[Samba] Ubuntu 14.04 as an Active Directory Domain Controller
Eric Knudstrup
eric at knudstrup.org
Wed Oct 29 16:15:21 MDT 2014
To start, I've been using Samba for almost 20 years.
I wanted to use Samba as an AD DC for my business.
Ubuntu 14.04 comes with Samba 4.1.6. This is a little out of date right
now as 4.1.13 is available and 4.2 is in release candidate status, but
it works.
I used the Samba AD DC Howto
(https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) as an aid to get it
going, but there were some things that weren't quite clear.
I started with a fresh install and things weren't quite right.
There are several things that need to be changed immediately to set up
Ubuntu 14.04 as an AD DC.
First, give your system a static IP address. I use the GUI's network
interface tool.
There are several packages that need to be installed.
Kerberos 5 (krb5-kdc) needs to be installed and running. Leave out the
kadmind package. The Samba process does that itself.
I left the krb5.conf that krb5_newrealm created, with the exception that
I added these two lines from Samba's krb5.conf to it at the beginning:
dns_lookup_realm = false
dns_lookup_kdc = true
Then set up the realm, using the same domain as your Samba AD DC will
use (SAMDOM.EXAMPLE.COM from the Howto, for example).
I recommend removing the avahi-daemon package. Not terribly sure it
conflicts with Samba, but at the very least it sounds like a security
nightmare. Not really necessary or desirable for a server machine anyway.
Also, the ssh server isn't installed by default.
Disable dnsmasq by removing or commenting out this line in
/etc/NetworkManager/NetworkManager.conf. This program conflicts with
the internal Samba DNS server/proxy.
dns=dnsmasq
I changed the DNS search domain the same as my AD DC domain and set the
DNS server to 127.0.0.1.
The order of removing dnsmasq and installing/changing everything else is
a bit tricky. Try to make sure you have all of the packages downloaded
you need before disabling dnsmasq but before enabling Samba. The system
will be without DNS resolution between these two events.
Right now it works. I've joined one of my PCs to the domain controller
and can log in to the domain from it. I can also use the Microsoft
RSAT (Remote Server Administration Tool) to add users.
I think those are the most important details that have been left out of
the HOWTO.
Also, to me, the daemon/init process is a bit funky and convoluted in
Ubuntu. It took me a bit of tinkering to make sure that everything came
up correctly on a reboot.
I welcome further refinements. These are just some of my notes :).
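The two configuration edits in the notes above (commenting out dns=dnsmasq in NetworkManager.conf, and adding dns_lookup_realm/dns_lookup_kdc to krb5.conf) are easy to get half-done by hand, and the post warns that the box is without DNS resolution in between. The script below is an added example, not code from the original post or from the Samba project: it applies both edits to files and then runs a pre-flight check that they took effect and that krb5's default_realm matches the upper-cased AD domain. The sample file contents, the temp-dir paths, and the function names are all constructed for this example; on a real host you would point the functions at /etc/NetworkManager/NetworkManager.conf and /etc/krb5.conf.

```shell
#!/bin/sh
# Added example (not from the original post): script the two config edits the
# post describes and verify the result before rebooting. The sample files
# written by make_samples are constructed for this example.

# Comment out every active "dns=dnsmasq" line so NetworkManager no longer
# starts dnsmasq, which conflicts with Samba's internal DNS server.
# Prints how many lines were changed.
disable_dnsmasq() {
    f=$1
    n=$(grep -c '^[[:space:]]*dns=dnsmasq' "$f" || true)
    # keep the original line as a comment rather than deleting it
    sed 's/^\([[:space:]]*\)dns=dnsmasq/\1#dns=dnsmasq/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo "$n"
}

# Add the two keys Samba's krb5.conf needs directly under [libdefaults],
# unless they are already there. Returns 0 when both keys are present.
add_samba_dns_keys() {
    f=$1
    if ! grep -q '^[[:space:]]*dns_lookup_realm' "$f"; then
        awk '{ print }
             /^\[libdefaults\]/ && !done {
                 print "\tdns_lookup_realm = false"
                 print "\tdns_lookup_kdc = true"
                 done = 1
             }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    grep -q '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*false' "$f" &&
    grep -q '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$f"
}

# Pre-flight check for the state the post ends up in: dnsmasq disabled, both
# lookup keys set, and default_realm equal to the upper-cased AD domain.
# Returns 0 when all three hold, 1 otherwise (reason on stderr).
check_dc_prereqs() {
    nm=$1; krb=$2; realm=$3
    if grep -q '^[[:space:]]*dns=dnsmasq' "$nm"; then
        echo "dnsmasq still enabled in $nm" >&2; return 1
    fi
    if ! grep -q '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$krb" ||
       ! grep -q '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*false' "$krb"; then
        echo "dns_lookup_* keys missing in $krb" >&2; return 1
    fi
    want=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    have=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb" | head -n 1)
    if [ "$have" != "$want" ]; then
        echo "default_realm is '$have', expected '$want'" >&2; return 1
    fi
    return 0
}

# Write constructed sample files (not real host config) into a fresh temp dir
# and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/NetworkManager.conf" <<'EOF'
[main]
plugins=ifupdown,keyfile
dns=dnsmasq

[ifupdown]
managed=false
EOF
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM

[realms]
    SAMDOM.EXAMPLE.COM = {
        kdc = dc1.samdom.example.com
    }
EOF
    echo "$d"
}

# Stand-alone demo: apply both edits to the samples and run the check.
demo_dir=$(make_samples)
echo "dnsmasq lines commented out: $(disable_dnsmasq "$demo_dir/NetworkManager.conf")"
add_samba_dns_keys "$demo_dir/krb5.conf"
if check_dc_prereqs "$demo_dir/NetworkManager.conf" "$demo_dir/krb5.conf" samdom.example.com; then
    echo "prerequisites satisfied; edited copies are in $demo_dir"
fi
```

Both edit functions are idempotent, so re-running the script on an already-fixed host changes nothing, and check_dc_prereqs gives a single yes/no you can run right before the reboot the post mentions, when the daemon ordering is hardest to eyeball.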