If you've been struggling with Samba3 domain controllers and NT4-style domains working with Windows 7 (or Vista), you are not alone. Various workarounds and hacks exist for the 3.3, 3.4, 3.5 and 3.6 series of Samba to make this go. Our experience (50+ installs) has been intermittent success, with seemingly random failures (trust relationships, etc.).
Move forward to Samba4
Prerequisites
For Samba4 to operate properly you'll need properly running DHCP/DNS (dnsmasq) as well as NTP (openntpd). The DHCP/DNS services don't necessarily have to run on the Samba server, but NTP should be running on the domain controller.
Installing Samba4
It's crazy easy on Gentoo/Praxis, still easy on Ubuntu. Use the latest git master for the best success.
Gentoo Based
~ # echo "=net-fs/samba-4.0.0_alpha11" >> /etc/portage/package.unmask
~ # export USE="readline smbclient sqlite threads"
~ # ACCEPT_KEYWORDS="~amd64" emerge -av =net-fs/samba-4.0.0_alpha11
[ebuild   R   ] sys-libs/talloc-2.0.7  USE="-compat python*" 0 kB
[ebuild  N    ] sys-libs/tevent-0.9.16  484 kB
[ebuild     U#] net-fs/samba-4.0.0_alpha11 [3.5.15]  USE="(-acl%*) (-addns%) (-ads%) (-aio%*) (-avahi%) -caps client (-cluster%) (-cups%) -debug (-doc%) -dso% (-examples%) (-fam%) -gnutls% (-ldap%*) (-ldb%) netapi (-pam%*) python%* (-quota%) (-readline%*) server (-smbclient%*) (-smbsharemodes%) (-smbtav2%) -sqlite% (-swat%) (-syslog%*) -threads% tools%* (-winbind%)" 13,592 kB
Ubuntu Based
~ # apt-get install build-essential libacl1-dev python-dev libldap2-dev pkg-config gdb libgnutls-dev libblkid-dev libreadline-dev libattr1-dev
~ # git clone git://git.samba.org/samba.git /usr/src/samba4/
~ # cd /usr/src/samba4
~ # ./configure --enable-debug
~ # make
~ # make install
~ # export PATH="/usr/local/samba/sbin:/usr/local/samba/bin:$PATH"
Provision Samba4
Run the simple provision command to create a new Active Directory style domain.
~ # provision \
    --realm=domain.lan --domain=nt4dom \
    --server-role=dc \
    --dns-backend=NONE \
    --adminpass='Cl3verG1rl'
# --dns-backend=NONE leaves DNS to dnsmasq (below); the other value, SAMBA_INTERNAL, would have Samba serve DNS itself.
If you get a message like this:
ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
You'll need to fix that to proceed, either by mounting your filesystem with ACL support in place or by adding this option to the provision command:
--use-ntvfs
Really, you should fix your file system.
DNS Updates for dnsmasq
Most of the documentation points to using Bind9 as the DNS system for your Active Directory. I hate bind, so it's dnsmasq to the rescue.
AD depends on a number of special SRV and A/CNAME records to function nicely. So, in addition to the traditional host records from DHCP or /etc/hosts, we need to add the following to the dnsmasq configuration.
The variables here represent values for your environment; adjust as necessary. This is available as a script from edoceo.com/pub/samba4-dnsmasq-update.sh.
PDC="pdc"
IP4="10.65.0.3"
DOMAIN="edoceo.lan"
NT4DOM="edoceo"
ADHOST="${PDC}.${DOMAIN}"
ADGUID="00ed0ce0-1234-4321-4444-d5a81a980958"
ADSITE="default-first-site-name"

address=/${ADGUID}._msdcs.${DOMAIN}/$IP4
# address=/${ADGUID}._msdcs.${DOMAIN}/$IP6
address=/gc._msdcs.${DOMAIN}/$IP4
# address=/gc._msdcs.${DOMAIN}/$IP6
address=/kerberos.${DOMAIN}/$IP4
# address=/kerberos.${DOMAIN}/$IP6
# Maybe Remove the Above for ADGUID?

# Global Catalog
srv-host=_gc._tcp.${DOMAIN},${ADHOST},3268
srv-host=_gc._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},3268

# Kerberos
# This is queried for, but I don't know which port to reply with
# srv-host=_kerberos._http.${DOMAIN},${ADHOST},80
srv-host=_kerberos._tcp.${DOMAIN},${ADHOST},88
srv-host=_kerberos._tcp.dc._msdcs.${DOMAIN},${ADHOST},88
srv-host=_kerberos._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},88
srv-host=_kerberos._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},88
srv-host=_kerberos._udp.${DOMAIN},${ADHOST},88

# kpasswd
srv-host=_kpasswd._tcp.${DOMAIN},${ADHOST},464
srv-host=_kpasswd._udp.${DOMAIN},${ADHOST},464

# LDAP Server
srv-host=_ldap._tcp.5e6c4f0e-995e-4ccb-ae97-9629e2be9130.domains._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.${PDC}.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.dc._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.gc._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.gc._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${PDC}._msdcs.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${PDC}.${DOMAIN},${ADHOST},389
srv-host=_ldap._tcp.${DOMAIN},${ADHOST},389
Start and Test Samba
Now start samba and then run a few tests against the server to see if it's OK.
~ # samba
~ # smbclient -L localhost -U%
~ # smbclient //localhost/netlogon -U 'administrator'
Testing from Windows
ipconfig /release
ipconfig /renew
ipconfig /all
net view /domain:$DOMAIN
net view \\$ADHOST
nbtstat -A $ADHOST_IP4
You should also download the Windows Server 2003 Service Pack 2 Administration Tools Pack. This gives you some tools such as dsa.msc.
wget http://download.microsoft.com/download/f/5/4/f541633c-6e89-4407-a69e-673dc7f2b485/WindowsServer2003-KB340178-SP2-x86-ENU.msi
Join Domain Clients
Windows XP, Vista, 7 and 8
Samba4 works with all of these systems (Professional edition), and they all join right up to the domain without needing any registry hacks or other tricks.
Join Samba3
Samba3 has no problem joining the Samba4 domain as a member server.
~ # net rpc join -U administrator member
Enter administrator's password:
Joined domain EDOCEO.
Caveats
Be wary of the settings in /etc/nsswitch.conf, /etc/krb5.conf, and similar files.
No More Network Browsing
In Windows-based AD you can still browse the network; Samba3 had this, but Samba4 does not. So you will not see your domain or browse machines in the domain.
Samba4 and Homes
The [homes] share and the browseable directive don't work as expected.
Cannot contact any KDC for requested realm: unable to reach any KDC in realm $DOMAIN
This is a DNS-related issue; most likely the SRV records above are not being served. Fix your DNS.
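To catch that KDC error before a client does, here is an added checker (my code, not part of the page or the edoceo script) that parses dnsmasq srv-host= and address= lines and reports which of the DC-locator records from the template above are missing or not pointing at the DC on the expected port. The sample configuration is constructed from the page's values with one record left out; the required list mirrors the page's template, so extend it if you publish more records.

```python
# Constructed sample: the page's template expanded for one environment, minus _kpasswd._udp.
SAMPLE_CONF = """\
address=/00ed0ce0-1234-4321-4444-d5a81a980958._msdcs.edoceo.lan/10.65.0.3
address=/gc._msdcs.edoceo.lan/10.65.0.3
srv-host=_gc._tcp.edoceo.lan,pdc.edoceo.lan,3268
srv-host=_kerberos._tcp.edoceo.lan,pdc.edoceo.lan,88
srv-host=_kerberos._tcp.dc._msdcs.edoceo.lan,pdc.edoceo.lan,88
srv-host=_kerberos._udp.edoceo.lan,pdc.edoceo.lan,88
srv-host=_kpasswd._tcp.edoceo.lan,pdc.edoceo.lan,464
srv-host=_ldap._tcp.edoceo.lan,pdc.edoceo.lan,389
srv-host=_ldap._tcp.dc._msdcs.edoceo.lan,pdc.edoceo.lan,389
srv-host=_ldap._tcp.pdc._msdcs.edoceo.lan,pdc.edoceo.lan,389
srv-host=_ldap._tcp.gc._msdcs.edoceo.lan,pdc.edoceo.lan,389
"""

def parse_dnsmasq(text):
    """Parse srv-host= and address= lines into {srv_name: [(target, port)]} and {name: [ip]}."""
    srv, addr = {}, {}
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition("=")  # comments/blank lines skipped
        if key == "srv-host":  # _service._proto.domain,target,port[,priority,weight]
            f = [x.strip() for x in value.split(",")]
            srv.setdefault(f[0].lower(), []).append((f[1].lower(), int(f[2])))
        elif key == "address":  # /name1/name2/.../ip: every listed name gets the ip
            parts = value.strip("/").split("/")
            for name in parts[:-1]:
                addr.setdefault(name.lower(), []).append(parts[-1])
    return srv, addr

def required_ad_records(domain, guid):
    """DC-locator records the page's template publishes: SRV name -> port, plus A names."""
    d = domain.lower()
    srv = {f"_ldap._tcp.{d}": 389, f"_ldap._tcp.dc._msdcs.{d}": 389,
           f"_ldap._tcp.pdc._msdcs.{d}": 389, f"_ldap._tcp.gc._msdcs.{d}": 389,
           f"_gc._tcp.{d}": 3268, f"_kerberos._tcp.{d}": 88, f"_kerberos._udp.{d}": 88,
           f"_kerberos._tcp.dc._msdcs.{d}": 88, f"_kpasswd._tcp.{d}": 464, f"_kpasswd._udp.{d}": 464}
    return srv, [f"{guid.lower()}._msdcs.{d}", f"gc._msdcs.{d}"]

def check_ad_dns(conf_text, domain, dc_host, guid):
    """Sorted list of problems; an empty list means every required record points at the DC."""
    srv, addr = parse_dnsmasq(conf_text)
    want_srv, want_names = required_ad_records(domain, guid)
    problems = [f"missing A record for {n}" for n in want_names if n not in addr]
    for name, port in want_srv.items():
        if name not in srv:
            problems.append(f"missing SRV {name}")
        elif (dc_host.lower(), port) not in srv[name]:
            problems.append(f"SRV {name} does not point at {dc_host}:{port}")
    return sorted(problems)
```

Run it against the generated dnsmasq file before restarting dnsmasq; the same required names are what you would query with a live SRV lookup from a client if the KDC error still appears.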
ntptr_init_context: failed to find NTPTR providor='simple_ldb'
I don't know yet; it doesn't seem to be fatal.
nbtd netlogon handler failed from 10.65.0.122:138 to REMOTE<1c> - NT_STATUS_BAD_NETWORK_NAME
This is safe to ignore, provided that the IP address and the name (REMOTE) refer to an old, previous or same-subnet domain. It is just a warning about a received NetBIOS name that is being ignored because it is not part of our AD.