[Samba] Samba AD 4.8.3 Windows Server 2016 Active Directory Users and Computers: The procedure number is out of range

Thomas Glanzmann thomas at glanzmann.de
Wed Jul 18 16:18:46 UTC 2018

Hello Rowland,

> These shouldn't be set or are defaults:
> name resolve order = host
> passdb backend = tdbsam
> security = user
> domain logons = yes
> log level = 3
> os level = 64
> preferred master = yes
> local master = yes
> domain master = yes
> tls keyfile  = key.pem
> tls certfile = cert.pem
> tls cafile   = ca.pem

I kicked these out. I found the config somewhere on the Internet and
left the stuff I did not understand as provided.

> time server = yes

I have ntpd configured on the ip address which serves time. So I leave
it in.

> This is definitely wrong:
> dns forwarder =
> You do not forward to itself.

Actually, I do. I have a recursive bind listening on and
recursive name lookup works also via the SAMBA internal DNS
implementation. So I'm happy with it.

> This is all 'netlogon' needs:

> [netlogon]
> comment = Domain Logon Service
> path = /local/samba-config/v101/netlogon
> read only = no


> 'sysvol' is okay except it needs to be writeable.

fixed as well.

> You also do not set the maximum password age with pdbedit.

I do, but you're saying I should not? I do in the shell script:

/local/samba/bin/samba-tool user setexpiry Administrator --noexpiry -s ${SAMBACONFIG}
/local/samba/bin/pdbedit -s ${SAMBACONFIG} -P "maximum password age" -C -1

While my active directories do not survive one week, I thought just to be on
the safe side, I disable password aging. Is there a better way?

> Yes try reading up on Samba AD more before trying to train others on
> how to use it. ;-)

Rest assured, I'm training no one on samba, I just need an active directory to
be able to show a domain join with VMware products. That's all. However I was
quite impressed how far samba has come. And how well it works. Can you
recommend a book or a documentation to get more familiar with SAMBA AD?

Thanks a lot. After your cleanup, I can now use Active Directory Users
and Computers. My new Samba Config is here:



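Added example, not part of the original message or of Samba itself: a small checker that flags the parameters from the quoted "shouldn't be set or are defaults" list when they appear in [global] of an smb.conf. The function names and the sample config are constructed for illustration; restricting the check to [global] is an assumption.

```python
import re

# Parameters from the quoted list in this thread ("shouldn't be set or are defaults").
FLAGGED = [
    "name resolve order", "passdb backend", "security", "domain logons",
    "log level", "os level", "preferred master", "local master",
    "domain master", "tls keyfile", "tls certfile", "tls cafile",
]

def norm(name):
    """smb.conf ignores case and whitespace in parameter and section names."""
    return re.sub(r"\s+", "", name).lower()

FLAGGED_NORM = {norm(p): p for p in FLAGGED}

def lint_smb_conf(text):
    """Return (line_no, section, parameter, value) for each flagged [global] setting."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)  # section header
        if m:
            section = norm(m.group(1))
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if section == "global" and norm(key) in FLAGGED_NORM:
            findings.append((no, section, FLAGGED_NORM[norm(key)], value.strip()))
    return findings

# Constructed sample config (not the poster's real file).
SAMPLE = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    Security = user
    passdb  backend = tdbsam
    ; domain master = yes
    log level = 3
[netlogon]
    path = /srv/netlogon
    read only = no
"""

if __name__ == "__main__":
    for no, sec, param, value in lint_smb_conf(SAMPLE):
        print(f"line {no}: [{sec}] {param} = {value}")
```
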