Samba 4.0 Whitepaper

From SambaWiki


This document describes the setups supported for Samba 4.0 in the role of an Active Directory domain controller. Samba 4.0 contains the software components that were previously released as the Samba 3 software and adds "Active Directory domain controller" as a new server role. The existing Samba 3 setups are essentially still supported by the Samba 4.0 software.

Samba 3.6-like setups

The classical setups in the style of Samba 3.6 include standalone file servers, domain member servers (with security = domain and security = ads) and NT4-style domain controllers. These setups use (combinations of) the individually started daemons smbd, nmbd and winbindd, and they are still supported with the following exceptions:

  • The "security = server" functionality has been removed.
  • The "security = share" functionality has been removed.


These classical setups are managed with the well-known tools "net", "smbpasswd", "smbcontrol" and several more.

New Features

New features of SMB file serving include:

  • support for SMB 2.0 durable handles
  • support for SMB 2.1 (without the leases and branch cache capabilities)
  • basic support for SMB 3.0 including negotiation, signing, and encryption.

Clustered Setups with CTDB

Clustered variants of the classical setups are supported with the CTDB software as usual.

Active Directory Compatible Server

Samba 4.0 for the first time features an Active Directory Compatible Domain Controller.

The one setup as an Active Directory Compatible Server that is supported out of the box with Samba 4.0 is this:

  • There is only a single domain in the forest.
  • There are no cross-forest trusts (more explicitly, Samba can be trusted but cannot trust).
  • Samba is the only domain controller in its domain.

These limitations are being worked on and will be removed in later 4.X releases.

The support for multiple domain controllers in a domain requires two flavours of replication:

  • directory replication (for the user database)
  • file system replication (for the sysvol and netlogon shares)

Of these two Windows protocols, directory replication is available in Samba, but file system replication is still being worked on.

Note: homogeneous Samba 4.0 multi-DC domains

Hence one can set up homogeneous Samba 4.0 Active Directory multi-DC domains, i.e. domains with multiple Samba 4.0 domain controllers and no Windows domain controllers. For this kind of setup, one needs to set up an external substitute for the file system replication, for instance with some rsync-based shell scripts. This has to be done very carefully, though, since there is no concept of a sysvol master role in Samba.
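One way to build such a substitute, as an added shell example that is not code from this page or from the Samba project: because Samba enforces no sysvol master role, the script designates one DC as master by configuration, refuses to push from any other host, and mirrors sysvol one way only. The host names and paths are assumptions.

```shell
#!/bin/sh
# Added example: one-way sysvol push from a designated "master" DC to the other
# Samba DCs. Samba has no sysvol master role, so this script enforces one itself:
# only the host named in SYSVOL_MASTER may push; every other host refuses to run.
# Host names and paths below are assumptions, not values from the Samba wiki page.

SYSVOL_MASTER="${SYSVOL_MASTER:-dc1.example.com}"      # the one DC allowed to push
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol/}"     # trailing slash: sync contents
SYSVOL_PEERS="${SYSVOL_PEERS:-dc2.example.com dc3.example.com}"

# is_sysvol_master HOSTNAME -> exit status 0 only for the designated master
is_sysvol_master() {
    [ "$1" = "$SYSVOL_MASTER" ]
}

# sysvol_push SRC DEST
# Mirrors SRC to DEST with rsync. -A and -X carry POSIX ACLs and the extended
# attributes in which Samba stores the NT ACLs of sysvol; --delete makes DEST a
# true mirror so that stale policy files do not linger on the receiving DC.
sysvol_push() {
    rsync -aAX --delete "$1" "$2"
}

# sysvol_replicate [HOSTNAME]
# Refuses to run anywhere but the master, so two DCs can never push over each
# other, then pushes the local sysvol to every peer. Returns 1 on a non-master
# host, otherwise the number of peers whose push failed (0 = all succeeded).
sysvol_replicate() {
    host="${1:-$(hostname -f)}"
    if ! is_sysvol_master "$host"; then
        echo "sysvol replication refused: $host is not $SYSVOL_MASTER" >&2
        return 1
    fi
    failed=0
    for peer in $SYSVOL_PEERS; do
        sysvol_push "$SYSVOL_DIR" "$peer:$SYSVOL_DIR" || failed=$((failed + 1))
    done
    return "$failed"
}
```

Run it from cron on the master only; if a peer's filesystem cannot carry the extended attributes, `samba-tool ntacl sysvolreset` on that peer restores the NT ACLs after the push.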


The Active Directory part is administered with the new "samba-tool" command.