How To: Samba4 AD PDC + Windows XP, Vista and 7

dnsmasq

If you've been struggling with Samba3 domain controllers and NT4 style domains working with Windows7 (or Vista) you are not alone. Various work arounds and hacks exist for the 3.3, 3.4, 3.5 and 3.6 series of Samba to make this go. Our experience (50+ installs) has been intermittent success, with seemingly random failures (Trust relationships, &c).

Move forward to Samba4

Pre-requsites

For Samba4 to operate properly you'll need to have a properly running DHCP/DNS (dnsmasq) and as well as NTP (openntpd). The DHCP/DNS services don't necessarily have to run on the Samba server but the NTP should be running on the domain controller.

Installing Samba4

It's crazy easy on Gentoo/Praxis - still easy on Ubuntu. Use the latest git master for the best success.

Gentoo Based

~ # echo "=net-fs/samba-4.0.0_alpha11" >> /etc/portage/package.unmask

~ # export USE="readline smbclient sqlite threads"

~ # ACCEPT_KEYWORDS="~amd64" emerge -av =net-fs/samba-4.0.0_alpha11

[ebuild   R    ] sys-libs/talloc-2.0.7  USE="-compat python*" 0 kB

[ebuild  N     ] sys-libs/tevent-0.9.16  484 kB

[ebuild     U #] net-fs/samba-4.0.0_alpha11 [3.5.15] USE="(-acl%*) (-addns%) (-ads%) (-aio%*) (-avahi%) -caps client (-cluster%) (-cups%) -debug (-doc%) -dso% (-examples%) (-fam%) -gnutls% (-ldap%*) (-ldb%) netapi (-pam%*) python%* (-quota%) (-readline%*) server (-smbclient%*) (-smbsharemodes%) (-smbtav2%) -sqlite% (-swat%) (-syslog%*) -threads% tools%* (-winbind%)" 13,592 kB

Ubuntu Based

~ # apt-get install build-essential libacl1-dev python-dev libldap2-dev pkg-config gdb libgnutls-dev libblkid-dev libreadline-dev libattr1-dev

~ # git clone git://git.samba.org/samba.git /usr/src/samba4/

~ # cd /usr/src/samba4

~ # ./configure --enable-debug

~ # make

~ # make install

~ # export PATH="/usr/local/samba/sbin:/usr/local/samba/bin:$PATH"

Provision Samba4

Run the simple provision command to create a new Active Directory style domain.

~ # provision \

    --realm=domain.lan --domain=nt4dom \

    --server-role=dc \

    --dns-backend=NONE \  SAMBA_INTERNAL

    --adminpass='Cl3verG1rl'

If you get a message like this:

ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.

You'll need to fix those to proceed, either with --use-ntvfs or mounting your FS with ACLs in place.

    --use-ntvfs

Really you should fix your file system.

DNS Updates for dnsmasq §

Most of the documentation points to using Bind9 as the DNS system for your Active Directory. I hate bind, so it's dnsmasq to the rescue.

AD depends on a number of special SRV and A/CNAME records to function nicely. So, in addition to the traditional host records from DHCP, or /etc/hostswe need to add this stuff to the configuration.

The variables here represent values for your environment, adjust as necessary. This is available as a script from edoceo.com/pub/samba4-dnsmasq-update.sh.

PDC="pdc"

IP4="10.65.0.3"

DOMAIN="edoceo.lan"

NT4DOM="edoceo"

ADHOST="${PDC}.${DOMAIN}"

ADGUID="00ed0ce0-1234-4321-4444-d5a81a980958"

ADSITE="default-first-site-name"

address=/${ADGUID}._msdcs.${DOMAIN}/$IP4

# address=/${ADGUID}._msdcs.${DOMAIN}/$IP6

address=/gc._msdcs.${DOMAIN}/$IP4

# address=/gc._msdcs.${DOMAIN}/$IP6

address=/kerberos.${DOMAIN}/$IP4

# address=/kerberos.${DOMAIN}/$IP6

# Maybe Remove the Above for ADGUID?

# Global Catalog

srv-host=_gc._tcp.${DOMAIN},${ADHOST},3268

srv-host=_gc._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},3268

# Kerberos

# This is queried for, but I don't know which port to reply with

# srv-host=_kerberos._http.${DOMAIN},${ADHOST},80

srv-host=_kerberos._tcp.${DOMAIN},${ADHOST},88

srv-host=_kerberos._tcp.dc._msdcs.${DOMAIN},${ADHOST},88

srv-host=_kerberos._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},88

srv-host=_kerberos._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},88

srv-host=_kerberos._udp.${DOMAIN},${ADHOST},88

# kpasswd

srv-host=_kpasswd._tcp.${DOMAIN},${ADHOST},464

srv-host=_kpasswd._udp.${DOMAIN},${ADHOST},464

# LDAP Server

srv-host=_ldap._tcp.5e6c4f0e-995e-4ccb-ae97-9629e2be9130.domains._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.${PDC}.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.dc._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.dc._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.gc._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${ADSITE}._sites.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.gc._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${PDC}._msdcs.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${PDC}.${DOMAIN},${ADHOST},389

srv-host=_ldap._tcp.${DOMAIN},${ADHOST},389

Start and Test Samba

Now start samba and then run a few tests against the server to see if it's OK.

~ # samba

~ # smbclient -L localhost -U%

~ # smbclient //localhost/netlogon -U 'administrator'

Testing from Windows

ipconfig /release

ipconfig /renew

ipconfig /all

net view /domain:$DOMAIN

net view \\$ADHOST

nbtstat -A $ADHOST_IP4

You should also download the Windows Server 2003 Service Pack 2 Administration Tools Pack. This gives you some tools such as dsa.msc.

wget http://download.microsoft.com/download/f/5/4/f541633c-6e89-4407-a69e-673dc7f2b485/WindowsServer2003-KB340178-SP2-x86-ENU.msi

Join Domain Clients

Windows XP, Vista, 7 and 8

Samba4 works with all these systems, Professional edition, and all join right up to the domain w/o needing any registry hacks or other tricks.

Join Samba3

Samba3 has no problem joining the Samba4 domain as a member server.

~ # net rpc join -U administrator member

Enter administrator's password:

Joined domain EDOCEO.

Caveats

Be wary of information in /etc/nsswitch.conf, /etc/krb5.conf....

No More Network Browsing §

In Windows based AD you can still browse a network, Samba3 had this but Samba4 does not. So, you will not see your domain, or browse machines in the domain.

Samba4 and Homes §

The [homes] share and the browseable directive don't work as expected.

Cannot contact any KDC for requested realm: unable to reach any KDC in realm $DOMAIN

This is a DNS related issue, it's likely the above SRV records are not present, fix your DNS.

ntptr_init_context: failed to find NTPTR providor='simple_ldb'

I don't know yet, doesn't seem to be fatal.

nbtd netlogon handler failed from 10.65.0.122:138 to REMOTE<1c> - NT_STATUS_BAD_NETWORK_NAME

This is save to ignore, provided that the IP address and the name (REMOTE) are referencing an old, previous or same-subnet domain. This is just a warning about a recieved netbios name that is being ignored cause it's not part of our AD.