The questions and answers on this page have been extracted from the Samba technical mailing list.
- 1 General
- 2 Configuration Parameters
- 3 Replication
- 3.1 Is replication of Active Directory supported by a Samba AD DC?
- 3.2 Is SysVol share replication supported by a Samba AD DC?
- 3.3 Message: Warning: No NC replicated for Connection!
- 3.4 Is it possible to replicate between Samba AD and an external LDAP server?
- 3.5 How do I get DNS failover in a Multi-DC environment?
- 4 DNS
- 5 Trusts
- 6 GPO
- 7 LDAP backend
- 8 Migration from a Samba NT4-style domain to Samba AD
- 9 Schemas
Can I use Samba 4.0 as an AD DC on my production server right now?
We have now released Samba 4.0, and a number of users have it in use in a production environment. All the features from the Samba 3.6 series are now available, for example, the file server in the smbd binary.
Of course, normal Systems Administration caution is generally advised, as an AD Domain is the central hub for authentication on a network, as is participation on our mailing lists to discuss any issues that arise.
We do however encourage people to try Samba 4.0 as an AD DC, report bugs, and give feedback.
When will Samba 4.0 releases be made?
For the current Samba 4.0 and 4.x release plans, please see Samba Release Planning.
How to do or fix ... in an outdated Samba version?
Often people are asking for help/support for very outdated versions on the mailing lists or other places. You should really consider of moving to a recent version (best would be to the latest version of the current series). See the Samba Release Planning page to get an overview, which versions are still maintainanced.
Every release of Samba improves its features, fix many bugs and add more compatibility. In many cases the problems, people are having with their old versions, doesn't exist any more in the meantime. Often not even the developers can't say when the requested feature was added to Samba. And if your request appears to be a bug, then it'll be only fixed in maintainend version trees. So please consider upgrading and you'll have a much better chance to get responses and help by other users and developers on the mailing lists, etc.
If you are required to run an outdated version, that was shipped with your distribution but which is out of the maintainance by Samba, you should contact your vendor (Redhat, SuSE, etc.) for support.
If you were brought here by a response to one of your questions somewhere, please consider this as a first try to help.
How do I update from Samba 3.x to 4.x?
See the Updating Samba HowTo.
Can I turn off some of the server service options?
For a Samba AD DC you need them all. Only spoolss can be disabled.
If you remove the complete 'server services' parameter, Samba AD works fine. All AD required services are started automatically, even if the complete parameter was removed from your smb.conf
If all server services options are required for an AD DC, why is this parameter required at all?
It wasn't ever intended that the 'server services' parameter would be something that admins would even see, but a late change in development (the final merge of the file servers) caused this to gain much more prominence than was ever expected.
If you use the internal DNS, then you can remove the 'server services' parameter completely from your smb.conf. All AD required services are started by default automatically.
If you use BIND_DLZ, then it's enough to have the short following version (all other services are started by default automatically):
server services = -dns
Is replication of Active Directory supported by a Samba AD DC?
Yes. Everything that is done inside the Active Directory (user/group management, ACL changes, etc.), is replicated to other DCs.
It's currently not implemented. But as workaround you can replicate changes e. g. with rsync. Depending on the kind of workaround you choose, you maybe have to do changes only on one DC, if your tool doesn't support bi-directional replication. You can find a HowTo for a rsync-based replication on the Wiki.
Message: Warning: No NC replicated for Connection!
When Samba registers for replication, there are a couple of flags that aren't correctly set. That's what the DRS command shows: They are not set. It's pretty harmless and you can ignore this warning.
Is it possible to replicate between Samba AD and an external LDAP server?
No. This is currently not supported and not expected to be support. The Active Directory LDAP has a different schema layout on LDAP with how Samba 3.x was traditionally deployed, among other serious issues.
How do I get DNS failover in a Multi-DC environment?
- First you setup your additional DC according to the Samba AD DC HowTo. You just skip the provisioning/upgrading part.
- Then join your new DC to the domain. See Join Samba as an additional DC.
- In the output of "samba-tool drs showrepl" you can see, that the DNS partition is replicated too, if everything was successfull.
- At last you have to configure your clients to use the DNS on that additional DC, of course.
Can the internal DNS have more than one forwarder?
No. If you require more than one host to forward foreign requests to, you must use BIND_DLZ.
Does Samba support trust relationship with AD?
Trusts are currently not finished implemented. Samba can be trusted, but can't trust yet.
But even this is unofficial and should not be relied on, because "parts that appear to work are a partial development that just happen to be in our released versions" (July 2014).
Do trusts only not work in Samba AD only environments, and are fine in Samba AD/Windows environments?
No. The Samba DC just won't know much about the trust.
Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level.
Background: The password settings have to be used and validated by the server. Otherwise a modified Windows client or a Unix client (which doesn't handle GPOs) could bypass these settings. But Samba can't evaluate and apply GPO restrictions. It only serves GPOs via the SysVol share.
If you click in GPMC to a GPO, you get a message "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK." Clicking OK won't fix the problem. Instead run
# samba-tool ntacl sysvolreset
Will Samba 4 have a built-in, full fledged LDAP server?
Yes. While we certainly won't compare ourselves with the standards-based products from other vendors (our aim is to please AD clients first, and hopefully do so while complying with the standards), it will include an LDAPv3 server.
Why is the LDAP backend (used so successfully in classic Samba domains) not supported with the AD DC?
We certainly appreciate the bind that the LDAP server situation puts our administrators in. We went to great lengths to try and avoid this, but were unable to make it work, while also supporting features such as DRS replication, and many of the finer points of AD's LDAP server. The biggest killer for the feature was the need for runtime schema translation, or for the administrator to load the AD schema and layout on their external LDAP server (which rather defeats the purpose).
The there are three ways out of this difficult situation
- continue to use Samba as a 'classic' domain controller as-is using smbd/nmbd (this code remains and remains supported).
- Add schema extensions to our LDAP server (disabled by default, but supported), and cope with the AD-specified layout restrictions.
- Somehow sync Samba with an existing LDAP server.
There are major challenges with synchronisation of directories - but it certainly may be an option in some situations.
We certainly understand that it appears almost rude, on the face of it, to step up from being an equal partner in the unix-LDAP ecosystem supporting a number of different directory servers to demanding that everyone else use only our internal server. We do wish it didn't have to be this way, and we have left in (with tests) as much of the code we used for the LDAP backend experiment as is possible, in case somehow someone builds a workable use case in the future.
Is it planned to support openLDAP as backend again?
An LDAP backend to the AD DC is not a viable proposition at this point in time, as even with the addition of massive extra resources trying to revive it would create an incredible distraction.
The biggest issue is that a significant part of the complexity of the AD DC turns out to be in our ldb modules. Creating a general-purpose, OpenLDAP backed AD DC would involve rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Totally removing the LDAP listener would require rewriting even more code than that, and would (based on the past experience of Luke Howard's XAD) require extensive patches to OpenLDAP.
Specific issues include the metadata required for both DRS replication and dirsync, schema manipulation, transactions, Access Control Lists, impersonation (if Samba still operated as an LDAP proxy) or authentication (if OpenLDAP was the LDAP listener) and AD-specific matching rules.
The components of LDAP that are left unaltered, after all this is done, are actually the easy bits, as is seen by the relative simplicity of ldb itself.
Finally, as mentioned in the previous question, even if this was all done, the schema would still be the AD schema, which removes the advantage of doing all that work in the first place.
The team has decided not to peruse this as a development avenue, and no viable approach to re-opening this functionality has been proposed, but where it does not compromise development, the technical doors open for some special case development here have been left open, with code and tests remaining in the tree.
Are anonymous LDAP searches possible?
While there are many good reasons to do or not do this, Samba follows AD, including honouring the dsHuristics flag for this. http://support.microsoft.com/kb/326690
However, it is better to authenticate and Kerberos if used correctly can make that transparent.
Migration from a Samba NT4-style domain to Samba AD
User 'Administrator' in your existing directory has SID ..., expected it to be ...-500
The error says what's wrong: In your NT4-style domain backend, the RID of the domain administrator account isn't 500, what it should be (see. Windows well-known security identifiers). Change it to 500 and start over. You can remove the account, too, as it will be automatically created during the AD provisioning.
Will it also be possible in the future to extend the server by loading user defined schema's?
Yes, user-defined schema may be loaded into the Samba AD DC. It is experimental, so you must set
dsdb:schema update allowed = yes
in the smb.conf to permit it.