Installing Samba as Active Directory Domain Controller Using Internal DNS on Ubuntu 18.04


  • Samba 4.7.6
  • Ubuntu 18.04
  • Samba Internal DNS
Set a static IP address
# sudo nano /etc/netplan/50-cloud-init.yaml
dhcp4: false
search: []
version: 2

Get fresh sources
# sudo apt-get update

Get fresh updates
# sudo apt-get upgrade

Locale error!
perl: warning: Falling back to a fallback locale ("en_US.UTF-8").
locale: Cannot set LC_ALL to default locale: No such file or directory

If you get the locale error, this is the fix:
# sudo su
# export LANGUAGE="en_US.UTF-8"
# echo 'LANGUAGE="en_US.UTF-8"' >> /etc/default/locale
# echo 'LC_ALL="en_US.UTF-8"' >> /etc/default/locale
# reboot

Install Samba, Kerberos, winbind, smbclient

# sudo apt -y install samba krb5-config winbind smbclient

Set Realm
Default Kerberos version 5 realm: DC.COM

Specify the hostname
Kerberos servers for your realm:

Specify the hostname
Administrative server for your Kerberos realm:

Configure Samba AD DC

Rename or remove the default config
# sudo mv /etc/samba/smb.conf /etc/samba/

Provision the domain
# sudo samba-tool domain provision
Specify Realm
Realm: DC.COM
Domain [DC]: DC
Server Role (dc, member, standalone) [dc]: dc
DNS forwarder IP address (write 'none' to disable forwarding) []: none
Administrator password:
Retype password:

A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: addc
NetBIOS Domain: DC
DNS Domain:
DOMAIN SID: S-1-5-21-1101332558-2985550191-2366278001

Copy krb5.conf
# sudo cp /var/lib/samba/private/krb5.conf /etc/

Stop systemd-resolved so that /etc/resolv.conf stops being rewritten and stays static, and stop the classic Samba daemons, which the AD DC service replaces
# sudo systemctl stop smbd nmbd winbind systemd-resolved
# sudo systemctl disable smbd nmbd winbind systemd-resolved

Unmask samba-ad-dc (this removes the mask link /etc/systemd/system/samba-ad-dc.service that points to /dev/null)
# sudo systemctl unmask samba-ad-dc

Fix the hosts file, which is not correct yet
# sudo nano /etc/hosts
localhost.localdomain localhost addc

Remove the resolv.conf symlink and create a new file
# sudo ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 39 Jul 25 22:59 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
# sudo rm /etc/resolv.conf
# sudo nano /etc/resolv.conf

Replace the domain name with the one used in your own environment

Start & enable samba-ad-dc
# systemctl start samba-ad-dc
# systemctl enable samba-ad-dc

Confirm the domain level and add a domain user

Confirm the domain level
# sudo samba-tool domain level show
Domain and forest function level for domain 'DC=dc,DC=com'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

Add a domain user
# sudo samba-tool user create ubuntu
New Password:
User 'ubuntu' created successfully

Verifying DNS

The tcp-based _ldap SRV record in the domain:
# host -t SRV has SRV record 0 100 389

The udp-based _kerberos SRV resource record in the domain:
# host -t SRV has SRV record 0 100 88

The A record of the domain controller:
# host -t A has address

Testing DNS

From another PC
# nslookup
> server
Default server:
> set type=SRV
Address: service = 0 100 389

Testing Kerberos and authentication

List the shares of the server we are on using smbclient
# sudo smbclient -L -U 'administrator'
Enter BC\administrator's password:
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.7.6-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            ADDC

Test authentication with smbclient
# sudo smbclient //localhost/netlogon -U 'administrator'
Enter BC\administrator's password:
Try "help" to get a list of possible commands.
smb: >

Now verify current samba settings by running the command below.
# testparm
or, for more complete output
# samba-tool testparm -v

Basic User Management

# sudo su

Display domain users list
root@smb:~# samba-tool user list

Add a domain user
root@smb:~# samba-tool user create ubuntu

Delete a domain user
root@smb:~# samba-tool user delete ubuntu

Reset password for a user
root@smb:~# samba-tool user setpassword ubuntu

Set expiry for a user
root@smb:~# samba-tool user setexpiry ubuntu --days=7

Disable a user account
root@smb:~# samba-tool user disable ubuntu

Display domain groups list
root@smb:~# samba-tool group list

Display members in a group
root@smb:~# samba-tool group listmembers "Domain Users"

Add a domain group
root@smb:~# samba-tool group add ServerWorld

Delete a domain group
root@smb:~# samba-tool group delete ServerWorld

Add a member to a domain group
root@smb:~# samba-tool group addmembers ServerWorld ubuntu

Remove a member from the group ServerWorld
root@smb:~# samba-tool group removemembers ServerWorld ubuntu

Change Domain User Password
# sudo smbpasswd -a username
[sudo] password for admin:
New SMB password:
Retype new SMB password:

Samba AD DC Port Usage

Service                                      Port         Protocol
DNS *                                        53           tcp/udp
Kerberos                                     88           tcp/udp
ntp **                                       123          udp
End Point Mapper (DCE/RPC Locator Service)   135          tcp
NetBIOS Name Service                         137          udp
NetBIOS Datagram                             138          udp
NetBIOS Session                              139          tcp
LDAP                                         389          tcp/udp
SMB over TCP                                 445          tcp
Kerberos kpasswd                             464          tcp/udp
LDAPS ***                                    636          tcp
Global Catalog                               3268         tcp
Global Catalog SSL ***                       3269         tcp
Dynamic RPC Ports ****                       49152-65535  tcp
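As an added check that is not part of the original post, the script below compares the sockets a DC is actually listening on with the port table above, so that anything exposed beyond what Samba needs (sshd on tcp/22 in the sample) gets reviewed or firewalled. It assumes the output format of `ss -Hltnu` from iproute2; the sample output embedded in the script is constructed, not captured from a real DC.

```shell
#!/bin/sh
# Compare the listening sockets of a Samba AD DC with the port table above.
# audit_listeners takes the output of `ss -Hltnu` (listening TCP/UDP sockets,
# numeric, no header) as its argument, prints one line per listener whose
# protocol/port is not in the table, and returns the number of such listeners.
audit_listeners() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            # proto/port pairs from the table; the dynamic RPC range is handled below
            nt = split("53 88 135 139 389 445 464 636 3268 3269", t, " ")
            for (i = 1; i <= nt; i++) tcp[t[i]] = 1
            nu = split("53 88 123 137 138 389 464", u, " ")
            for (i = 1; i <= nu; i++) udp[u[i]] = 1
        }
        NF >= 5 {
            proto = $1; laddr = $5
            n = split(laddr, a, ":"); port = a[n]   # works for IPv4, [::]:port and *:port
            ok = 0
            if (proto == "tcp" && (port in tcp || (port + 0 >= 49152 && port + 0 <= 65535))) ok = 1
            if (proto == "udp" && port in udp) ok = 1
            if (!ok) { print "REVIEW: " proto " " laddr " is not a Samba AD DC port"; bad++ }
        }
        END { exit bad }
    '
}

# Constructed sample of `ss -Hltnu` output (not captured from a real DC):
# the Samba ports plus sshd on tcp/22, which the check should report.
SAMPLE_SS='udp   UNCONN 0 0      0.0.0.0:53     0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:88     0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:123    0.0.0.0:*
tcp   LISTEN 0 50     0.0.0.0:445    0.0.0.0:*
tcp   LISTEN 0 10     [::]:389       [::]:*
tcp   LISTEN 0 10     0.0.0.0:49153  0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22     0.0.0.0:*'

# Usage on the DC itself: audit_listeners "$(ss -Hltnu)"
```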

About AD Password

To see the applied GPO information on a Windows client
gpresult /v

A Samba Active Directory domain can usually be fully configured without issues using RSAT; the password policy is one of the very few things where this does not work, or at least not entirely.

The password complexity (on | off | default). Default is 'on'.
# sudo samba-tool domain passwordsettings set --complexity=off

The password history length (integer | default). Default is 24.
# sudo samba-tool domain passwordsettings set --history-length=0

The minimum password length (integer | default). Default is 7.
# sudo samba-tool domain passwordsettings set --min-pwd-length=3

The minimum password age (integer | default). Default is 1.
# sudo samba-tool domain passwordsettings set --min-pwd-age=0

The maximum password age (integer | default). Default is 43.
# sudo samba-tool domain passwordsettings set --max-pwd-age=0

Restart samba
# sudo /etc/init.d/smbd restart

Or reboot server
# sudo reboot

Windows side
# gpupdate /force

Restarted Samba, did a gpupdate /force on the Windows workstation, and it worked. No need to set up a GPO (although that would sometimes be preferable).
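The five settings changed above are exactly the ones an auditor looks at, so here is an added shell check (not part of the original post) that reads the output of `samba-tool domain passwordsettings show`, compares each value with a baseline and reports the weak ones. The baseline values are an assumption to align with your own policy, and the two sample outputs embedded in the script are constructed, not captured from a real DC.

```shell
#!/bin/sh
# Audit the output of `samba-tool domain passwordsettings show` against a
# baseline and report every setting weaker than it. audit_pwd_policy takes the
# command output as its single argument, prints one line per finding and
# returns the number of findings (0 = policy meets the baseline).
# Baseline (assumed here, align it with your own policy): complexity on,
# history >= 24, minimum length >= 7, minimum age >= 1 day, maximum age 1..90.
audit_pwd_policy() {
    printf '%s\n' "$1" | awk '
        { v = $NF }   # every settings line ends with its value
        /^Password complexity:/     && (v != "on") { print "WEAK: complexity is " v; n++ }
        /^Password history length:/ && (v+0 < 24)  { print "WEAK: history length " v " < 24"; n++ }
        /^Minimum password length:/ && (v+0 < 7)   { print "WEAK: minimum length " v " < 7"; n++ }
        /^Minimum password age/     && (v+0 < 1)   { print "WEAK: minimum age " v " day(s) < 1"; n++ }
        /^Maximum password age/     && (v+0 < 1 || v+0 > 90) {
            print "WEAK: maximum age " v " day(s) (0 means passwords never expire)"; n++ }
        END { exit n }
    '
}

# Constructed sample of what the show command prints after the five set commands
# above have been applied (not captured from a real DC).
WEAK_POLICY='Password informations for domain DC=dc,DC=com

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 3
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# Constructed sample for a freshly provisioned domain (the defaults quoted above).
DEFAULT_POLICY='Password complexity: on
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 43'

# Usage on the DC: audit_pwd_policy "$(sudo samba-tool domain passwordsettings show)"
```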

That’s it, hope it helps.
