** You should install Samba 4.6.2 or above because of the ‘CVE-2017-2619 (Symlink race allows access outside share definition)’ bug fix. **

Starting with Samba 4.6.0, a Samba AD DC lets the latest Windows 10 see the netlogon and sysvol shares.

Windows 10 can see the netlogon and sysvol folder

Note: When installing Ubuntu Server, I recommend also selecting OpenSSH Server along with the default Standard System Utilities on the Software Installation page. However, do not install Samba File Server; if you did, run "apt purge samba*" before you actually install Samba from source.

I will be using this information for the Samba AD DC on the Ubuntu server:

Samba Server: dc1
IP Address:
Default Gateway:
DNS Domain Name: bales.lan
NetBIOS Domain Name: BALES

After Installing Ubuntu:

Over SSH as root, I installed updates from the terminal:

apt update


apt dist-upgrade

Then disabled the firewall:

ufw disable

Then reboot.

Ubuntu prerequisites:

Set a static IP for the server.

nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto ens33
iface ens33 inet static

Then I changed the /etc/hosts file to match the actual IP of my server (dc1): localhost dc1.bales.lan dc1 dc1

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

I then extended the PATH by adding ':/usr/local/samba/bin:/usr/local/samba/sbin' in a new file called samba-path.sh in the /etc/profile.d/ directory:

nano /etc/profile.d/samba-path.sh


I also added the same directories to secure_path in the /etc/sudoers file.

nano /etc/sudoers

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/usr/local/samba/bin:/usr/local/samba/sbin"

Install the requirements/dependencies for Samba AD DC:

apt-get install acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls28-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-all-dev python-dev python-dnspython python-crypto xsltproc zlib1g-dev libsystemd-dev libgpgme11-dev python-gpgme python-m2crypto

Then reboot.

Installing Samba AD DC:

Make a directory for samba4 and download the current samba file:

mkdir /samba
cd /samba
wget https://download.samba.org/pub/samba/stable/samba-4.6.1.tar.gz

Then I extracted the file.

tar -zxf samba-4.6.1.tar.gz

Go to /samba/samba-4.6.1 and first configure Samba.


Then run make:


Lastly, run make install:

make install

Do these last two steps to install Samba.

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Time to build the Samba AD DC:

samba-tool domain provision --use-rfc2307 --interactive

Realm [BALES.LAN]: 
 Domain [BALES]: 
 Server Role (dc, member, standalone) [dc]: 
 DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=bales,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=bales,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: dc1
DNS Domain: bales.lan
DOMAIN SID: S-1-5-21-1561570446-918321230-2588930881

* Administrator password:

At least 8 characters
Containing at least three of the following five character groups:

Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"',.?/
Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
If the password doesn’t fulfil the complexity requirements, the provisioning will fail and you will have to start over (remove the generated new “smb.conf” in that case).
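
The length and character-group rules listed above, as a pre-check to run before provisioning so that a rejected password does not force a restart. This is an added example, not Samba's own validation code: the function names are hypothetical, the typographic quotes in the special-character list are read as plain " and ', and "European" upper and lower case is approximated by the Unicode categories Lu and Ll.

```python
import getpass
import unicodedata

# Special characters from the list above, with the typographic quotes read as
# plain " and ' (assumption about the original list).
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"',.?/")


def char_groups(password):
    """Return the set of character groups (of the five above) present."""
    groups = set()
    for ch in password:
        category = unicodedata.category(ch)
        if category == "Lu":      # assumption: any Unicode uppercase letter
            groups.add("uppercase")
        elif category == "Ll":    # assumption: any Unicode lowercase letter
            groups.add("lowercase")
        elif ch in "0123456789":  # base 10 digits 0 through 9 only
            groups.add("digit")
        elif ch in SPECIALS:
            groups.add("special")
        elif ch.isalpha():        # alphabetic but neither upper nor lower case
            groups.add("other-alphabetic")
    return groups


def password_problems(password, min_length=8, min_groups=3):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    groups = char_groups(password)
    if len(groups) < min_groups:
        problems.append(
            f"only {len(groups)} of 5 character groups: {sorted(groups)}")
    return problems


if __name__ == "__main__":
    # getpass keeps the candidate out of shell history and off the screen.
    issues = password_problems(getpass.getpass("Candidate password: "))
    print("OK" if not issues else "Rejected: " + "; ".join(issues))
```
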

Then copy your private krb5.conf to /etc/krb5.conf.

cp /usr/local/samba/private/krb5.conf /etc/krb5.conf


First start samba*:


* Samba does not ship an init script for samba4, but you can make your own: https://wiki.samba.org/index.php/Managing_the_Samba_AD_DC_Service

Testing my Samba AD DC default netlogon and sysvol shares:

# smbclient -L localhost -U%
Domain=[BALES] OS=[] Server=[]

 Sharename Type Comment
 --------- ---- -------
 netlogon Disk 
 sysvol Disk 

 IPC$ IPC IPC Service (Samba 4.6.1)
Domain=[BALES] OS=[] Server=[]

 Server Comment
 --------- -------

 Workgroup Master
 --------- ------

To test that authentication is working, I connected to the netlogon share, using the Domain Administrator account, that was created during provisioning:

$ smbclient //localhost/netlogon -UAdministrator -c 'ls'

Enter BALES\Administrator's password: 
Domain=[BALES] OS=[] Server=[]
 . D 0 Sat Mar 25 10:57:41 2017
 .. D 0 Sat Mar 25 11:00:15 2017

 17811456 blocks of size 1024. 15709076 blocks available

To test that DNS is working properly, I ran the following commands:

$ host -t SRV _ldap._tcp.bales.lan
_ldap._tcp.bales.lan has SRV record 0 100 389 dc1.bales.lan
$ host -t SRV _kerberos._udp.bales.lan
_kerberos._udp.bales.lan has SRV record 0 100 88 dc1.bales.lan
$ host -t A dc1.bales.lan
dc1.bales.lan has address
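
The SRV checks above can be scripted so that a missing record or a wrong port is flagged instead of read by eye. This is an added example, not part of the original post: the function names are hypothetical, and the sample text is constructed from the output shown above, with the trailing dot that host normally prints after the target name.

```python
import re

# Records the tutorial checks, with the ports shown in its sample output.
EXPECTED = {"_ldap._tcp": 389, "_kerberos._udp": 88}
SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")


def parse_srv(host_output):
    """Return {query_name: [(port, target), ...]} from `host -t SRV` output."""
    records = {}
    for line in host_output.splitlines():
        match = SRV_LINE.match(line.strip())
        if match:
            name, _prio, _weight, port, target = match.groups()
            # Names are case-insensitive and may carry a trailing dot.
            records.setdefault(name.rstrip(".").lower(), []).append(
                (int(port), target.rstrip(".").lower()))
    return records


def srv_problems(host_output, domain, dc_fqdn):
    """Return a list of missing or mismatched records; empty means all good."""
    records = parse_srv(host_output)
    problems = []
    for prefix, port in EXPECTED.items():
        name = f"{prefix}.{domain}".lower()
        found = records.get(name, [])
        if not found:
            problems.append(f"{name}: no SRV record")
        elif (port, dc_fqdn.lower()) not in found:
            problems.append(f"{name}: expected {dc_fqdn}:{port}, got {found}")
    return problems


# Constructed sample, modelled on the output shown in the tutorial.
SAMPLE = """\
_ldap._tcp.bales.lan has SRV record 0 100 389 dc1.bales.lan.
_kerberos._udp.bales.lan has SRV record 0 100 88 dc1.bales.lan.
"""

if __name__ == "__main__":
    issues = srv_problems(SAMPLE, "bales.lan", "dc1.bales.lan")
    print("SRV records OK" if not issues else "\n".join(issues))
```

To check a live DC, pass the combined output of the two host -t SRV commands to srv_problems in place of SAMPLE.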

Use “kinit” to obtain a Kerberos ticket.

$ kinit administrator
Password for administrator@BALES.LAN:
Warning: Your password will expire in 41 days on Sat 06 May 2017 11:00:14 AM PDT

List the cached Kerberos tickets:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@BALES.LAN

Valid starting Expires Service principal
03/25/2017 11:06:03 03/25/2017 21:06:03 krbtgt/BALES.LAN@BALES.LAN
 renew until 03/26/2017 11:06:00

If there is no error message, you are ready to go! But if something is going wrong, see the Samba AD DC Troubleshooting page.




2 thoughts on “Installing Samba 4.6.1 Active Directory on Ubuntu 16.04 LTS Server”

  1. Thank you very much for this great tutorial. But I have come to the last step with an error. Can you please have a look at it?
    When I run the command:
    kinit administrator

    I get this error below?!
    kinit: Improper format of Kerberos configuration file while initializing Kerberos 5 library

    Thanks in advance
