Samba 4 as Active Directory configuration guide

What is Samba4 meant to accomplish? In simplest terms, Samba4 is an ambitious, yet achievable, reworking of the Samba code.
Major features for Samba4 already include:

  • Support for the 'Active Directory' logon and administration protocols that support Windows XP, Windows7, and Mac OS X clients
  • Support for Group Policy definitions
  • New 'full coverage' testsuites
  • Full NTFS semantics for sharing backends
  • An internal LDAP server, with AD semantics
  • An internal Kerberos server, including PAC support
  • Bind9 integration for AD DNS support (with DLS)
  • Fully asynchronous internals
  • Flexible process models
  • Better scalability from micro to very large installations
  • New RPC infrastructure (PIDL)
  • A flexible database architecture (LDB)
  • Python support - used extensively for client and management tools
  • Generic security subsystem (GENSEC)
  • Over 50% auto-generated code!


Lab Environment

Server: CentOS 6.2
IP Address:
I won't be able to explain each and every configuration part here for further refrence you can visit this website
For installing the latest version of Samba 4 i.e.4.1 follow the below link
Configure Samba 4.1 in Linux as AD

Prerequisite before starting with the configuration

Install below rpms

# yum -y install git gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig zlib-devel setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel

Once all these packages are installed move on to the next step. Now you need to download the samba4 package.

# git clone git:// samba-master; cd samba-master
# cd samba-master
# ./configure.developer
# make
# make install

If this step is completed without any error move on the provision step

/usr/local/samba/sbin/provision --domain=EXAMPLE --adminpass=SOMEPASSWORD --server-role=dc

Once this step is completed you will see the configured options which you mentioned above. Now time to start your samba server.
NOTE: Make sure you do not have any other samba server installed apart from the one you just installed.
You will have to add the PATH variable for Samba4 in your machine.

# export PATH=$PATH:/usr/local/samba/sbin:/usr/local/samba/bin

Save this path inside .bash_profile so that you do not need to export it every time you login after reboot.

Run your samba services

Execute from the terminal as root user

# samba

Testing samba4

# smbclient --version

This should show you a version starting with "Version 4.0.XXXXX"
Now try this command:

# smbclient -L localhost -U%

and check if you get a proper reply with all the shared directories including sysvol and netlogon.
The 'netlogon' and 'sysvol' shares are basic shares needed for Active Directory server operation.
To test that authentication is working, you should try to connect to the netlogon share using the administrator password you set earlier.

# smbclient //localhost/netlogon -Uadministrator%PASSWORD

Now the problem which I faced was that sample named.conf, krb5.conf and which was supposed to be created after the provision step was missing or was not properly created. So I decided to download another version of samba from the following website on one of my test servers.

Once it was downloaded I repeated the above steps i.e. configure, make and make install. Once those process were completed successfully I ran the provision command using the same realm and provision which I had used in the above case. And adding to my surprise this time the, sample named.conf and krb5.conf was there in their default location inside /usr/local/samba
So I copied those files from my test servers to samba server inside the proper location. Here I have pasted my krb5.conf, named.conf and but since you will be using some other REALM and domain name and if you are also facing the issue as I faced you can follow the same steps which I took here. As it would be hard and risky to manually create those files.

Configure DNS

Make sure DNS package is installed in your machine

# yum -y install bind

Make the following changes in your named.conf

# vi /etc/named.conf
options {
        listen-on port 53 {; };
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost; any; };
         recursion yes;
         dnssec-enable yes;
         dnssec-validation yes;
         dnssec-lookaside auto;
         /* Path to ISC DLV key */
 #       bindkeys-file "/etc/named.iscdlv.key";
 logging {
         channel default_debug {
                 file "data/";
                 severity dynamic;
 zone "." IN {
         type hint;
         file "";
 include "/etc/named.rfc1912.zones";
 include "/usr/local/samba/private/named.conf";

Now you need to edit /usr/local/samba/private/named.conf file so take a backup of this file and create a new named.conf inside the same location with following details

# vi  /usr/local/samba/private/named.conf
# This file should be included in your main BIND configuration file
# For example with
# include "/usr/local/samba/private/named.conf";
zone "" IN {
        type master;
        file "/usr/local/samba/private/";
         * Attention: Not all BIND versions support "ms-self". The instead use
         * of allow-update { any; }; is another, but less secure possibility.
        update-policy {
                 * A rather long description here, as the "ms-self" option does
                 * not appear in any docs yet (it can only be found in the
                 * source code).
                 * The short of it is that each host is allowed to update its
                 * own A and AAAA records, when the update request is properly
                 * signed by the host itself.
                 * The long description is (look at the
                 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
                 * its definition in lib/dns/gssapictx.c for details):
                 * A GSS-TSIG update request will be signed by a given signer
                 * (e.g. machine-name$@EXAMPLE.COM).  The signer name is split into
                 * the machine component (e.g. "machine-name") and the realm
                 * component (e.g. "EXAMPLE.COM").  The update is allowed if the
                 * following conditions are met:
                 * 1) The machine component of the signer name matches the first
                 * (host) component of the FQDN that is being updated.
                 * 2) The realm component of the signer name matches the realm
                 * in the grant statement below (EXAMPLE.COM).
                 * 3) The domain component of the FQDN that is being updated
                 * matches the realm in the grant statement below.
                 * If the 3 conditions above are satisfied, the update succeeds.
grant EXAMPLE.COM ms-self * A AAAA;
# The reverse zone configuration is optional.  The following example assumes a
# subnet of
zone "" in {
        type master;
        file "";
        update-policy {
                grant *.COM wildcard * PTR;
# Note that the reverse zone file is not created during the provision process.
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates.  If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.


# vi /usr/local/samba/private/
; -*- zone -*-
; generated by
@               IN SOA  @   hostmaster (
                                2012052216   ; serial
                                2D              ; refresh
                                4H              ; retry
                                6W              ; expiry
                                1W )            ; minimum
                        IN NS   server1             IN A
server1        IN A
 gc._msdcs               IN CNAME        server1
8de12608-9880-4c52-ad21-8a1bf5ef7e41._msdcs     IN CNAME        server1
 ; global catalog servers
_gc._tcp                IN SRV 0 100 3268       server1
_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268       server1
_ldap._tcp.gc._msdcs    IN SRV 0 100 389        server1
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 389 server1
; ldap servers
_ldap._tcp              IN SRV 0 100 389        server1
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        server1
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        server1
_ldap._tcp.d709eaf9-d010-4f94-916c-ca3e8e179e24 IN SRV 0 100 389        server1          IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites               IN SRV 0 100 389 server1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389 server1
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         server1
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88 server1
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 server1
_kerberos._udp          IN SRV 0 100 88         server1
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp           IN SRV 0 100 88         server1
_kerberos-master._udp           IN SRV 0 100 88         server1
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        server1
_kpasswd._udp           IN SRV 0 100 464        server1
; heimdal 'find realm for host' hack
_kerberos               IN TXT  EXAMPLE.COM
 samba           IN A

Change your DNS server pointing towards your IP inside resolv.conf and ifcfg-eth0 then restart your network card and named service

# service named restart

Check your DNS if it is working properly or not and if you get the following replies then you are good to go:

# host -t SRV has SRV record 0 100 389
 # host -t SRV has SRV record 0 100 88
 # host -t A has address

Now take a backup of your existing krb5.conf and replace it with the following
Make sure kerberos package is installed in your system

# yum -y install krb5-workstation
# mv /etc/krb5.conf /etc/krb5.conf.orig
# vi /etc/krb5.conf
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes
        EXAMPLE.COM = {
                kdc =
                admin_server =
                default_domain =
[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

Now check your kerberos

# kinit administrator@EXAMPLE.COM
password for administrator@EXAMPLE.COM:

Enter the password and the part of configuration on server is done.
Check your firewall and selinux settings as in my case I have disabled both the options.
To configure iptables for Samba4 follow the below link
iptables rules for Samba 4 in Red Hat Linux
To configure a secondary domain controller using Samba4
How to configure Samba 4 Secondary Domain Controller

Client: Windows XP and Windows 7

Change the DNS of your client machine with the server IP and make sure the time zone of the client machine is same as the server.
From here you can follow this page to configure your client machine as a part of the domain and manage group policy for all the users.