- 1 Introduction
- 2 General Samba Questions
- 3 Samba as an Active Directory Domain Controller
- 3.1 General
- 3.1.1 Is Samba as an Active Directory Domain Controller Stable Enough for an Production Environment?
- 3.1.2 What does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?
- 3.1.3 I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as an DC to the Forrest?
- 3.1.4 Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain?
- 3.1.5 What does Warning: No NC replicated for Connection! Mean?
- 3.2 Configuration
- 3.3 Directory Schema
- 3.4 Kerberos
- 3.5 Replication
- 3.6 DNS
- 3.7 How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?
- 3.8 Trust Support
- 3.9 Group Policy Support
- 3.10 LDAP
- 3.1 General
- 4 Samba as an Domain Member
- 5 Samba as NT4 Primary Domain Controller
The questions listed here are frequently asked on the Samba mailing list.
General Samba Questions
When Is the next Samba Version Published?
For details, see Samba Release Planning.
Can You Help Me with a Problem in an Unsupported Samba Version?
Update to a supported version first. It is likely, that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see Samba Release Planning.
If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.
How do I update Samba?
See Updating Samba.
What Is the Maximum Size of a LDB or TDB Database File?
The maximum size is 4 GB because the databases use 32-bit structures.
Previously, there was a project called
NTDB that should address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.
Samba as an Active Directory Domain Controller
Is Samba as an Active Directory Domain Controller Stable Enough for an Production Environment?
Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.
ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?
I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as an DC to the Forrest?
The following Windows server versions are supported as a DC together with a Samba DC:
|Windows Server Version||Comments|
|Windows Server 2016||Not supported.|
|Windows Server 2012 / 2012 R2||Supported in Samba >=4.5. For details, see Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD.|
|Windows Server 2008 / 2008 R2||Supported in Samba >=4.0. For details, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD.|
|Windows Server 2003 / 2003R2||Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.|
|Windows 2000||Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft.|
One of the limiting items is the AD schema version. For details, see AD Schema Version Support.
Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain?
The Samba AD DC
smbd daemon does not support browsing.
It is planned to add this feature. However, there are no development resources and thus no date when this feature is included.
Warning: No NC replicated for Connection! Mean?
When running the
samba-tool drs showrepl command, the following warning is displayed at the end of the output:
Warning: No NC replicated for Connection!
The warning appears, because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.
Why I Do Not Have a
server services parameter in My
server services options in the
smb.conf file are set during provisioning a Samba AD DC based on the settings you made during this process. If this parameter is not listed in the
[global] section of your
smb.conf file, the default values are used.
For details, see the
smb.conf (5) man page.
Can I Disable Some of the
server services options in the
server services options in the
smb.conf file are set during provisioning a Samba AD DC based on the settings you made during this process.
Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!
However, there are a few situations, that require manual updating the options:
- To disable the network printing spooler:
- Change the
- To switch the DNS back end:
- For details, see Changing the DNS Back End of a Samba AD DC.
- If you are running Samba 4.2 or later, you can disable the recommended
winbindddaemon and switch to the older
winbindbuiltin portion of the samba daemon. To switch, set:
server services = ... -winbindd +winbind
On non-AD DCs, you can set the
map to guest parameter in the
smb.conf</code file to
bad user to enable guest access. However, guest access is based on the
guest account parameter, that is not implemented in the Samba AD mode.
Which Active Directory Schema Versions Does Samba Support When Set up as a DC?
For details, see AD Schema Version Support.
Is It Possible to Extend the Samba AD Schema?
For details, see Samba AD Schema Extensions.
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT Mean?
On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com
This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.
To fix the problem, run:
- on your Windows DC:
C:\> repadmin /kcc
- or alternatively on your Samba DC:
# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com
Do Samba AD DCs Support Replication?
- Everything stored inside the AD, is replicated between DCs. For example: users, groups, and DNS records.
- In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. To work around, see Sysvol Replication (DFS-R).
Is a Samba DC Able to Replicate the Directory Content with an Non-AD LDAP Server?
Active Directory uses a different schema then other LDAP servers and thus replicating with non-AD DCs is not supported or planned to support.
Can I Set Multiple Forwarder Servers for the Internal DNS Server?
Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.
For details, see Setting up a DNS Forwarder.
How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?
Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.
Zone transfers to non-AD DNS servers are not supported.
Can I Use the
.local Top-level Domain for My AD DNS Zone?
.local top-level domain is not recommended. For details, see Using an Invalid TLD.
Does Samba AD Supports Trust Relationship?
The trust feature is experimental and has several limitations, such as:
- SID filtering rules are not applied
- You cannot add users and groups of a trusted domain into domain groups.
Group Policy Support
Is It Possible to Set User Specific Password Policies in Samba AD, such Such as on an Organisational Unit?
Password settings are validated and applied by the DC to not enable modified Windows or Unix clients to bypass the rules. However, Samba does not support GPO restrictions and only serve GPOs to clients by the Sysvol share.
samba-tool domain passwordsettings command to update password policies on a DC for a domain.
The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory Mean?
When you click in the Group Policy Management Console to a GPO, the following error is displayed:
The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
However, if you click
OK, the problem is not fixed. To reset the Sysvol settings, enter on a Samba DC:
# samba-tool ntacl sysvolreset
Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.
One of the main reasons people asking for OpenLDAP as back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manual transferring directory data to AD. However, even if OpenLDAP would get an supported back end on a Samba AD DC, the directory schema would be the AD schema. This means, you have to update external applications accessing the directory using, such as you have to do it when you use the Samba internal LDAP server. Additionally you have to import attributes manually from the old LDAP server that are not included in the AD schema.
Is It Planned to Support OpenLDAP as Back End for Samba AD?
Currently, there is no active work on this project.
The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Specific problems include:
- the metadata required for both DRS replication and dirsync
- schema manipulation
- access control lists (ACL)
The Samba team decided not to peruse this as a development avenue, and no viable approach to re-opening this functionality has been proposed.
Does the Samba Internal LDAP Server Supports Anonymous Searches?
Samba honours the
dSHeuristics flag. For details, see http://support.microsoft.com/kb/326690
However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.
Samba as an Domain Member
Do I Provision a Samba Domain Member Using samba-tool?
Other then the
samba-tool domain provision --help command offers, the only supported role you can provision, is
DC (Active Directory domain controller).
Provisioning any other role results in an incorrect working version of an AD DC. In case you provision a different role, remove all Samba database files and the generated
smb.conf file and join the domain member using the
net command. For details, see Joining a Linux or Unix Host to a Domain.
Which Windows Server Version Are Supported as a Domain Member in a Samba AD?
For details, see Supported Windows Versions.
Samba as NT4 Primary Domain Controller
Do I have to migrate to Samba AD?
One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!
The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However all newer versions include the features of previous versions - including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, like you updated in the past - for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.
Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace any for the PDC feature. The Samba team understand the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally we continue testing the PDC support in our continuous integration system.
User Administrator in your existing directory has SID ..., expected it to be ...-500 Mean?
In your current NT4 domain, the RID of the domain administrator account is not
500. For details, see Windows well-known security identifiers.
- Remove the account. It recreated automatically during the classic upgrade.
- Updated the RID of the account manually to
500in your current Samba back end.
However, you have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the
objectSID attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.