FAQ: Difference between revisions

From SambaWiki
m (Updated link)
(add ldb on LMDB size notes)
= Introduction =
The questions and answers on this page have been extracted from the [http://lists.samba.org/archive/samba-technical/ Samba technical mailing list].


The questions listed here are frequently asked on the [http://lists.samba.org/archive/samba/ Samba mailing list].






= General =


== Can I use Samba 4.0 as an AD DC on my production server right now? ==


= General Samba Questions =
We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example, the file server in the smbd binary.


== When Will the next Samba Version Be Released? ==
Of course, normal Systems Administration caution is generally advised, as an AD Domain is the central hub for authentication on a network. We also advise participation on our mailing lists to discuss any issues that arise.


For details, see [[Samba_Release_Planning|Samba Release Planning]].
We do however encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.






== Can I Get Help with a Problem in an Unsupported Samba Version? ==
== When will Samba 4.0 releases be made? ==


Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see [[Samba_Release_Planning|Samba Release Planning]].
For the current Samba 4.0 and 4.x release plans, please see [[Samba Release Planning]].


If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.




== How to do or fix ... in an outdated Samba version? ==


== How Do I Update Samba? ==
Often people are asking for help/support for very outdated versions on the mailing lists or other places. You should really consider moving to a recent version (best would be the latest version of the current series). See the [[Samba_Release_Planning|Samba Release Planning page]] for an overview of which versions are still maintained.


See [[Updating_Samba|Updating Samba]].
Every release of Samba improves its features, fixes many bugs and adds more compatibility. In many cases, upgrading fixes the problems people are having with their old versions. Often, not even the developers can say when the requested feature was added to Samba. If your problem turns out to be a bug, then it will only be fixed in maintained version trees. So please consider upgrading; you will have a much better chance of getting a response and help from other users and developers on the mailing lists, etc.


If you are required to run an outdated version that was shipped with your distribution and it is out of maintenance by Samba, you should contact your vendor (Red Hat, SuSE, etc.) for support.


If you were brought here by a response to one of your questions somewhere, please consider this as a first try to help.


== What Is the Maximum Size of a LDB or TDB Database File? ==


=== TDB files and LDB files using TDB ===
The maximum size is 4 GB because the databases use 32-bit structures.


Previously, there was a project called <code>NTDB</code> that should address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.
== How do I update from Samba 3.x to 4.x? ==


=== LDB files based on LMDB, specifically the sam.ldb on the AD DC ===
See the [[Updating_Samba|Updating Samba HowTo]].


The size specified by the --backend-store-size=SIZE parameter to ''samba-tool domain provision'' and ''samba-tool domain join'' controls the maximum DB size. The default is 8GB. As LMDB is a true 64-bit database, the maximum is limited only by the storage available on the system.


= Samba as an Active Directory Domain Controller =


== General ==
== Can I provision a member or a standalone server? ==


=== Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment? ===
Whilst 'samba-tool domain provision --help' shows this as one of the options:


Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.
--server-role=ROLE The server role (domain controller | dc | member
server | member | standalone). Default is dc.


The only server that you can provision at the moment is a 'domain controller' or 'dc' for short. The other options will not work yet, so if you require a member server, see the [[Setup_Samba_as_an_AD_Domain_Member|Setup Samba as an AD Domain Member]] HowTo.




=== What Does <code>ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required</code> Mean? ===


See [[Updating_Samba#New Default for LDAP Connections Requires Strong Authentication|Default for LDAP Connections Requires Strong Authentication]].
== What is the maximum size of a tdb file? ==


=== I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest? ===
The limit is 4 GB, because TDB still uses 32-bit structures. We had a project called NTDB that was coping with this issue and other issues we had in TDB. As we found other ways to solve the TDB issues (except the size), we dropped the work on NTDB, as there were some issues with how to manage the migration.


The following Windows server versions are supported as a DC together with a Samba DC:


{| class="wikitable"
!Windows Server Version
!Comments
|-
|Windows Server 2016
|Not supported.
|-
|Windows Server 2012 / 2012 R2
|Supported in Samba >=4.5. For details, see [[Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD|Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]].
|-
|Windows Server 2008 / 2008 R2
|Supported in Samba >=4.0. For details, see [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]].
|-
|Windows Server 2003 / 2003R2
|Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|-
|Windows 2000
|Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|}


One of the limiting items is the AD schema version. For details, see [[AD_Schema_Version_Support|AD Schema Version Support]].




= Samba vs. MS compatibility =


== Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as DC? ==
=== Why Is the Network Neighbourhood empty or Does Not Show All Machines in the Domain? ===


The Samba AD DC <code>smbd</code> daemon does not support browsing.
Yes. See [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]]


It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.




== Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as Member Server? ==


=== What Does <code>Warning: No NC replicated for Connection!</code> Mean? ===
Yes. See [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]]. The join is done like for Windows Workstations.


When running the <code>samba-tool drs showrepl</code> command, the following warning is displayed at the end of the output:


Warning: No NC replicated for Connection!


The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.
== Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as DC? ==


No. See [[#Does_Samba_support_MS_AD_schema_extensions.3F|FAQ 'Does Samba support MS AD schema extensions?' for details]].




=== Can I Use the Samba AD DC as a Fileserver? ===


Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users' Unix home directories or login shell from AD; you must use template lines in smb.conf.
== Can I join Samba to Windows Server 2012 / 2012 R2 AD as a DC? ==
No. See [[#Does_Samba_support_MS_AD_schema_extensions.3F|FAQ 'Does Samba support MS AD schema extensions?' for details]].




== Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as Member Server? ==


== Configuration ==
Yes. See [[Joining_a_Windows_Client_or_Server_to_a_Domain|Joining a Windows Client or Server to a Domain]]. The join is done like for Windows Workstations.


=== Why Do I Not Have a <code>server services</code> parameter in My <code>smb.conf</code> File? ===


The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the <code>[global]</code> section of your <code>smb.conf</code> file, the default values are used.


For details, see the <code>smb.conf (5)</code> man page.
== Can I join Samba as a domain member to a Microsoft Active Directory? ==


Yes. Samba as a domain member supports all MS AD versions, regardless of the Windows Server OS version, the AD schema version, and the functional level.




=== Can I Disable Some of the <code>server services</code> options in the <code>smb.conf</code> File? ===


The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process.


Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!
= Configuration Parameters =


However, there are a few situations where you can manually update the options:
== Can I turn off some of the 'server services' options? ==


* To disable the network printing spooler:
The 'server services' options are set during the Samba AD DC provisioning/join and are based on the choices made during this process. If you don't have the 'server services' line in your smb.conf, this means that the default parameter options are being used. To see the default lines run this:
:Change the <code>spoolss</code> option to <code>-spoolss</code>.


* To switch the DNS back end:
samba-tool testparm -v --suppress-prompt | grep 'server services'
:For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].


All of the parameters set are required. The only reasonable changes are:


* Disable spoolss:


=== How Do I Enable Guest Access to a Share on a Samba AD DC? ===
server services = ... -spoolss


On non-AD DCs, you can set the <code>map to guest</code> parameter in the <code>smb.conf</code> file to <code>bad user</code> to enable guest access. However, guest access is based on the <code>guest account</code> parameter, which is not implemented in Samba AD mode.
* [[Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ|Change DNS backend from Samba Internal to BIND9_DLZ]]:


=== Can I Change the ID Range on a DC? ===
server services = ... -dns


Yes, very easily: give your users <code>uidNumber</code> attributes containing numbers inside the range you want to use. You should also give <code>Domain Users</code> a <code>gidNumber</code> attribute containing a number inside the same range.
* [[Changing_the_DNS_backend#Changing_from_BIND_DLZ_to_Samba_Internal_DNS|Change DNS backend from BIND9_DLZ to Samba Internal]]:
{{Imbox
| type = important
| text = Do not add any of the <code>idmap_ad</code> lines used on a domain member to your Samba AD DC smb.conf. They will have no effect and could lead to problems.
}}


server services = ... dns


* If you are using 4.2.x, then you can change which 'winbind' daemon to run:
server services = -winbindd +winbind


== Directory Schema ==
== If all server services options are required for an AD DC, why is this parameter required at all? ==


=== Which Active Directory Schema Versions Does Samba Support When Set up as a DC? ===
It wasn't ever intended that the 'server services' parameter would be something that admins would even see, but a late change in development (the final merge of the file servers) caused this to gain much more prominence than was ever expected.


For details, see [[AD_Schema_Version_Support|AD Schema Version Support]].
If you use the internal DNS, then you can remove the 'server services' parameter completely from your smb.conf. All AD required services are started by default automatically.


If you use BIND_DLZ, then it's enough to have the short following version (all other services are started by default automatically):


server services = -dns


=== Is It Possible to Extend the Samba AD Schema? ===


For details, see [[Samba_AD_schema_extensions|Samba AD Schema Extensions]].


== I keep getting asked for username/password when trying to access a public share on the AD DC. ==


On a non-AD domain, you can use 'map to guest = bad user' in smb.conf to allow Windows machines that are not part of the domain to access public shares. This will not work with an AD domain: guest access to the domain needs to be based on the 'guest' account being enabled, but unfortunately this is not yet implemented.


== Kerberos ==


=== What Does <code>UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT</code> Mean? ===


On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:
== Why is security=share not supported any more? ==


UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com
See [https://lists.samba.org/archive/samba-technical/2012-February/081832.html https://lists.samba.org/archive/samba-technical/2012-February/081832.html]


This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.


To fix the problem, run:


* on your Windows DC:


C:\> repadmin /kcc


* or alternatively on your Samba DC:
= Replication =


# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com
== Is replication of Active Directory supported by a Samba AD DC? ==


Yes. Everything that is done inside the Active Directory (user/group management, ACL changes, etc.), is replicated to other DCs.




== Replication ==


=== Do Samba AD DCs Support Replication? ===
== Is SysVol share replication supported by a Samba AD DC? ==


* Everything stored inside the AD, is replicated between DCs. For example: users, groups, and DNS records.
It's currently not implemented. But as a workaround you can replicate changes, e.g. with rsync. Depending on the kind of workaround you choose, you may have to make changes only on one DC, if your tool doesn't support bi-directional replication. You can find a [[Rsync_based_SysVol_replication_workaround|HowTo for a rsync-based replication]] on the Wiki.


* In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. To work around, see [[SysVol_replication_(DFS-R)|Sysvol Replication (DFS-R)]].




== Message: Warning: No NC replicated for Connection! ==


=== Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server? ===
When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.


Active Directory uses a different schema than other LDAP servers, and thus replicating with non-AD LDAP servers is not supported and is not planned to be supported.




== Is it possible to replicate between Samba AD and an external LDAP server? ==


== DNS ==
No. This is currently not supported and is not expected to be supported. The Active Directory LDAP has a different schema layout from the LDAP with which Samba 3.x was traditionally deployed; this is just one of the many serious issues.


=== Can I Set Multiple Forwarder Servers for the Internal DNS Server? ===
== How do I get DNS failover in a Multi-DC environment? ==


Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.
* First set up your additional DC following the [[Setup_a_Samba_Active_Directory_Domain_Controller|Samba AD DC HowTo]]. You just skip the provisioning/upgrading part.


For details, see [[Samba_Internal_DNS_Back_End#Setting_up_a_DNS_Forwarder|Setting up a DNS Forwarder]].
* Then join your new DC to the domain. See [[Joining_a_Samba_DC_to_an_Existing_Active_Directory|Joining a Samba DC to an Existing Active Directory]].


* In the output of "samba-tool drs showrepl", you should see that the DNS partition was successfully replicated.


* Finally you have to configure your clients to also use the DNS on the additional DC.


== How Do I Set up the BIND DNS Server to Replicate AD DNS Zones? ==


Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.


Zone transfers to non-AD DNS servers are not supported.
== Why does directory replication fail to Windows servers for git build Samba <= 4.1.13? ==


Please check
# samba-tool testparm -v --suppress-prompt | grep samba_kcc
samba kcc command = /usr/local/samba/sbin/samba_kcc


If your result is as shown above, add the following line in your smb.conf


=== Can I Use the <code>.local</code> Top-level Domain for My AD DNS Zone? ===
kccsrv:samba_kcc = false


Using the <code>.local</code> top-level domain is not recommended. For details, see [[Active_Directory_Naming_FAQ#Using_an_Invalid_TLD|Using an Invalid TLD]].
= Joining A Domain As Domain Controller =


== Error „UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT“ in Logfiles ==


When you start Samba the first time as a new Domain Controller in an existing Windows domain, you may find error messages like the following in the Samba logfiles:


== Trust Support ==
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com


=== Does Samba AD Support Trust Relationships? ===
This is caused by the Knowledge Consistency Checker (KCC) not having been run by the Windows Domain Controller yet; this means it has not yet created connections to the new Samba DC.


The trust feature is experimental and has several limitations, such as:
To fix this, you can either run "repadmin /kcc" on the Windows DC as an Administrator or you can use the samba-tool command to do the same thing, like this:


* SID filtering rules are not applied
# samba-tool drs kcc -Uadministrator windowsdc.samdom.example.com


* You cannot add users and groups of a trusted domain into domain groups.




== Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining ==


== Group Policy Support ==
Check if you have an existing <tt>smb.conf</tt> and remove it before joining.


=== Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit? ===


Password settings are validated and applied by the DC so that modified Windows or Unix clients cannot bypass the rules. However, Samba does not support GPO restrictions and only serves GPOs to clients via the Sysvol share.


Use the <code>samba-tool domain passwordsettings</code> command to update password policies on a DC for a domain.




= DNS =


=== What Does <code>The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory</code> Mean? ===
== Can the internal DNS have more than one forwarder? ==


When you click in the Group Policy Management Console to a GPO, the following error is displayed:
No. If you require more than one host to forward foreign requests to, you must use BIND_DLZ.


The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.


See the page [[Sysvolreset]] for troubleshooting steps.


== LDAP ==
== Can I use .local in the domain name? ==


=== Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End? ===
No. See [[The_Samba_AD_DNS_Back_Ends#Avoid_.local_TLD|Avoid .local TLD]].


Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.


One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would be the AD schema. This means you would have to update external applications accessing the directory, just as you have to do when you use the Samba internal LDAP server. Additionally, you would have to import attributes manually from the old LDAP server that are not included in the AD schema.






=== Is It Planned to Support OpenLDAP as Back End for Samba AD? ===
= Trusts =


Currently, there is no active work on this project.
== Does Samba support trust relationship with AD? ==


The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Trusts are currently not completely implemented. Samba can be trusted, but can't trust yet.


Specific problems include:
But even this is unofficial and should not be relied on, because
* the metadata required for both DRS replication and dirsync
"[https://lists.samba.org/archive/samba/2014-July/182830.html parts that appear to work are a partial development that just happen to be in our released versions]" (July 2014).
* schema manipulation
* transactions
* access control lists (ACL)


The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.




== Do trusts only not work in Samba AD only environments, and are fine in Samba AD/Windows environments? ==


=== Does the Samba Internal LDAP Server Support Anonymous Searches? ===
No. The Samba DC just won't know much about the trust.


Samba honours the <code>dSHeuristics</code> flag. For details, see http://support.microsoft.com/kb/326690


However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.








= Kerberos =


= Samba as an Domain Member =
== How to disable des and rc4 in the AD DC? ==


== Do I Provision a Samba Domain Member Using <code>samba-tool</code>? ==
'samba-tool domain exportkeytab' exports keytab files including arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc keys. The 'allow_weak_keys = false' option (which is the default) in the krb5.conf is the tool for controlling this. Currently this only disables DES, and only at runtime, not at the layer the keytab export uses.


From the roles the <code>samba-tool domain provision --help</code> command offers, the only supported provision role is <code>DC</code> (Active Directory domain controller).
When Heimdal is updated, this has to be done carefully, because arcfour-hmac-md5 has been declared weak, and this will break Windows 2003 and WinXP clients.


Provisioning any other role results in an incorrectly working version of an AD DC. If you do provision a different role, remove all Samba database files and the generated <code>smb.conf</code> file and join the domain member using the <code>net</code> command. For details, see [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]].
Additionally, until Samba 4.2, Samba defaulted to the Windows 2003 functional level, so it hadn't been storing the newer AES keys.
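Added example, not from the page or the Samba project: a small Python audit that parses a version 0x0502 keytab, such as one written by 'samba-tool domain exportkeytab', and lists the entries whose enctype is DES or RC4, so a weak key is noticed before anything depends on it. The sample keytab is constructed inside the script (the key bytes are dummies); the enctype numbers are the standard Kerberos assignments.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757 assignments)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
WEAK_ENCTYPES = {1, 3, 23}   # the DES and RC4 entries the question is about


def _counted(data):
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Write a version 0x0502 keytab. entries: (principal, realm, kvno, enctype, key).
    Used only to construct sample input here; real files come from exportkeytab."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                      # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n].decode(), pos + n


def parse_keytab(blob):
    """Return [(principal, realm, kvno, enctype)] for every live entry in a 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp)
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                  # skip the key material; only the enctype matters here
        if end - pos >= 4:               # 32-bit kvno, if present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(("/".join(comps), realm, kvno, enctype))
    return entries


def weak_entries(blob):
    """Entries whose enctype is DES or RC4, with the enctype spelled out."""
    return [(p, r, k, ENCTYPE_NAMES.get(e, str(e)))
            for p, r, k, e in parse_keytab(blob) if e in WEAK_ENCTYPES]


# Constructed sample: a host principal exported with every enctype the DC stored (sample data)
PRINCIPAL, REALM = "host/dc1.samdom.example.com", "SAMDOM.EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (PRINCIPAL, REALM, 2, 18, bytes(32)),   # aes256: fine
    (PRINCIPAL, REALM, 2, 17, bytes(16)),   # aes128: fine
    (PRINCIPAL, REALM, 2, 23, bytes(16)),   # arcfour-hmac-md5: weak
    (PRINCIPAL, REALM, 2, 3, bytes(8)),     # des-cbc-md5: weak
    (PRINCIPAL, REALM, 2, 1, bytes(8)),     # des-cbc-crc: weak
])

if __name__ == "__main__":
    for principal, realm, kvno, name in weak_entries(SAMPLE_KEYTAB):
        print(f"weak enctype {name} for {principal}@{realm} (kvno {kvno})")
```

Point `parse_keytab` at the bytes of a real keytab file to audit it; the AES entries pass through untouched, only the DES and RC4 ones are reported.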






== Which Windows Server Versions Are Supported as a Domain Member in a Samba AD? ==


For details, see [[Joining_a_Windows_Client_or_Server_to_a_Domain#Supported_Windows_Versions|Supported Windows Versions]].


= GPO =


== Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)? ==


== I Have Set up a Domain Member Using The <code>idmap_ad</code> Back End, but <code>getent passwd</code> and <code>getent group</code> Do Not Show Users, Computers or Groups ==
Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies at the domain level.


Try explicitly asking for a user or group, i.e. <code>getent passwd auser</code>; this is because winbind doesn't enumerate users and groups by default any more.
Background: The password settings have to be used and validated by the server. Otherwise a modified Windows client or a Unix client (which doesn't handle GPOs) could bypass these settings. But Samba can't evaluate and apply GPO restrictions. It only serves GPOs via the SysVol share.


Computers are never enumerated but only shown when queried explicitly i.e. <code>getent passwd SAMDOM\hostname$</code>.


If you want to show all users and groups, you will need to add these lines to smb.conf:
winbind enumerate users = yes
winbind enumerate groups = yes


{{Imbox
== Incompatible permissions of GPO objects and SysVol share ==
| type = note
| text = You should only add the lines for testing purposes
}}


If, after trying the above, you still do not get any users, groups or computers, check that:
If you click in GPMC on a GPO, you get the message "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK." Clicking OK won't fix the problem. Instead run
* Your users have a <code>uidNumber</code> attribute containing a unique number inside the range set in smb.conf.
:: Example: If you have <code>idmap config DOMAIN : range = 10000-999999</code> in smb.conf, your users' <code>uidNumber</code> attributes should start at '10000' and go up to '999999'; any number outside this range will be ignored.
* The Windows group <code>Domain Users</code> has a <code>gidNumber</code> attribute containing a number inside the same range, if <code>Domain Users</code> does not have a <code>gidNumber</code> ALL users will be ignored.
* Your computers have a <code>uidNumber</code> attribute as outlined above for users. Computers do not need a <code>gidNumber</code>.
* Check that libnss_winbind is set up correctly, see [[Libnss_winbind_Links|here]].
* Check that the <code>passwd</code> and <code>group</code> lines in /etc/nsswitch.conf have had 'winbind' added, see [[Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch|here]].
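Added example, not the page's or Samba's own code: a Python check that reads the <code>idmap config DOMAIN : range</code> line from a constructed smb.conf excerpt and a constructed LDIF dump of AD objects, and reports per account why winbind would not resolve it: a missing or out-of-range <code>uidNumber</code>, or <code>Domain Users</code> lacking a usable <code>gidNumber</code>, which ignores every user. Both inputs are sample data embedded in the script.

```python
import re

# Constructed smb.conf excerpt from a domain member (sample data, not from the page)
SMB_CONF = """\
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed LDIF-style dump of a few AD objects (sample data, not from the page).
# objectClass tells us whether an entry is a user, a computer or a group.
AD_OBJECTS = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 5000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: carol

dn: CN=PC01,CN=Computers,DC=samdom,DC=example,DC=com
objectClass: computer
sAMAccountName: PC01$
uidNumber: 10500
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)


def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line in smb.conf."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            rec[attr.strip()] = value.strip()
        records.append(rec)
    return records


def in_range(value, rng):
    return value is not None and value.isdigit() and rng[0] <= int(value) <= rng[1]


def check_idmap(domain, conf=SMB_CONF, ldif=AD_OBJECTS):
    """Map each sAMAccountName to 'ok' or the reason winbind would not resolve it."""
    rng = idmap_ranges(conf).get(domain.upper())
    if rng is None:
        raise ValueError(f"no 'idmap config {domain} : range' in smb.conf")
    records = parse_ldif(ldif)
    # Users only resolve when their primary group (Domain Users) has a gidNumber inside the range.
    domain_users = next((r for r in records if r.get("sAMAccountName") == "Domain Users"), None)
    users_ok = domain_users is not None and in_range(domain_users.get("gidNumber"), rng)
    result = {}
    for rec in records:
        name, cls = rec["sAMAccountName"], rec.get("objectClass")
        if cls == "group":
            result[name] = "ok" if in_range(rec.get("gidNumber"), rng) else "gidNumber missing or outside range"
        elif cls in ("user", "computer"):
            uid = rec.get("uidNumber")
            if uid is None:
                result[name] = "uidNumber missing"
            elif not in_range(uid, rng):
                result[name] = f"uidNumber {uid} outside range {rng[0]}-{rng[1]}"
            elif cls == "user" and not users_ok:
                result[name] = "Domain Users has no usable gidNumber, all users ignored"
            else:
                result[name] = "ok"       # computers need no gidNumber, only a uidNumber
    return result


if __name__ == "__main__":
    for name, status in check_idmap("SAMDOM").items():
        print(f"{name:14} {status}")
```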


If you set the uidNumber attribute for a computer, also known as the "Windows machine network account", e.g. SAMDOM\hostname$, the computer will have access to Samba shares if they permit groups like <code>Domain Computers</code>. This can be useful during startup.
# samba-tool ntacl sysvolreset


= Samba as NT4 Primary Domain Controller =


== Do I Have to Migrate to Samba AD? ==


One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!


The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, just as you updated in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.


Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.
= LDAP backend =


== Will Samba 4 have a built-in, full fledged LDAP server? ==


Yes. While we certainly won't compare ourselves with the
standards-based products from other vendors (our aim is to please AD
clients first, and hopefully do so while complying with the standards),
it will include an LDAPv3 server.


== What Does <code>User Administrator in your existing directory has SID ..., expected it to be ...-500 </code> Mean? ==


In your current NT4 domain, the RID of the domain administrator account is not <code>500</code>. For details, see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers].


To fix:
== Why is the LDAP backend (used so successfully in classic Samba domains) not supported with the AD DC?==
* Remove the account. It will be recreated automatically during the classic upgrade.
* Update the RID of the account manually to <code>500</code> in your current Samba back end.


However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the <code>objectSID</code> attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.
We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work, while also supporting features such as DRS replication, and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).


There are three ways out of this difficult situation:
* continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
* Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
* Somehow sync Samba with an existing LDAP server.


There are major challenges with synchronisation of directories - but it certainly may be an option in some situations.


= Samba as an standalone server =
We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it didn't have to be this way, and we have left in (with tests) as much of the code we used for the [[Samba4/LDAP Backend|LDAP backend]] experiment as is possible, in case somehow someone builds a workable use case in the future.


== Why does Windows Network Neighborhood not show Samba server(s)? ==


If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [https://bugzilla.samba.org/show_bug.cgi?id=11473]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.


If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also enabled, and that nmbd is started on the server.

== Is it planned to support openLDAP as backend again? ==

An LDAP backend to the AD DC is not a viable proposition
at this point in time, as even with the addition of massive extra
resources trying to revive it would create an incredible distraction.

The biggest issue is that a significant part of the complexity of the AD
DC turns out to be in our ldb modules. Creating a general-purpose,
OpenLDAP backed AD DC would involve rewriting many of these modules as
OpenLDAP overlays, outside the standard Samba programming environment.

Totally removing the LDAP listener would require rewriting even more code than that,
and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.

Specific issues include the metadata required for both DRS replication
and dirsync, schema manipulation, transactions, Access Control Lists,
impersonation (if Samba still operated as an LDAP proxy) or authentication
(if OpenLDAP was the LDAP listener) and AD-specific matching
rules.

The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.

Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD
schema, which removes the advantage of doing all that work in the first
place.

The team has decided not to pursue this as a development avenue, and
no viable approach to re-opening this functionality has been proposed, but
where it does not compromise development, the technical doors for some
special-case development here have been left open, with code and tests remaining in the tree.



== Are anonymous LDAP searches possible? ==

While there are many good reasons to do or not do this, Samba follows
AD, including honouring the dSHeuristics flag for this.
[http://support.microsoft.com/kb/326690 http://support.microsoft.com/kb/326690]

However, it is better to authenticate, and Kerberos, if used correctly,
can make that transparent.

= Migration from a Samba NT4-style domain to Samba AD =

== User 'Administrator' in your existing directory has SID ..., expected it to be ...-500 ==

The error says what's wrong: in your NT4-style domain backend, the RID of the domain administrator account isn't 500, which it should be (see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers]). Change it to 500 and start over. Alternatively, you can remove the account, as it will be created automatically during the AD provisioning.





= Schemas =

== Will it also be possible in the future to extend the server by loading user-defined schemas? ==

Yes, [[Samba_AD_schema_extensions|user-defined schema]] may be loaded into the Samba AD DC. It is experimental, so you must set

dsdb:schema update allowed = yes

in the smb.conf to permit it.



== Does Samba support MS AD schema extensions? ==

Samba is shipped with AD schema version 47 (MS Windows Server 2008 R2). Schema updates, such as those required when adding a DC running Windows Server 2012 or newer, are currently not supported by the Samba backend. The schema update against a Samba DC will fail, and if done against a Windows 2008 R2 DC in the domain, it will break AD replication with all Samba DCs and make your AD inconsistent!





= WINS =

== Why is Network Neighbourhood empty or does not show all machines in a Samba AD environment? ==

The master browser code in smbd does not collect names because the netbios server in the AD DC does not have the browsing code in it. We would like to add that, but it is just a matter of a developer finding it to be a personal (or employer) priority. (Sadly, on the AD DC, there isn't spare developer time just floating around.)

Revision as of 08:01, 28 January 2020

Introduction

The questions listed here are frequently asked on the Samba mailing list.



General Samba Questions

When Will the next Samba Version Be Released?

For details, see Samba Release Planning.


Can I Get Help with a Problem in an Unsupported Samba Version?

Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see Samba Release Planning.

If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.


How Do I Update Samba?

See Updating Samba.


What Is the Maximum Size of a LDB or TDB Database File?

TDB files and LDB files using TDB

The maximum size is 4 GB because the databases use 32-bit structures.

Previously, there was a project called NTDB that was intended to address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.

LDB files based on LMDB, specifically the sam.ldb on the AD DC

The size specified by the --backend-store-size=SIZE parameter to samba-tool domain provision and samba-tool domain join controls the maximum DB size. The default is 8GB. As LMDB is a true 64-bit database, the maximum is limited only by the storage available on the system.

Samba as an Active Directory Domain Controller

General

Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment?

Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.


What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?

See Default for LDAP Connections Requires Strong Authentication.

I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest?

The following Windows server versions are supported as a DC together with a Samba DC:

{| class="wikitable"
! Windows Server Version !! Comments
|-
| Windows Server 2016 || Not supported.
|-
| Windows Server 2012 / 2012 R2 || Supported in Samba >=4.5. For details, see Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD.
|-
| Windows Server 2008 / 2008 R2 || Supported in Samba >=4.0. For details, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.
|-
| Windows Server 2003 / 2003 R2 || Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|-
| Windows 2000 || Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
|}

One of the limiting items is the AD schema version. For details, see AD Schema Version Support.


Why Is the Network Neighbourhood empty or Does Not Show All Machines in the Domain?

The Samba AD DC smbd daemon does not support browsing.

It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.


What Does Warning: No NC replicated for Connection! Mean?

When running the samba-tool drs showrepl command, the following warning is displayed at the end of the output:

Warning: No NC replicated for Connection!

The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.


Can I Use the Samba AD DC as a Fileserver?

Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users' Unix home directories or login shells from AD; you must use template lines in smb.conf.


Configuration

Why Do I Not Have a server services parameter in My smb.conf File?

The server services options in the smb.conf file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the [global] section of your smb.conf file, the default values are used.

For details, see the smb.conf (5) man page.


Can I Disable Some of the server services options in the smb.conf File?

The server services options in the smb.conf file are set during provisioning a Samba AD DC based on the settings you made during this process.

Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!

However, there are a few situations where you can manually update the options:

  • To disable the network printing spooler:
Change the spoolss option to -spoolss.
  • To switch the DNS back end:
For details, see Changing the DNS Back End of a Samba AD DC.


How Do I Enable Guest Access to a Share on a Samba AD DC?

On non-AD DCs, you can set the map to guest parameter in the smb.conf file to bad user to enable guest access. However, guest access is based on the guest account parameter, which is not implemented in the Samba AD mode.

Can I Change the ID Range on a DC?

Yes, very easily: just give your users uidNumber attributes containing numbers inside the range you want to use. You should also give Domain Users a gidNumber attribute containing a number inside the same range.


Directory Schema

Which Active Directory Schema Versions Does Samba Support When Set up as a DC?

For details, see AD Schema Version Support.


Is It Possible to Extend the Samba AD Schema?

For details, see Samba AD Schema Extensions.


Kerberos

What Does UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT Mean?

On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.

To fix the problem, run:

  • on your Windows DC:
C:\> repadmin /kcc
  • or alternatively on your Samba DC:
# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com


Replication

Do Samba AD DCs Support Replication?

  • Everything stored inside the AD is replicated between DCs. For example: users, groups, and DNS records.
  • In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. To work around, see Sysvol Replication (DFS-R).


Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server?

Active Directory uses a different schema than other LDAP servers and thus replicating with non-AD DCs is not supported or planned to be supported.


DNS

Can I Set Multiple Forwarder Servers for the Internal DNS Server?

Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.

For details, see Setting up a DNS Forwarder.


How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?

Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.

Zone transfers to non-AD DNS servers are not supported.


Can I Use the .local Top-level Domain for My AD DNS Zone?

Using the .local top-level domain is not recommended. For details, see Using an Invalid TLD.


Trust Support

Does Samba AD Support Trust Relationships?

The trust feature is experimental and has several limitations, such as:

  • SID filtering rules are not applied
  • You cannot add users and groups of a trusted domain into domain groups.


Group Policy Support

Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit?

Password settings are validated and applied by the DC, so that modified Windows or Unix clients cannot bypass the rules. However, Samba does not support GPO restrictions and only serves GPOs to clients via the Sysvol share.

Use the samba-tool domain passwordsettings command to update password policies on a DC for a domain.


What Does The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory Mean?

When you click in the Group Policy Management Console to a GPO, the following error is displayed:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

See the page Sysvolreset for troubleshooting steps.

LDAP

Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End?

Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.

One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would still be the AD schema. This means you would have to update external applications accessing the directory, just as you have to when using the Samba internal LDAP server. Additionally, you would have to import manually those attributes from the old LDAP server that are not included in the AD schema.


Is It Planned to Support OpenLDAP as Back End for Samba AD?

Currently, there is no active work on this project.

The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.

Specific problems include:

  • the metadata required for both DRS replication and dirsync
  • schema manipulation
  • transactions
  • access control lists (ACL)

The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.


Does the Samba Internal LDAP Server Support Anonymous Searches?

Samba honours the dSHeuristics flag. For details, see http://support.microsoft.com/kb/326690

However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.



Samba as a Domain Member

Do I Provision a Samba Domain Member Using samba-tool?

From the roles the samba-tool domain provision --help command offers, the only supported provision role is DC (Active Directory domain controller).

Provisioning any other role results in an incorrectly working version of an AD DC. If you do provision a different role, remove all Samba database files and the generated smb.conf file and join the domain member using the net command. For details, see Setting up Samba as a Domain Member.


Which Windows Server Versions Are Supported as a Domain Member in a Samba AD?

For details, see Supported Windows Versions.


I Have Set up a Domain Member Using The idmap_ad Back End, but getent passwd and getent group Do Not Show Users, Computers or Groups

Try explicitly asking for a user or group, i.e. getent passwd auser. This is because winbind no longer enumerates users and groups by default.

Computers are never enumerated but only shown when queried explicitly i.e. getent passwd SAMDOM\hostname$.

If you want to show all users and groups, you will need to add these lines to smb.conf:

   winbind enumerate users = yes
   winbind enumerate groups = yes

If, after trying the above, you still do not get any users, groups or computers, check that:

  • Your users have a uidNumber attribute containing a unique number inside the range set in smb.conf.
Example: If you have idmap config DOMAIN : range = 10000-999999 in smb.conf, your users' uidNumber attributes should start at '10000' and go up to '999999'; any number outside this range will be ignored.
  • The Windows group Domain Users has a gidNumber attribute containing a number inside the same range, if Domain Users does not have a gidNumber ALL users will be ignored.
  • Your computers have a uidNumber attribute as outlined above for users. Computers do not need a gidNumber.
  • Check that libnss_winbind is setup correctly, see here.
  • Check that the passwd and group lines in /etc/nsswitch.conf have had 'winbind' added, see here.

If you set the uidNumber attribute for a computer, also known as the "Windows machine network account" e.g. SAMDOM\hostname$, the computer will have access to samba shares if they permit groups like Domain Computers. This can be useful during startup.
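As an added example (not Samba project code), the checklist above as a script: it parses the idmap config ... : range line from a constructed smb.conf fragment and reports which constructed user, group and computer objects idmap_ad would ignore and why. The object names, the HOST1$ computer account and the ranges are hypothetical.

```python
import re

# Constructed sample smb.conf fragment of a domain member using the idmap_ad
# back end (hypothetical values, not a real configuration).
SMB_CONF = """[global]
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD objects as idmap_ad would read them: name, object class and
# the RFC2307 attributes. None stands for a missing attribute.
DIRECTORY = [
    {"name": "demo01", "class": "user", "uidNumber": 10001, "gidNumber": 10000},
    {"name": "demo02", "class": "user", "uidNumber": 5000, "gidNumber": 10000},   # below range
    {"name": "demo03", "class": "user", "uidNumber": None, "gidNumber": 10000},   # no uidNumber
    {"name": "Domain Users", "class": "group", "uidNumber": None, "gidNumber": 10000},
    {"name": "HOST1$", "class": "computer", "uidNumber": 10050, "gidNumber": None},
]

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_idmap_ad(conf, directory, domain):
    """Apply the FAQ's checklist; returns {'range': (low, high),
    'domain_users_ok': bool, 'ignored': [(name, reason), ...]}."""
    ranges = parse_idmap_ranges(conf)
    if domain.upper() not in ranges:
        raise ValueError("no 'idmap config %s : range' line in smb.conf" % domain)
    low, high = ranges[domain.upper()]

    def in_range(n):
        return n is not None and low <= n <= high

    domain_users = next((o for o in directory if o["name"] == "Domain Users"), None)
    domain_users_ok = domain_users is not None and in_range(domain_users["gidNumber"])
    ignored = []
    for obj in directory:
        if obj["class"] in ("user", "computer") and not in_range(obj["uidNumber"]):
            ignored.append((obj["name"], "uidNumber missing or outside %d-%d" % (low, high)))
        elif obj["class"] == "user" and not domain_users_ok:
            # Without a usable gidNumber on Domain Users, ALL users are ignored.
            ignored.append((obj["name"], "Domain Users has no gidNumber inside the range"))
        elif obj["class"] == "group" and not in_range(obj["gidNumber"]):
            ignored.append((obj["name"], "gidNumber missing or outside %d-%d" % (low, high)))
    return {"range": (low, high), "domain_users_ok": domain_users_ok, "ignored": ignored}

if __name__ == "__main__":
    for name, reason in check_idmap_ad(SMB_CONF, DIRECTORY, "SAMDOM")["ignored"]:
        print("ignored %-12s %s" % (name, reason))
```

On a real member you would feed it the attributes returned by an LDAP query of your domain rather than the constructed list.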

Samba as NT4 Primary Domain Controller

Do I Have to Migrate to Samba AD?

One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, as you updated in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.


What Does User Administrator in your existing directory has SID ..., expected it to be ...-500 Mean?

In your current NT4 domain, the RID of the domain administrator account is not 500. For details, see Windows well-known security identifiers.

To fix:

  • Remove the account. It will be recreated automatically during the classic upgrade.
  • Update the RID of the account manually to 500 in your current Samba back end.

However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the objectSID attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.
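As an added example covering this question and the same "expected it to be ...-500" question in the migration section above, a script (not Samba's own code) that checks the Administrator RID against a constructed domain SID, rewrites it to 500 as in the second fix, and then lists the constructed file system ACL entries that no longer resolve because the objectSID changed. All SIDs, account names and paths are hypothetical.

```python
import re

# Constructed sample values, not taken from a real domain: the SID of the
# NT4-style domain, the objectSid of each account in its back end, and a
# few file system ACL entries that reference accounts by SID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = {
    "Administrator": DOMAIN_SID + "-1000",  # RID 1000 instead of the expected 500
    "demo01": DOMAIN_SID + "-1001",
}
ACL_ENTRIES = [
    ("/srv/share", DOMAIN_SID + "-1000", "FULL"),
    ("/srv/share", DOMAIN_SID + "-1001", "READ"),
]
ADMINISTRATOR_RID = 500  # well-known RID of the domain Administrator account

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def split_sid(sid):
    """Split a textual SID into (domain part, RID); raise ValueError if malformed."""
    if not SID_RE.match(sid):
        raise ValueError("not a valid SID: %r" % sid)
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def check_administrator_sid(domain_sid, accounts):
    """Return a complaint in the style of the classicupgrade message, or None if fine."""
    sid = accounts.get("Administrator")
    if sid is None:
        return None  # absent: the account is created during provisioning
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return "User 'Administrator' has SID %s, which is not in domain %s" % (sid, domain_sid)
    if rid != ADMINISTRATOR_RID:
        return ("User 'Administrator' in your existing directory has SID %s, "
                "expected it to be %s-%d" % (sid, domain_sid, ADMINISTRATOR_RID))
    return None

def fix_administrator_rid(domain_sid, accounts):
    """Return a copy of accounts with the Administrator RID set to 500 (the FAQ's second option)."""
    fixed = dict(accounts)
    fixed["Administrator"] = "%s-%d" % (domain_sid, ADMINISTRATOR_RID)
    return fixed

def stale_acl_entries(acl_entries, accounts):
    """ACL entries whose SID matches no account any more: these must be reconfigured."""
    known = set(accounts.values())
    return [entry for entry in acl_entries if entry[1] not in known]

if __name__ == "__main__":
    print(check_administrator_sid(DOMAIN_SID, ACCOUNTS))
    fixed = fix_administrator_rid(DOMAIN_SID, ACCOUNTS)
    print("after fix:", check_administrator_sid(DOMAIN_SID, fixed))
    for path, sid, perm in stale_acl_entries(ACL_ENTRIES, fixed):
        print("stale ACL entry on %s: %s (%s)" % (path, sid, perm))
```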


Samba as a standalone server

Why does Windows Network Neighborhood not show Samba server(s)?

If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [1]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.

If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also enabled, and that nmbd is started on the server.