Samba4 AD DC on Ubuntu 14.04

Samba 4 is a good bit of software. If only that last few tweaks could be done to finish it and the documentation off it would be great software. I have found lot of ways to set up Samba4 as a AD DC most of which fail to work only this one series of steps worked. Samba4 configuration is really really flaky! The official Samba documentation is getting better and beginning to cover some of the configuration pitfalls.

For this how to we are building on some of my other howtos.

We will be building this:

  • AD DC Hostname: lab-addc1
  • AD DNS Domain Name: black.dragon.lab
  • Kerberos Realm: black.dragon.lab
  • Domain Name/NetBIOS Name: black
  • IP Address:
  • Forwarder DNS Server:
  • Gateway:
  • Subnet Mask:
  • Server Role: Primary Domain Controller (PDC)
  • Domain Admin Password: Admin1234
  • Backend DNS: BIND9 DLZ

Update Ubuntu To The Latest

Always use the latest bug fixes and security patches. Also Samba is still being updated with bug fixes and newer features so get them too.

sudo apt-get update
sudo apt-get dist-upgrade

OS Requirements

A functioning DNS and usually a DHCP server see above. Kerberos requires that all systems have the same time, you will therefore need a functioning NTP server. See my post about setting up an NTP server process.

To use the full functionality of Samba when sharing file systems you need acl and both user and system xattr additions. Although using your AD DC as a file share is not a good idea, as the file system could be overloaded sharing files and be slow or unable to check credentials of users.

Make sure the acl and attr packages are installed.

sudo apt-get install acl attr

These can be turned on by updating your /etc/fstab. Be careful when setting these get it wrong an the system will not be bootable. You did do that full backup, didn’t you?!

To add the features add user_xattr,acl,barrier=1 to each file system you want to use for shares. Try it out on a file system that is not required during the booting process, e.g. Create a small temporary fs and mount that as /data.

sudo nano /etc/fstab
/dev/sdb1   /data   ext4 user_xattr,acl,barrier=1,noatime  0  0

Test it out without booting first, when you get the fs mounted without errors then proceed to the others and reboot before proceeding.

umount /data
mount -a
mount | grep '/data '
/dev/sdb1 on / type ext4 (rw,user_xattr,acl,barrier=1,noatime)

and all other file systems on the server where they are going to be accessed via Samaba using Windows ACL’s

Once you are sure you have your fstab correct you should reboot, to take those changes into use.

Check ACL’s are working

This next part is almost direct lift from the Samba docs, it seemed pointless reinventing the wheel for this part.
Some of the names have been changed to protect the innocent.

All these commands should be run as root, either su to root or give yourself a root shell with sudo -i.

Create a test file, to play around with:

sudo touch testing_acl.txt

Add some extended attributes with the name user.test, adding a value of test. Then add a second set named security.test and a valuer of test2.

sudo setfattr -n user.test -v test testing_acl.txt
sudo setfattr -n security.test -v test2 testing_acl.txt

View the ACL’s just added to the test file.

sudo getfattr -d testing_acl.txt
# file: testing_acl.txt
sudo getfattr -n security.test -d testing_acl.txt
# file: testing_acl.txt

Now add some file access control list, ACL, permissions to our test file. For the users who have the Linux group adm give them, additionally, read/write and execute permissions.

sudo setfacl -m g:adm:rwx testing_acl.txt
sudo getfacl testing_acl.txt
# file: testing_acl.txt
# owner: root
# group: root

Only continue on if all went as above. If it did not go back top your backup and start again.

Installing even more software

Depending on how you installed your system some of these packages may already be installed.

sudo apt-get install samba smbclient  build-essential libacl1-dev libattr1-dev \
   libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \
   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
   dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev ldb-tools

During the installation process you will be asked some questions:

  • Configuring Kerberos Authentication: BLACK.DRAGON.LAB
  • hostname of Kerberos servers in the BLACK.DRAGON.LAB: lab-addc1
  • hostname of the Administrative (password changing) servers: lab-addc1

Pitfall: If you get these wrong your AD DC will not work and you will have to start again!

Once that lot is installed, without errors, delete the Samba configuration file created by the system. The provisioning tool fails if it already exists. (Why don’t the Samba guys update the provisioning tool to do that or ask you?)

sudo rm /etc/samba/smb.conf

Now to provision the AD. Pitfall: Be very careful and precise here you only get one shot at this!

sudo samba-tool domain provision --use-rfc2307 --interactive

The only inputs you should been to change are:

  • Domain: BLACK
  • Server Role: dc
  • DNS Backend: BIND_DLZ
  • Administrator password:
 Domain [BLACK]: 
 Server Role (dc, member, standalone) [dc]: 
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=black,DC=dragon,DC=lab
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=black,DC=dragon,DC=lab
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              lab-addc1
NetBIOS Domain:        BLACK
DNS Domain:            black.dragon.lab
DOMAIN SID:            S-1-5-21-1234567890-1234567890-1234567890

Configuring Samba and Bind

Edit the file /etc/samba/smb.conf and add the following lines to the end of the [global] section.

sudo nano /etc/samba/smb.conf
        allow dns updates = nonsecure and secure 
        dns forwarder =

        # Thanks to Lars for this fix, it stops the syslog
        # being spammed by the lack of a CUPS server.
        printing = CUPS
        printcap name = /dev/null

Add the following to /etc/bind/named.conf.options at the end of the options{…} block. You may need to comment out any existing lines as duplicate settings are not allowed.

sudo nano /etc/bind/named.conf.options
   auth-nxdomain yes;  
   empty-zones-enable no;

   // Adding this Samba generated file will allow for automatic DDNS updates
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Edit /var/lib/samba/private/named.conf for the version of bind9 see the comments in the file, to find out the version of bind run the following and look at the last line there is a lot of output here which is the usage text for the command.

sudo /usr/sbin/rndc --version
Version: 9.9.5-3ubuntu0.2-Ubuntu
sudo nano /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";

    # For BIND 9.9.0
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";

Add the following to /etc/bind/named.conf as the second include line.

sudo nano /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";

Change the permissions on the private dns.keytab file so it is readable by your bind group.

sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab

Add the following apparmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the {..}

sudo nano /etc/apparmor.d/usr.sbin.named 
   /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
   /usr/lib/x86_64-linux-gnu/samba/** rwmk,

   /var/lib/samba/private/dns/** rwmk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns.keytab r,

   /var/tmp/* rw,

   /dev/urandom rw, 

Pitfall: If you followed all of the above and the software for Samba, Kerberos and Bind has not changed and the configuration requirements have not changed for anything, your AD DC should work. Check it all through once more before rebooting. If it fails to work after the reboot it will be quicker to just start again. πŸ™

sudo reboot

Testing it all still works.

smbclient -L localhost -U%
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      
	sysvol          Disk      
	IPC$            IPC       IPC Service (Samba 4.1.6-Ubuntu)
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password: 
Domain=[BLACK] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  .                                   D        0  Sat May  9 12:20:08 2015
  ..                                  D        0  Sat May  9 12:20:14 2015

		41773 blocks of size 262144. 27672 blocks available
host -t SRV has SRV record 0 100 389
host -t SRV has SRV record 0 100 88
host -t A has address

Kerberos testing

kinit administrator 
Password for administrator@BLACK.DRAGON.LAB: 
Warning: Your password will expire in 41 days on Sat 20 Jun 2015 12:20:13 BST
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@BLACK.DRAGON.LAB

Valid starting     Expires            Service principal
09/05/15 12:33:07  09/05/15 22:33:07  krbtgt/BLACK.DRAGON.LAB@BLACK.DRAGON.LAB
	renew until 10/05/15 12:32:59
samba-tool dns query lab-addc1 BLACK.DRAGON.LAB @ ALL
  Name=, Records=3, Children=0
    SOA: serial=1, refresh=900, retry=600, expire=86400, minttl=0,, (flags=600000f0, serial=1, ttl=3600)
    NS: (flags=600000f0, serial=1, ttl=900)
    A: (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=lab-addc1, Records=1, Children=0
    A: (flags=f0, serial=1, ttl=900)

If the above test worked you should have a working AD DC running on Linux and can replace your Microsoft Small Business Server with it. Yay!

To add Ubuntu machines to the new domain see this how to I prepared earlier πŸ™‚

Trouble shooting

Aug  2 16:22:18 lab-addc1 named[2347]: Loading 'AD DNS Zone' using driver dlopen
Aug  2 16:22:18 lab-addc1 named[2347]: dlz_dlopen: incorrect version 1 should be 2 in '/usr/lib/x86_64-linux-gnu/samba/bind9/'
Aug  2 16:22:18 lab-addc1 named[2347]: dlz_dlopen of 'AD DNS Zone' failed

You need to edit /var/lib/samba/private/named.conf for the correct version of the lib.

After booting up a Windows machine using DHCP and the DNS updated automatically. Put a tail on the syslog file and run the following command. It will try and force Samba to update the DNS setting it knows about. The command below will in turn try and call the bind utility nsupdate.

sudo samba_dnsupdate --verbose --all-names

There will be loads of output to the terminal and to the syslog. Likely causes are

  • The apparmor rules in
    • /etc/apparmor.d/usr.sbin.named
    • /etc/apparmor.d/usr.sbin.dhcpd
  • File permissions
    • -rw-r–r– 1 root root 3781 May 10 11:59 /etc/krb5.conf
    • -rw-r—– 1 root bind 852 May 10 12:00 /var/lib/samba/private/dns.keytab

Also see

For the next part in this series take a look at Administering AD DC via Windows.

40 thoughts on “Samba4 AD DC on Ubuntu 14.04

  1. Lars Urban

    Hello Richard,

    thank you very much for this Tutorial ! Now i was able to setup my DC without problems …. after 2 Weeks self study … =)

    After a full copy from your lab i figured out for me, that my problem was the naming from bind + samba with FQN -_-

    But on Question , if i follow your tutorial , the first step is setup Bind9 and then the DC.
    You use the same IP for DNS and DC , this is correct for Samba4 setups with Bind, but i am a little bit confused with the Hostnames =)

    For AD is it : lab-addc1
    For DNS is it: dns-server

    If i setup DNS then DC is my DC Hostname allways dns-server.
    You have change your setup ?
    Or i have a missing configuration πŸ˜‰

    Greetings and Thank you again !

    By the way, Ubuntu 14.04 Server has always the ACL as default, normaly you need only the packages.
    But for documentation is it ok, and not totaly wrong =)

    1. Richard Post author

      Thank you for the feedback. regarding your question, I missed off a CNAME record in the Bind9 tutorial, sorry! I have updated that post.
      You need to add another record to /var/lib/bind/ at the end.

      lab-addc1 CNAME ns1

      Also add the reverse lookup record to /var/lib/bind/ The new record is the one in the middle.

      3 PTR dns-server.dragon.lab.
      3 PTR lab-addc1.dragon.lab. <=- this is the new line PTR dragon.lab.

      CNAME records allow you to have one IP address with multiple hostnames.

  2. Lars Urban

    And I am again =)

    If I do after this installation a :

    sudo samba_dnsupdate --verbose --all-names

    I obtain this in my syslog:
    type=1400 audit(1408563965.420:18): apparmor=”DENIED” operation=”mknod” profile=”/usr/sbin/named” name=”/var/tmp/DNS_105″ pid=1116 comm=”named” requested_mask=”c” denied_mask=”c” fsuid=105 ouid=105

    so we need in your tutorial one entry more for appamor:
    /var/tmp/** rw,

    and this also in the global section from smb.conf
    printing = bsd
    printcap name = /dev/null

    without we have a flooding syslog with printer cups errors =)

    Greetings Lars

    1. Richard Post author

      Thanks again Lars for the feed back and pointing out more errors, grumble grumble πŸ™‚

      Thanks for the solution to the issue with error messages in the syslog saved me looking that up. The values for the printing option can be any one of these: BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, CUPS, and SOFTQ.

      I will update this tutorial and use CUPS as I’m thinking about adding a section of printer sharing, which will use CUPS.

  3. joebell

    Hi Richard,

    I do very appreciate your tutorial. Being a totally newbie among Linux/Ubuntu users, I was able to install a stand alone Samba Active Directory Server perfectly with these few exceptions:
    1. command ‘host -t’ did not work for me. I received replies with “not found: 3(NXDOMAIN)” at the end
    2. restarting bind9 failed. I could find this line during the process “rndc: connect failed:
    connection refused”, and finally * Starting domain name service… bind9 [fail]
    3. in the syslog file there are lines as follows:
    Aug 21 21:41:32 server2 named[2111]: Loading ‘AD DNS Zone’ using driver dlopen
    Aug 21 21:41:32 server2 named[2111]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
    Aug 21 21:41:32 server2 named[2111]: dlz_dlopen of ‘AD DNS Zone’ failed
    Aug 21 21:41:32 server2 named[2111]: SDLZ driver failed to load.
    Aug 21 21:41:32 server2 named[2111]: DLZ driver failed to load.
    Aug 21 21:41:32 server2 named[2111]: loading configuration: failure
    Aug 21 21:41:32 server2 named[2111]: exiting (due to fatal error)

    I would be very pleased to know what was done wrong during the Samba Server with AD installation. Could you help me with that issue?

    Many thanks!

    1. Richard Post author

      This looks like the permissions on the file /var/lib/samba/private/dns/sam.ldb are wrong which, implies you missed a step or something else went wrong. There may also be entries in your syslog from apparmor regarding the file which means you’ll need to update the its config file for /usr/sbin/named.

      The permissions on the directory and files in in should be

      sudo ls -l /var/lib/samba/private/dns -d
      drwxrwx--- 3 root bind 4096 Aug 17 08:40 /var/lib/samba/private/dns

      sudo ls -l /var/lib/samba/private/dns/
      -rw-rw---- 1 root bind 3018752 Aug 17 08:40 sam.ldb
      drwxrwx--- 2 root bind 4096 Aug 17 08:40 sam.ldb.d

      I would also say that installing and configuring Bind9 DNS and Samba4 as a AD DC was not a task to be undertaken by someone new to Linux, try smaller steps and do one step at a time. πŸ™‚

    2. Schnix

      chown root:bind /var/lib/samba/private/ will solve your problem. This Information is missing in the tutorial, which ist one of the best so far in the web

    1. Richard Post author

      You also had to install Linux, in this case Ubuntu. πŸ™‚

      Which is why I say at the beginning of the tutorial “For this how to I am building on some of my other howtos.” and provide links to the required posts.

  4. Drew

    i would like to say first off great tutorial. its fairly easy to understand and follow but i had a few questions concerning “samba-tool domain provision –use-rfc2307 –interactive”
    i have found out that this will set up an INTERNAL LDAP however i am trying to use OpenLDAP as the LDAP backend so i can manage the users/passwords for everyone in a unified single sign-on environment for things like mail, web access, printers, and the like am i correct in guessing that i can skip this step or is there another option for provisoning that will help set up an external LDAP server? i have found a plethera of information regarding Samba 4 and LDAP and so far this is the only one that is extremly easy to folow.

    1. Richard Post author

      Whatever method you use to authenticate users you will have to provision the Samba server, using anything other than the Samba internal LDAP server does not look promising though.

      The Samba4 Wiki is quite explicit about using OpenLDAP as an LDAP backend with Samba. It does not sound like a good direction to go, two quotes from that page:
      While this is an area of active development in Samba as an Active Directory Domain Controller, it is not supported, or expected to be supported in the near future” and “This does not yet work in any released or development branch. You have been warned.“.

      On a brighter note you may be able to configure Postfix to use a Samba back end to authenticate logins. I have not yet tried but it is on my rather long list. πŸ™‚

  5. Teo

    Hi, thanks for really nice tutorial, but there are some thing i miss understand.
    Is ICS-DHCP-SERVER still dynamic update leased IP to DNS records on BIND9_DLZ DNS Server ?
    I have setup BIND9 and ICS-DHCP-Server use rndc.key to update before and it’s automaticly update to DNS Server without problems.
    But after i change to BIND9_DLZ it’s no longer work anymore (i checked on DNS Manager of Administrator Tools on Windows 7 and dinn’t see any WORKGROUP cliens.)


  6. Dov

    I am trying to setup AD-DC server following this tutorial, thanks for taking the time to make such a clear and easy to follow set of instructions.

    While the tutorial have the setup of isc-dhcp-server as a requirement for setting the AD-DC,
    I found the following comment on the wiki for ad-dc:

    “Note: If your server is set up to receive its IP configuration via DHCP, the β€ž/etc/resolv.confβ€œ file might be automatically updated. Refer to your distributions documentation on how to stop/change this behavior, although DHCP is not recommended on a DC!”

    1. Richard Post author

      To be clear, You do not want your AD DC server to get its IP address from DHCP, that is just plain nuts, for so many reasons.

    1. Richard Post author

      I did not have to as it gets puled lin automatically and the default configuration is good enough to get this all working.

  7. Jeebsion

    Hi Richard,

    I’ve followed your tutorial religiously, I believe … but here’s what happened when I try to start bind:

    root@primera:/home/najib# tail /var/log/syslog
    Jan 16 04:00:45 primera named[1293]: listening on IPv4 interface eth0,
    Jan 16 04:00:45 primera named[1293]: generating session key for dynamic DNS
    Jan 16 04:00:45 primera named[1293]: sizing zone task pool based on 7 zones
    Jan 16 04:00:45 primera named[1293]: Loading ‘AD DNS Zone’ using driver dlopen
    Jan 16 04:00:46 primera named[1293]: samba_dlz: started for DN DC=mbmdistro,DC=loc
    Jan 16 04:00:46 primera named[1293]: samba_dlz: starting configure
    Jan 16 04:00:46 primera named[1293]: samba_dlz: Failed to configure zone ‘mbmdistro.loc’
    Jan 16 04:00:46 primera named[1293]: loading configuration: already exists
    Jan 16 04:00:46 primera named[1293]: exiting (due to fatal error)
    Jan 16 04:00:46 primera named[1293]: samba_dlz: shutting down

    Any idea what went wrong?

  8. Justin Stein

    Can you explain what exactly the ranges affect? Does it mean that you can only use that many users (i.e. if I put the SERVER:backend as 10000-59999, there can only be 49999 users created on that server?) Thanks for this article, it helped me a ton!

    1. Richard Post author

      Yes you are right about this limiting the number of ADDC user to a maximum of 49999. If you are administering an environment (Windows and Linux) with that many users your company should be sending you on tutor lead courses to give you the proper training. You should not have to rely on information scraped from blogs like mine πŸ™‚

  9. Simeon

    Hello Richard,

    Thank you for your nice tutorial. Almost everything works very nice here.

    Unfortunately, I choose a too long Kerberos Authentication. That’s why Kerberos isn’t working here.
    How can I change the Kerberos Realm?

    In your Tutorial it’s just written like this:
    If you get these wrong your AD DC will not work and you will have to start again!

    Thank you very much for your answer!

    1. Richard Post author

      It was a lot simpler, for me :-), to say “start again” than go into details of fixing problems and editing multiple files.

  10. Eric


    thank you for your great work
    I’m hanging on one point:
    when I try to use:
    host -t A
    I just get an NXDOMAIN error

    all the other commands work fine just that particular one doesnt work
    I already tried to reinstall the server 3 times but stuck every time at the same point

    Hope you or someone can help with that


  11. drlegend

    this was the best tutorial every .. east to follow step by step. I tried many others and this is the first one that worked flawlessly … congratulation on your had work ….

  12. Tony Ferguson

    Hi Richard

    Thank you very much for this – it still works well.

    The next step is to add users and shares on the machine –

    1 – How do I add a user to the SAMBA network
    2 – How do I add groups?


      1. Richard Post author

        I doubt I will be doing a post for 16.04 as Samba 4 cannot run as an AD DC for 2012 or 2016. See the samaba documentation. This means you would have to remain using a 2008 server and that is getting on for 8 years out of date or the pre-stone age in computer terms!

  13. Bob Wooden

    I can’t help it, I have to comment. I have used your article with success to install and configure U16.04.1LTS with samba 4.3.9 and bind9.10 and get a functional active directory DC working. Having said that, your article has missed many important steps that are needed to get Samba4 working. Like where did you install bind9? Nowhere in your list of packages to install did you include bind9? Yet, you configured bind9 . . .
    I know this sounds harshly critical but, it’s a good article . . . just some of the pieces are missing. There has too be a lot of readers who tried and failed, just like I did. Look at the August 2016 comment about “apt-get install bind9 and winbind” . . . . that dude was frustrated. Sorry but, shame on you for leaving out those critical parts!!

    1. Richard Post author

      You may find this reply harsh. Shame on you for not bothering to read the post in full. It clearly states, with a link, that this post builds on my post for installing and configuring Bind9. Try reading the instructions, all of them, in the order they were written. Yes, that includes the bit about installing and configuring Bind9. Before posting comments about your own frustrations make sure you have bothered to read the full post then you will not be the cause of your own frustration!

  14. Onno

    Hello Richard,

    I’m a bit stuck on the part of adding a test volume. I’m trying to follow these steps on an Ubuntu 16.04 VM with LVM for disk management.

    How do I create a test file system with LVM?

  15. mackuz

    Thank You!
    Despite this article is quite outdated, it may be used Π΅Ρ‰ΠΏΡƒΠ΅Ρ€ΡƒΠΊ with other materials. And Bind9 part is actual.

    I have only one question: if we are installing samba from Ubuntu repo, why do we need all theese dev packages? And do we need them?

    1. Richard Post author

      I cannot remember that far back. Since there is nothing being compiled against them and they are not being changed, you may be able to get away with not having them. I found the connection will no longer work with M$ server 2012 and after so I gave up. M$ are only interested in their revenue, and so continually change the protocol without making it backwards compatible or back porting security fixes. Forcing companies to go their way once they are locked into the M$ BS. πŸ™ Also, I changed firms just after doing this post and no longer had to deal with the security nightmare and IT abomination that is M$. Good luck.

      1. mackuz

        Thank You again.
        Sadly, soft, we are using, as far as I know, is not working with other LDAP implementations, so we need AD. I’ll try to make it work.

        And “Π΅Ρ‰ΠΏΡƒΠ΅Ρ€ΡƒΠΊ” is “together” πŸ™‚

        1. Richard Post author

          Aah, it looks like the SAMBA guys have updated their documentation. Last time I looked it was saying Windows 2012 would not be supported.

  16. J.

    Hello, just saying you might want to add the “domain must be uppercase for kerberos” warning somewhere, otherwise you’ll get
    kinit: KDC reply did not match expectations while getting initial credentials


Leave a Reply

Your email address will not be published. Required fields are marked *