[Samba] Ubuntu 14.04 as an Active Directory Domain Controller

Eric Knudstrup eric at knudstrup.org
Wed Oct 29 16:15:21 MDT 2014

To start, I've been using Samba for almost 20 years.
I wanted to use Samba as an AD DC for my business.
Ubuntu 14.04 comes with Samba 4.1.6.  This is a little out of date right 
now as 4.1.13 is available and 4.2 is in release candidate status, but 
it works.
I used the Samba AD DC Howto 
(https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO) as an aid to get it 
going, but there were some things that weren't quite clear.
I started with a fresh install and things weren't quite right.
There are several things that need to be changed immediately to set up 
Ubuntu 14.04 as an AD DC.
First, give your system a static IP address.  I use the GUI's network 
interface tool.
There are several packages that need to be installed.
Kerberos 5 (krb5-kdc) needs to be installed and running.  Leave out the 
kadmind package.  The Samba process does that itself.
I left the krb5.conf that krb5_newrealm created, with the exception that 
I added these two lines from Samba's krb5.conf to it at the beginning:
         dns_lookup_realm = false
         dns_lookup_kdc = true

Then set up the realm, using the same domain as your Samba AD DC will 
use (SAMDOM.EXAMPLE.COM from the Howto, for example).
I recommend removing the avahi-daemon package.  Not terribly sure it 
conflicts with Samba, but at the very least it sounds like a security 
nightmare.  Not really necessary or desirable for a server machine anyway.
Also, the ssh server isn't installed by default.
Disable dnsmasq by removing or commenting out this line in 
/etc/NetworkManager/NetworkManager.conf.  This program conflicts with 
the internal Samba DNS server/proxy.

I changed the DNS search domain to the same as my AD DC domain and set the 
DNS server to
The order of removing dnsmasq and installing/changing everything else is 
a bit tricky.  Try to make sure you have all of the packages you need 
downloaded before disabling dnsmasq but before enabling Samba.  The system 
will be without DNS resolution between these two events.
Right now it works.  I've joined one of my PCs to the domain controller 
and can log in to the domain from it.  I can also use the Microsoft 
RSAT  (Remote Server Administration Tool) to add users.
I think those are the most important details that have been left out of 
the HOWTO.
Also, to me, the daemon/init process is a bit funky and convoluted in 
Ubuntu.  It took me a bit of tinkering to make sure that everything came 
up correctly on a reboot.
I welcome further refinements.  These are just some of my notes :).
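As an added pre-flight check for the two config edits the post describes (example code, not part of the post): it verifies that krb5.conf carries the two dns_lookup settings and a matching upper-case default_realm, and that NetworkManager.conf no longer has an active dnsmasq line. It assumes the settings live under [libdefaults], where krb5_newrealm writes them, and that the NetworkManager line meant by the post is "dns=dnsmasq", which the post does not name.

```shell
#!/bin/sh
# Pre-flight checks for the config edits described in the post, run before
# provisioning the Samba AD DC. Added example, not from the post.
# Assumptions: the krb5 settings sit under [libdefaults] (where
# krb5_newrealm writes them) and the NetworkManager line to remove or
# comment out is "dns=dnsmasq" (the post does not name it).

# check_krb5_conf FILE: 0 if FILE has dns_lookup_realm = false and
# dns_lookup_kdc = true as active (uncommented) settings, else 1.
check_krb5_conf() {
    rc=0
    grep -Eq '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*false' "$1" || rc=1
    grep -Eq '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$1" || rc=1
    return $rc
}

# check_realm FILE REALM: 0 if REALM is upper-case (Kerberos realm names
# are case-sensitive and conventionally upper-case) and FILE's
# default_realm matches it exactly, else 1.
check_realm() {
    [ "$2" = "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" ] || return 1
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1"
}

# check_nm_conf FILE: 0 if no active dns=dnsmasq line remains (a commented
# one is fine, as the post allows), else 1.
check_nm_conf() {
    ! grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq' "$1"
}

# preflight KRB5_CONF NM_CONF REALM: run all checks, report each failure,
# return the number of failed checks (0 means the two files look ready).
preflight() {
    fails=0
    check_krb5_conf "$1" || { echo "FAIL: $1 lacks dns_lookup_realm=false / dns_lookup_kdc=true"; fails=$((fails + 1)); }
    check_realm "$1" "$3" || { echo "FAIL: $1 default_realm is not $3 (or realm not upper-case)"; fails=$((fails + 1)); }
    check_nm_conf "$2"    || { echo "FAIL: $2 still has an active dns=dnsmasq line"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: krb5.conf and NetworkManager.conf look ready"
    return "$fails"
}

# On a real host:
#   preflight /etc/krb5.conf /etc/NetworkManager/NetworkManager.conf SAMDOM.EXAMPLE.COM
if [ $# -ge 3 ]; then preflight "$@"; fi
```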
