Starting from version 4.0, Samba is able to run as an Active Directory (AD) domain controller (DC). If you are installing Samba in a production environment, it is recommended to run two or more DCs for failover reasons.

This example is configured in the following environment:


Domain Name:BFURTHER

Preparing the Installation

  • Use a static IP address on the DC.
  • Disable tools, such as resolvconf, that automatically update your /etc/resolv.conf DNS resolver configuration file. AD DCs and domain members must use an DNS server that is able to resolve the AD DNS zones.
  • Select a DNS domain for your AD forest. The name will also be used as the AD Kerberos realm.

Make sure that you provision the AD using a DNS domain that will not need to be changed. Samba does not support renaming the AD DNS zone and Kerberos realm. Do not use .local for the TLD, this is used by Avahi.


For additional information, see Active Directory Naming FAQ.

Set a fully qualified domain name (FQDN) hostname on your server

No matter your server is a testing machine or production server, it’s strongly recommended to set a fully qualified domain name (FQDN) hostname.

Enter command hostname -f to view the current hostname:

root@dc:~# hostname -f

On Debian Linux, hostname is set in two files: /etc/hostname and /etc/hosts.

  • /etc/hostname: short hostname, not FQDN.
  • /etc/hosts: static table lookup for hostnames. Warning: Please list the FQDN hostname as first item.
# Part of file: /etc/hosts	localhost	dc.bfurther.demo dc

Verify the FQDN hostname. If it wasn’t changed after updating above two files, please reboot server to make it work.

root@dc:~# hostname -f

Remove an existing /etc/krb5.conf file:

root@dc:~# rm /etc/krb5.conf

*) Install required packages

root@dc:~# apt -y install samba krb5-config winbind smbclient
Samba server and utilities
Configuration Kerberos Authentication :: Realm
Configuration Kerberos Authentication :: Hostname
Configuration Kerberos Authentication :: Hostname


Rename or remove the default config

root@dc:~# mv /etc/samba/smb.conf /etc/samba/

Provisioning Samba AD in Interactive Mode

root@dc:~# samba-tool domain provision --use-rfc2307 --interactive
Domain [BFURTHER]:
Server Role (dc, member, standalone) [dc]:
DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=bfurther,DC=demo
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bfurther,DC=demo
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: dc
DNS Domain: bfurther.demo
DOMAIN SID: S-1-5-21-3602519554-868990551-1084580647

Configuring the DNS Resolver: /etc/resolv.conf

domain bfurther.demo
search bfurther.demo

Configuring Kerberos: /etc/krb5.conf

root@dc:~# cp /var/lib/samba/private/krb5.conf /etc

Configure samba….

root@dc:~# systemctl stop smbd nmbd winbind
root@dc:~# systemctl disable smbd nmbd winbind
Synchronizing state of smbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable smbd
Synchronizing state of nmbd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable nmbd
Synchronizing state of winbind.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable winbind
Removed /etc/systemd/system/
Removed /etc/systemd/system/
Removed /etc/systemd/system/
root@dc:~# systemctl unmask samba-ad-dc
Removed /etc/systemd/system/samba-ad-dc.service.
root@dc:~# systemctl start samba-ad-dc
root@dc:~# systemctl enable samba-ad-dc
Synchronizing state of samba-ad-dc.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable samba-ad-dc
Created symlink /etc/systemd/system/ → /lib/systemd/system/samba-ad-dc.service.

Verifying the File Server

root@dc:~# smbclient -L localhost -U%
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------

To verify authentication, connect to the netlogon share using the domain administrator account:

root@dc:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter BFURTHER\Administrator's password:
.    D    0 Sun May 17 13:04:41 2020
..   D    0 Sun May 17 13:04:44 2020

    6880992 blocks of size 1024. 5039080 blocks available

Verify domain level

root@dc:~# samba-tool domain level show
Domain and forest function level for domain 'DC=bfurther,DC=demo'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2