Success report: Samba4 as Active Directory DC (incl. notes for Wiki)
Otso Kassinen
akassine at ee.oulu.fi
Wed Mar 27 07:16:58 MDT 2013
Dear Samba4 Developers,
I report here my success in installing Samba4 as an Active Directory DC.
Reporting success was requested at the end of the instructions:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Thanks for providing the very good instructions in the Samba Wiki!
I managed to set up the AD DC (server: Ubuntu 12.04.2 LTS, 64-bit) with the
Samba-internal DNS server, and log on to the AD domain as several AD-created
users (client: PC, Win 7 64-bit).
There were some surprises during the deployment; I list them below.
You can add related information to the Wiki page to help other people, in
case they run into the same surprises:
* It could be good to mention that this message (when running samba -i):
"RuntimeError: kinit for SOMEHOST$@SOMEDOMAIN failed (Cannot contact any KDC for requested realm)"
is a sign that DNS is not working correctly - the error disappeared when
the Samba-internal DNS server was correctly selected in resolv.conf.
* Every time I start up the Samba4 AD DC, it first gives this error several times:
"TSIG error with server: tsig verify failure". However, when I kill the
server process and immediately restart it, the TSIG errors disappear and
the server works OK. (Later, the TSIG errors appear again, but user
logins still work.) Mentioning something about this in the Wiki could be nice.
* Maybe obvious, but it can be mentioned that if using the Samba-internal DNS,
then the bind9 server (or any locally running DNS server) must first be
stopped to avoid errors such as:
"Failed to listen on 0.0.0.0:53 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED"
* I spent a lot of time getting rid of this error:
"There are currently no logon servers to service the logon request", which
was displayed when I had joined the PC to the domain and tried to log in
as a non-Administrator user. (The Domain Administrator logged in OK, probably
because the credentials were cached during joining the domain.)
The reason was that I had defined a wireless network interface for
connecting to the AD domain, and the wireless interface was not connected
when the "username and password" login dialog was shown to the users.
The solution: I just edited the WLAN connection's properties in Win7 and
enabled "Automatically connect", i.e. created a "Bootstrap Wireless Profile".
(Note: before finding this out, I suspected the error to be related to
NetBIOS name resolution. I activated WINS support in smb.conf and defined
the server's IP as the WINS server in Win7 network interface properties. I
don't know if this had any effect on anything, but well, I mention it
here.)
* I created the profiles share in /usr/local/samba/var/profiles, as
instructed, but nothing appears there even after several users have used
their accounts.
Intuitively, I thought that the profiles share directory would contain
some automatically saved data related to users. The purpose of the
profiles share could be explained briefly in the Wiki (in what situations
something is actually saved under the profiles directory).
I didn't yet try to add any OU or GPO to my domain, but I already report
success, because the most important AD DC functionality works now :)
Best regards,
Otso Kassinen
University of Oulu, Finland
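Two of the surprises above (the kinit "Cannot contact any KDC" failure and NT_STATUS_ADDRESS_ALREADY_ASSOCIATED on port 53) have causes that can be checked on the DC before starting samba. The following pre-flight script is an added example written for this post, not code from the Samba project or from the reporter; it assumes the DC's IP is passed as the first argument and that `ss -lnup` is available for the live run.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a Samba4 AD DC that uses the Samba-internal DNS.
Assumed helper (not from the Samba project): run on the DC before `samba -i`."""
import re
import subprocess
import sys

# Messages quoted in the report above, mapped to the cause found there.
HINTS = {
    "Cannot contact any KDC": "resolv.conf must point at the Samba-internal DNS (the DC's own IP)",
    "NT_STATUS_ADDRESS_ALREADY_ASSOCIATED": "another DNS server (e.g. bind9) owns port 53; stop it first",
    "tsig verify failure": "TSIG errors at startup; reported as clearing after an immediate restart",
}
# One `ss -lnup` line whose local address is bound to port 53 and names its process.
LISTENER_RE = re.compile(r'\S+:53\s.*?users:\(\("(?P<proc>[^"]+)"')

def first_nameserver(resolv_conf_text):
    """First 'nameserver' entry in resolv.conf text; comments are ignored."""
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            return fields[1]
    return None

def resolv_points_to_dc(resolv_conf_text, dc_ip):
    """Kerberos must find the KDC through the Samba-internal DNS, so the
    first nameserver has to be the DC itself (its own IP or loopback)."""
    return first_nameserver(resolv_conf_text) in (dc_ip, "127.0.0.1")

def port53_owners(ss_output):
    """Process names already listening on port 53 according to `ss -lnup` output."""
    matches = map(LISTENER_RE.search, ss_output.splitlines())
    return sorted({m.group("proc") for m in matches if m})

def diagnose(log_text):
    """Map known error messages in Samba output to the hint for their cause."""
    return [(key, hint) for key, hint in HINTS.items() if key in log_text]

if __name__ == "__main__":  # live run on the DC: python3 preflight.py <dc_ip>
    dc_ip = sys.argv[1]
    with open("/etc/resolv.conf") as f:
        print("resolv.conf points at this DC:", resolv_points_to_dc(f.read(), dc_ip))
    ss = subprocess.run(["ss", "-lnup"], capture_output=True, text=True).stdout
    print("processes already on port 53:", port53_owners(ss) or "none")
```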
More information about the samba-technical mailing list