Setup a Samba AD Member Server

From SambaWiki


This HOWTO describes a basic setup of a Samba 4.x member server that is part of an Active Directory domain, regardless of whether Samba or Windows provides the AD.


Required packages

See Samba OS Requirements for dependencies and recommendations.

Compiling and installation

After you have downloaded and unpacked the sources, you have to run

# ./configure --with-ads --with-shared-modules=idmap_ad --{add other options, if required for your environment}
# make
# make install

You have to run these commands inside the root of the extracted source directory.

If you have problems with the new waf build system, you can try the old one by running the commands from the 'source3' directory. But in this case, let the developers know about your problems on the samba-technical mailing list, so they can be fixed soon!

For additional information on the waf build system, see BUILD_SYSTEMS.txt and Buildsystem Use And Why.

Setting up a basic smb.conf

The following is a very basic example of an smb.conf. Normally this file is located in /usr/local/samba/etc/ (depending on your 'configure' parameters, it could be located in a different place, too):


   [global]
   workgroup = SHORTDOMAINNAME
   security = ADS

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000

   winbind nss info = rfc2307

   ; share sections follow [global]; the share name "test" is only an example
   [test]
   path = /srv/samba/test
   read only = no

This is just a very basic example that will make your member server part of your Active Directory. The ID mapping for domain users/groups is done via schema mode rfc2307: users/groups that have a uidNumber/gidNumber set in AD are available on your member server with the same IDs as in your AD. If you use different UID/GID ranges in your AD, you have to adapt the ranges accordingly. For all non-domain accounts (like BUILTIN, etc.) the mappings are stored in a local TDB file and the IDs are allocated from the given range.

For further explanation on the smb.conf parameters, see the manpage.
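One check worth running before you join: the range given to the local tdb allocator (`idmap config *:range`) and the range taken from AD (`idmap config SHORTDOMAINNAME:range`) must not overlap, or a BUILTIN or foreign SID can be allocated the same UID/GID that a domain account already carries in AD. The script below is an added example and not code from the SambaWiki page or the Samba project; it parses the `idmap config ...:range` lines out of an smb.conf with awk and reports any overlapping or inverted ranges. The two sample configurations it checks are constructed for the example (the first uses the ranges from the smb.conf above); assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the SambaWiki page: check that the idmap ranges
# configured in an smb.conf do not overlap. Overlapping ranges let IDs from
# the local tdb allocator collide with uidNumber/gidNumber values taken from
# AD. Assumes POSIX sh and awk; the sample configs below are constructed.

# Print "domain low high" for every "idmap config <domain>:range = low-high".
idmap_ranges() {
    awk '
        /^[ \t]*idmap config [^:]+:range[ \t]*=/ {
            line = $0
            sub(/^[ \t]*idmap config /, "", line)
            split(line, kv, ":range[ \t]*=[ \t]*")
            gsub(/[ \t]/, "", kv[2])
            split(kv[2], r, "-")
            print kv[1], r[1], r[2]
        }' "$1"
}

# Exit 0 when every range has low <= high and no two ranges overlap;
# otherwise print the offending ranges and exit 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (lo[n] > hi[n]) {
                printf "invalid range for %s: %d-%d\n", dom[n], lo[n], hi[n]
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

GOOD_CONF=$(mktemp) ; BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Constructed sample: the ranges from the smb.conf above, which are disjoint.
cat > "$GOOD_CONF" <<'EOF'
[global]
   workgroup = SHORTDOMAINNAME
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000
EOF

# Constructed sample: the domain range was widened and now collides with
# the tdb range used for BUILTIN and other non-domain SIDs.
cat > "$BAD_CONF" <<'EOF'
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:range = 500-75000
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_idmap_ranges "$conf"; then
        echo "$conf: idmap ranges OK"
    else
        echo "$conf: idmap ranges need fixing"
    fi
done
```

Run it against your real file with `check_idmap_ranges /usr/local/samba/etc/smb.conf`; it complements `testparm`, which validates the syntax of smb.conf but does not check the ranges against each other.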

Joining the member server to the domain

# net ads join -U administrator

Make domain users/groups available locally through winbind

To make your domain users and groups available on your member server, you have to place two links in your /lib folder:

# ln -s /usr/local/samba/lib/ /lib
# ln -s /lib/ /lib/
# ldconfig

If you are running on a 64-bit Linux system ("uname -i" returns "x86_64"), you need to replace /lib with /lib64, as shown below. If you do not, the 'wbinfo' check will work fine but the 'getent' one will not.

# ln -s /usr/local/samba/lib/ /lib64/
# ln -s /lib64/ /lib64/

If you are running on a 64-bit Linux system that uses multiarch for library management, such as Debian or newer Ubuntu distributions, you need to replace /lib with /lib/<tuple>. You can find the value of your system's tuple by running "gcc -print-multiarch". If you do not do this, the 'wbinfo' check will work fine but the 'getent' check will fail to list domain accounts.

# gcc -print-multiarch

should return output such as:

x86_64-linux-gnu

You may then use that value to create your symbolic links to the appropriate libraries.

# ln -s /usr/local/samba/lib/ /lib/x86_64-linux-gnu/
# ln -s /lib64/ /lib/x86_64-linux-gnu/

The next step is to add 'winbind' to the 'passwd' and 'group' entry of your /etc/nsswitch.conf:

passwd: compat winbind
group:  compat winbind

Starting the daemons

If you have finished the above steps, you can start the following services:

  • winbindd
  • smbd
  • nmbd

You should write or obtain a start script to avoid starting the services by hand every time. Make sure that winbind is started before smbd.

Testing the winbind user/group mapping

To check whether winbind receives users and groups from the domain, run the following commands:

# wbinfo -u
# wbinfo -g

This should show a list of all users and groups provided by the domain via winbind.

If you have set up your nsswitch.conf correctly, you should also be able to get users and groups from the domain:

# getent passwd DOMAIN\\user
# getent group DOMAIN\\group

Enumeration of users and groups ("getent passwd/group" without a further argument) is disabled by default, because the domain can be very large and enumerating it is a bad idea in such cases.

If you cannot look up users with "getent" even though you see them with "wbinfo", look at AD and verify that all groups have GIDs. It may not be strictly necessary to have GIDs on *all* groups, but unless someone with a better understanding can clarify the requirement, it is the safe thing to do.
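The "wbinfo works but getent does not" symptom described above and in the library-link steps almost always means NSS is not consulting winbind at all. The script below is an added example, not code from the SambaWiki page or the Samba project: it parses an nsswitch.conf the way the nsswitch.conf step above asks you to edit it, and reports whether the passwd and group databases list winbind among their sources. The two sample nsswitch.conf files it checks are constructed for the example; assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the SambaWiki page: verify that nsswitch.conf
# hands the passwd and group databases to winbind. Without that, "wbinfo"
# (which talks to winbindd directly) still lists domain accounts while
# "getent" (which goes through NSS) does not. Assumes POSIX sh and awk;
# the sample files below are constructed.

# Print the sources listed for one NSS database, e.g. "compat winbind".
nss_sources() {
    # $1 = nsswitch.conf path, $2 = database name (passwd, group, ...)
    awk -v db="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                      # drop comments
            if (line ~ ("^[ \t]*" db "[ \t]*:")) {
                sub("^[ \t]*" db "[ \t]*:[ \t]*", "", line)
                sub(/[ \t]+$/, "", line)
                print line
                exit
            }
        }' "$1"
}

# Exit 0 when winbind is among the sources for database $2 in file $1.
nss_uses_winbind() {
    nss_sources "$1" "$2" | awk '
        { for (i = 1; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Report both databases the page tells you to change; exit 1 if either lacks winbind.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then
            echo "$db: $(nss_sources "$1" "$db")"
        else
            echo "$db: winbind missing (add it to the '$db:' line in $1)"
            rc=1
        fi
    done
    return $rc
}

GOOD_NSS=$(mktemp) ; BAD_NSS=$(mktemp)
trap 'rm -f "$GOOD_NSS" "$BAD_NSS"' EXIT

# Constructed sample: passwd and group as the page says they should look.
cat > "$GOOD_NSS" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd: compat winbind
group:  compat winbind
shadow: compat
hosts:  files dns
EOF

# Constructed sample: the group line was never changed, so "getent group"
# will not show domain groups even though "wbinfo -g" does.
cat > "$BAD_NSS" <<'EOF'
passwd: compat winbind   # winbind added here
group:  compat
EOF

for f in "$GOOD_NSS" "$BAD_NSS"; do
    if check_nsswitch "$f"; then echo "$f: OK"; else echo "$f: needs fixing"; fi
done
```

On a real member server run `check_nsswitch /etc/nsswitch.conf`; if it passes but `getent passwd DOMAIN\\user` still fails, the remaining suspects are the libnss_winbind links and ldconfig step above (the NSS module must be found in the directory your libc actually searches) and missing uidNumber/gidNumber attributes in AD.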

Setting up services

Check your logfiles

To be sure that your member server works fine, check the Samba logfiles for errors.


Configure NTP (Optional, but highly recommended)

Active Directory requires accurate time synchronization between the clients and the DC(s). It is highly recommended to run NTP or another form of time synchronization. The Configure NTP page shows the full NTP configuration process, including SELinux policies.
