How To Install and Configure Excellent Samba4 Appliance as Active Directory Server Part 2

Posted by

Previous article :

# Provisioning Samba

After samba4 already compiled and install, you can provisioning samba4 and make it as Active Directory. Provisioning is like dcpromo on Windows Server

Do the following command on samba4 server

/usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive

Fill as the following example :

Realm : Your domain. Example IMANUDIN.NET
Domain : Your Workgroup (Usually domain name without TLD). Example IMANUDIN
Server Role : dc
DNS backend : BIND9_DLZ
Password : VerySecret123 (fill password with minimum length of 8 characters, 1 upper case, 1 lowercase and 1 number)

If you see the following process/info as below, your samba4 has been success provisioned

provisioning samba4

# Starting Samba4

For stop/starting samba4, i’ve been saving init script in /srv/ai folder. You can add the script to systemctl/sysinit.

cp /srv/ai/samba4 /etc/init.d/samba4
chmod 755 /etc/init.d/samba4
chmod +x /etc/init.d/samba4
chkconfig samba4 on
service samba4 restart
service samba4 status

# Test insert to folder share

/usr/local/samba/bin/smbclient //localhost/netlogon -Uadministrator%VerySecret123

VerySecret123 is password while provisioning samba4. if success, console would be changed like : smb: \> :

# Configure Dynamic DNS Server

Configure named.conf to perform query DNS from samba server (BIND9_DLZ) that has been chosen in provisioning section

vi /etc/named.conf

add and adjust the following line on the bottom

include "/usr/local/samba/private/named.conf";

Open file /etc/sysconfig/named and change NAMED_RUN_CHROOTED=”yes” become no


Change owner folder /var/lib/named become named

chown named /var/lib/named/

Open file /usr/local/samba/private/named.conf and make sure already use bind 9.9.x

dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/samba/lib/bind9/";

    # For BIND 9.9.0
     database "dlopen /usr/local/samba/lib/bind9/";

restart dns service and testing

systemctl restart named
systemctl status named
systemctl enable named
host -t SRV
host -t SRV
host -t A

The result must like below. If the result are different, maybe dns configuration still problem

[root@samba4 ~]# host -t SRV has SRV record 0 100 389
[root@samba4 ~]# host -t SRV has SRV record 0 100 88
[root@samba4 ~]# host -t A has address

# Configure Kerberos

cp /etc/krb5.conf /etc/krb5.conf.ori
cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

# Testing Kerberos

kinit administrator
klist -e

The following is output result from above command

[root@samba4 ~]# kinit administrator
Password for administrator@IMANUDIN.NET: 
Warning: Your password will expire in 41 days on Sat Mar 12 23:41:47 2016
[root@samba4 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@IMANUDIN.NET

Valid starting     Expires            Service principal
03/12/16 23:41:04  03/12/16 10:57:04  krbtgt/IMANUDIN.NET@IMANUDIN.NET
        renew until 03/12/16 00:57:01, Etype (skey, tkt): arcfour-hmac, arcfour-hmac 

# Configure kerberos DNS dynamic updates (Optional)

This configuration is optional. You can apply or skip this section. For configuration, adding this line tkey-gssapi-keytab “/usr/local/samba/private/dns.keytab”; on named.conf in the options section. See the following example

vi /etc/named.conf
options {
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

Run the following command to change owner and access on dns.keytab file

chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

check whether any updates about dynamic DNS with the following command

/usr/local/samba/sbin/samba_dnsupdate --verbose

# Configure NTP Server (Optional)

Open file /etc/ntp.conf and add the following line in the bottom (adjust with your NTP server in your Timezone)


Restart NTP services

systemctl restart ntpd
systemctl enable ntpd
systemctl status ntpd
ntpq -p

Congratulation, now we have been succeeded install Excellent Samba4 Appliance as Active Directory and be able join Windows client to Samba4.

You can configure some information below to complete your Samba4 Active Directory 😀





Good luck and hopefully useful 😀


  1. I tried to make the first step but my result was as follows :

    Retype password:
    ERROR(): Provision failed – ProvisioningError: guess_names: Domain ‘GERMAN’ must not be equal to short host name ‘GERMAN’!
    File “/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/”, line 461, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
    File “/usr/local/samba/lib64/python2.7/site-packages/samba/provision/”, line 2024, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
    File “/usr/local/samba/lib64/python2.7/site-packages/samba/provision/”, line 626, in guess_names
    raise ProvisioningError(“guess_names: Domain ‘%s’ must not be equal to short host name ‘%s’!” % (domain, netbiosname))

    Can you help me please?

    1. Hi German,

      Your hostname and your domain do not same. You can use your hostname SAMBA4 and your domain GERMAN.COM. So that, your FQDN is SAMBA4.GERMAN.COM. You don’t use

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.