".
(Note: before finding this out, I suspected the error to be related to 
NetBIOS name resolution. I activated WINS support in smb.conf and defined 
the server's IP as the WINS server in the Win7 network interface properties. I 
don't know if this had any effect on anything, but I mention it 
here anyway.)

* I created the profiles share in /usr/local/samba/var/profiles, as 
instructed, but nothing appears there even after several users have used 
their accounts.
Intuitively, I thought that the profiles share directory would contain 
some automatically saved data related to users. The purpose of the 
profiles share could be explained briefly in the Wiki (in what situations 
something is actually saved under the profiles directory).

I haven't yet tried to add any OU or GPO to my domain, but I already report 
success because the most important AD DC functionality works now :)


Best regards,
Otso Kassinen
University of Oulu, Finland
