- 1 Introduction
- 2 General Samba Questions
- 3 Samba as an Active Directory Domain Controller
- 3.1 General
- 3.1.1 Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment?
- 3.1.2 What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?
- 3.1.3 I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest?
- 3.1.4 Why Is the Network Neighbourhood Empty or Does Not Show All Machines in the Domain?
- 3.1.5 What Does Warning: No NC replicated for Connection! Mean?
- 3.1.6 Can I Use the Samba AD DC as a Fileserver?
- 3.2 Configuration
- 3.3 Directory Schema
- 3.4 Kerberos
- 3.5 Replication
- 3.6 DNS
- 3.7 How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?
- 3.8 Trust Support
- 3.9 Group Policy Support
- 3.10 LDAP
- 4 Samba as a Domain Member
- 5 Samba as NT4 Primary Domain Controller
The questions listed here are frequently asked on the Samba mailing list.
General Samba Questions
When Will the Next Samba Version Be Released?
For details, see Samba Release Planning.
Can I Get Help with a Problem in an Unsupported Samba Version?
Update to a supported version first. It is likely that the problem has been fixed in the meantime. Samba is actively developed and new minor versions fix several bugs and major versions additionally include new features. If you cannot update to the latest version in the current stable release series, update to the latest version in any other supported series. For details, see Samba Release Planning.
If you are running a Samba version shipped with your distribution and that is no longer supported by Samba, contact your distribution's support for help.
How Do I Update Samba?
See Updating Samba.
What Is the Maximum Size of a LDB or TDB Database File?
The maximum size is 4 GB because the databases use 32-bit structures.
Previously, there was a project called NTDB that should address the size limit and other problems. However, the project has been stopped because of problems migrating the databases.
Samba as an Active Directory Domain Controller
Is Samba as an Active Directory Domain Controller Stable Enough for a Production Environment?
Samba AD is stable for production environments. The AD DC support was introduced in the 4.0 version, which was released in December 2012. However, Samba AD has some unimplemented features, such as Sysvol replication.
What Does ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required Mean?
I Am Running Samba as an AD DC. Which Windows Server Version Can I Join as a DC to the Forest?
The following Windows Server versions are supported as a DC together with a Samba DC:

| Windows Server Version | Comments |
|---|---|
| Windows Server 2016 | Not supported. |
| Windows Server 2012 / 2012 R2 | Supported in Samba >= 4.5. For details, see Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD. |
| Windows Server 2008 / 2008 R2 | Supported in Samba >= 4.0. For details, see Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD. |
| Windows Server 2003 / 2003 R2 | Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft. |
| Windows 2000 | Not tested. Windows Server 2003 and 2003 R2 are no longer supported by Microsoft. |
One of the limiting items is the AD schema version. For details, see AD Schema Version Support.
Why Is the Network Neighbourhood Empty, or Why Does It Not Show All Machines in the Domain?
The Samba AD DC smbd daemon does not support browsing.
It is planned to add this feature. However, there are no development resources and thus no date when this feature will be included.
What Does Warning: No NC replicated for Connection! Mean?
When running the samba-tool drs showrepl command, the following warning is displayed at the end of the output:
Warning: No NC replicated for Connection!
The warning appears because Samba incorrectly sets some flags when registering the DC for replication. The warning is harmless and can be ignored.
Can I Use the Samba AD DC as a Fileserver?
Whilst it is not recommended, yes you can, but you should be aware of its limitations. Amongst them is that you cannot obtain the users' Unix home directories or login shells from AD; you must use template lines in smb.conf.
Why Do I Not Have a server services Parameter in My smb.conf File?
The server services options in the smb.conf file are set during provisioning of a Samba AD DC, based on the settings you made during this process. If this parameter is not listed in the [global] section of your smb.conf file, the default values are used.
For details, see the smb.conf (5) man page.
Can I Disable Some of the server services Options in the smb.conf File?
The server services options in the smb.conf file are set during provisioning of a Samba AD DC, based on the settings you made during this process.
Removing or modifying any of the options can result in an incorrectly operating Samba AD DC!
However, there are a few situations where you can manually update the options:
- To disable the network printing spooler:
  - Change the
- To switch the DNS back end:
  - For details, see Changing the DNS Back End of a Samba AD DC.
On non-AD DCs, you can set the map to guest parameter in the smb.conf file to bad user to enable guest access. However, guest access is based on the guest account parameter, which is not implemented in the Samba AD mode.
Can I Change the ID Range on a DC?
Yes, very easily: just give your users uidNumber attributes containing numbers inside the range you want to use. You should also give Domain Users a gidNumber attribute containing a number inside the same range.
|Do not add any of the |
Which Active Directory Schema Versions Does Samba Support When Set up as a DC?
For details, see AD Schema Version Support.
Is It Possible to Extend the Samba AD Schema?
For details, see Samba AD Schema Extensions.
What Does UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT Mean?
On the first start of a Samba DC in an existing Windows AD forest, the following error message is logged:
UpdateRefs failed with WERR_DS_DRA_BAD_NC/NT code 0xc00020f8 for <DC_objectUID>._msdcs.samdom.example.com CN=RID Manager$,CN=System,DC=samba,DC=example,DC=com
This error is logged by the knowledge consistency checker (KCC), until the Windows DC has established the connections to the Samba DC.
To fix the problem, run:
- on your Windows DC:
C:\> repadmin /kcc
- or alternatively on your Samba DC:
# samba-tool drs kcc -Uadministrator Windows_DC.samdom.example.com
Do Samba AD DCs Support Replication?
- Everything stored inside the AD is replicated between DCs. For example: users, groups, and DNS records.
- In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. For a workaround, see Sysvol Replication (DFS-R).
Is a Samba DC Able to Replicate the Directory Content with a Non-AD LDAP Server?
Active Directory uses a different schema than other LDAP servers, and thus replicating with non-AD LDAP servers is not supported and not planned to be supported.
Can I Set Multiple Forwarder Servers for the Internal DNS Server?
Setting multiple DNS forwarder servers is supported in Samba 4.5 and later versions.
For details, see Setting up a DNS Forwarder.
How Do I Set up the BIND DNS Server to Replicate AD DNS Zones?
Updates of the Active Directory DNS zones are transferred automatically to other AD DNS servers using directory replication.
Zone transfers to non-AD DNS servers is not supported.
Can I Use the .local Top-level Domain for My AD DNS Zone?
Using the .local top-level domain is not recommended. For details, see Using an Invalid TLD.
Does Samba AD Support Trust Relationships?
The trust feature is experimental and has several limitations, such as:
- SID filtering rules are not applied
- You cannot add users and groups of a trusted domain into domain groups.
Group Policy Support
Is It Possible to Set User Specific Password Policies in Samba AD, Such as on an Organisational Unit?
Password settings are validated and applied by the DC, so that modified Windows or Unix clients cannot bypass the rules. However, Samba does not support GPO restrictions and only serves GPOs to clients through the Sysvol share.
Use the samba-tool domain passwordsettings command to update password policies on a DC for a domain.
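Because the policy lives in the domain rather than in a GPO, the practical check is to read back what the DC enforces and compare it with a baseline. The following shell script is an added example (not from the Samba wiki); SAMPLE_OUTPUT is constructed in the shape of what samba-tool domain passwordsettings show prints, and the baseline values in audit_policy are an assumed example policy, not a Samba default.

```shell
#!/bin/sh
# Added example: audit the domain password policy that
# "samba-tool domain passwordsettings show" reports against a baseline.
# SAMPLE_OUTPUT is constructed sample data in the shape of that command's
# output; on a live DC replace it with the real command output, e.g.
#   audit_policy "$(samba-tool domain passwordsettings show)"

SAMPLE_OUTPUT="Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30"

# policy_value OUTPUT LABEL -> the value printed after "LABEL:" (empty if absent)
policy_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# policy_check LABEL WANT OP -> prints a FAIL line and flags AUDIT_RC when the
# value in AUDIT_OUT does not satisfy "value OP WANT" (OP is eq, ge or le)
policy_check() {
    got=$(policy_value "$AUDIT_OUT" "$1")
    case $3 in
        eq) [ "$got" = "$2" ] && return 0 ;;
        ge) [ "${got:-0}" -ge "$2" ] 2>/dev/null && return 0 ;;
        le) [ "${got:-0}" -le "$2" ] 2>/dev/null && return 0 ;;
    esac
    echo "FAIL $1: got ${got:-<unset>}, want $3 $2"
    AUDIT_RC=1
}

# audit_policy OUTPUT -> one FAIL line per deviation from the (assumed)
# baseline below; returns 0 when compliant, 1 otherwise
audit_policy() {
    AUDIT_OUT=$1
    AUDIT_RC=0
    policy_check "Password complexity" on eq
    policy_check "Store plaintext passwords" off eq
    policy_check "Password history length" 24 ge
    policy_check "Minimum password length" 12 ge
    policy_check "Maximum password age (days)" 90 le
    policy_check "Account lockout threshold (attempts)" 1 ge
    return $AUDIT_RC
}

audit_policy "$SAMPLE_OUTPUT"
```

On the constructed sample the audit reports two deviations (a minimum length of 7 and a lockout threshold of 0, which disables lockout). Deviations are corrected domain-wide with the set subcommand of the same tool, for example samba-tool domain passwordsettings set --min-pwd-length=12 --account-lockout-threshold=5.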
What Does The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory Mean?
When you click a GPO in the Group Policy Management Console, the following error is displayed:
The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
See the page Sysvolreset for troubleshooting steps.
Do Samba AD DCs Support OpenLDAP or Other LDAP Servers as the Back End?
Active Directory requires features, such as ACLs stored within the directory and a different schema, that are not supported by LDAP servers.
One of the main reasons people ask for OpenLDAP as the back end for AD is that they are currently running Samba as an NT4 PDC using the OpenLDAP back end and want to migrate to Samba AD without manually transferring directory data to AD. However, even if OpenLDAP became a supported back end on a Samba AD DC, the directory schema would be the AD schema. This means you would still have to update external applications accessing the directory, just as you have to do when you use the Samba internal LDAP server. Additionally, you would have to import manually any attributes from the old LDAP server that are not included in the AD schema.
Is It Planned to Support OpenLDAP as Back End for Samba AD?
Currently, there is no active work on this project.
The biggest problem is that a significant part of the complexity of the AD DC is in the LDB modules. Creating a general-purpose OpenLDAP back end requires rewriting many of these modules as OpenLDAP overlays, outside the standard Samba programming environment.
Specific problems include:
- the metadata required for both DRS replication and dirsync
- schema manipulation
- access control lists (ACL)
The Samba team decided not to pursue this as a development avenue, and no viable approach to re-opening this functionality has been proposed.
Does the Samba Internal LDAP Server Support Anonymous Searches?
Samba honours the dSHeuristics flag. For details, see http://support.microsoft.com/kb/326690
However, enabling anonymous access to the AD raises security problems and is not recommended. Configure LDAP authentication or Kerberos support in your client instead.
Samba as a Domain Member
Do I Provision a Samba Domain Member Using
From the roles the samba-tool domain provision --help command offers, the only supported provision role is DC (Active Directory domain controller).
Provisioning any other role results in an incorrectly working version of an AD DC. If you do provision a different role, remove all Samba database files and the generated smb.conf file, and join the domain member using the net command. For details, see Setting up Samba as a Domain Member.
Which Windows Server Versions Are Supported as a Domain Member in a Samba AD?
For details, see Supported Windows Versions.
I Have Set up a Domain Member Using the idmap_ad Back End, but getent passwd and getent group Do Not Show Users, Computers or Groups
Try explicitly asking for a user or group, i.e. getent passwd auser. This is because winbind no longer enumerates users and groups by default.
Computers are never enumerated, but are shown only when queried explicitly, i.e. getent passwd SAMDOM\hostname$.
If you want to show all users and groups, you will need to add these lines to smb.conf:
winbind enumerate users = yes
winbind enumerate groups = yes
Note: You should only add these lines for testing purposes.
If, after trying the above, you still do not get any users, groups or computers, check that:
- Your users have a uidNumber attribute containing a unique number inside the range set in smb.conf.
  - Example: If you have idmap config DOMAIN : range = 10000-999999 in smb.conf, your users' uidNumber attributes should start at 10000 and go up to 999999; any number outside this range will be ignored.
- The Windows group Domain Users has a gidNumber attribute containing a number inside the same range. If Domain Users does not have a gidNumber, ALL users will be ignored.
- Your computers have a uidNumber attribute as outlined above for users. Computers do not need a
- libnss_winbind is set up correctly, see here.
- The group lines in /etc/nsswitch.conf have had 'winbind' added, see here.
If you set the uidNumber attribute for a computer, also known as the "Windows machine network account", e.g. SAMDOM\hostname$, the computer will have access to Samba shares if they permit groups like Domain Computers. This can be useful during startup.
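The two range checks above (the "Can I Change the ID Range on a DC?" answer and the idmap_ad checklist) can be scripted. The following is an added example, not from the Samba wiki: it reads the idmap config DOMAIN : range line from an smb.conf and reports, per account, whether the uidNumber/gidNumber falls inside it, including the special case that a missing or out-of-range gidNumber on Domain Users hides all users. Both the smb.conf fragment and the LDIF are constructed sample data; on a real domain member the LDIF would come from ldbsearch or ldapsearch against the DC.

```shell
#!/bin/sh
# Added example: verify uidNumber/gidNumber values against the idmap_ad range.
# SAMPLE_SMB_CONF and SAMPLE_LDIF are constructed, not taken from a real domain.

SAMPLE_SMB_CONF='[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
'

# Constructed LDIF in the shape ldbsearch/ldapsearch return it
SAMPLE_LDIF='dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob
uidNumber: 5000

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: carol
'

# idmap_range CONF DOMAIN -> "LOW HIGH" from "idmap config DOMAIN : range = LOW-HIGH"
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        tolower($0) ~ "^[ \t]*idmap config[ \t]*" tolower(dom) "[ \t]*:[ \t]*range[ \t]*=" {
            sub(/.*=[ \t]*/, ""); split($0, r, "-"); print r[1], r[2]; exit
        }'
}

# check_ids CONF DOMAIN LDIF -> one line per account: NAME ATTR VALUE STATUS,
# followed by a WARNING line when Domain Users lacks a usable gidNumber
check_ids() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || { echo "no idmap range for $2 in smb.conf"; return 1; }
    low=${range% *}
    high=${range#* }
    printf '%s\n' "$3" | awk -v low="$low" -v high="$high" '
        function flush() {
            if (name == "") return
            if (attr == "") status = "MISSING"
            else if (val+0 < low+0 || val+0 > high+0) status = "OUT_OF_RANGE"
            else status = "OK"
            if (name == "Domain Users" && status == "OK") du_ok = 1
            print name, (attr == "" ? "-" : attr), (attr == "" ? "-" : val), status
            name = attr = val = ""
        }
        /^sAMAccountName: / { name = substr($0, 17) }
        /^uidNumber: /      { attr = "uidNumber"; val = substr($0, 12) }
        /^gidNumber: /      { attr = "gidNumber"; val = substr($0, 12) }
        /^$/                { flush() }
        END {
            flush()
            if (!du_ok) print "WARNING: Domain Users has no gidNumber inside the range, ALL users will be ignored"
        }'
}

check_ids "$SAMPLE_SMB_CONF" SAMDOM "$SAMPLE_LDIF"
```

On the sample data, alice and Domain Users pass, bob is flagged OUT_OF_RANGE (5000 is below 10000) and carol is flagged MISSING, which matches what getent would silently omit.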
Samba as NT4 Primary Domain Controller
Do I Have to Migrate to Samba AD?
One of the common misconceptions is: "Samba 4" means "Active Directory only": This is wrong!
The Active Directory (AD) Domain Controller (DC) support is one of the enhancements in Samba 4.0. However, all newer versions include the features of previous versions, including the NT4-style (classic) domain support. This means you can update a Samba 3.x NT4-style PDC to a recent version, just as you updated in the past, for example from 3.5.x to 3.6.x. There is no need to migrate an NT4-style domain to an AD.
Additionally, all recent versions continue to support setting up a new NT4-style PDC. The AD support in Samba 4.0 and later is optional and does not replace the PDC feature. The Samba team understands the difficulty presented by existing LDAP structures. For that reason, there is no plan to remove the classic PDC support. Additionally, we continue testing the PDC support in our continuous integration system.
What Does User Administrator in your existing directory has SID ..., expected it to be ...-500 Mean?
In your current NT4 domain, the RID of the domain administrator account is not 500. For details, see Windows well-known security identifiers.
- Remove the account. It will be recreated automatically during the classic upgrade.
- Update the RID of the account manually to 500 in your current Samba back end.
However, you then have to reconfigure applications or file system ACLs listing the domain administrator, because in the back end the objectSID attribute is used to identify a user. Thus, after changing the RID of the account, it is a different account.
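The same mismatch can be caught before the classic upgrade is attempted. The following shell script is an added example, not from the Samba wiki: it extracts the administrator's SID from an LDIF export of the NT4-style back end and reports whether its RID is 500. The LDIF is constructed sample data, and the script accepts either sambaSID (the attribute name used by the Samba 3 LDAP schema, an assumption of this example) or objectSid, the name the answer above uses.

```shell
#!/bin/sh
# Added example: pre-upgrade check that the domain administrator has RID 500.
# SAMPLE_LDIF is constructed; on a real PDC feed it the output of an
# ldapsearch for the account entries instead.

SAMPLE_LDIF='dn: uid=Administrator,ou=Users,dc=samdom,dc=example,dc=com
uid: Administrator
sambaSID: S-1-5-21-1234567890-234567890-345678901-1001

dn: uid=alice,ou=Users,dc=samdom,dc=example,dc=com
uid: alice
sambaSID: S-1-5-21-1234567890-234567890-345678901-1002
'

# sid_rid SID -> the relative identifier, i.e. the last dash-separated component
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# account_sid LDIF ACCOUNT -> SID (sambaSID or objectSid) of the entry whose uid matches
account_sid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^uid: / { hit = (substr($0, 6) == want) }
        hit && /^(sambaSID|objectSid): / { print $2; exit }
        /^$/ { hit = 0 }'
}

# check_admin_rid LDIF -> prints OK, "MISMATCH <rid>" or MISSING; non-zero
# exit status unless the RID is 500, mirroring the classic upgrade complaint
check_admin_rid() {
    sid=$(account_sid "$1" Administrator)
    [ -n "$sid" ] || { echo MISSING; return 1; }
    rid=$(sid_rid "$sid")
    if [ "$rid" = 500 ]; then
        echo OK
    else
        echo "MISMATCH $rid"
        return 1
    fi
}

check_admin_rid "$SAMPLE_LDIF"
```

On the sample the check prints MISMATCH 1001, which is exactly the situation that produces the error message above; fixing the RID in the back end (or removing the account so the upgrade recreates it) makes the check print OK.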