The questions and answers on this page have been extracted from the Samba technical mailing list.
Can I use Samba 4.0 as an AD DC on my production server right now?
We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example, the file server in the smbd binary.
Of course, normal Systems Administration caution is generally advised, as an AD Domain is the central hub for authentication on a network. We also advise participation on our mailing lists to discuss any issues that arise.
We do however encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.
When will Samba 4.0 releases be made?
For the current Samba 4.0 and 4.x release plans, please see Samba Release Planning.
How to do or fix ... in an outdated Samba version?
Often people are asking for help/support for very outdated versions on the mailing lists or other places. You should really consider of moving to a recent version (best would be to the latest version of the current series). See the Samba Release Planning page to get an overview, which versions are still maintainanced.
Every release of Samba improves its features, fixes many bugs and adds more compatibility. In many cases, upgrading fixes the problems people are having with their old versions. Often, not even the developers can say when the requested feature was added to Samba. If your problem turns out to be a bug, then it will only be fixed in maintained version trees. So please consider upgrading, you will have a much better chance of getting a response and help from other users and developers on the mailing lists, etc.
If you are required to run an outdated version that was shipped with your distribution and it is out of maintainance by Samba, you should contact your vendor (Redhat, SuSE, etc.) for support.
If you were brought here by a response to one of your questions somewhere, please consider this as a first try to help.
How do I update from Samba 3.x to 4.x?
See the Updating Samba HowTo.
Can I provision a member or a standalone server?
Whilst 'samba-tool domain provision --help' shows this as one of the options:
--server-role=ROLE The server role (domain controller | dc | member server | member | standalone). Default is dc.
The only server that you can provision at the moment is a 'domain controller' or 'dc' for short. The other options will not work yet, so if you require a member server, see the Setup_a_Samba_AD_Member_Server HowTo.
Samba AD vs. MS AD compatibility
Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as DC?
Does Samba AD allow Windows Server 2008 / 2008 R2 to be joined as Member Server?
Yes. See Joining a Windows Client to a Domain. The join is done like for Windows Workstations.
Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as DC?
Does Samba AD allow Windows Server 2012 / 2012 R2 to be joined as Member Server?
Yes. See Joining a Windows Client to a Domain. The join is done like for Windows Workstations.
Can I turn off some of the 'server services' options?
The options of 'server services' are set during the Samba AD DC provisioning/join and are based on the choices made during this process. If you don't have the 'server services' in your smb.conf, this only means that the options of this parameter are on its default.
All of the parameters set are required. The only reasonable changes are:
- Disable spoolss:
server services = ... -spoolss
server services = ... -dns
server services = ... dns
If all server services options are required for an AD DC, why is this parameter required at all?
It wasn't ever intended that the 'server services' parameter would be something that admins would even see, but a late change in development (the final merge of the file servers) caused this to gain much more prominence than was ever expected.
If you use the internal DNS, then you can remove the 'server services' parameter completely from your smb.conf. All AD required services are started by default automatically.
If you use BIND_DLZ, then it's enough to have the short following version (all other services are started by default automatically):
server services = -dns
On a non AD domain, you can use 'map to guest = bad user' in smb.conf to allow windows machines that are not part of the domain, to access public shares. This will not work with an AD domain, guest access to the domain needs to be based on the 'guest' account being enabled, but unfortunately, this is not yet implemented.
Is replication of Active Directory supported by a Samba AD DC?
Yes. Everything that is done inside the Active Directory (user/group management, ACL changes, etc.), is replicated to other DCs.
It's currently not implemented. But as a workaround you can replicate changes e. g. with rsync. Depending on the kind of workaround you choose, you may have to do changes only on one DC, if your tool doesn't support bi-directional replication. You can find a HowTo for a rsync-based replication on the Wiki.
Message: Warning: No NC replicated for Connection!
When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.
Is it possible to replicate between Samba AD and an external LDAP server?
No. This is currently not supported and is not expected to be supported. The Active Directory LDAP has a different schema layout to the LDAP with which Samba 3.x was traditionally deployed, this is just one of the many serious issues.
How do I get DNS failover in a Multi-DC environment?
- First set up your additional DC following the Samba AD DC HowTo. You just skip the provisioning/upgrading part.
- Then join your new DC to the domain. See Join Samba as an additional DC.
- In the output of "samba-tool drs showrepl", you should see that the DNS partition was successfully replicated.
- Finally you have to configure your clients to also use the DNS on the additional DC.
Why does directory replication fail to Windows servers for git build Samba <= 4.1.13?
# samba-tool testparm -v --suppress-prompt | grep samba_kcc samba kcc command = /usr/local/samba/sbin/samba_kcc
If your result is as shown above, add the following line in your smb.conf
kccsrv:samba_kcc = false
Joining A Domain As Domain Controller
Error „UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT“ in Logfiles
When you start Samba the first time as a new Domain Controller in an existing Windows domain, you may find errors messages like the following in the Samba logfiles:
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for 5344d0a6-78a1-4758be69-66d933f1123._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com
This is caused by the Knowledge Consistency Checker (KCC) not having being run by the Windows Domain Controller yet, this means it has not yet created connections to the new Samba DC.
To fix this, you can either run "repadmin /kcc" on the Windows DC as an Administrator or you can use the samba-tool command to do the same thing, like this:
# samba-tool drs kcc -Uadministrator windowsdc.samdom.example.com
Message: "Failed to find our own NTDS Settings invocationId in the ldb!" during joining
Check if you have an existing smb.conf and remove it before joining.
Can the internal DNS have more than one forwarder?
No. If you require more than one host to forward foreign requests to, you must use BIND_DLZ.
Does Samba support trust relationship with AD?
Trusts are currently not finished implemented. Samba can be trusted, but can't trust yet.
But even this is unofficial and should not be relied on, because "parts that appear to work are a partial development that just happen to be in our released versions" (July 2014).
Do trusts only not work in Samba AD only environments, and are fine in Samba AD/Windows environments?
No. The Samba DC just won't know much about the trust.
How to disable des and rc4 in the AD DC?
'samba-tool domain exportkeytab', export keytab files including arcfour-hmac-md5, des-cbc-md5 and des-cbc-crc. The 'allow_weak_keys = false' option (which is the default) in the krb5.conf is the tool for controlling this. Currently this only disables DES, and only at runtime, not at the layer the keytab export uses.
When Heimdal will be updated, this have to be done carefully, because arcfour-hmac-md5 has been declared weak, and this will break Windows 2003 and WinXP clients.
Additionally, until Samba 4.2, were defaulting to Windows 2003 functional level, so haven't been storing the newer AES keys.
Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level.
Background: The password settings have to be used and validated by the server. Otherwise a modified Windows client or a Unix client (which doesn't handle GPOs) could bypass these settings. But Samba can't evaluate and apply GPO restrictions. It only serves GPOs via the SysVol share.
If you click in GPMC to a GPO, you get a message "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK." Clicking OK won't fix the problem. Instead run
# samba-tool ntacl sysvolreset
Will Samba 4 have a built-in, full fledged LDAP server?
Yes. While we certainly won't compare ourselves with the standards-based products from other vendors (our aim is to please AD clients first, and hopefully do so while complying with the standards), it will include an LDAPv3 server.
Why is the LDAP backend (used so successfully in classic Samba domains) not supported with the AD DC?
We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work, while also supporting features such as DRS replication, and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).
The there are three ways out of this difficult situation
- continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
- Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
- Somehow sync Samba with an existing LDAP server.
There are major challenges with synchronisation of directories - but it certainly may be an option in some situations.
We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it didn't have to be this way, and we have left in (with tests) as much of the code we used for the LDAP backend experiment as is possible, in case somehow someone builds a workable use case in the future.
Is it planned to support openLDAP as backend again?
An LDAP backend to the AD DC is not a viable proposition at this point in time, as even with the addition of massive extra resources trying to revive it would create an incredible distraction.
The biggest issue is that a significant part of the complexity of the AD DC turns out to be in our ldb modules. Creating a general-purpose, OpenLDAP backed AD DC would involve rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Totally removing the LDAP listener would require rewriting even more code than that, and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.
Specific issues include the metadata required for both DRS replication and dirsync, schema manipulation, transactions, Access Control Lists, impersonation (if Samba still operated as an LDAP proxy) or authentication (if OpenLDAP was the LDAP listener) and AD-specific matching rules.
The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.
Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD schema, which removes the advantage of doing all that work in the first place.
The team has decided not to peruse this as a development avenue, and no viable approach to re-opening this functionality has been proposed, but where it does not compromise development, the technical doors open for some special case development here have been left open, with code and tests remaining in the tree.
Are anonymous LDAP searches possible?
While there are many good reasons to do or not do this, Samba follows AD, including honouring the dsHuristics flag for this. http://support.microsoft.com/kb/326690
However, it is better to authenticate and Kerberos if used correctly can make that transparent.
Migration from a Samba NT4-style domain to Samba AD
User 'Administrator' in your existing directory has SID ..., expected it to be ...-500
The error says what's wrong: In your NT4-style domain backend, the RID of the domain administrator account isn't 500, what it should be (see. Windows well-known security identifiers). Change it to 500 and start over. You can remove the account, too, as it will be automatically created during the AD provisioning.
Will it also be possible in the future to extend the server by loading user defined schema's?
Yes, user-defined schema may be loaded into the Samba AD DC. It is experimental, so you must set
dsdb:schema update allowed = yes
in the smb.conf to permit it.
Does Samba support MS AD schema extensions?
Samba is shipped with AD schema version 47 (MS Windows Server 2008 R2). Schema updates, as they are required when adding a DC running Windows Server 2012 or newer, are currently not supported by the Samba backend. The schema update against a Samba DC will fail and if done against a Windows 2008 R2 DC in the domain, it will break AD replication with all Samba DCs and makes your AD inconsistent!
Why is Network Neighbourhood empty or does not show all machines in an Samba AD environment?
The master browser code in smbd does not collect names because the netbios server in the AD DC does not have the browsing code in it. We would like to add that, but it just is a matter of a developer finding it to be a personal (or employer) priority. (Sadly on the AD DC, there isn't spare developer time just floating around).
As a workaround, you can try Samba4Wins: ftp://ftp.sernet.de/pub/samba4wins/