Install Samba 4.7.6 AD DC – Ubuntu 18.04 – Bind 9.11 DNS – Backend AD RFC2307


  • Samba 4.7.6
  • Ubuntu 18.04
  • Bind 9.11
Set your IP address

# sudo nano /etc/netplan/50-cloud-init.yaml
             dhcp4: false
                 search: []
     version: 2

perl: warning: Falling back to a fallback locale (“en_US.UTF-8”).
locale: Cannot set LC_ALL to default locale: No such file or directory

If you get a locale error, try this:
# sudo su
# export LANGUAGE="en_US.UTF-8"
# echo 'LANGUAGE="en_US.UTF-8"' >> /etc/default/locale
# echo 'LC_ALL="en_US.UTF-8"' >> /etc/default/locale
# reboot

Get fresh sources
# sudo apt-get update

Get fresh updates
# sudo apt-get upgrade

Install Bind9

# sudo apt-get install bind9 bind9utils

Optional!! Downloading the DNS Root Servers List
# cd /etc/bind

Download the latest list of the DNS root servers to the /etc/bind/db.root file:
#  sudo wget -q -O /etc/bind/db.root

Enable the BIND user to read the root servers list:
# sudo chown bind:bind /etc/bind/db.root
# sudo chmod 640 /etc/bind/db.root

Optionally, set up a Cron job to automatically update the file.

Install Samba, Kerberos, winbind, smbclient

# sudo apt -y install samba krb5-config winbind smbclient

Set Realm
Default Kerberos version 5 realm: DC.COM

Specify the hostname
Kerberos servers for your realm:

Specify the hostname
Administrative server for your Kerberos realm:

Configure Samba AD DC

Rename or remove the default config
# sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.initial

Setting up RFC2307 and NIS Extensions in a Samba AD
# sudo samba-tool domain provision --use-rfc2307 --interactive
Realm: DC.COM
Domain [DC]: DC
Server Role (dc, member, standalone) [dc]: dc

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf

Once the above files are installed, your Samba AD server will be ready to use

Server Role:           active directory domain controller
Hostname:              addc
NetBIOS Domain:        DC
DNS Domain:  
DOMAIN SID:            S-1-5-21-1314142769-2543882361-2372172498

Copy krb5.conf 
# sudo cp /var/lib/samba/private/krb5.conf /etc/

Stop systemd-resolved and make /etc/resolv.conf static. The stand-alone smbd, nmbd and winbind units are stopped and disabled as well, because the samba-ad-dc service starts those daemons itself.
# sudo systemctl stop smbd nmbd winbind systemd-resolved
# sudo systemctl disable smbd nmbd winbind systemd-resolved

Remove the mask on the samba-ad-dc unit (the /etc/systemd/system/samba-ad-dc.service link to /dev/null):
# sudo systemctl unmask samba-ad-dc

Set Hosts
# sudo nano /etc/hosts
 ---start---       localhost.localdomain localhost addc

Remove the resolv.conf symlink and create a new file
# sudo ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Jul 25 22:59 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
# sudo rm /etc/resolv.conf
# sudo nano /etc/resolv.conf

Replace the domain name with the one used in your own environment.

Start & enable samba-ad-dc
# systemctl start samba-ad-dc
# systemctl enable samba-ad-dc

Configure Samba AD DC and Bind9_DLZ

There are two DNS server types:
- Caching DNS server
- Forwarding DNS server
In my case I will use a caching DNS server: only a few hundred users and a low workload.
BIND9_DLZ must be installed on the same host as the AD DC, not on a separate server, because the module accesses the AD database directly.

Configure the BIND9_DLZ back end as a Caching DNS Server
# sudo nano /etc/bind/named.conf
Delete all and use these!
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
 include "/var/lib/samba/private/named.conf";

Edit /etc/bind/named.conf.options
# sudo nano /etc/bind/named.conf.options
Delete all and use these!
options {
    directory "/var/cache/bind";
    notify no;
    empty-zones-enable no;

    # Adding this Samba generated file will allow for automatic DDNS updates
    # To enable dynamic DNS updates using Kerberos
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    # allowed users from another segment
    allow-query {

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    # allowed users from another segment
    allow-recursion {

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {

    # Disable zone transfers
    allow-transfer {

    dnssec-validation auto;

    auth-nxdomain no; # conform to RFC1035
    # If auth-nxdomain is 'yes' allows the server to answer authoritatively (the AA bit is set)
    # when returning NXDOMAIN (domain does not exist) answers, if 'no' (the default) the
    # server will not answer authoritatively.
    listen-on-v6 { any; };
};
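
The access-control statements above are where a DC's resolver is most often left open. The following added example (not from the guide; the parse_options and audit helpers, the sample configs and their RFC 5737 addresses are all constructed here) parses a named.conf.options file and flags the weak settings an operator should fix: recursion open to everyone, zone transfers not disabled, DNSSEC validation off, and a missing Kerberos keytab for dynamic updates.

```python
import re
# Added example (not from the guide): lint the security-relevant settings in a
# BIND named.conf.options like the one the guide has you write. Sample configs
# and their addresses (RFC 5737 documentation range) are constructed.
WEAK_OPTIONS = """
options {
    directory "/var/cache/bind";
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-query { any; };
    allow-recursion { any; };   // anyone on the internet may recurse through us
    forwarders { 192.0.2.1; };
    dnssec-validation no;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
};
"""
# Same file with recursion limited to the LAN, transfers disabled and DNSSEC on.
HARDENED_OPTIONS = WEAK_OPTIONS.replace(
    "allow-recursion { any; };", "allow-recursion { 127.0.0.1; 192.0.2.0/24; };"
).replace("dnssec-validation no;", "dnssec-validation auto;\n    allow-transfer { none; };")

def parse_options(text):
    """Statements inside options { ... }: brace ones as token lists, scalars as str."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip /* */ comments
    text = re.sub(r"(#|//).*", "", text)                 # strip # and // comments
    m = re.search(r"options\s*\{(.*)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no options block found")
    body, opts = m.group(1), {}
    brace = re.compile(r"([\w-]+)\s*\{([^}]*)\}\s*;")
    for name, inner in brace.findall(body):
        opts[name] = inner.replace(";", " ").split()
    for name, value in re.findall(r"([\w-]+)\s+([^;{}]+);", brace.sub("", body)):
        opts[name] = value.strip()
    return opts

def audit(opts):
    """Findings to fix before this resolver is reachable from anything but the DC."""
    findings = []
    if "any" in opts.get("allow-recursion", []):
        findings.append("open resolver: restrict allow-recursion to your own networks")
    if "none" not in opts.get("allow-transfer", []):
        findings.append("zone transfers not disabled: add allow-transfer { none; }")
    if opts.get("dnssec-validation") not in ("auto", "yes"):
        findings.append("dnssec-validation is off: set it to auto")
    if "tkey-gssapi-keytab" not in opts:
        findings.append("tkey-gssapi-keytab missing: Samba dynamic DNS updates will fail")
    return findings
```

Run audit(parse_options(open("/etc/bind/named.conf.options").read())) on the DC to check the real file; an empty list means none of the four checks fired.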


Edit /etc/bind/named.conf.local
Add zone for Samba ADDC
# sudo nano /etc/bind/named.conf.local

Delete all and use these
// 127.0.0. zone.
zone "" {
type master;
file "/etc/bind/db.0.0.127";

Check /etc/bind/named.conf.default-zones
It is already the default; no need to change it.
# sudo nano /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
zone "" {
type master;
file "/etc/bind/db.127";
zone "" {
type master;
file "/etc/bind/db.0";
zone "" {
type master;
file "/etc/bind/db.255";

Creating the localhost zone files referenced in /etc/bind/named.conf.default-zones
# cd /etc/bind

Create the localhost forward zone in the /etc/bind/db.local file:
# sudo nano /etc/bind/db.local
$ORIGIN localhost.
@ 1D IN SOA @ root (
    20190107 ; serial
    8H ; refresh
    2H ; retry
    4W ; expiry
    1D ; minimum
    )
@ IN NS @

Enable the BIND user to read the zone file:
# sudo chown bind:bind /etc/bind/db.local
# sudo chmod 640 /etc/bind/db.local

Create the reverse zone in the /etc/bind/db.0.0.127 file:
# sudo nano /etc/bind/db.0.0.127
@       IN      SOA     localhost. root.localhost. (
                        20190107        ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )
        IN      NS      localhost.
1       IN      PTR     localhost.

Enable the BIND user to read the zone file:
# sudo chown bind:bind /etc/bind/db.0.0.127
# sudo chmod 640 /etc/bind/db.0.0.127

Configuring the BIND9_DLZ Module

The BIND9_DLZ module is a BIND9 plugin that accesses the Samba Active Directory (AD) database directly for registered zones. For this reason:
- BIND must be installed on the same machine as the Samba AD domain controller (DC).
- BIND must not run in a changed root environment.
- Zones are stored and replicated within the directory.

Display the BIND version:
# named -v
 BIND 9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) 

 Edit /var/lib/samba/private/named.conf
 # sudo nano /var/lib/samba/private/named.conf
 dlz "AD DNS Zone" {
     # For BIND 9.11.x
      database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/";

Change the permissions on the private dns.keytab so that it is readable by the bind group:

# sudo chgrp bind /var/lib/samba/private/dns.keytab
# sudo chmod g+r /var/lib/samba/private/dns.keytab

Add apparmor rules to the end of /etc/apparmor.d/usr.sbin.named inside the {..}
# sudo nano /etc/apparmor.d/usr.sbin.named
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /var/lib/samba/private/dns/** rwmk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/tmp/* rw,
  /dev/urandom rw,

# sudo nano /etc/apparmor.d/local/usr.sbin.named
  # Samba4 DLZ and Active Directory Zones (default source installation)
  /usr/local/samba/lib/** rm,
  /usr/local/samba/private/dns.keytab r,
  /usr/local/samba/private/named.conf r,
  /usr/local/samba/private/dns/** rwk,

# sudo reboot


# sudo samba-tool domain level show
Domain and forest function level for domain 'DC=bc,DC=com'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

# smbclient -L localhost -U%
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            ADDC

# smbclient //localhost/netlogon -UAdministrator -c 'ls'
 Enter BC\Administrator's password: 
   .                                   D        0  Fri Oct 26 04:11:28 2018
   ..                                  D        0  Fri Oct 26 04:11:37 2018
         10252564 blocks of size 1024. 5360728 blocks available

# host -t SRV
--start-- has SRV record 0 100 389

# host -t SRV
--start-- has SRV record 0 100 88

 # host -t A
--start-- has address

# samba-tool dns query addc @ ALL -U administrator%#password#
 Name=, Records=3, Children=0
     SOA: serial=37, refresh=900, retry=600, expire=86400, minttl=3600,, (flags=600000f0, serial=37, ttl=3600)
     NS: (flags=600000f0, serial=1, ttl=900)
     A: (flags=600000f0, serial=1, ttl=900)
   Name=_msdcs, Records=0, Children=0
   Name=_sites, Records=0, Children=1
   Name=_tcp, Records=0, Children=4
   Name=_udp, Records=0, Children=2
   Name=addc, Records=1, Children=0
     A: (flags=f0, serial=1, ttl=900)
   Name=DomainDnsZones, Records=0, Children=2
   Name=ForestDnsZones, Records=0, Children=2

Lookup from another PC
# nslookup
   Default server:
>  set type=SRV
   Address:    service = 0 100 389

Now verify current samba settings by running the command below.
# testparm
or, to list every parameter:
# samba-tool testparm -v

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
To make the necessary change permanent, I entered the following line in "/etc/security/limits.conf":
# sudo nano /etc/security/limits.conf
* - nofile 16384
# sudo reboot

Check again
# testparm
The warning previously given by "testparm" is now gone.

Check config:
# named-checkconf

Check Bind logs:
# tail -f /var/log/syslog

Start the BIND service
# sudo service bind9 start
# sudo service bind9 status

Start the Samba service
# sudo service samba-ad-dc start

Optional! Adding a UPN Suffix to Active Directory

- Select Active Directory Domains and Trusts from the Tools menu 
- In the Active Directory Domains and Trusts management console, right-click Active Directory Domains and Trusts in the left pane and select Properties from the menu.
- In the dialog box on the UPN Suffixes tab, type the name of the suffix that you would like to add to your AD forest in the Alternate UPN suffixes box. Click Add and then OK. 

Error: permission denied: /var/lib/samba/private/named.conf

Check permissions:
ls -la /var/lib/samba/private/named.conf
-rw-r--r-- 1 root root 780 Oct 22 09:23 /var/lib/samba/private/named.conf
Change the owner to bind:bind:
sudo chown bind:bind /var/lib/samba/private/named.conf
sudo chmod 640 /var/lib/samba/private/named.conf

Error: working directory '/' is not writable

Obtaining root key for view _default from '/etc/bind/bind.keys'
loading configuration: permission denied
Make sure the line directory "/var/cache/bind"; in /etc/bind/named.conf.options is not commented out with #.

Basic User Management

# sudo su

Display domain users list
root@smb:~# samba-tool user list

Add a domain user
root@smb:~# samba-tool user create ubuntu

Delete a domain user
root@smb:~# samba-tool user delete ubuntu

Reset password for a user
root@smb:~# samba-tool user setpassword ubuntu

Set expiry for a user
root@smb:~# samba-tool user setexpiry ubuntu --days=7

Disable/Enable user account
root@smb:~# samba-tool user disable ubuntu

Display domain groups list
root@smb:~# samba-tool group list

Display members in a group
root@smb:~# samba-tool group listmembers "Domain Users"

Add a domain group
root@smb:~# samba-tool group add ServerWorld

Delete a domain group
root@smb:~# samba-tool group delete ServerWorld

Add a member to a domain group
root@smb:~# samba-tool group addmembers ServerWorld ubuntu

Remove a member from the group ServerWorld
root@smb:~# samba-tool group removemembers ServerWorld ubuntu

Change Domain User Password
# sudo smbpasswd -a username
[sudo] password for admin:
New SMB password:
Retype new SMB password:

Samba AD DC Port Usage

Service                                     Port         Protocol
DNS *                                       53           tcp/udp
Kerberos                                    88           tcp/udp
ntp **                                      123          udp
End Point Mapper (DCE/RPC Locator Service)  135          tcp
NetBIOS Name Service                        137          udp
NetBIOS Datagram                            138          udp
NetBIOS Session                             139          tcp
LDAP                                        389          tcp/udp
SMB over TCP                                445          tcp
Kerberos kpasswd                            464          tcp/udp
LDAPS ***                                   636          tcp
Global Catalog                              3268         tcp
Global Catalog SSL ***                      3269         tcp
Dynamic RPC Ports ****                      49152-65535  tcp

About AD Password

To see GPO info in windows client
gpresult /v

A Samba Active Directory domain can usually be fully configured without any issues using RSAT; the password policy seems to be one of the very few things where this does not work, or at least not in its entirety.

The password complexity (on | off | default). Default is 'on'.
# sudo samba-tool domain passwordsettings set --complexity=off

The password history length (integer | default). Default is 24.
# sudo samba-tool domain passwordsettings set --history-length=0

The minimum password length (integer | default). Default is 7.
# sudo samba-tool domain passwordsettings set --min-pwd-length=3

The minimum password age (integer | default). Default is 1.
# sudo samba-tool domain passwordsettings set --min-pwd-age=0

The maximum password age (integer | default). Default is 43.
# sudo samba-tool domain passwordsettings set --max-pwd-age=0

Restart samba
# sudo /etc/init.d/smbd restart

Or reboot server
# sudo reboot

Windows side
# gpupdate /force

I restarted Samba, ran gpupdate /force on the Windows workstation, and it worked. No need to set up a GPO (although that would sometimes be preferable).

See here,
That’s it, hope it helps.

