[Samba] Re: Setting up new AD on (k)ubuntu 20.04

Krzysztof Kucybała krzysieq at hotmail.com
Mon Dec 7 08:57:04 UTC 2020

Thanks Rowland,
I managed to join the PCs to the domain with the tweaks you suggested, much appreciated. However, I still seem to have two problems and I'm not sure what to do about them:
1) Every 10 minutes or so there's a DNS update failure logged on the DC:

/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

2) Winbind seems noticeably slower than sssd when logging users on. I was thinking that maybe it's the latency from running the DC in a VM, but that VM is hardly doing anything: CPU only rarely spikes above 5% use, RAM use is consistently at 25%. Occasionally, after I logged on and opened a terminal, instead of the usual prompt looking something like:

username at computer:/home/username#

I got something like this:

I have no name!@computer:/home/username#

This seems to come and go without any clear pattern, sometimes it happens, sometimes it doesn't. Everything seems to be working fine though - the user is logged on and they have access to their files and everything.

Any hints?

From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Thursday, 3 December 2020 22:22
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Setting up new AD on (k)ubuntu 20.04

On 03/12/2020 20:38, Krzysztof Kucybała via samba wrote:
> Hi all,
> I've been stuck on this for a good month now trying to set up a small domain at home so that I don't have to manage users on every PC at home separately. With 4 kids doing home schooling right now this is more important than ever, although by now I've spent so much time on this that I probably would've set up the users on every machine 3 times back and forth and still would've spent less time 🙂
> I took the advice and set up a new AD DC in a dedicated VM (Debian 10). I also installed kubuntu fresh on one of the PCs and followed the samba wiki tutorial to join it to the domain using winbind. Here's my basic AD smb.conf:
> [global]
>    dns forwarder =
>    netbios name = PRIMARYDC
>    realm = MYDOMAIN.COM
>    server role = active directory domain controller
>    workgroup = MYDOMAIN
>    idmap_ldb:use rfc2307 = yes
>    template shell = /bin/bash
>    template homedir = /home/%D/%U
Your DC's smb.conf is ok up to here
>    unix extensions = Yes
>    vfs objects = dfs_samba4 acl_xattr recycle
I would remove the unix extensions line, you do not need it on a DC and
as you don't seem to be using the recycle bin, you might as well remove
the 'vfs objects' line.
> [netlogon]
>    path = /var/lib/samba/sysvol/mydomain.com/scripts
>    read only = No
> [sysvol]
>    path = /var/lib/samba/sysvol
>    read only = No
> I tried many different tweaks before I ended up with this on the client PC:
> ## Browsing/Identification ###
> # Change this to the workgroup/NT-domain name your Samba server will be part of
> security = user
This is a domain member, so it should be 'security = ADS'
>     winbind refresh tickets = Yes
>     map acl inherit = Yes
>     store dos attributes = Yes
'store dos attributes = yes' is the default, so not required
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind use default domain = Yes
>     bind interfaces only = Yes
>     interfaces = lo eth0
>     winbind enum users = Yes
>     winbind enum groups = Yes
The two lines above should only be used for testing.
> # server string is the equivalent of the NT Description field
>     server string = %h server (Samba, Ubuntu)
>     winbind nss info = rfc2307
That has been replaced by a line in 'idmap config', so not required.
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config MYDOMAIN:backend = ad
>     idmap config MYDOMAIN:schema_mode = rfc2307
>     idmap config MYDOMAIN:range = 10000-999999
>     idmap config MYDOMAIN:unix_nss_info = Yes
>     idmap config MYDOMAIN:unix_primary_group = Yes
This is where it gets interesting, first have you given your users a
uidNumber containing a unique number inside the 10000-999999 range and
does Domain Users have a gidNumber inside the same range ? Finally, you
have this 'idmap config MYDOMAIN:unix_primary_group = Yes' , so do your
users have a gidNumber attribute containing the number of the group you
wish to use for that user ? None of these attributes are added to AD by
default, you must add them manually.
>     template shell = /bin/bash
>     template homedir = /home/%D/%U
>     username map = /etc/samba/user.map

The user.map should just contain '!root = MYDOMAIN\Administrator'

You have a couple of lines missing:

workgroup = MYDOMAIN

> pam.d configs were updated to contain winbind entries automatically after the installation of the required packages. However, neither this nor any of the configs I experimented with along the way resulted in a workable domain join. When I ran "net ads join" it reported success, but the client was only running winbindd - smbd and nmbd weren't even starting up.

You should ensure that smbd, nmbd and winbind are stopped before the
join, now join the domain, start winbind, then smbd followed by nmbd.

If any of them do not start, check the logs and report the error.
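As an added example (not from this thread, and not Samba's own tooling), the following Python script encodes the review points above as a lint over a domain member's smb.conf: `security` must be `ADS`, `workgroup` must be present, `winbind enum users/groups` are testing-only, `winbind nss info` has been superseded by `idmap config DOMAIN:unix_nss_info`, `store dos attributes` is the default, idmap ranges must not overlap, and with the `ad` backend the rfc2307 attributes (uidNumber, and gidNumber when `unix_primary_group` is set) have to be populated by hand. The two smb.conf texts are constructed from the posted excerpt (before and after the suggested fixes), the user records are constructed sample data in the shape `ldbsearch` would return, and the function names are my own. The `realm` check is not from the thread; it is included because `security = ADS` requires it.

```python
"""Lint a Samba domain-member smb.conf against the review points in the thread.
Added example: not part of the original thread or of Samba itself."""
import re

# Constructed text reproducing the posted client settings (not a real file).
POSTED_MEMBER_CONF = """\
[global]
   security = user
   winbind refresh tickets = Yes
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind use default domain = Yes
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999
   idmap config MYDOMAIN:unix_nss_info = Yes
   idmap config MYDOMAIN:unix_primary_group = Yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
   username map = /etc/samba/user.map
"""

# The same settings with the fixes from the reply applied (also constructed).
FIXED_MEMBER_CONF = """\
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ADS
   winbind refresh tickets = Yes
   winbind use default domain = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 10000-999999
   idmap config MYDOMAIN:unix_nss_info = Yes
   idmap config MYDOMAIN:unix_primary_group = Yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
   username map = /etc/samba/user.map
"""

# Constructed user records in the shape ldbsearch would return (not real data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": "10001", "gidNumber": "10000"},
    {"sAMAccountName": "bob", "uidNumber": "10002"},                          # no gidNumber
    {"sAMAccountName": "carol"},                                              # no uidNumber
    {"sAMAccountName": "dave", "uidNumber": "5000", "gidNumber": "10000"},    # uid outside range
]


def _norm_key(key):
    """Parameter names are case-insensitive; collapse whitespace, including around
    the ':' of 'idmap config DOMAIN : option', so spelling variants compare equal."""
    return re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}}; '#' and ';' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][_norm_key(key)] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _idmap_ranges(g):
    """{domain: (lo, hi)} from every 'idmap config DOMAIN:range = lo-hi' line."""
    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config ([^:]+):range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges


def audit_member(conf):
    """Return [(level, message)] findings for a domain member's [global] section."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").lower() != "ads":
        findings.append(("error", "security must be 'ADS' on a domain member, found %r" % g.get("security", "user")))
    for required in ("workgroup", "realm"):
        if required not in g:
            findings.append(("error", "'%s' is missing" % required))
    for p in ("winbind enum users", "winbind enum groups"):
        if _is_yes(g.get(p, "no")):
            findings.append(("warning", "'%s = yes' is for testing only; it enumerates the whole domain" % p))
    if "winbind nss info" in g:
        findings.append(("warning", "'winbind nss info' is superseded by 'idmap config DOMAIN:unix_nss_info'"))
    if "store dos attributes" in g:
        findings.append(("info", "'store dos attributes = yes' is already the default"))
    ranges = _idmap_ranges(g)
    if "*" not in ranges:
        findings.append(("error", "no 'idmap config * : range' for the default domain"))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        lo, hi = ranges[a]
        if lo >= hi:
            findings.append(("error", "idmap range for %s is empty: %d-%d" % (a, lo, hi)))
        for b in doms[i + 1:]:  # pairwise overlap check between all configured ranges
            if lo <= ranges[b][1] and ranges[b][0] <= hi:
                findings.append(("error", "idmap ranges overlap: %s %s vs %s %s" % (a, ranges[a], b, ranges[b])))
        if g.get("idmap config %s:backend" % a, "").lower() == "ad":
            findings.append(("info", "backend 'ad' for %s: uidNumber (and gidNumber with unix_primary_group) "
                                     "must be set manually in AD" % a))
    return findings


def check_rfc2307_ids(users, conf, domain):
    """{user: reason} for accounts the 'ad' backend cannot map with this config."""
    g = conf.get("global", {})
    lo, hi = _idmap_ranges(g)[domain.lower()]
    need_gid = _is_yes(g.get("idmap config %s:unix_primary_group" % domain.lower(), "no"))
    problems = {}
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            problems[u["sAMAccountName"]] = "no uidNumber"
        elif not lo <= int(uid) <= hi:
            problems[u["sAMAccountName"]] = "uidNumber %s outside %d-%d" % (uid, lo, hi)
        elif need_gid and "gidNumber" not in u:
            problems[u["sAMAccountName"]] = "no gidNumber but unix_primary_group = yes"
    return problems


if __name__ == "__main__":
    for label, text in (("posted", POSTED_MEMBER_CONF), ("fixed", FIXED_MEMBER_CONF)):
        conf = parse_smb_conf(text)
        print("== %s config ==" % label)
        for level, msg in audit_member(conf):
            print("  [%s] %s" % (level, msg))
        for user, why in check_rfc2307_ids(SAMPLE_USERS, conf, "MYDOMAIN").items():
            print("  user %s: %s" % (user, why))
```

Run against a real file with `parse_smb_conf(open("/etc/samba/smb.conf").read())`; the rfc2307 check expects each user as a dict of attribute name to value, which is easy to build from `ldbsearch` or `samba-tool user show` output. The audit only reads the file, so it is safe to run on a live member before restarting winbind.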

