Problem solved!  Thanks from Martin.  See my Solution at the end of Installing Samba.

Building Samba from source works.  But when I try to build my domain ‘bales.lan’ it errors:

[root@dc1 samba4]# samba-tool domain provision --use-rfc2307 --interactive

Realm [BALES.LAN]:
Domain [BALES]:
Server Role (dc, member, standalone) [dc]:
DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=bales,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups

ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2816
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/", line 176, in _run
return*args, **kwargs)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/", line 462, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/", line 2175, in provision
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/", line 1787, in provision_fill
next_rid=next_rid, dc_rid=dc_rid)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/", line 1447, in fill_samdb
"KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/", line 55, in setup_add_ldif
ldb.add_ldif(data, controls)
File "/usr/local/samba/lib64/python2.7/site-packages/samba/", line 225, in add_ldif
self.add(msg, controls)

It errors on both minimal CentOS and Gnome CentOS.  It errors on both with samba using git “checkout tags/samba-4.5.3” and downloading the zip 4.5.3 package.

I am posting this on my blog and not reporting it as a possible Samba bug because it might not be a bug, but something else.

There is a bug listed in showing this same error, reported on 10-26-2015, and the status is “Resolved Invalid”.

I had no idea what that means – resolved invalid??  It might be the person who reported the bug; the last comment he made is “Sorry, it’s local misconfiguration in /etc/krb5.conf.”  I looked at the krb5.conf file and since my Linux tech ability is so-so, I could not find any error.

Also this blog from Samba about using Fedora and Fedora post; again it sounds like something incorrect about krb5.conf.

Any ideas, hints and/or suggestions are truly appreciated. 🙂

I will be using this information for the Samba AD DC minimal CentOS server:

Samba Server: dc1
IP Address:
Default Gateway:
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES

After Installing CentOS:

Using SSH for root I installed updates using terminal:

yum update

then I rebooted.

Then disabled the firewall and disabled SELinux:

systemctl stop firewalld
systemctl disable firewalld
nano /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.


Prerequisite CentOS:

I changed the network:

nano /etc/sysconfig/network-scripts/ifcfg-ens33

Then I changed the /etc/hosts file to match the actual IP of my server (dc1):

   localhost localhost.localdomain localhost4 localhost4.localdomain4 dc1.bales.lan dc1
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Then I changed the hostname to only ‘dc1’:

nano /etc/hostname


I then changed the path directory by adding ‘:/usr/local/samba/bin:/usr/local/samba/sbin’ in a new file called in the /etc/profile.d/ directory:

nano /etc/profile.d/


Then I added the same line to the sudoers file in the ‘Defaults secure_path’ line:

nano /etc/sudoers

# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/samba/bin:/usr/local/samba/sbin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:


Then I rebooted again.

After rebooting install the requirements/dependencies for Samba AD DC:

 yum install perl gcc attr libacl-devel libblkid-devel \
    gnutls-devel readline-devel python-devel gdb pkgconfig \
    krb5-workstation zlib-devel setroubleshoot-server libaio-devel \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python perl-ExtUtils-MakeMaker perl-Parse-Yapp \
    popt-devel libxml2-devel libattr-devel \
    keyutils-libs-devel cups-devel bind-utils libxslt \
    docbook-style-xsl openldap-devel autoconf python-crypto pam-devel

Note: I took off perl-Test-Base because it’s not found. Thanks to Ron for noticing this.


Installing Samba AD DC:

Download the current samba file:

git clone git:// /usr/src/samba4/

Cloning into '/usr/src/samba4'...
remote: Counting objects: 1284556, done.
remote: Compressing objects: 100% (276871/276871), done.
remote: Total 1284556 (delta 998857), reused 1281332 (delta 995727)
Receiving objects: 100% (1284556/1284556), 250.21 MiB | 1.82 MiB/s, done.
Resolving deltas: 100% (998857/998857), done.

Then I retrieved only the 4.5.3 Samba from the /usr/src/samba4/ directory.

git checkout tags/samba-4.5.3

Note: checking out 'tags/samba-4.5.3'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

 git checkout -b new_branch_name

HEAD is now at 3da5d75... VERSION: Disable git snapshots for the 4.5.3 release.

Using terminal first do a ./configure in the extraction directory of /usr/local/samba4.


Then a make:


Then lastly make install:

make install

Solution:  Do these two steps.

# mv /etc/krb5.conf /etc/krb5.conf.bak
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Then Reboot.
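
Before or after swapping the file as in the two steps above, it helps to see exactly which Kerberos client settings change. The following is an added example, not code from this post or from the Samba project: it lists the [libdefaults] entries and include directives in which two krb5.conf files differ. The function names and the sample file contents are constructed for illustration.

```shell
# Added example (not from the post). krb5_summary prints sorted key=value
# lines for [libdefaults] entries and include/includedir directives.
krb5_summary() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[ \t]*include(dir)?[ \t]/ { print $1 "=" $2; next }
        /^[ \t]*\[/ {                                 # section header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        section == "libdefaults" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }
    ' "$1" | LC_ALL=C sort
}

# "< x" is set only in the first file, "> x" only in the second.
krb5_compare() (
    a=$(mktemp) && b=$(mktemp) || exit 1
    krb5_summary "$1" > "$a"; krb5_summary "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/< /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/> /'
    rm -f "$a" "$b"
)

# Constructed sample files (not the contents of the files on this page).
demo=$(mktemp -d)
cat > "$demo/distro.conf" <<'EOF'
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = false
 default_ccache_name = KEYRING:persistent:%{uid}
# default_realm = EXAMPLE.COM
EOF
cat > "$demo/samba.conf" <<'EOF'
[libdefaults]
    default_realm = BALES.LAN
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
krb5_compare "$demo/distro.conf" "$demo/samba.conf"
rm -rf "$demo"
```

On the server from this post it would be run as `krb5_compare /etc/krb5.conf.bak /etc/krb5.conf` once the two steps are done.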

Time to build the Samba AD DC:

sudo samba-tool domain provision --use-rfc2307 --interactive

Then it errors. Again any help, advice or suggestions are truly appreciated.



8 thoughts on “SOLVED – Installing Samba 4.5.3 AD DC on CentOS 7.1611 – not working”

  1. Hi Jeff,
    I ran into the same problem…
    After wasting a lot of time looking for the obvious, I found the problem:
    you have to replace your krb5.conf with the one created by Samba

    mv /etc/krb5.conf /etc/krb5.conf.bak
    cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

    after that provisioning works like a charm

    best regards

  2. Thanks Martin
    Problem solved after following below steps
    mv /etc/krb5.conf /etc/krb5.conf.bak
    cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

  3. Excellent! Thanks a lot!
    Problem solved after following below steps
    mv /etc/krb5.conf /etc/krb5.conf.bak
    cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf
