You are here

CentOS Samba 4 - Active Directory Domain Controller

With the recent stable release of Samba 4, it is possible to create a compatible Active Directory Domain Controller that runs on the Linux platform. Samba 4 has been in beta for years now, but with the stable release as of December 11, 2012 you should now have a compelling argument for implementing Samba into your enterprise IT network. Samba 4 is a complete re-working of the Samba code and to sum it up best is to simply quote from the Samba 4 website:

“Samba 4 is available for download via the Samba Website or from the Git repository. In short, you can join a Windows (all recent releases should be supported) machine to a Samba 4 domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable. The official press release can be found on the Samba website.”


The Setup

For detailed information of configuring and setup of Samba 4 it is best to refer to the Samba4 HOWTO.

The following is how to setup and configure a basic Samba 4 domain controller running on CentOS 6.3 or 6.4. Once configured and installed, you can then administer Active Directory using Microsoft's Remote Server Administration Tools from a Windows XP, Vista, or 7 client that supports Active Directory. Note: your Windows client must be a Professional, Business or Ultimate edition.

This howto assumes you have the following:

  • functioning basic server running CentOS 6.3 or 6.4 x86_64 with root access

  • your CentOS server is using an IP address of (change to your liking)

  • FQDN of ' to your liking)

  • default gateway IP address: (change to your network gateway)

  • a Windows XP, Vista or 7 client that supports Active Directory

  • disabled SELinux (disabled to reduce complications)

  • DNS forwarding IP address using OpenDNS: (change to you liking)


Download and Installation

NOTE: All commands here are run as 'root' user. You do not need to be root for all commands (which is recommended) but for simplicity sake root will be used here to eliminate confusion.

1. Login as root and update your server

# yum update

2. Install the following packages required for installing and building Samba 4:

# yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5

3. Query your rpm database to find any instances of older samba packages:

# rpm -qa | grep samba

4. If there are any older samba packages remove them with YUM:

# yum remove samba-winbind-client samba-common samba-client

5. Install git to dowload the latest Samba 4 version:

# yum install git-core

6. Use a directory of your choice and download the latest version of samba from git:

# git clone git:// samba-master

7. Reboot the server as a precaution so that all packages or kernel updates will be applied:

# shutdown -r now

8. Login again as root and then build samba:

# cd samba-master
# ./configure --enable-debug --enable-selftest
# make

9. If everything reports okay you can then install samba:

# make install

You should now have samba installed to '/usr/local/samba'.


Provision Samba 4

The provision step sets up a basic user database, and is used when you are setting up your Samba4 server in its own domain.

As root issue this command:

# /usr/local/samba/bin/samba-tool domain provision

The 'domain provision' tool should pick defaults for you automatically. Change to your configurations if necessary:

Realm [MYDOMAIN.COM]: Domain [MYDOMAIN]: (press Enter)
Server Role (dc, member, standalone) [dc]: (press Enter)
DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password: <your_secret_admin_password>
Retype password:

If above was successful, stdout should look similar to this:

Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: samba
DNS Domain:
DOMAIN SID: S-1-5-xx-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx

NOTE: You may need to remove the '/usr/local/samba/etc/smb.conf' file if you are re-running the provision command. If you encounter any errors when running the provision command, you may need to install the necessary missing packages or fix errors and then run './configure', 'make' and 'make install' commands again as stated above. Remember to do a  'make clean' in the root of your 'samba-master' directory  before running 'make' again.

If the provision setup was successful reboot the server:

# shutdown -r now


Start Samba 4 AD DC

Start the samba daemon:

# /usr/local/samba/sbin/samba

If you would like Samba to start at boot, append the following to your '/etc/rc.d/rc.local' file:



Testing Samba as an Active Directory DC

Verify you are indeed running the correct version of Samba. Your version should start with version 4 (note: samba daemon must be running):

# /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-c1fb37d

Verify you are running the correct samba-client version:

# /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-c1fb37d

Now run this command to list the shares on your Samba4 server:

# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d] 

	Sharename       Type      Comment 
	---------       ----      ------- 
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-c1fb37d) 
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-c1fb37d] 

	Server               Comment 
	---------            ------- 

	Workgroup            Master 
	---------            -------


Configure DNS

You will need to edit your '/etc/resolv.conf' and '/etc/sysconfig/network-scripts/ifcfg-eth0' file so that Samba will use it's internal DNS correctly. If you specified a forwarding DNS server when you provisioned earlier, DNS should work correctly (you can verify this in /usr/local/samba/etc/smb.conf). Here is an example of my current '/usr/local/samba/etc/smb.conf' file:

# cat /usr/local/samba/etc/smb.conf
# Global parameters
workgroup = MYDOMAIN
netbios name = SAMBA
server role = active directory domain controller
dns forwarder =

path = /usr/local/samba/var/locks/sysvol/
read only = No

path = /usr/local/samba/var/locks/sysvol
read only = No

Edit your '/etc/resolv.conf' file to look like this:

# Generated by NetworkManager

Next you need to edit '/etc/sysconfig/network-scripts/ifcfg-eth0' so DNS is changed here also. It should look something like this:

NAME="System eth0"

Reboot the server for all network changes and DNS to take effect.

Testing DNS

Make sure that samba is running and then test to make sure that DNS is working properly. Run the following commands and compare the output to what is shown:

# host -t SRV has SRV record 0 100 389

# host -t SRV has SRV record 0 100 88

# host -t A has address

The answers you get should be similar to the ones above (adjusted for your DNS domain name and hostname). If you get any errors, carefully check your system logs and your '/etc/resolv.conf' and '/etc/sysconfig/network-scripts/ifcfg-eth0' files.


Disable Firewall (Optional)

To reduce the chances of problems you can completely disable the firewall on the Samba 4 server. Once you have successfully joined a Windows client to the domain you could then re-enable the firewall and configure IP Tables correctly.

To use the menu-based firewall utility, install this package:

# yum install system-config-firewall

Then issue this command for the menu-based firewall configuration:

# /usr/bin/system-config-firewall-tui

Disable the firewall and then reboot the server.


Configure Kerberos

In CentOS 6.3 or 6.4, kerberos is handled by the '/etc/krb5.conf' file. Make a backup copy of this original file, and then replace the existing file, if any, with the sample from /usr/local/samba/share/setup/krb5.conf.

# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Edit the file and replace ${REALM} with the value you chose for the '--realm' parameter of the provision command earlier, make sure to enter the realm in uppercase letters. It should look something like this:

# cat /etc/krb5.conf
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true


Testing Kerberos

The simplest test is to use the 'kinit' command as follows:

# kinit administrator@MYDOMAIN.COM
Password for administrator@MYDOMAIN.COM:
Warning: Your password will expire in 41 days on Sun Feb 3 14:21:51 2013

NOTE: You must specify your domain realm MYDOMAIN.COM in uppercase letters!!

'kinit' will not give you any output. To verify that Kerberos is working, and that you received a ticket, run the following:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.COM

Valid starting Expires Service principal
12/23/12 15:39:28 12/24/12 01:39:28 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 12/24/12 15:39:19


NTP (Network Time Protocol)

Make sure that 'ntpd' is running and installed. If 'ntpd' is not installed you can install it with YUM:

# yum install ntp

Enable ntpd:

# /etc/init.d/ntpd start

Also, use the 'chkconfig' command to have ntpd run at boot:

# chkconfig ntpd on



Configure Windows Client to Join Domain

The following will describe how to add a Windows 7 client to the samba DC. For other versions of Windows the same principle should be the same.

To simplify and to limit errors with DHCP, we will assign a static IP address to our Windows 7 client NIC. Configure your network device as follows:

win7 client IP settings
Click 'OK' to save the changes.

Now bring up a command prompt in windows and ping the Samba DC:


Verify that DNS is working correctly by pinging the FQDN:


If you get replies from both then this is a good sign and should mean that your Samba DC is functional. Also, you may need to reboot Windows for network settings to take effect.


Configure Date, Time and Time Zone on Windows Client

Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason. Adjust your date, time and time zone accordingly on your Windows client to match your Samba 4 server.

Windows 7 Date and Time


Join Windows 7 Client to the Domain

1. Right-click 'My Computer' icon and choose 'Properties'

2. From the left-side pane click 'Advanced system settings'

3. Choose the 'Computer Name' tab and click 'Change...'

4. Select option 'Domain', and insert MYDOMAIN.COM. If this fails just try MYDOMAIN.

5. When it requests a username and password, type 'Administrator' as the username and then enter your password. (password = the password you used when you ran the 'samba-tool domain provision' command)

6. You should get a message box stating 'Welcome to the MYDOMAIN.COM domain'

7. Click OK on this message box and the Properties window, and you will then be instructed to restart your computer.

8. After restarting you should be presented with the normal login dialog. Click on 'Switch User' button.

9. Choose 'Other user' and then enter in the following:

Windows 7 domain login

Press 'Enter' or the arrow button.

10. You should then authenticate and then login to Windows.


Install Windows Remote Administration Tools

To install the GUI tools to manage the domain you must install the Remote Server Administration Tools. This will allow you easily manage the domain using Active Directory.

Windows 7

1. Download the Windows Remote Server Administration Tools

2. Follow the 'Install RSAT' instructions

3. Enable the necessary components in 'Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools'

4. You may need to add the Administrative Tools to your start menu. Right-click 'Start button' and select 'Properties -> Start Menu tab - Customize... -> System administrative tools - Display on the All Programs menu'


Managing Samba 4 AD DC from Windows 7 Client

This is beyond the scope of this article. For further information please refer to the Samba4 HOWTO


Configure the Firewall

Once you have been able to successfully have your windows clients attach to your Samba 4 DC, it is prudent to renable the firewall on your CentOS 6.3 Samba 4 DC. Simply run the firewall command again:

# /usr/bin/system-config-firewall-tui

Configure the firewall to have AT LEAST these ports open:

53, TCP & UDP (DNS)

88, TCP & UDP (Kerberos authentication)

135, TCP (MS RPC)

137, UDP (NetBIOS name service)

138, UDP (NetBIOS datagram service)

139, TCP (NetBIOS session service)

389, TCP & UDP (LDAP)

445, TCP (MS-DS AD)

464, TCP & UDP (Kerberos change/set password)

1024, TCP (AD?)


For RSAT tools and extras other ports may need to be opened. Microsoft has a list of the port required which you can find here:

To setup folder redirection for users and configure offline files that synchronize, please see my article Folder Redirection using Group Policy

For binding Linux clients such as Fedora to your domain controller see this comment

Please feel free to post a comment on your experience with this Howto or find me on Google+ or LinkedIn



Thanks Jeremy; your notes worked well for me.

Here are a few of _my_ errors other’s might avoid:

-I had the EPEL repository enabled, which broke your step 2 of section “Download and Install”.

-I had no host or kinit commands installed, because I was starting from a “minimal” install of CentOS.

-I needed to understand that Samba4 has its own built-in DNS server.

-I find that another system reboot is necessary before “Testing Samba as an Active Directory DC” and after “Provision Samba 4”.

But I got through to it successfully. And, the notes were easy to follow. Thanks.

Thanks for the feedback John and glad to hear you got it working.
I added the necessary 'krb5-*' packages to step 2 of the "Download and Install" section and added the server reboot to the end of "Provision Samba 4" step. Perhaps the 'minimal' CentOS install was the issue with the 'krb5-*' packages so hopefully this will now work for anyone whether minimal or full install of CentOS 6.3. :)

Hi Jeremy
Pls guide me how to disable EPEL repository so that the Step # 2 should not fail.

Hi Barun,
There are 2 ways that I use to enable or disable repositories. The first one is to simply disable the repo. Do as follows:
1. As root, cd to the directory containing the repositories on Centos:
# cd /etc/yum.repos.d
2. Use 'vi' to open each repo that you wish to disable:
# vi <repository-name>.repo
3. Using 'vi' edit and change 'enabled=1' to 'enabled=0'. This will disable the repo. Do this for each entry in each *.repo file that you wish to disable.
4. Clear the yum cache:
# yum clean all
5. Reboot for safe measure if desired and your repos should now be disabled.
Second method, (which I use depending on the need) is to simply move each .repo file to another location:
1. # cd /etc/yum.repos.d
2. Move the .repo files that you want disabled to another location:
# mv <repo-name>.repo /root
3. Clear the yum cache:
# yum clean all
4. Reboot for safe measure if desired and your repos should now be disabled.
Sometimes moving the *.repo files is a little easier as you don't have to constantly edit each one and change the 'enabled=' statement. Hope this helps. :)

Hi Jeremy,
Thanks for the write-up. I've been waiting for an AD-compliant Samba version (probably like everyone else), since Samba 4 was first mooted (?) years back...Coincidentally, I've also recently built an HP Microserver running CentOS 6.3, so the realease of Samba 4 stable - and this write-up - have come along just at the right time! I'll run through the various steps and let you know how it all goes.

One question I had is whether or not the CentOS box can provide pass-through NTP time to attached clients.
Actually, I have another one also; Can the CentOS box provide DHCP services for Windows (and other) clients, and register those host connections dynamically in (local) DNS? Or did you find DHCP configuuration "buggy"...?

Hi Michael. NTP should work fine (works for me anyway) provided you have configured NTP on the Samba 4 DC as outlined in the article. You should be able to test this once you join a windows client to the domain. Adjust the time on the windoze client and reboot the client. Login and observe the time. You should notice the time rapidly come back into sync with the exact time of your DC. As for DHCP on the CentOS box running Samba I have to be honest and say I'm not sure. I use another server for DHCP services. I can tell you that the Samba 4 internal DNS works fine as I can ping all the other clients on the domain as they are using the Samba 4 DC as their primary DNS server. If you are running another DHCP server like I do, you just need to tell it to use your Samba 4 DC as the only DNS server for the clients on the LAN. Hope this helps.

Thank you, Jeremy.
Everything works perfectly, have done great job with this description. I have seen many articles on the web but only your description worked right away. (sorry for my english.)
Janusz of Polish

Glad to hear it worked for you. I too found resources on the web were lacking which is the main reason I decided to write this article. Thanks for your feedback!

How much ever I try kerbros is not working
[root@samba ~]# kinit
kinit: Cannot resolve network address for KDC in realm "" while getting initial credentials
[root@samba ~]#
[root@samba ~]# cat /etc/krb5.conf
default_realm = TEST.COM
dns_lookup_realm = false
dns_lookup_kdc = true
[root@samba ~]#
All are working except kerbros ntp service is also started

Hi sunil. Most likely your problem with the 'kinit' command is because you need to specify your domain in upper-case letters. You should run your command like this: # kinit administrator@TEST.COM. If you use lower-case letters (i.e. THIS WILL FAIL and give the improper credentials error. Please re-read the 'Testing Kerberos' section again carefully and it should work for you.

Hi Jeremy.
I'm trying to run your well explained howto. But I have some doubts/problems.
1.- kinit is not starting kerberos database. I've typed domain in upper case in command.
The result is kinit: Client not found in Kerberos database while getting initial credentials.
The only difference is I'm using "administrador" instead "administrador" (spanish language). I've also tryied with administrator and admin because wher I try to launch a kadmin command the root/admin<at>COMPANY.LOCAL is the validation user that seems to be used to obtain the ticket.
2.- The krb5.conf file obtained from samba is shorter that original one. I'm quite worried about some missing parameter inside.
3.- Where are the SRV records stored? I've take a look at DNS files but anything inside.
By the way, I'm using Centos 6.4x64 with all prerequisites accomplished (except if I'm wrong).
Thanks for this great tutorial, this will solve lots of questions since Samba4 was raised and sorry for my english.

Hi Josep. Please make sure you have installed all of the necessary kerberos packages and that you have configured it correctly. If possible, try running through my howto again from the start.
I've setup dozens of DCs on using this exact method and haven't had any issues. Start with the krb* packages and triple check your krb.conf file.
Good luck!

Followed this guide in combination with the official How-To from
Very comprehensive and effective !
I wanted to join the DC to an existing domain and had to skip the provisioning step as stated in the Samba4 FAQ, otherwise this article is very well written and to the point ! Joined domain the domain succesfully but i was confused not to see the domain members in either networking neighbourhoods. Apparantly this is a Known Issue with Samba4 (unable to browse netbios names) can't wait until this is ressolved

Just add a A Record and a PTR record to your Windows DNS server.
After that you should be able to browse by hostemae

Thanks for sharing such a well written solution Jeremy !!!!
I was able to configure the same in first my DC is live .......

Thank you for the perfect document
I only downloaded the tar with 4.0.1. But that was ok to.

One question, is it possible to use GPO ( create them ) and also login scripts with net use for the home drive and so on.

The Shares are no problem in SAMBA.

Thanks Toine

Hi Tione. GPOs and everything should work provided you are accessing the Samba4 DC from a Windows client using RSAT. Covering group policy is beyond the scope of this howto so in theory you should be able to configure the DC just like you would a Windows domain controller.

Many many thanks Jeremy. You have done a great job. I was trying to setup Samba4 from so many days and with your document, i was able to setup samba4 in 2 hours. Keep writing in future. Will you explain that how can i authenticate ubuntu/centos systems with samba5.

Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.
please help me.

On what machine/OS are you trying to install Samba. you need to add the acl option in the /etc/fstab for your filesystem

ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'realm=[SUNISH.COM] : DOMAIN [SUNISH]:' in [SUNISH.COM] : DOMAIN [SUNISH]: must match chosen realm '/usr/local/samba/etc/smb.conf'! Please remove the smb.conf file and let provision generate it
File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/", line 398, in run
use_rfc2307=use_rfc2307, skip_sysvolacl=False)
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/", line 1892, in provision
sitename=sitename, rootdn=rootdn)
File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/", line 536, in guess_names
raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), realm, lp.configfile))


I would recommend looking at your log files to see if you can determine your issue. Check your logs in '/usr/local/samba/var/' and '/var/log/' to see if you can narrow it down. You can also do what stderror says and delete the '/usr/local/samba/etc/smb.conf' and run the Provision step again. Please read that section again carefully! Please don't take this the wrong way, but if you aren't familiar with Linux then perhaps setting up a Linux AD DC isn't a good option for you right now. You may just want to stick with Windows Server for the time being.

Thanks for this very comprehensive document Jeremy. I've set up and configured the Samba 4 domain controller on Centos 6.3 using the outlined procedure with the exception of using "none" for dns forwarder and I used SAMBA_INTERNAL for DNS backend. All the verifications and tests gave the expected results. However, I can ping the server from a Windows 7 client by ip address but not by domain name; so I can't join the Windows client to the domain.
When I run:
"samba_dnsupdate --verbose --all-names"
I get :
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION: 900 IN SRV 0 100 3268

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries


root@ddp-samba sbin]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
root@ddp-samba sbin]# cat ifcfg-em1

NAME="System em1"
root@ddp-samba sbin]# host -t A has address

root@ddp-samba sbin]# cat ../etc/smb.conf
# Global parameters
workgroup = DDP
netbios name = DDP-SAMBA
server role = active directory domain controller

path = /usr/local/samba/var/locks/sysvol/
read only = No

path = /usr/local/samba/var/locks/sysvol
read only = No

[root@ddp-samba sbin]# cat ../private/krb5.conf
default_realm = DDP.SAMDOM.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Would you have any suggestions ? Thanks.

It looks like you have configured correctly except for your '/etc/resolv.conf' file. Try changing 'resolv.conf ' to look like this (even tho 'search' should still work):
# Generated by NetworkManager
Save the file and then reboot the Samba server and if your Windoze client is still running give it a reboot as well.
Also, did you copy your '.../private/krb5.conf' to '/etc/krb5.conf'? It appears that if you have specified DNS correctly on your Win client it should work. Another thing to mention is the firewall on your CentOS Samba server. Are the correct ports open? Please let us know if you solve it. Good luck!

I've found out that it was just a matter of disabling the firewall on the server after which I could join the windows and mac clients into the domain. Thanks again,

Very nice tutorial, I install CentOS 6.3 with minimal packages.
Great job Jeremy many thanks.
I have one question?
I can see DC server under my network.
I can see other comp, when i try to map public folder  it's  work fine.

Hi Jeremy ,
Thanks for great help.  My Samba4 AD DC is working fine and i am able to add my Linux and Windows Clients to Samba4 AD.  Now i want to use Samba4 as a backend database for my zimbra server.  How can i add MX records in my samba4 server. My samba4 server is vijay.os and IP Address And host zimbra.vijay.os is on IP Address  When i run the command  /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names.  I am getting the following error:
TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries

Kindly help me.


You should be able to use RSAT from a windoze client if logged into your Samba4 DC as an admin. Simply add the entry you need to DNS.

Hi Jeremy,
I have followed your steps and I have to say that "spot on", I have the AD/DC running and I joined windows clients without too much fuss and.
Will be too much to ask you about domain member, I tried choosing member when running the provisioning tool, but I apologies don't know too much about the kerberos and the smb.conf file settings; In addition of which command to run when try to join this possible server member to the domain.
I know that is too much to ask, any help or light will be more than appreciated
Many Thanks
Juan Manuel

Hi Juan,
If I am understanding you correctly this is the howto I believe you need:
If I recall, using 'provision' is not the way to accomplish your goal. All the best.

Hi Jeremy,
Excellent article followed it right through and it worked 2nd time round, first time round was a typo on my part. Have a question once the DC is running, if updates are done, is any additional work required with Samba?

Hi Watson,
What kind of maintenance are you referring to exactly? If it is just regular server updates then everything should work just fine, as for Samba itself then you may have to refer here:
I've had no issues thus far (knock on wood) when using git but I cannot guarantee it will be the same for you. It may depend on the release so I recommend doing what the release notes say. As always, make sure you have a recent backup.

I have configured Samba4 DC as per above guideline and now it is working fine. But problem is that I cannot implement  Password Policy, desktop autolock policy, etc. I have tried by Remote Administration Tool for windows8, but I can't success.
How I can implement GPOs like, password policy, desktop autolock policy, desktop wallpaper policy etc. Please give me guideline with details if possible.

I've had no problems with GPOs for Win 7 as RSAT did everything I needed it to. As for Win 8, I can't provide any input on it as I haven't tried it yet (probably won't for quite some time too).
Sorry I can't help you there, but you may need to look elsewhere for Win 8 and specific group policy issues.

Hi Jeremy,
This is one of the easiest tutorials I have come across!
I do actually have a question. After Testing Samba as an Active Directory DC I get the following Error:
session setup failed: NT_STATUS_INVALID_SERVER_STATE
I have googled for hours and can't seem to fix rid of this message. Any help is much appriciated!

I had the same problem. I fixed it by creating directory "lib" in /usr/local/samba/var. If you look your log files I'm sure you will find some information that samba cannot create  some files or folders in  /usr/local/samba/var/lib because there's no such directory.

Hi Jeremy
I have successfully configured samba4 domain followed by your above steps. The Samba4 domain controller is working fine. All kinds of windows clients (Windos-XP/7/8) can be joined to the domain smoothly. Through RSAT I can apply group policies like password policy, desktop autolock policy, desktop wallpaper policy, etc.
But my problem is that I cannot find ldapsearch command in samba4 domain controller. My previous system is samba-3.5 PDC and I can search any user in samba-3.5 PDC using command of “ldapsearch  -x -b dc=example,dc=com uid=user1”. When I use ldapsearch command in samba4 domain controller, it replies “ldapsearch: command not found”.  I need your help for this, ldapsearch is important for me.  
My another issue is that I want to integrate mail server (postfix-dovecot-squirrelmail) with samba4 domain controller.
Please help me about my above two issues.

Glad to hear you got Samba 4 setup. It does really work quite nicely with RSAT and I've never had any probs with GPOs.
As for ldapsearch, I believe you need to install the 'openldap-clients' package which provides the ldapsearch command. However, you may run into problems using it with Samba4 due to SASL. You can give it a try but I'm pretty sure ldapsearch has been broken for quite a while now on Samba4.
As for your postfix/dovecot integration, exactly how do you mean? The scope of that can be quite large so you may need to be more specific.

I liked and appreciate the way you have eloborated a step by step procedure to install and configure Samba.. 
Great job done. 

Thanks Jeremy for the nice tutorial and simple explanations. Its working!!!!! I can join domain, add users from windows network. My question is how to add users from Windows AD tools that can have their own home directories and unix logons. Thanks again for the help you already provided through your tutorials and your answers in the blog.

Thanks for the kind words Umair and glad this article was of some help.

I decided to write an article on how to setup home folders or more specifically folder redirection using group policy. You can view my article here: Folder Redirection using Group Policy

Hopefully that article will help you with what you need. :)

We found that it is necessary to run  /usr/local/samba/bin/samba-tool ntacl sysvolrese on the server so that windows gets the updates of sysvol when we execute gpupdate command on windows for getting the latest machine policies configured on the samba server


Using your tutorial, I've gotten to the provision step without errors but I'm unable to successfully provision...after entering admin password:

Looking up IPv4 addresses

More than one IPv4 address found. Using

Looking up IPv6 addresses

No IPv6 address will be assigned

ldb: module schema_load initialization failed : No such object

ldb: module rootdse initialization failed : No such object

ldb: module samba_dsdb initialization failed : No such object

ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)

samdb_connect failed

VFS connect failed!

ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.

  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/", line 398, in run

    use_rfc2307=use_rfc2307, skip_sysvolacl=False)

  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/", line 2052, in provision

    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")



my /etc/fstab shows the acl option:

UUID=20da86f0-0eb6-43aa-8bdc-4e91c67f7585 /                       ext4    defaults,acl        1 1

UUID=fcbac2ce-d372-4207-82bd-df69f92e851e swap                    swap    defaults        0 0

tmpfs                   /dev/shm                tmpfs   defaults,acl        0 0

devpts                  /dev/pts                devpts  gid=5,mode=620  0 0

sysfs                   /sys                    sysfs   defaults,acl        0 0

proc                    /proc                   proc    defaults,acl        0 0

UUID=a137a93f-6501-4e3d-8f13-465150242349 /ourhome ext4 defaults,acl 0 0

/dev/sdb1 /security ext4 defaults,acl 0 0

/dev/sdc1 /backup ext4 defaults,acl 0 0


have any ideas what's gone wrong...thanks,



addendum to post:
after reading samba I realized that I needed to remove BOTH the  /usr/local/samba/private and /usr/local/samba/etc directories, then run samba-tool domain provision again because I hadn't put in a strong enough password initially ( The password complexity requirement is at least one uppercase letter, and one number, and at least eight characters long.  You might upda te the instructions to reflect this.  I think the acl errors were created when I initially built samba4 so you might make that an early requirement for the tutorial.
otherwise, great post.

Thank you Robert for posting back explaining how you resolved your issue. I'll make the edit for the password requirements but I must admit this is the first time I've heard of it causing a problem. Hope you enjoy your Samba DC. :)

Hi Jeremy
Thank you for your good guide.
All goes well, i can add win client to domain, with rsat i can edit the policy, with smb-tool i can change additional parameter like password aging , dns work well for client etc...
But i have a problem.
When i share a folder on samba 4 i can't access it unless i'm logged as domain administrator (administrator- and the password is complex).
Netlogon and sysvol is accessible and secure tab appear on windows side.
Home folder (as you can see in my smb.conf) is inaccessible and security label is not activated and not visible.
I run a centos 6.4 just installed.
my /usr/local/samba/etc/smb.conf is
# Global parameters
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = SAMBA-DC
        server role = active directory domain controller
        dns forwarder =

        path = /usr/local/samba/var/locks/sysvol/
        read only = No

        path = /usr/local/samba/var/locks/sysvol
        read only = No

path = /data/home
    read only = No
i've tyied to 777 something, but it's unuseful samba4 don't read the unix permission.
i've tried to copy the acl of /usr/local/samba/var/locks/sysvol on /data/home but it still unuseful.
maybe the problem is the acl(acl_xattr) on filesystem must be enabled?
Have any suggest?
Best Regards

Please read my Folder Redirection howto which explains how to setup user folders and other network shares. Basically, you don't want to change the permissions on the Samba 4 side but rather as a domain admin once you log into windows.

Also, when setting up folder redirection, you must let the domain controller create the folders automatically for each user. This sets the appropriate perms on each user's folder once the GPO is applied. If you try to do it manually, I can promise that it will most likely fail. Good luck!

First of all thank you for your support and fast reply

I have read you folder redirection guide and resolved this problem i need it too!!

I'm right with you for user folder must be generated from logging user but if the user can't read/write the folder where to store their home may be a problem.

My scope is implement what i do with samba3, samba dc   roaming profiles   home dir separate for each users. Your second guide on folder redirection help me to cover "roaming profiles   home dir separate for each users" and the first "samba dc".

But in the middle there is a strange problem of access to share created by myself.
Strangely the netlogon and sysvol is readable/writable with rightclick proprieties security tab enabled...

My two problems are that i can't access the share create by myself as administrator (or user) plus a problem reported on samba list (link here:

I think the second problem is caused by first access problem.

I've reloaded samba each time i done any kind of modify and i log on to windows 7/xp always with domain administrator (administrator) credentials.
I've googled to try to find a solution with no luck, but maybe it's a strange problem of my installation and the right direction is reinstalling everything.

When you installing samba on a fresh centos if you create a shared folder like
    path = /data/music
    comment = music folders
    read only = No

and mkdir -p /data/music
and restart samba

at this time your shared folder under windows is accessible or not from the domain administrator? Because if yes maybe best solution is to format and reinstall everything

Hi Charls. Hopefully I am understanding you correctly and I'll do my best to help.
I can access my shared folders as a domain admin OR as a user that has access to it without issue.  I apologize if the following seems novice but might be worth mentioning:
1. Your Windows 7 client has the necessary ports open for file and printer sharing. If unsure, just disable the firewall to test (happens to the best of us).
2. You are using full UNC paths (i.e \\\<sharename>) when trying to access the network share. Even if you have multiple shares in different paths on your Samba 4 DC, as a domain admin in Windows, they should be visible using '\\'  using Explorer.  In your case you should see netlogon, sysvol, Users. Also, you could try to create your share using this path:

    path = /usr/local/samba/var/music
    comment = music folders
    read only = No
3. When you create the network share, you will need to assign the correct NTFS perms via Windows 7 as a domain admin, almost identicle to the way you would for folder redirection.
If none of the above seems to help, my best suggestion would be to reinstall everything in a virtual environment and see if that solves your problem. There could be a plethora of issues that could be causing your dilemma but that's what I would probably attempt rather than spend too much trying to debug. From what you're describing doesn't sound like a Samba 4 problem but more of a permissions problem somewhere. If you have been changing permissions as root on the DC, something may have been messed up somewhere along the way.
If you do find the problem, please don't hesitate to post back and let us know the fix.  Cheers

I accidentally found the solution that make me laugh and maybe make laugh you too.

I've reinstalled and restarted to the top of your guide but now i have created more share in more filesystem points for testing and result was that all share works and one not.

My new share was:

        path = /data/pubblic
        read only = No

        path = /data/homes
        read only = No

        path = /data/profiles
        read only = No

        path = /data/personal

What is the share that didn't work?

If you see my first post in smb.conf my only share was:

path = /data/home
    read only = No

Sure "homes" !!! not home or anything other but "homes"

homes not work while the other one works well with security tab working.

So i've tried to explain this problem and the solution was:

So for the homes (Yes HOMES not HOME) share to work you need winbind
functioning (not necessarily pam auth, but at least winbind).

(second reply in this forum link:

If you see this resolve at same time the question of user that ask on samba forum (link

all now work correctly :-)

I suggest a little change in you guide.
The network part is important to be completed before provision the domain.
Because if you change netbios name or ip address after provisioned the domain the result may be a not working dc.

I think the first step was set the network card, set the dns, set the host name (/etc/sysconfig/network) and then provision the domain.
In this way you are sure (hope) to provision the domain in definitive state.

Thank You very much for your guide and support!!!