Windows Active Directory with SAMBA4

13 minute read , Aug 06, 2013

Setting up an Active Directory server for company domain is a must in these days. It provides centralized management of user rights and permissions and secure access to shared resources. It is very convenient for exporting users home directories thus avoiding the need of backups. It also provides SSO (Single Sign On) for various services like Apache, SSH, Nslcd etc. using Kerberos MIT tickets. The newly released Samba4 makes this set up free of the usual Microsoft AC charges and licences.


We’ll be using CentOS6.4 x86_64 for OS for our Active Directory server. It will be running as a VM (smb4dc) inside our office PVE virtualization server.

Setup network interface and FQDN on the VM instance

After we launch our VM, we connect via VNC console and create the following network interface file:

[root@smb4dc]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

to make the VM part of our office network. We set up the host name too:

[root@smb4dc]# vi /etc/sysconfig/network

to be part of our internal/private office domain

Install needed packages, set user and switch off SElinux

[root@smb4dc]# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5 gnutls-devel openssl-devel libacl-devel git-core
[root@smb4dc]# useradd -c "Igor Cicimov" -m -s /bin/bash -G wheel igorc
[root@smb4dc]# passwd igorc
[root@smb4dc]# vi /etc/sysconfig/selinux
[root@smb4dc]# setenforce 0

Prepare the file system

We need to set some extended user attributes on the file system for best SAMBA AD DC support. Recommended file systems are ext3, ext4 and xfs as ones with the needed features available. We use ext4 on our server. To enable the additional features we change:

/dev/mapper/VolGroup-lv_root /     ext4    defaults        1 1


/dev/mapper/VolGroup-lv_root /     ext4    user_xattr,acl,barrier=1        1 1

in /etc/fstab.conf file. Then we remount the file system:

[root@smb4dc]# mount -a -o remount,rw /

Without barrier=1 the TDB database used by SAMBA can’t be guaranteed to be consistent in case of system crash. The xattr and acl is needed for the windows share permissions set up and making them available on the user side.


We need to download, compile and install the latest SAMBA from its official web site:

[igorc@smb4dc ~]$ git clone git:// samba-master
[igorc@smb4dc ~]$ cd samba-master
[igorc@smb4dc samba-master]$ ./configure --enable-debug --enable-selftest
[igorc@smb4dc samba-master]$ make
[igorc@smb4dc samba-master]$ sudo make install
[igorc@smb4dc samba-master]$ sudo shutdown -r now

Then we provision our internal domain:

[igorc@smb4dc samba-master]$ sudo /usr/local/samba/bin/samba-tool domain provision
 Domain [ENCOMPASS]:
 Server Role (dc, member, standalone) [dc]:
 DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=encompass,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=encompass,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              smb4dc
NetBIOS Domain:        ENCOMPASS
DNS Domain:  
DOMAIN SID:            S-1-5-21-4154966781-565189077-2949095343

I have chosen one of the public Google DNS servers ( for DNS forwarder in the above configuration. When done the Samba config file will now look like this:

[root@smb4dc samba]# cat /usr/local/samba/etc/smb.conf
# Global parameters
        workgroup = ENCOMPASS
        realm = ENCOMPASS.COM
        netbios name = SMB4DC
        server role = active directory domain controller
        dns forwarder =
        path = /usr/local/samba/var/locks/sysvol/
        read only = No
        path = /usr/local/samba/var/locks/sysvol
        read only = No

One good thing with this Samba release is that all those services Samba3 needed and which were running as external, ie DNS, OpenLDAP, winbind, Kerberos etc, are now built in into Samba4! It even provides Kerberos config file and setup. To check if DNS is working:

[root@smb4dc ~]# host -t SRV has SRV record 0 100 389
[root@smb4dc ~]# host -t A has address
[root@smb4dc ~]# host -t SRV has SRV record 0 100 88

We grab the Kerberos config provided by Samba4 and we copy it over under /etc:

[root@smb4dc ~]# mv /etc/krb5.conf /etc/krb5.conf.default
[root@smb4dc ~]# cp /usr/local/samba/private/krb5.conf /etc/krb5.conf
[root@smb4dc ~]# kinit administrator@ENCOMPASS.COM
Password for administrator@ENCOMPASS.COM:
Warning: Your password will expire in 41 days on Wed Sep 11 07:31:28 2013
[root@smb4dc ~]#

To check if its working:

[root@smb4dc ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ENCOMPASS.COM
Valid starting     Expires            Service principal
07/31/13 07:47:31  07/31/13 17:47:31  krbtgt/ENCOMPASS.COM@ENCOMPASS.COM
    renew until 08/01/13 07:47:27
[root@smb4dc ~]#


[root@smb4dc samba]# /usr/local/samba/sbin/samba
[root@smb4dc samba]# ps -ef | grep samba
root      5682     1  2 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5683  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5684  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5685  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5686  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5687  5682  6 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5688  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5689  5683  2 14:59 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5690  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5691  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5692  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5693  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5694  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5695  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5696  5682  0 14:59 ?        00:00:00 /usr/local/samba/sbin/samba
root      5699  5689  0 14:59 ?        00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root      5701  1475  0 15:00 pts/0    00:00:00 grep samba
[root@smb4dc samba]# kill -TERM 5682


Time is very important in AD and all workstations that join the domain must be in sync with the DC. The allowed clock drift is just a couple of milliseconds.

For ntpd package compiled with SAMBA support we just do:

[root@smb4dc ~]# yum install ntp
[root@smb4dc ~]# chkconfig ntpd on
[root@smb4dc ~]# service ntpd start
Starting ntpd:                                             [  OK  ]

[root@smb4dc ~]# ntpstat
  time server re-starting
   polling server every 64 s
[root@smb4dc ~]# ntpstat
synchronised to NTP server ( at stratum 3
   time correct to within 37 ms
   polling server every 64 s

[root@smb4dc ~]# date
Wed Jul 31 18:12:50 EST 2013

But CentOS minimal install doesn’t come with one. So we build from source to enable signd service for Samba support:

[igorc@smb4dc ~]$ wget
[igorc@smb4dc ~]$ tar -xzvf ntp-4.2.6p5.tar.gz
[igorc@smb4dc ~]$ cd ntp-4.2.6p5
[igorc@smb4dc ntp-4.2.6p5]$ ./configure --enable-ntp-signd
[igorc@smb4dc ntp-4.2.6p5]$ make
[igorc@smb4dc ntp-4.2.6p5]$ sudo make install
[igorc@smb4dc ntp-4.2.6p5]$ sudo vi /etc/ntpd.conf
fudge stratum 10
server  iburst prefer
server  iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default kod nomodify notrap nopeer mssntp
restrict mask nomodify notrap nopeer noquery
restrict mask nomodify notrap nopeer noquery

SAMBA4 has Unix socket opened for communication with NTP in /usr/local/samba/var/lib/ntp_signd/ hence the above configuration. We also set appropriate permissions on that directory so the ntp user has read access:

[igorc@smb4dc ntp-4.2.6p5]$ sudo chown root:ntp /usr/local/samba/var/lib/ntp_signd/
[igorc@smb4dc ntp-4.2.6p5]$ sudo chmod 0750 /usr/local/samba/var/lib/ntp_signd/

At the end we start the server:

[root@smb4dc samba]# /usr/local/bin/ntpd

and put the above command in /etc/rc.d/rc.local as well for auto start on boot up.

To check for peers and clock status:

[root@smb4dc samba]# ntpdc -s -l
client    LOCAL(0)
     remote           local      st poll reach  delay   offset    disp
*    2   64   17 0.06996  0.003538 0.03880
 LOCAL(0)       10   64   14 0.00000  0.000000 1.98436
.resolver02.as24    2   64   17 0.03087  0.006614 0.04684


After we have set up the above services, we configure the firewall to have the following ports open:

53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (AD?)

The configuration:

[root@smb4dc ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

And we restart the iptables service and set it to start up on boot time:

[root@smb4dc ~]# service iptables restart
[root@smb4dc ~]# chkconfig iptables on

BIND as DNS back-end (optional)

This is in case we don’t want to use the built in SAMBA4 DNS server. It’s been given here just in case we already have DNS server running somewhere for our domain and we want to integrate it with Samba AD.

Compile latest BIND 9.9.3 atm with options for Samba DC (kerberos support etc.):

[igorc@smb4dc ~]$ wget
[igorc@smb4dc ~]$ tar -xzvf bind-9.9.3-P2.tar.gz
[igorc@smb4dc ~]$ cd bind-9.9.3-P2
[igorc@smb4dc bind-9.9.3-P2]$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
[igorc@smb4dc bind-9.9.3-P2]$ make
[igorc@smb4dc bind-9.9.3-P2]$ sudo make install
[igorc@smb4dc bind-9.9.3-P2]$ sudo cp ./bin/tests/system/common/rndc.key /etc/

Alternatively, the missing rndc.key can also be generated by running rndc-confgen command:

[root@smb4dc named]# rndc-confgen -a
wrote key file "/etc/rndc.key"

Set minimal named.conf file:

[root@smb4dc ~]# vi /etc/named.conf
# Global options
options {
       auth-nxdomain yes;
       directory "/var/named";
       forwarders {;; };
       allow-transfer { none; };
       notify no;
       empty-zones-enable no;
       allow-query {
       allow-recursion {
# Root servers (required zone for recursive queries)
zone "." {
       type hint;
       file "named.root";
# Required localhost forward-/reverse zones
 zone "localhost" {
       type master;
       file "zones/master/";
zone "" {
       type master;
       file "zones/master/";

Set BIND user account and directory:

[root@smb4dc ~]# groupadd -g 25 named
[root@smb4dc ~]# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named
[root@smb4dc ~]# mkdir /var/named
[root@smb4dc named]# mkdir -p /var/named/zones/master

Download the root name server list from InterNIC:

# wget -q -O /var/named/named.root
# chown named:named /var/named/named.root

Create zone files:

[root@smb4dc named]# vi /var/named/zones/master/
$ORIGIN localhost.
@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D              ; minimum
@       IN      NS      @
        IN      A
[root@smb4dc named]# vi /var/named/zones/master/
@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
       IN      NS      localhost.
1      IN      PTR     localhost.

Set proper file permissions:

[root@smb4dc named]# chown named:named /var/named/zones/master/*.zone
[root@smb4dc named]# chmod 640 /var/named/zones/master/*.zone

Finally start the daemon:

[root@smb4dc named]# named -u named
[root@smb4dc named]# tail -f /var/log/messages

Quick status check:

[root@smb4dc named]# rndc status
version: 9.9.3-P2
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

At the end we need to change the SAMBA settings and tell it to use the external DNS. This is the BIND9_DLZ option --dns-backend=BIND_DLZ when we set the domain. If we are already on internal DNS and want to move to BIND9_DLZ, then we run samba_upgradedns script and configure the BIND DLZ module.

Client and config test

Some useful commands and tools are given bellow for purpose of status check of our newly running Active Directory server.

[root@smb4dc ~]# /usr/local/samba/bin/smbclient --version
Version 4.2.0pre1-GIT-7615b25

[root@smb4dc ~]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[ENCOMPASS] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-7615b25]
    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk     
    sysvol          Disk     
    IPC$            IPC       IPC Service (Samba 4.2.0pre1-GIT-7615b25)
Domain=[ENCOMPASS] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-7615b25]
    Server               Comment
    ---------            -------
    Workgroup            Master
    ---------            -------
[root@smb4dc ~]#

Global settings:

[root@smb4dc samba]# testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Press enter to see a dump of your service definitions
    workgroup = ENCOMPASS
    realm = ENCOMPASS.COM
    server role = active directory domain controller
    passdb backend = samba_dsdb
    dns forwarder =
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    idmap config * : backend = tdb
    map archive = No
    map readonly = no
    store dos attributes = Yes
    vfs objects = dfs_samba4, acl_xattr
    path = /usr/local/samba/var/locks/sysvol/
    read only = No
    path = /usr/local/samba/var/locks/sysvol
    read only = No
[root@smb4dc samba]#

[root@smb4dc ~]# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator% -P -c 'ls'
Domain=[ENCOMPASS] OS=[Unix] Server=[Samba 4.2.0pre1-GIT-7615b25]
  .                                   D        0  Wed Jul 31 07:31:21 2013
  ..                                  D        0  Wed Jul 31 07:31:30 2013
        61497 blocks of size 524288. 53831 blocks available
[root@smb4dc ~]#

List the own domain:

[root@smb4dc samba]# /usr/local/samba/bin/wbinfo --own-domain

This is the name (ENCOMPASS) we’ll be using in the Windows client set up to join the workstation to the AD.

List Windows Domain users and groups:

[root@smb4dc samba]# /usr/local/samba/bin/wbinfo -u
[root@smb4dc samba]# /usr/local/samba/bin/wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
[root@smb4dc samba]#

Check the winbind service is running:

[root@smb4dc samba]# /usr/local/samba/bin/wbinfo -p
Ping to winbindd succeeded

Check the RPC service:

[root@smb4dc samba]# rpcclient localhost -U% -c enumprivs
found 25 privileges
SeMachineAccountPrivilege       0:6 (0x0:0x6)
SeTakeOwnershipPrivilege        0:9 (0x0:0x9)
SeBackupPrivilege       0:17 (0x0:0x11)
SeRestorePrivilege      0:18 (0x0:0x12)
SeRemoteShutdownPrivilege       0:24 (0x0:0x18)
SePrintOperatorPrivilege        0:4097 (0x0:0x1001)
SeAddUsersPrivilege         0:4098 (0x0:0x1002)
SeDiskOperatorPrivilege         0:4099 (0x0:0x1003)
SeSecurityPrivilege         0:8 (0x0:0x8)
SeSystemtimePrivilege       0:12 (0x0:0xc)
SeShutdownPrivilege         0:19 (0x0:0x13)
SeDebugPrivilege        0:20 (0x0:0x14)
SeSystemEnvironmentPrivilege        0:22 (0x0:0x16)
SeSystemProfilePrivilege        0:11 (0x0:0xb)
SeProfileSingleProcessPrivilege         0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege         0:14 (0x0:0xe)
SeLoadDriverPrivilege       0:10 (0x0:0xa)
SeCreatePagefilePrivilege       0:15 (0x0:0xf)
SeIncreaseQuotaPrivilege        0:5 (0x0:0x5)
SeChangeNotifyPrivilege         0:23 (0x0:0x17)
SeUndockPrivilege       0:25 (0x0:0x19)
SeManageVolumePrivilege         0:28 (0x0:0x1c)
SeImpersonatePrivilege      0:29 (0x0:0x1d)
SeCreateGlobalPrivilege         0:30 (0x0:0x1e)
SeEnableDelegationPrivilege         0:27 (0x0:0x1b)

Managing SAMBA AD from Windows

Install Win7/WinXP or similar and, this is very important, set the DNS server to the IP of the Samba4 AD in the network interface configuration. Then join the workstation to the ENCOMPASS domain (see screen shots).

When “Network ID” clicked, enter AD user name and ENCOMPASS for domain name in the fields and click OK. If all good you will be presented with the AD domain welcome screen as confirmation of successfully joining the domain. Restart the PC and you should get a Login screen now where you enter your Domain user name and password and choose “ENCOMPASS” in the “Login to:” drop box:

After installing WIn7 or WinXP in my case, we follow the links given on the Samba support page

Basically, install the RSAT tools from:

and start the Acite Directory Management from Amdin Tools:

That’s it, now we have fully flagged Active Directory server and Windows Management UI where we can set and edit users, groups, shares and policies. The same Manager can be used for AD DNS administration ie creating or editing zones and records.

Leave a Comment