Success report: Samba4 as Active Directory DC (incl. notes for Wiki)

Scott Lovenberg scott.lovenberg at gmail.com
Wed Mar 27 22:53:17 MDT 2013


On Wed, Mar 27, 2013 at 9:16 AM, Otso Kassinen <akassine at ee.oulu.fi> wrote:
>
> Dear Samba4 Developers,
>
> I report here my success in installing Samba4 as an Active Directory DC.
> Reporting success was requested at the end of the instructions:
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> Thanks for providing the very good instructions in the Samba Wiki!
>
> I managed to set up the AD DC (server: Ubuntu 12.04.2 LTS, 64-bit) with the
> Samba-internal DNS server, and log on to the AD domain as several AD-created
> users (client: PC, Win 7 64-bit).
> There were some surprises during the deployment; I list them below.
>
> You can add related information to the Wiki page to help other people, in
> case they run into the same surprises:
>
> * It could be good to mention that this message (when running samba -i)
> "RuntimeError: kinit for SOMEHOST$@SOMEDOMAIN failed (Cannot contact any KDC
> for requested realm)"
> is a sign that DNS is not working correctly - the error disappeared when the
> Samba-internal DNS server was correctly selected in resolv.conf.
>
> * Whenever I start up the Samba4 AD DC, it first gives the following error
> several times:
> "TSIG error with server: tsig verify failure". However, when I kill the
> server process and immediately restart it, the TSIG errors disappear and the
> server works OK. (Later, the TSIG errors appear again, but still user logins
> work.) Mentioning something about this in the Wiki could be nice.
>
> * Maybe obvious, but it can be mentioned that if using Samba-internal DNS
> then the bind9 server (or any locally running DNS server) must be first
> stopped to avoid errors such as:
> "Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED"
>
> * I used lots of time to get rid of this error:
> "There are currently no logon servers to service the logon request", which
> was displayed when I had joined the PC to the domain and tried to log in as
> a non-Administrator user. (Domain Administrator logged in OK, probably
> because the credentials were cached during joining the domain.)
> The reason was that I had defined a wireless network interface for
> connecting to the AD domain, and the wireless interface was not connected,
> when the "username and password" login dialog was shown to the users.
> The solution: just edited the WLAN connection's properties in Win7: had to
> enable "Automatically connect" i.e. create a "Bootstrap Wireless Profile".
> (Note: before finding this out, I suspected the error to be related to
> NetBIOS name resolution. I activated WINS support in smb.conf and defined
> the server's IP as the WINS server in Win7 network interface properties. I
> don't know if this had any effect on anything, but well, I mention it here.)
>
> * I created the profiles share in /usr/local/samba/var/profiles, as
> instructed, but nothing appears there even after several users have used
> their accounts.
> Intuitively, I thought that the profiles share directory would contain some
> automatically saved data related to users. The purpose of the profiles share
> could be explained briefly in the Wiki (in what situations something is
> actually saved under the profiles directory).
>
> I haven't yet tried to add any OU or GPO to my domain. But I already report
> success, because the most important AD DC functionality works now :)
>
>
> Best regards,
> Otso Kassinen
> University of Oulu, Finland
>
>

I'll talk to Ricky about including this in the wiki tomorrow.

-- 
Peace and Blessings,
-Scott.
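Two of the surprises in the quoted report (resolv.conf not pointing at the Samba-internal DNS, which surfaces as the kinit "Cannot contact any KDC" error, and another service already bound to port 53, which surfaces as NT_STATUS_ADDRESS_ALREADY_ASSOCIATED) can be checked before starting `samba -i`. The script below is an added example, not code from the thread or from the Samba project; it assumes the DC's own IP is passed as the only argument, and the helper functions accept constructed input so they can be exercised without touching the live system.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-flight checks
# for the two DNS surprises in the report, meant to run before 'samba -i'.

# resolv_uses_dc FILE DC_IP
# Succeeds when the first 'nameserver' entry in FILE is DC_IP or 127.0.0.1,
# i.e. the host resolves through the Samba-internal DNS. A foreign resolver
# is what produced "kinit ... failed (Cannot contact any KDC ...)" above.
resolv_uses_dc() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ -n "$first_ns" ] || return 1
    [ "$first_ns" = "$2" ] || [ "$first_ns" = "127.0.0.1" ]
}

# port53_busy
# Reads 'ss -lnup' / 'ss -lntp' style output on stdin and succeeds when a
# process other than samba already owns port 53 (e.g. bind9 or a local
# caching resolver), the cause of NT_STATUS_ADDRESS_ALREADY_ASSOCIATED.
port53_busy() {
    grep -E ':53[[:space:]]' | grep -v '"samba"' | grep -q .
}

# preflight DC_IP: run both checks against the live system; non-zero exit
# means at least one of the conditions from the report is present.
preflight() {
    rc=0
    if resolv_uses_dc /etc/resolv.conf "$1"; then
        echo "ok: /etc/resolv.conf points at the DC ($1)"
    else
        echo "WARN: first nameserver in /etc/resolv.conf is not $1"; rc=1
    fi
    if { ss -lnup; ss -lntp; } 2>/dev/null | port53_busy; then
        echo "WARN: port 53 is held by another process; stop it first"; rc=1
    else
        echo "ok: port 53 is free for the Samba-internal DNS"
    fi
    return $rc
}

if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it as `sh preflight.sh 192.0.2.10` (substituting the DC's address) on the DC host before starting Samba; sourcing the file instead exposes the two helpers for use in other scripts.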


More information about the samba-technical mailing list