Difference between revisions of "FAQ"

m (/* added faq about using the DC as a fileserver)
m (What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?: fix link)
 
(10 intermediate revisions by 5 users not shown)
Line 9: Line 9:
 
= General Samba Questions =
 
= General Samba Questions =
  
== When Is the next Samba Version Published? ==
+
== When Will the next Samba Version Be Released? ==
  
 
For details, see [[Samba_Release_Planning|Samba Release Planning]].
 
For details, see [[Samba_Release_Planning|Samba Release Planning]].
Line 15: Line 15:
  
  
== Can You Help Me with a Problem in an Unsupported Samba Version? ==
+
== Can I Get Help with a Problem in an Unsupported Samba Version? ==
  
Update to a supported version first. It is likely, that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see [[Samba_Release_Planning|Samba Release Planning]].
+
Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see [[Samba_Release_Planning|Samba Release Planning]].
  
 
If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.
 
If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.
Line 23: Line 23:
  
  
== How do I update Samba? ==
+
== How Do I Update Samba? ==
  
 
See [[Updating_Samba|Updating Samba]].
 
See [[Updating_Samba|Updating Samba]].
Line 49: Line 49:
  
  
=== What does <code>ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required</code> Mean? ===
+
=== What Does <code>ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required</code> Mean? ===
  
See [[Updating_Samba#Default_for_LDAP_Connections_Requires_Strong_Authentication|Default for LDAP Connections Requires Strong Authentication]].
+
See [[Updating_Samba#New Default for LDAP Connections Requires Strong Authentication|Default for LDAP Connections Requires Strong Authentication]].
  
 
+
=== I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as an DC to the Forest? ===
 
 
=== I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as an DC to the Forrest? ===
 
  
 
The following Windows server versions are supported as a DC together with a Samba DC:
 
The following Windows server versions are supported as a DC together with a Samba DC:
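Review bot: The retitled heading in this hunk still reads "Which Windows Server Version Can I Join as an DC to the Forest?"; the edit fixes "Forrest" but leaves "an DC", which should be "a DC".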
Line 83: Line 81:
  
  
=== Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain? ===
+
=== Why Is the Network Neighbourhood empty or Does Not Show All Machines in the Domain? ===
  
 
The Samba AD DC <code>smbd</code> daemon does not support browsing.  
 
The Samba AD DC <code>smbd</code> daemon does not support browsing.  
  
It is planned to add this feature. However, there are no development resources and thus no date when this feature is included.
+
It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.
  
  
  
=== What does <code>Warning: No NC replicated for Connection!</code> Mean? ===
+
=== What Does <code>Warning: No NC replicated for Connection!</code> Mean? ===
  
 
When running the <code>samba-tool drs showrepl</code> command, the following warning is displayed at the end of the output:
 
When running the <code>samba-tool drs showrepl</code> command, the following warning is displayed at the end of the output:
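Review bot: The new heading "Why Is the Network Neighbourhood empty or Does Not Show All Machines in the Domain?" lowercases "empty", while the line it replaces and every other heading on the page use title case; keep "Empty".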
Line 97: Line 95:
 
  Warning: No NC replicated for Connection!
 
  Warning: No NC replicated for Connection!
  
The warning appears, because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.
+
The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.
  
  
  
=== Can I use the Samba AD DC as a fileserver ===
+
=== Can I Use the Samba AD DC as a Fileserver? ===
  
 
Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users Unix home directories or login shell from AD, you must use template lines in smb.conf
 
Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users Unix home directories or login shell from AD, you must use template lines in smb.conf
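Review bot: The answer under the retitled "Can I Use the Samba AD DC as a Fileserver?" is carried over unchanged and still has "the users Unix home directories" (needs the possessive "users'") and runs two sentences together: "...from AD, you must use template lines in smb.conf" with no final stop. Suggest "...from AD; you must use template lines in smb.conf."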
Line 109: Line 107:
 
== Configuration ==
 
== Configuration ==
  
=== Why I Do Not Have a <code>server services</code> parameter in My <code>smb.conf</code> File? ===
+
=== Why Do I Not Have a <code>server services</code> parameter in My <code>smb.conf</code> File? ===
  
 
The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the <code>[global]</code> section of your <code>smb.conf</code> file, the default values are used.
 
The <code>server services</code> options in the <code>smb.conf</code> file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the <code>[global]</code> section of your <code>smb.conf</code> file, the default values are used.
Line 123: Line 121:
 
Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!
 
Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!
  
However, there are a few situations, that require manual updating the options:
+
However, there are a few situations where you can manually update the options:
  
 
* To disable the network printing spooler:
 
* To disable the network printing spooler:
Line 135: Line 133:
 
=== How Do I Enable Guest Access to a Share on a Samba AD DC? ===
 
=== How Do I Enable Guest Access to a Share on a Samba AD DC? ===
  
On non-AD DCs, you can set the <code>map to guest</code> parameter in the <code>smb.conf</code</code> file to <code>bad user</code> to enable guest access. However, guest access is based on the <code>guest account</code> parameter, that is not implemented in the Samba AD mode.
+
On non-AD DCs, you can set the <code>map to guest</code> parameter in the <code>smb.conf</code> file to <code>bad user</code> to enable guest access. However, guest access is based on the <code>guest account</code> parameter, that is not implemented in the Samba AD mode.
 +
 
 +
=== Can I Change the ID Range on a DC? ===
 +
 
 +
Yes, very easily, just give your users <code>uidNumber</code> attributes containing numbers inside the range you want to use, you should also give <code>Domain Users</code> a <code>gidNumber</code> attribute containing a number inside the same range.
 +
{{Imbox
 +
| type = important
 +
| text = Do not add any of the <code>idmap_ad</code> lines used on a domain member to your Samba AD DC smb.conf. They will have no affect and could lead to problems.
 +
}}
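Review bot: In the new Imbox text, "They will have no affect" should be "no effect". The guest-access sentence also keeps "based on the guest account parameter, that is not implemented", where "which is not implemented" reads correctly.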
  
  
Line 187: Line 193:
 
=== Is a Samba DC Able to Replicate the Directory Content with an Non-AD LDAP Server? ===
 
=== Is a Samba DC Able to Replicate the Directory Content with an Non-AD LDAP Server? ===
  
Active Directory uses a different schema then other LDAP servers and thus replicating with non-AD DCs is not supported or planned to support.
+
Active Directory uses a different schema than other LDAP servers and thus replicating with non-AD DCs is not supported or planned to be supported.
  
  
Line 205: Line 211:
 
Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.
 
Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.
  
Zone transfers to non-AD DNS servers are not supported.
+
Zone transfers to non-AD DNS servers is not supported.
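Review bot: This edit introduces a subject-verb disagreement: "Zone transfers to non-AD DNS servers is not supported" replaces the correct "are not supported"; revert to "are".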
  
  
Line 229: Line 235:
 
== Group Policy Support ==
 
== Group Policy Support ==
  
=== Is It Possible to Set User Specific Password Policies in Samba AD, such Such as on an Organisational Unit? ===
+
=== Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit? ===
  
 
Password settings are validated and applied by the DC to not enable modified Windows or Unix clients to bypass the rules. However, Samba does not support GPO restrictions and only serve GPOs to clients by the Sysvol share.
 
Password settings are validated and applied by the DC to not enable modified Windows or Unix clients to bypass the rules. However, Samba does not support GPO restrictions and only serve GPOs to clients by the Sysvol share.
Line 243: Line 249:
 
  The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
 
  The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
  
However, if you click <code>OK</code>, the problem is not fixed. To reset the Sysvol settings, enter on a Samba DC:
+
See the page [[Sysvolreset]] for troubleshooting steps.
 
 
# samba-tool ntacl sysvolreset
 
 
 
 
 
  
 
== LDAP ==
 
== LDAP ==
  
=== Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End? ===
+
=== Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End? ===
  
 
Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.
 
Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.
  
One of the main reasons people asking for OpenLDAP as back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manual transferring directory data to AD. However, even if OpenLDAP would get an supported back end on a Samba AD DC, the directory schema would be the AD schema. This means, you have to update external applications accessing the directory using, such as you have to do it when you use the Samba internal LDAP server. Additionally you have to import attributes manually from the old LDAP server that are not included in the AD schema.
+
One of the main reasons people ask for OpenLDAP as the back end for AD, is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manual transferring directory data to AD. However, even if OpenLDAP gets to be a supported back end on a Samba AD DC, the directory schema would be the AD schema. This means, you will have to update external applications accessing the directory using, such as you have to do it when you use the Samba internal LDAP server. Additionally you will have to import attributes manually from the old LDAP server that are not included in the AD schema.
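Review bot: The rewritten OpenLDAP paragraph still carries the garbled clause "update external applications accessing the directory using, such as you have to do it when you use the Samba internal LDAP server"; suggest "update external applications that access the directory, just as you have to when you use the Samba internal LDAP server". In the same line "without manual transferring" should be "without manually transferring".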
  
  
Line 287: Line 289:
 
= Samba as an Domain Member =
 
= Samba as an Domain Member =
  
== Do I Provision a Samba Domain Member Using samba-tool? ==
+
== Do I Provision a Samba Domain Member Using <code>samba-tool</code>? ==
  
Other then the <code>samba-tool domain provision --help</code> command offers, the only supported role you can provision, is <code>DC</code> (Active Directory domain controller).
+
From the roles the <code>samba-tool domain provision --help</code> command offers, the only supported provision role is <code>DC</code> (Active Directory domain controller).
  
Provisioning any other role results in an incorrect working version of an AD DC. In case you provision a different role, remove all Samba database files and the generated <code>smb.conf</code> file and join the domain member using the <code>net</code> command. For details, see [[Joining_a_Linux_or_Unix_Host_to_a_Domain|Joining a Linux or Unix Host to a Domain]].
+
Provisioning any other role, results in an incorrectly  working version of an AD DC. If you do provision a different role, remove all Samba database files and the generated <code>smb.conf</code> file and join the domain member using the <code>net</code> command. For details, see [[Setting_up_Samba_as_a_Domain_Member|Setting up Samba as a Domain Member]].
  
  
  
== Which Windows Server Version Are Supported as a Domain Member in a Samba AD? ==
+
== Which Windows Server Versions Are Supported as a Domain Member in a Samba AD? ==
  
 
For details, see [[Joining_a_Windows_Client_or_Server_to_a_Domain#Supported_Windows_Versions|Supported Windows Versions]].
 
For details, see [[Joining_a_Windows_Client_or_Server_to_a_Domain#Supported_Windows_Versions|Supported Windows Versions]].
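Review bot: "Provisioning any other role, results in an incorrectly  working version" has a stray comma after "role" and a double space before "working". The unchanged section heading "= Samba as an Domain Member =" should read "a Domain Member".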
Line 301: Line 303:
  
  
== I have set up a domain member using the <code>idmap_ad</code> backend, but <code>getent passwd</code> and <code>getent group</code> does not show users or groups ==
+
== I Have Set up a Domain Member Using The <code>idmap_ad</code> Back End, but <code>getent passwd</code> and <code>getent group</code> Do Not Show Users, Computers or Groups ==
  
 
Try explicitly asking for a user or group i.e. <code>getent passwd auser</code>, this is because winbind doesn't enumerate users & groups by default any more.
 
Try explicitly asking for a user or group i.e. <code>getent passwd auser</code>, this is because winbind doesn't enumerate users & groups by default any more.
 +
 +
Computers are never enumerated but only shown when queried explicitly i.e. <code>getent passwd SAMDOM\hostname$</code>.
  
 
If you want to show all users and groups, you will need to add these lines to smb.conf:
 
If you want to show all users and groups, you will need to add these lines to smb.conf:
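Review bot: The new heading capitalises "The" in "Using The idmap_ad Back End"; articles are lowercase in the page's title-case headings. In the answer, "i.e. getent passwd auser" introduces an example rather than a restatement, so "e.g." fits better.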
Line 314: Line 318:
 
}}
 
}}
  
 
+
If, after trying the above, you still do not get any users, groups or computers, check that:
If, after trying the above, you still do not get any users or groups, check that:
 
 
* Your users have a <code>uidNumber</code> attribute containing a unique number inside the range set in smb.conf.
 
* Your users have a <code>uidNumber</code> attribute containing a unique number inside the range set in smb.conf.
 
:: Example: If you have <code>idmap config DOMAIN : range = 10000-999999</code> in smb.conf, your users <code>uidNumber</code> attributes should start at '10000' and go upto '999999', any number outside this range will be ignored.
 
:: Example: If you have <code>idmap config DOMAIN : range = 10000-999999</code> in smb.conf, your users <code>uidNumber</code> attributes should start at '10000' and go upto '999999', any number outside this range will be ignored.
 
* The Windows group <code>Domain Users</code> has a <code>gidNumber</code> attribute containing a number inside the same range, if <code>Domain Users</code> does not have a <code>gidNumber</code> ALL users will be ignored.
 
* The Windows group <code>Domain Users</code> has a <code>gidNumber</code> attribute containing a number inside the same range, if <code>Domain Users</code> does not have a <code>gidNumber</code> ALL users will be ignored.
*Check that libnss_winbind is setup correctly, see [[Libnss_winbind_Links|here]].
+
* Your computers have a <code>uidNumber</code> attribute as outlined above for users. Computers do not need a <code>gidNumber</code>.
*Check that the <code>passwd</code> and <code>group</code> lines in /etc/nsswitch.conf have had 'winbind' added, see [[Setup_Samba_as_an_AD_Domain_Member#libnss_winbind|here]].
+
* Check that libnss_winbind is setup correctly, see [[Libnss_winbind_Links|here]].
 
+
* Check that the <code>passwd</code> and <code>group</code> lines in /etc/nsswitch.conf have had 'winbind' added, see [[Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch|here]].
 
 
 
 
  
 +
If you set the uidNumber attribute for a computer, also known as the "Windows machine network account" e.g. SAMDOM\hostname$, the computer will have access to samba shares if they permit groups like <code>Domain Computers</code>. This can be useful during startup.
  
 
= Samba as NT4 Primary Domain Controller =
 
= Samba as NT4 Primary Domain Controller =
  
== Do I have to migrate to Samba AD? ==
+
== Do I Have to Migrate to Samba AD? ==
  
 
One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!
 
One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!
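Review bot: In the checklist, "go upto '999999'" should be "go up to", "your users uidNumber attributes" needs the possessive "users'", and the added line "Check that libnss_winbind is setup correctly" should read "set up".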
Line 338: Line 340:
  
  
== What does <code>User Administrator in your existing directory has SID ..., expected it to be ...-500 </code> Mean? ==
+
== What Does <code>User Administrator in your existing directory has SID ..., expected it to be ...-500 </code> Mean? ==
  
 
In your current NT4 domain, the RID of the domain administrator account is not <code>500</code>. For details, see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers].
 
In your current NT4 domain, the RID of the domain administrator account is not <code>500</code>. For details, see [http://support.microsoft.com/kb/243330/en Windows well-known security identifiers].
  
 
To fix:
 
To fix:
* Remove the account. It recreated automatically during the classic upgrade.
+
* Remove the account. It will be recreated automatically during the classic upgrade.
* Updated the RID of the account manually to <code>500</code> in your current Samba back end.
+
* Update the RID of the account manually to <code>500</code> in your current Samba back end.
  
 
However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the <code>objectSID</code> attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.
 
However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the <code>objectSID</code> attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.
 +
 +
 +
 +
= Samba as an standalone server =
 +
 +
== Why does Windows Network Neighborhood not show Samba server(s)? ==
 +
 +
If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [https://bugzilla.samba.org/show_bug.cgi?id=11473]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.
 +
 +
If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also
 +
enabled, and that nmbd is started on the server.
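Review bot: The new top-level heading "= Samba as an standalone server =" should read "a standalone server", and both it and the question heading below it break the page's title-case convention for headings (compare "= Samba as NT4 Primary Domain Controller =" and "== Do I Have to Migrate to Samba AD? ==").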

Latest revision as of 02:12, 31 July 2019


Introduction

The questions listed here are frequently asked on the Samba mailing list.



General Samba Questions

When Will the next Samba Version Be Released?

For details, see Samba Release Planning.


Can I Get Help with a Problem in an Unsupported Samba Version?

Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see Samba Release Planning.

If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.


How Do I Update Samba?

See Updating Samba.


What Is the Maximum Size of an LDB or TDB Database File?

The maximum size is 4 GB because the databases use 32-bit structures.

Previously, there was a project called NTDB that was intended to address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.



Samba as an Active Directory Domain Controller

General

Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment?

Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.


What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?

See Default for LDAP Connections Requires Strong Authentication.

I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest?

The following Windows server versions are supported as a DC together with a Samba DC:

Windows Server Version         Comments
Windows Server 2016            Not supported.
Windows Server 2012 / 2012 R2  Supported in Samba >=4.5. For details, see Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD.
Windows Server 2008 / 2008 R2  Supported in Samba >=4.0. For details, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.
Windows Server 2003 / 2003 R2  Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.
Windows 2000                   Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.

One of the limiting items is the AD schema version. For details, see AD Schema Version Support.


Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain?

The Samba AD DC smbd daemon does not support browsing.

It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.


What Does Warning: No NC replicated for Connection! Mean?

When running the samba-tool drs showrepl command, the following warning is displayed at the end of the output:

Warning: No NC replicated for Connection!

The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.


Can I Use the Samba AD DC as a Fileserver?

Whilst it is not recommended, yes you can, but you should be aware of its limitations, amongst which is that you cannot obtain the users' Unix home directories or login shell from AD; you must use template lines in smb.conf.


Configuration

Why Do I Not Have a server services parameter in My smb.conf File?

The server services options in the smb.conf file are set when you provision a Samba AD DC, based on the settings you chose during that process. If this parameter is not listed in the [global] section of your smb.conf file, the default values are used.

For details, see the smb.conf (5) man page.


Can I Disable Some of the server services options in the smb.conf File?

The server services options in the smb.conf file are set when you provision a Samba AD DC, based on the settings you chose during that process.

Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!

However, there are a few situations where you can manually update the options:

  • To disable the network printing spooler:
Change the spoolss option to -spoolss.
  • To switch the DNS back end:
For details, see Changing the DNS Back End of a Samba AD DC.


How Do I Enable Guest Access to a Share on a Samba AD DC?

On non-AD DCs, you can set the map to guest parameter in the smb.conf file to bad user to enable guest access. However, guest access is based on the guest account parameter, which is not implemented in Samba AD mode.

Can I Change the ID Range on a DC?

Yes. Give your users uidNumber attributes containing numbers inside the range you want to use, and also give Domain Users a gidNumber attribute containing a number inside the same range.


Directory Schema

Which Active Directory Schema Versions Does Samba Support When Set up as a DC?

For details, see AD Schema Version Support.


Is It Possible to Extend the Samba AD Schema?

For details, see Samba AD Schema Extensions.


Kerberos

What Does UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT Mean?

On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:

UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com

This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.

To fix the problem, run:

  • on your Windows DC:
C:\> repadmin /kcc
  • or alternatively on your Samba DC:
# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com


Replication

Do Samba AD DCs Support Replication?

  • Everything stored inside the AD is replicated between DCs. For example: users, groups, and DNS records.
  • In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. For a workaround, see Sysvol Replication (DFS-R).


Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server?

Active Directory uses a different schema than other LDAP servers and thus replicating with non-AD DCs is not supported or planned to be supported.


DNS

Can I Set Multiple Forwarder Servers for the Internal DNS Server?

Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.

For details, see Setting up a DNS Forwarder.


How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?

Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.

Zone transfers to non-AD DNS servers are not supported.


Can I Use the .local Top-level Domain for My AD DNS Zone?

Using the .local top-level domain is not recommended. For details, see Using an Invalid TLD.


Trust Support

Does Samba AD Support Trust Relationships?

The trust feature is experimental and has several limitations, such as:

  • SID filtering rules are not applied
  • You cannot add users and groups of a trusted domain into domain groups.


Group Policy Support

Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit?

Password settings are validated and applied by the DC so that modified Windows or Unix clients cannot bypass the rules. However, Samba does not support GPO restrictions and only serves GPOs to clients via the Sysvol share.

Use the samba-tool domain passwordsettings command to update password policies on a DC for a domain.


What Does The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory Mean?

When you click a GPO in the Group Policy Management Console, the following error is displayed:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

See the page Sysvolreset for troubleshooting steps.

LDAP

Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End?

Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.

One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would still be the AD schema. This means you would have to update external applications that access the directory, just as you have to when you use the Samba internal LDAP server. Additionally, you would have to import manually any attributes from the old LDAP server that are not included in the AD schema.


Is It Planned to Support OpenLDAP as Back End for Samba AD?

Currently, there is no active work on this project.

The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.

Specific problems include:

  • the metadata required for both DRS replication and dirsync
  • schema manipulation
  • transactions
  • access control lists (ACL)

The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.


Does the Samba Internal LDAP Server Support Anonymous Searches?

Samba honours the dSHeuristics flag. For details, see http://support.microsoft.com/kb/326690

However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.



Samba as a Domain Member

Do I Provision a Samba Domain Member Using samba-tool?

From the roles the samba-tool domain provision --help command offers, the only supported provision role is DC (Active Directory domain controller).

Provisioning any other role results in an incorrectly working version of an AD DC. If you do provision a different role, remove all Samba database files and the generated smb.conf file and join the domain member using the net command. For details, see Setting up Samba as a Domain Member.


Which Windows Server Versions Are Supported as a Domain Member in a Samba AD?

For details, see Supported Windows Versions.


I Have Set up a Domain Member Using the idmap_ad Back End, but getent passwd and getent group Do Not Show Users, Computers or Groups

Try explicitly asking for a user or group, for example getent passwd auser: winbind no longer enumerates users and groups by default.

Computers are never enumerated; they are only shown when queried explicitly, for example getent passwd SAMDOM\hostname$.

If you want to show all users and groups, you will need to add these lines to smb.conf:

   winbind enumerate users = yes
   winbind enumerate groups = yes

If, after trying the above, you still do not get any users, groups or computers, check that:

  • Your users have a uidNumber attribute containing a unique number inside the range set in smb.conf.
Example: If you have idmap config DOMAIN : range = 10000-999999 in smb.conf, your users' uidNumber attributes should start at '10000' and go up to '999999'; any number outside this range will be ignored.
  • The Windows group Domain Users has a gidNumber attribute containing a number inside the same range; if Domain Users does not have a gidNumber, ALL users will be ignored.
  • Your computers have a uidNumber attribute as outlined above for users. Computers do not need a gidNumber.
  • Check that libnss_winbind is set up correctly, see here.
  • Check that the passwd and group lines in /etc/nsswitch.conf have had 'winbind' added, see here.

If you set the uidNumber attribute for a computer account (the "Windows machine network account", e.g. SAMDOM\hostname$), the computer will have access to Samba shares whose permissions allow groups like Domain Computers. This can be useful during startup.
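As an added example (not Samba's own code), the following Python check applies the idmap_ad checklist above to a constructed smb.conf excerpt and a constructed set of directory entries: it parses the idmap config DOMAIN : range line, flags users and computers whose uidNumber is missing or outside the range, reports that all users are hidden when Domain Users has no gidNumber inside the range, and still maps computers in that case. The entries, the SMB_CONF excerpt and the check_idmap_ad function are assumptions for illustration; on a real member server you would feed it the uidNumber/gidNumber attributes returned by an LDAP search of your domain.

```python
"""Offline check of the idmap_ad prerequisites listed in the FAQ above.

Added example, not Samba project code. The smb.conf excerpt and the directory
entries are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf excerpt (assumption): the SAMDOM range is 10000-999999.
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed directory entries (assumption): 'kind' stands in for objectClass.
ENTRIES = [
    {"kind": "group", "sAMAccountName": "Domain Users", "gidNumber": "10000"},
    {"kind": "user", "sAMAccountName": "alice", "uidNumber": "10001", "gidNumber": "10000"},
    {"kind": "user", "sAMAccountName": "bob", "uidNumber": "5000"},      # outside the range
    {"kind": "user", "sAMAccountName": "carol"},                          # no uidNumber at all
    {"kind": "computer", "sAMAccountName": "PC01$", "uidNumber": "10500"},
    {"kind": "computer", "sAMAccountName": "PC02$"},                      # no uidNumber
]

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config DOMAIN : range' line."""
    return {
        m.group("domain").upper(): (int(m.group("lo")), int(m.group("hi")))
        for m in RANGE_RE.finditer(conf_text)
    }


def _id_in_range(entry: dict, attr: str, lo: int, hi: int) -> Optional[int]:
    """The attribute as an int if present and inside [lo, hi]; None otherwise."""
    raw = entry.get(attr)
    if raw is None:
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


def check_idmap_ad(entries: List[dict], domain: str, conf_text: str) -> Tuple[List[str], List[str]]:
    """Apply the FAQ checklist; return (accounts winbind can map, problems found)."""
    ranges = parse_idmap_ranges(conf_text)
    if domain.upper() not in ranges:
        return [], [f"no 'idmap config {domain} : range' line in smb.conf"]
    lo, hi = ranges[domain.upper()]
    visible: List[str] = []
    problems: List[str] = []

    # Domain Users needs a gidNumber inside the range, or ALL users are ignored.
    domain_users = next((e for e in entries if e.get("sAMAccountName") == "Domain Users"), None)
    users_ok = domain_users is not None and _id_in_range(domain_users, "gidNumber", lo, hi) is not None
    if not users_ok:
        problems.append("Domain Users has no gidNumber inside the range: ALL users will be ignored")

    for e in entries:
        name, kind = e.get("sAMAccountName", "?"), e.get("kind")
        if kind == "group":
            if _id_in_range(e, "gidNumber", lo, hi) is None:
                problems.append(f"group {name}: gidNumber missing or outside {lo}-{hi}")
            else:
                visible.append(name)
        elif kind in ("user", "computer"):
            # Computers need a uidNumber but no gidNumber; users additionally depend on Domain Users.
            if _id_in_range(e, "uidNumber", lo, hi) is None:
                problems.append(f"{kind} {name}: uidNumber missing or outside {lo}-{hi}")
            elif kind == "computer" or users_ok:
                visible.append(name)
    return visible, problems


if __name__ == "__main__":
    mapped, issues = check_idmap_ad(ENTRIES, "SAMDOM", SMB_CONF)
    print("mapped by winbind:", ", ".join(mapped))
    for issue in issues:
        print("problem:", issue)
```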

Samba as NT4 Primary Domain Controller

Do I Have to Migrate to Samba AD?

One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!

The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, like you updated in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.

Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace any of the PDC features. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.


What Does User Administrator in your existing directory has SID ..., expected it to be ...-500 Mean?

In your current NT4 domain, the RID of the domain administrator account is not 500. For details, see Windows well-known security identifiers.

To fix:

  • Remove the account. It will be recreated automatically during the classic upgrade.
  • Update the RID of the account manually to 500 in your current Samba back end.

However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the objectSID attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.


Samba as a Standalone Server

Why Does Windows Network Neighborhood Not Show Samba Servers?

If you are using SMB2 or SMB3, network browsing uses WSD/LLMNR, which is not yet supported by Samba [1]. SMB1 is disabled by default on the latest Windows versions for security reasons. It is still possible to access the Samba resources directly via \\name or \\ip.address.

If SMB1 is enabled on Windows, check that NetBIOS over TCP/IP is also enabled, and that nmbd is started on the server.