  1. #1
    Just Joined! (Join Date: Jul 2012, Posts: 18)

    Samba 4 on Ubuntu 12.04.1 server 64-bit problems


    Hello,

    I wanted to set up a Samba 4 AD PDC following a howto from matrix44 (I'm not allowed to submit URLs).
    So what I have done is copy and paste it into a text editor.
    Where I run into problems I will put CODE tags in the text with my output etc.

    Samba 4 AD Domain with Ubuntu 12.04
    Building a Samba 4 Active Directory Domain

    In this article, I will outline the configuration of a small Active Directory using Samba 4.

    The Ubuntu version involved is 12.04. I assume that you have modest knowledge of how to configure Ubuntu on the command line – i.e. I will not explain every single step in detail.

    Network parameters we will use are:

    Network name: demo.local
    IP range: 192.168.99.0/24
    Base System and Samba 4

    Step 1: Install an Ubuntu 12.04 system
    Step 2: Configure the network to use a static address. Edit /etc/network/interfaces:

    auto lo eth0
    iface lo inet loopback

    iface eth0 inet static
    address 192.168.99.200
    netmask 255.255.255.0
    gateway 192.168.99.254
    dns-nameservers 192.168.99.200 192.168.99.254
    dns-search demo.local

    Step 3: Add the basic host entries to resolve without DNS

    Edit /etc/hosts and insert:

    127.0.0.1 localhost
    192.168.99.200 vupapsam401 vupapsam401.demo.local

    Step 4: Install the Samba 4 Packages

    apt-get install samba4

    The installation will throw out an error and apt will set the package to half installed. As the error isn’t relevant to us, we have to fix the package by manually setting the package to installed.

    Edit /var/lib/dpkg/status and search for "Package: samba4".
    Replace "half-configured" with "installed".

    Now we are going to build the Active Directory Domain:

    rm /etc/samba/smb.conf
    /usr/share/samba/setup/provision --realm=demo.local --domain=DEMO --adminpass='Test123' --server-role=dc

    This will set up all stuff needed for running a Domain (LDAP, Kerberos, …)

    Next step is to start Samba:

    initctl start samba4

    Step 5: Testing out our installation

    apt-get install samba4-clients
    smbclient -L localhost -U%

    The last command should display the currently defined and served shares on the server. Should look something like:

    Sharename       Type       Comment
    ---------       ----       -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC        IPC Service

    Code:
    root@virtual:/# smbclient -L localhost -U%
    
            Sharename       Type       Comment
            ---------       ----       -------
            netlogon        Disk       
            sysvol          Disk       
            IPC$            IPC        IPC Service
    REWRITE: list servers not implemented

    Bind Name Server

    We also need a naming service in our network to resolve hosts and services. Active Directory uses DNS to discover a huge amount of services, so here we go:

    Step 1: Install Bind

    apt-get install bind9

    Step 2: Configure Bind

    Now you need to edit the bind configuration file to include the necessary configurations for Samba – Active Directory relies heavily on special DNS entries to find various services on the network.

    Edit /etc/bind/named.conf and append the following line at the end:

    include "/var/lib/samba/private/named.conf";   // the trailing semicolon is required by named.conf syntax

    Step 3: Adapt the AppArmor configuration

    As Ubuntu is securing its services using AppArmor, we need to make sure that Bind has the rights to access the files provided by Samba.

    Edit /etc/apparmor.d/usr.sbin.named and append the following entries:

    /var/lib/samba/private/** rkw,
    /var/lib/samba/private/dns/** rkw,
    /usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
    /usr/lib/x86_64-linux-gnu/samba/gensec/** rm,
    /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
    /usr/lib/x86_64-linux-gnu/samba/ldb/** rm,

    Now reload the configuration to take effect:

    /etc/init.d/apparmor reload

    Step 4: Start and test Bind

    Run the following command to start Bind:

    /etc/init.d/bind9 start

    To make sure that everything worked as expected, run the following commands and watch their output. It should return a result on every command:

    host -t SRV _ldap._tcp.demo.local.
    host -t SRV _kerberos._tcp.demo.local.
    host -t A vupapsam401.demo.local.

    The output should look something like:

    _ldap._tcp.biomerx.local has SRV record 0 100 389 vupapsam401.demo.local.
    _kerberos._tcp.biomerx.local has SRV record 0 100 88 vupapsam401.demo.local.
    vupapsam401.biomerx.local has address 192.168.99.200

    Step 5: Allow dynamic DNS updates

    We want our clients to be able to update their DNS entries automatically. Edit /etc/bind/named.conf and append the following line:

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    Code:
    I have put tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; in the named.conf.options file; if I put it in named.conf, bind fails.

    Step 6: Configure Bind as a Forwarder

    If you have another DNS server (like a SOHO router) on your network which provides DNS service to resolve external names (like Google), you'll need to configure Bind to use this DNS to resolve entries.

    First we need to disable IPv6 in Bind by editing /etc/default/bind9 and appending:

    OPTIONS="-4 -u bind"

    Now modify /etc/bind/named.conf to include the following directives in the options section:

    allow-query { any; };
    allow-recursion { any; };
    forwarders { 192.168.99.254; };
    dnssec-validation no;

    Kerberos

    Step 1: Install the Kerberos Utilities

    apt-get install krb5-user

    When asked for the default realm, enter demo.local and 'vupapsam401' as the host. Test out if Kerberos works by executing:

    kinit administrator@DEMO.LOCAL

    The Domain Name needs to be written in UPPERCASE letters. If the command succeeds, run the following command to check if we have gotten a kerberos ticket:

    klist -e

    Network Time Protocol

    As Samba provides the correct time to its domain members, we want to make sure that our host has the correct time. We do so by installing and configuring NTP to retrieve the time from internet time servers.

    Step 1: Install NTP

    apt-get install ntp

    Step 2: Configure NTP

    Edit /etc/ntp.conf and replace the 'server' line with the NTP timeserver of your choice. I used my border gateway as it provides NTP:

    server vupapgate01.demo.local

    Now, do an initial time setup:

    service ntp stop
    ntpdate -B vupapgate01.demo.local
    service ntp start

    Check if everything works with:

    ntpq -p

    Other configuration items and Troubleshooting

    ACL Support

    To make sure that your operating system can support access control lists (Samba uses them for storing Windows permissions), do the following:

    apt-get install attr

    Test out if your filesystem supports ACLs (most should):

    touch test.txt
    setfattr -n user.test -v test test.txt
    setfattr -n security.test -v test2 test.txt
    getfattr -d test.txt
    getfattr -n security.test -d test.txt

    DNS Server delivery via DHCP

    You want to make sure that your DHCP server sets your Samba server as the one and only DNS server for your clients.

    Joining the Domain

    Make sure that you use uppercase letters, like 'DEMO.LOCAL', as the domain name.

    Testing the AD

    Run 'dsa.msc' on your Windows client (after you installed the Windows Remote Server Administration Tools).

    If something did not work as expected (Domain not available), make sure that your DNS resolution works smoothly.

    Creating shares

    To create shares you need to perform the following actions:

    mkdir /data/global
    chmod 777 /data/global

    Then add an entry to /etc/samba/smb.conf:

    [globalshare]
    # share name changed from [global]: that name is reserved for the settings section at the top of smb.conf
    comment = Global share for all users
    path = /data/global
    read only = No

    Restart samba:

    initctl restart samba4

    Code:
    When I try to add a user:
    
    smbpasswd -a janv
    
    the output is:
    No builtin nor plugin backend for samba4 found
    PANIC (pid 2885): pdb_get_methods_reload: failed to get pdb methods for backend samba4
    
    BACKTRACE: 7 stack frames:
     #0 smbpasswd(log_stack_trace+0x1a) [0x7f5eb2c3bc0a]
     #1 smbpasswd(smb_panic+0x25) [0x7f5eb2c3bce5]
     #2 smbpasswd(+0x19f9f3) [0x7f5eb2be79f3]
     #3 smbpasswd(initialize_password_db+0x14) [0x7f5eb2bea6a4]
     #4 smbpasswd(main+0x474) [0x7f5eb2af3134]
     #5 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed) [0x7f5eb025d76d]
     #6 smbpasswd(+0xab829) [0x7f5eb2af3829]
    Can not dump core: corepath not set up

    Adding users

    When adding new users, set their home directory to

    \\vupapsam401\users\

    The directory will be created automatically.

    Adding new DNS entries

    Use the DNS Snap-In in the Management Console

    Error while copying

    If you copy files from a Windows system to Samba and get something like 'Not enough memory', this could be because of NTFS streams within the files (hidden metadata). You can remove them with the tool 'streams' available at:

    technet.microsoft.com/de-de/sysinternals/bb897440

    and executing the following command:

    streams -s -d C:\data

    Permission problems

    If you have problems with access to files created by different users (even if the permissions look correct), append the following in /etc/samba/smb.conf (in the share section):

    directory mask = 0777
    create mask = 0777

    and restart samba:

    service samba4 restart

    ******************************end of the howto********************************

    I have to admit that I don't understand everything in the howto. The only knowledge I have regarding Samba is from the book Using Samba. It covers version 3, so there is no information on Kerberos, very little about LDAP and so forth.

    Contents of the generated smb.conf:

    Code:
    # Global parameters
    [global]
            server role = domain controller
            workgroup = VITRONIX
            realm = vitronix.nl
            netbios name = VIRTUAL
            passdb backend = samba4
            security = user
    
    [netlogon]
            path = /var/lib/samba/sysvol/vitronix.nl/scripts
            read only = No
    
    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No

    Anyone any ideas?

    Thanks in advance.
    I think it is a matter of the passwd backend.
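
    The "check that DNS resolution works" step the howto ends on, as an added example that is not part of the original post or the matrix44 howto: a POSIX shell script that parses the `host -t SRV`, `host -t A` and `smbclient -L` output shapes shown above and reports whether a DC publishes the LDAP/Kerberos SRV records, its A record and the netlogon/sysvol shares. Function names and the sample lines used to exercise it are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the howto or the original post: script the "does DNS work"
# troubleshooting step by parsing the `host` / `smbclient -L` output shapes shown above.

# check_srv LINE PORT TARGET
# LINE: "_ldap._tcp.demo.local has SRV record 0 100 389 vupapsam401.demo.local."
check_srv() {
    line=$1; want_port=$2; want_host=$3
    case "$line" in *" has SRV record "*) ;; *) return 1 ;; esac
    set -- $line    # fields: name has SRV record prio weight port target
    [ "$7" = "$want_port" ] && [ "${8%.}" = "$want_host" ]   # ${8%.} drops the trailing dot
}

# check_a LINE IP
# LINE: "vupapsam401.demo.local has address 192.168.99.200"
check_a() {
    line=$1; want_ip=$2
    case "$line" in *" has address "*) ;; *) return 1 ;; esac
    set -- $line
    [ "$4" = "$want_ip" ]
}

# check_shares: reads `smbclient -L <host> -U%` output on stdin; succeeds only when
# both shares an AD DC must publish, netlogon and sysvol, are listed as Disk shares.
check_shares() {
    nl=0; sv=0
    while read -r name type _; do
        [ "$name:$type" = "netlogon:Disk" ] && nl=1
        [ "$name:$type" = "sysvol:Disk" ] && sv=1
    done
    [ "$nl" = 1 ] && [ "$sv" = 1 ]
}

# verify_dc REALM DCHOST DCIP: live version of the howto's checks (needs host and
# smbclient); only the first matching answer line of each query is inspected.
verify_dc() {
    realm=$1; dchost=$2; dcip=$3; rc=0
    check_srv "$(host -t SRV "_ldap._tcp.$realm." | grep -m 1 'has SRV record')" 389 "$dchost" \
        || { echo "FAIL: _ldap._tcp.$realm SRV should point to port 389 on $dchost"; rc=1; }
    check_srv "$(host -t SRV "_kerberos._tcp.$realm." | grep -m 1 'has SRV record')" 88 "$dchost" \
        || { echo "FAIL: _kerberos._tcp.$realm SRV should point to port 88 on $dchost"; rc=1; }
    check_a "$(host -t A "$dchost." | grep -m 1 'has address')" "$dcip" \
        || { echo "FAIL: $dchost should resolve to $dcip"; rc=1; }
    smbclient -L "$dchost" -U% 2>/dev/null | check_shares \
        || { echo "FAIL: $dchost does not serve both netlogon and sysvol"; rc=1; }
    return $rc
}
# usage: sh verify_dc.sh demo.local vupapsam401.demo.local 192.168.99.200
if [ $# -eq 3 ]; then verify_dc "$@"; fi
```

    A non-zero exit status with a FAIL line names the record or share that is missing, which is the usual cause of the "Domain not available" error when joining.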

  2. #2
    Linux Guru Rubberman (Join Date: Apr 2009, Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away. Posts: 11,599)
    Well, this was posted 8 months ago, and there have been no replies. I suspect that is because of the length of the posting - it is very tedious to dig all the way through. In any case, I hope you have sorted out your problem. If not, then post again, but try to keep things as simple as possible and focused only on the specifics of your problem. We can then ask for more information as needed.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
