[Samba] Setting up new AD on (k)ubuntu 20.04

Rowland penny rpenny at samba.org
Thu Dec 3 21:22:38 UTC 2020

On 03/12/2020 20:38, Krzysztof Kucybała via samba wrote:
> Hi all,
> I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I've spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time 🙂
> I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:
> [global]
>    dns forwarder =
>    netbios name = PRIMARYDC
>    realm = MYDOMAIN.COM
>    server role = active directory domain controller
>    workgroup = MYDOMAIN
>    idmap_ldb:use rfc2307 = yes
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
Your DC's smb.conf is ok up to here
>    unix extensions = Yes
>    vfs objects = dfs_samba4 acl_xattr recycle
I would remove the unix extensions line, you do not need it on a DC and 
as you don't seem to be using the recycle bin, you might as well remove 
the 'vfs objects' line.
> [netlogon]
>    path = /var/lib/samba/sysvol/mydomain.com/scripts
>    read only = No
> [sysvol]
>    path = /var/lib/samba/sysvol
>    read only = No
> I tried many different tweaks before I ended up with this on the client PC:
> ## Browsing/Identification ###
> # Change this to the workgroup/NT-domain name your Samba server will be part of
> security = user
This is a domain member, so it should be 'security = ADS'
>     winbind refresh tickets = Yes
>     map acl inherit = Yes
>     store dos attributes = Yes
'store dos attributes = yes' is the default, so not required
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind use default domain = Yes
>     bind interfaces only = Yes
>     interfaces = lo eth0
>     winbind enum users = Yes
>     winbind enum groups = Yes
The two lines above should only be used for testing.
> # server string is the equivalent of the NT Description field
>     server string = %h server (Samba, Ubuntu)
>     winbind nss info = rfc2307
That has been replaced by a line in 'idmap config', so not required.
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config MYDOMAIN:backend = ad
>     idmap config MYDOMAIN:schema_mode = rfc2307
>     idmap config MYDOMAIN:range = 10000-999999
>     idmap config MYDOMAIN:unix_nss_info = Yes
>     idmap config MYDOMAIN:unix_primary_group = Yes
This is where it gets interesting, first have you given your users a 
uidNumber containing a unique number inside the 10000-999999 range and 
does Domain Users have a gidNumber inside the same range ? Finally, you 
have this 'idmap config MYDOMAIN:unix_primary_group = Yes' , so do your 
users have a gidNumber attribute containing the number of the group you 
wish to use for that user ? None of these attributes are added to AD by 
default, you must add them manually.
>     template shell = /bin/bash
>     template homedir = /home/%D/%U
>     username map = /etc/samba/user.map

The user.map should just contain '!root = MYDOMAIN\Administrator'

You have a couple of lines missing:

workgroup = MYDOMAIN

> pam.d configs were updated to contain winbind entries automatically after the installation of the required packages. However, neither this nor any of the configs I experimented with on the way resulted in a workable domain join. When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up.

You should ensure that smbd, nmbd and winbind are stopped before the 
join, now join the domain, start winbind, then smbd followed by nmbd.

If any of them do not start, check the logs and report the error.
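As an added illustration of Rowland's point about the 'ad' backend (this is not code from the thread or from Samba): a small Python check that reads the idmap ranges from the member's smb.conf and verifies that a set of AD user and group objects carry uidNumber/gidNumber values inside the MYDOMAIN range, that every user has a gidNumber when unix_primary_group = yes, that Domain Users has a gidNumber, and that the '*' range does not collide with the domain range. The objects below are constructed, hypothetical samples; on a real DC they would come from ldbsearch or samba-tool, which is assumed rather than shown.

```python
import re

# Constructed sample: the idmap lines of the domain member's smb.conf from the thread.
SMB_CONF = """
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:range = 10000-999999
   idmap config MYDOMAIN:unix_primary_group = Yes
"""

# Constructed, hypothetical AD objects, in the shape ldbsearch would report their attributes.
AD_OBJECTS = [
    {"sAMAccountName": "alice", "objectClass": "user", "uidNumber": "10001", "gidNumber": "10000"},
    {"sAMAccountName": "bob", "objectClass": "user", "uidNumber": "10002"},  # no gidNumber
    {"sAMAccountName": "carol", "objectClass": "user"},                       # no uidNumber
    {"sAMAccountName": "Domain Users", "objectClass": "group", "gidNumber": "10000"},
    {"sAMAccountName": "Staff", "objectClass": "group", "gidNumber": "5000"},  # outside range
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect every 'idmap config DOM:option = value' line into {DOM: {option: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return cfg

def check_rfc2307(conf, objects, domain="MYDOMAIN"):
    """Return findings; an empty list means the 'ad' backend has the attributes it needs."""
    cfg = parse_idmap(conf)
    lo, hi = map(int, cfg[domain]["range"].split("-"))
    dlo, dhi = map(int, cfg["*"]["range"].split("-"))
    need_gid = cfg[domain].get("unix_primary_group", "no").lower() == "yes"
    findings = []
    if dlo <= hi and lo <= dhi:  # the '*' and domain ranges must never overlap
        findings.append(f"'*' range {dlo}-{dhi} overlaps {domain} range {lo}-{hi}")
    for o in objects:
        name, is_user = o["sAMAccountName"], o["objectClass"] == "user"
        for attr in ("uidNumber", "gidNumber"):
            if attr in o and not lo <= int(o[attr]) <= hi:
                findings.append(f"{name}: {attr}={o[attr]} is outside {lo}-{hi}")
        if is_user and "uidNumber" not in o:
            findings.append(f"{name}: no uidNumber, so winbind cannot map this user")
        if (is_user and need_gid or name == "Domain Users") and "gidNumber" not in o:
            findings.append(f"{name}: no gidNumber (required by unix_primary_group / Domain Users)")
    return findings
```

Run against the sample it reports bob (no gidNumber), carol (no uidNumber and no gidNumber) and Staff (gidNumber outside the range), while alice and Domain Users pass.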
