Samba4 – PDC – SSSD


Debian 8


  • Make sure that your future DC uses a static IP address. DHCP can cause trouble if the address changes.
  • Read the Active Directory Naming FAQ carefully for information and frequent pitfalls when choosing a DNS and NetBIOS name for your AD. Samba AD currently does not support changing these names later, so this is an important decision!
  • Check your /etc/hosts for a correct resolution of the hostname to its IP (example; replace <LAN-IP> with the static address of the DC):
127.0.0.1     localhost.localdomain      localhost
<LAN-IP>      PDC.smere.lan              PDC
Ensure that your DC hostname resolves to its LAN IP and not to 127.0.0.1!
  • Remove any previously existing installation of Samba. If upgrading from a Samba NT4 domain to Samba AD, only keep your previous smb.conf and the databases.

Install Packages and Samba DC initial config

# Install Packages
# apt-get install samba winbind krb5-config krb5-user sssd ntp
# rename or remove the default config file
# mv /etc/samba/smb.conf /etc/samba/
# create domain - SMERE.LAN
# samba-tool domain provision --use-rfc2307 --interactive
 Domain [SMERE]: SMERE
 Server Role (dc, member, standalone) [dc]: dc
 DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password: Passw0rd
Retype password: Passw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=smere,DC=lan
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=smere,DC=lan
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              PDC
NetBIOS Domain:        SMERE
DNS Domain:            smere.lan
DOMAIN SID:            S-1-5-21-2614513918-2685075268-614796884

Parameter explanations:
--use-rfc2307: Enables NIS extensions. They allow central management of Unix attributes (UIDs, shells, GIDs, etc.) inside Active Directory. It is recommended to always enable this feature during provisioning. There are no disadvantages in not using it, but you may later find yourself in a situation where central management of Unix account/group information becomes a requirement. Enabling it afterwards requires additional work such as manually extending the AD schema. For further information, see the RFC2307 documentation.

--interactive: Use interactive provisioning. The defaults are the values in the square brackets; they will be used if no other input is made.

Realm: Kerberos realm and AD DNS domain, written in upper case. You should always use a subdomain of your domain name, never the domain name itself, for your Active Directory DNS domain. Otherwise you can no longer reach servers using that name, such as a web server, because the domain is resolved to the IP(s) of your Domain Controller(s) instead!

Domain: NT4 NetBIOS domain name in upper case, used by AD for compatibility reasons. Maximum name length: 15 characters. Usually, and this is what we recommend, this is the first part of the AD DNS name. If you use something different, make sure that it matches the naming conventions in Active Directory (section "NetBIOS domain names"). Please note that even if some punctuation marks like periods are allowed, they can cause trouble in some situations and should be avoided!

Server Role: 'dc' for Domain Controller.

DNS backend: Supported DNS backends are the Samba internal DNS server and BIND9_DLZ. We used the default, the internal DNS, in the example above. It is the best choice if you do not have complex DNS requirements. See "Which DNS backend should I choose?" for a comparison and suggestions. If you have chosen BIND9_DLZ as backend, you must set up and configure BIND before first starting your Domain Controller. See "Configure BIND as backend for Samba AD" for further setup information. If you later find out that your DNS backend choice doesn't fit your needs, you can change it afterwards. Do not use BIND9_FLATFILE as the DNS backend. It isn't documented and is not supported! Because AD heavily relies on DNS, the first DC in an AD must act as a DNS server, so you can't choose NONE here.

DNS forwarder IP address: You are only prompted for this information if you choose the Samba internal DNS as the backend. It defines the IP address of one DNS server to which DNS queries are forwarded when your DNS server isn't authoritative for a zone. Commonly it is your provider's DNS server IP address.

Administrator password: The Domain Administrator's password. It must meet the following complexity requirements:

  • At least 8 characters
  • Containing at least three of the following five character groups
    • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
    • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
    • Base 10 digits (0 through 9)
    • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
    • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
If the password doesn't fulfil the complexity requirements, the provisioning will fail and you will have to start over (remove the newly generated "smb.conf" in this case).
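A pre-check for the Administrator password, added here as an example (it is not part of the original page): it applies the length rule and the three-of-five-groups rule listed above before you run the provisioning, so a rejected password does not force you to start over. The five groups are approximated with Unicode categories (Lu for uppercase, Ll for lowercase, ASCII digits, the listed symbols, and any other letter category for caseless scripts such as CJK).

```python
import unicodedata

# The non-alphanumeric group exactly as listed in the complexity rules above.
SPECIALS = set('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
MIN_LENGTH = 8
REQUIRED_GROUPS = 3


def char_group(ch):
    """Map one character to the complexity group it satisfies, or None."""
    if ch in "0123456789":               # base 10 digits only
        return "digit"
    if ch in SPECIALS:
        return "special"
    cat = unicodedata.category(ch)
    if cat == "Lu":
        return "upper"
    if cat == "Ll":                      # includes sharp-s, accented, Greek, Cyrillic lowercase
        return "lower"
    if cat.startswith("L"):              # Lo/Lt/Lm: alphabetic but caseless, e.g. CJK
        return "other_alpha"
    return None                          # whitespace or symbols outside the listed set


def check_complexity(password):
    """Return (ok, groups_used, problems) for a candidate Administrator password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    groups = {char_group(ch) for ch in password} - {None}
    if len(groups) < REQUIRED_GROUPS:
        problems.append("only %d of 5 character groups used (%s); need at least %d"
                        % (len(groups), ", ".join(sorted(groups)) or "none", REQUIRED_GROUPS))
    return (not problems, groups, problems)


if __name__ == "__main__":
    import getpass
    ok, groups, problems = check_complexity(getpass.getpass("Candidate password: "))
    print("OK, groups used: %s" % ", ".join(sorted(groups)) if ok else "; ".join(problems))
```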

Check if RFC2307 is enabled on all Domain Controllers

Check if on all Domain Controllers, the following parameter exists and is set to “yes” in the [global] section of your smb.conf:

 idmap_ldb:use rfc2307 = yes

NIS Extensions installed inside the directory

Check if the "ypServ30" container exists in your directory. If it does, the NIS extensions are already installed in AD. The following command shows all attributes of the container, if it exists:

# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=smere,DC=lan
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=smere,DC=lan
objectClass: top
objectClass: container
cn: ypservers
instanceType: 4
whenCreated: 20160302205150.0Z
whenChanged: 20160302205150.0Z
uSNCreated: 3766
uSNChanged: 3766
showInAdvancedViewOnly: TRUE
name: ypservers
objectGUID: 10ad9cf7-0d89-4ea7-bc92-f06cc43cb951
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=smere,DC=lan
distinguishedName: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=smere,DC=lan

# returned 1 records
# 1 entries
# 0 referrals


Setup RFC2307 and NIS Extensions in a Samba AD

During provisioning the first Domain Controller

Provision your domain with the "--use-rfc2307" parameter to enable RFC2307 and install the NIS extensions.

# samba-tool domain provision --use-rfc2307 ...

On an already running AD

Enable RFC2307

  • Add the following to the [global] section of your smb.conf:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba

Installing NIS extensions

This procedure extends your directory schema! This will affect your complete Active Directory forest. Make sure that you have a recoverable backup of your AD, in case anything fails or breaks your installation! The paths in this section are those of a self-compiled Samba under /usr/local/samba; on the Debian package used above, sam.ldb lives at /var/lib/samba/private/sam.ldb (as in the ldbsearch check above).

  • You only need to do this if the first DC wasn't provisioned with "--use-rfc2307" and you now need to use the NIS extensions.
  • If running multiple Domain Controllers in your AD forest, locate the Schema Master:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
This indicates that "DC1" currently owns the Schema Master role in your forest. Continue with the next steps on this host.
  • Shut down Samba
  • Create a copy of "ypServ30.ldif":
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file with the ones of your directory/domain (the copy in /tmp/ is edited in place):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
  • Start Samba


Domain Level and User creation

# raise domain level to 2008 R2
# samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
Domain function level changed!
Forest function level changed!
All changes applied successfully!

# confirm domain level
# samba-tool domain level show
Domain and forest function level for domain 'DC=smere,DC=lan'

Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2

# add a user in domain
# samba-tool user add smereghetti
New Password:   # set password
Retype Password:
User 'smereghetti' created successfully

Kerberos Configuration

The installation of krb5-user will prompt for the realm name (in ALL UPPERCASE), the KDC server (i.e. the domain controller) and the admin server (also the domain controller in this example). This writes the [realms] and [domain_realm] sections in /etc/krb5.conf. These sections may not be necessary if domain autodiscovery is working; if not, both are needed.

If the domain is pdc.example.com, enter the realm as PDC.EXAMPLE.COM.

Optionally, edit /etc/krb5.conf with a few additional settings to specify the Kerberos ticket lifetime (these values are safe to use as defaults). The complete file for this example:

[libdefaults]
   default_realm = SMERE.LAN
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   renew_lifetime = 7d
   krb4_config = /etc/krb.conf
   krb4_realms = /etc/krb.realms
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true

[realms]
   SMERE.LAN = {
      kdc = pdc.smere.lan
      admin_server = pdc.smere.lan
      default_domain = smere.lan
   }

[domain_realm]
   .smere.lan = SMERE.LAN
   smere.lan = SMERE.LAN

If default_realm is not specified, it may be necessary to log in with username@SMERE.LAN instead of "username".

The system time on the Active Directory member needs to be consistent with that of the domain controller, or Kerberos authentication may fail. Ideally, the domain controller server itself will provide the NTP service.

Edit /etc/ntp.conf and add your NTP server:

server pdc.smere.lan

SSSD Configuration

  • Extract the keytab for a domain account (you can use the machine account for that, too) and make sure it is readable only by root. The following example uses the machine account of the host "PDC":
# samba-tool domain exportkeytab /etc/krb5.sssd.keytab --principal=pdc$
# chown root:root /etc/krb5.sssd.keytab
# chmod 600 /etc/krb5.sssd.keytab
  • There is no default/example config file for /etc/sssd/sssd.conf included in the sssd package, so it is necessary to create one. This is a minimal working config file:
[sssd]
services = nss, pam
config_file_version = 2
domains = SMERE.LAN

[domain/SMERE.LAN]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir (see below).
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname =

# Uncomment if DNS SRV resolution is not working
# ad_server =

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain =

# Enumeration is discouraged for performance reasons.
# enumerate = true

# location of the keytab exported above
krb5_keytab = /etc/krb5.sssd.keytab

After saving this file, set the ownership to root and the file permissions to 600:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

If the ownership or permissions are not correct, sssd will refuse to start.
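A preflight script, added here as an example and not part of the original page, that checks the prerequisites this guide depends on before sssd is started: the DC hostname in /etc/hosts must not map to a loopback address (see the /etc/hosts note at the top), sssd.conf and the exported keytab must be owned by root with mode 0600 (otherwise sssd refuses to start), and resolv.conf must name a nameserver and the AD DNS domain. The file paths and the domain smere.lan used in the __main__ block are assumptions taken from this page's example.

```python
import ipaddress
import os
import socket
import stat

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def hosts_lookup(hosts_text, hostname):
    """Addresses that hosts_text (/etc/hosts format) maps hostname to; names compare case-insensitively."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, then whitespace-split
        if len(fields) >= 2 and hostname.lower() in [n.lower() for n in fields[1:]]:
            found.append(fields[0])
    return found

def hosts_problems(hosts_text, hostname):
    """The DC hostname must resolve to its LAN IP, never to a loopback address."""
    addrs = hosts_lookup(hosts_text, hostname)
    if not addrs:
        return ["%s is not listed in /etc/hosts" % hostname]
    problems = []
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            problems.append("unparsable address %r for %s" % (a, hostname))
            continue
        if any(ip in net for net in LOOPBACK_NETS):
            problems.append("%s resolves to loopback address %s" % (hostname, a))
    return problems

def secure_file_problems(path, expected_uid=0, expected_gid=0):
    """sssd.conf and the keytab must be owned by root:root with mode 0600, or sssd refuses to start."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        problems.append("%s is owned by %d:%d, expected %d:%d" % (path, st.st_uid, st.st_gid, expected_uid, expected_gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append("%s has mode %04o, expected 0600" % (path, mode))
    return problems

def resolv_problems(resolv_text, domain):
    """resolv.conf must carry a nameserver (the DC itself) and the AD DNS domain."""
    entries = [l.split() for l in resolv_text.splitlines() if l.strip() and not l.startswith("#")]
    problems = []
    if not any(e[0] == "nameserver" for e in entries):
        problems.append("no nameserver entry")
    if not any(e[0] in ("domain", "search") and domain.lower() in [x.lower() for x in e[1:]]
               for e in entries):
        problems.append("domain %s missing from domain/search" % domain)
    return problems

if __name__ == "__main__":            # assumed paths and domain from this page's example
    issues = hosts_problems(open("/etc/hosts").read(), socket.gethostname())
    for p in ("/etc/sssd/sssd.conf", "/etc/krb5.sssd.keytab"):
        issues += secure_file_problems(p)
    issues += resolv_problems(open("/etc/resolv.conf").read(), "smere.lan")
    print("\n".join(issues) or "preflight OK")
```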

sssd versions before 1.10.0

  • If you are running an sssd version before 1.10.0, you must use the LDAP id_provider. In this case, use the following sssd.conf content instead (it uses the samdom.example.com example values; adapt them to your own domain, smere.lan in this guide):
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_uri = ldap://
ldap_search_base = dc=samdom,dc=example,dc=com
ldap_force_upper_case_realm = true

# See man sssd-simple
access_provider = simple
# Uncomment to check for account expiration in DC
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration is discouraged for performance reasons.
# enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = [email protected]
krb5_server =
krb5_kpasswd =
ldap_krb5_keytab = /etc/krb5.sssd.keytab

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell

ldap_group_object_class = group
  • Append sss to the passwd and group entry of your /etc/nsswitch.conf, to let the system query sssd for these databases.
passwd:     files sss
group:      files sss
  • Start the sssd daemon.
  • All domain accounts/groups are now available to the local system.



Method 2: Connecting to AD via Bind DN and password

The following basic example of an sssd.conf lets the daemon retrieve its information by binding with an AD account. Connections with this setup are unencrypted unless you have set up LDAP over SSL on your DC and changed the following sssd.conf example accordingly!

  • Create a new user account in your AD that sssd will use to bind via LDAP and retrieve its information. Make sure that you configure this account with the "Password never expires" option! It is recommended to also set "User cannot change password". Remember the DN (distinguished name) of the new account. The following example uses the DN "cn=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com".
  • Use the following content in your sssd.conf:
[sssd]
config_file_version = 2
domains =
services = nss, pam
debug_level = 0

# Replace DOMAIN with the name given in "domains =" above
[domain/DOMAIN]
id_provider = ldap

ldap_uri = ldap://
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_default_bind_dn = CN=ldap-connect,cn=Users,dc=SAMDOM,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxx

ldap_user_search_base = dc=SAMDOM,dc=example,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_shell = loginShell

ldap_group_search_base = dc=SAMDOM,dc=example,dc=com
ldap_group_object_class = group

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
  • Start the sssd daemon.
  • All domain accounts/groups are now available to the local system.


Verify nsswitch.conf Configuration

The post-install script for the sssd package makes some modifications to /etc/nsswitch.conf automatically. It should look something like this:

passwd:         compat sss
group:          compat sss
netgroup:       nis sss
sudoers:        files sss

Update DNS (/etc/resolv.conf)

Your Domain Controller requires a name server that is able to resolve queries for Active Directory zones. Because this is the first Domain Controller in your AD forest, use the DC's own IP address and the domain name in your /etc/resolv.conf (replace <DC-IP> with the static LAN address of this DC):

nameserver <DC-IP>
domain smere.lan

Testing DNS

To test that DNS is working properly, run the following commands and compare the output to what is shown:

# host -t SRV _ldap._tcp.smere.lan.
_ldap._tcp.smere.lan has SRV record 0 100 389 pdc.smere.lan.
# host -t SRV _kerberos._udp.smere.lan.
_kerberos._udp.smere.lan has SRV record 0 100 88 pdc.smere.lan.
# host -t A pdc.smere.lan.
pdc.smere.lan has address

If you receive any errors, check your system logs to locate the problem.

Join the Active Directory

Now, restart ntp and samba and start sssd.

# systemctl restart ntp.service
# systemctl restart smbd.service nmbd.service 
# systemctl start sssd.service

Test the configuration by obtaining a Kerberos ticket:

# kinit Administrator@SMERE.LAN
Password for Administrator@SMERE.LAN: Passw0rd

Verify the ticket with:

# klist

Testing identity lookups

Hint: If you change sssd.conf, you should clear the cache, to make sure that the new results really come from the source and not from the cache. Instead of removing the cache completely, you can also mark the cache entries as expired with sss_cache:

# sss_cache -UG
  • Test 1: Retrieving accounts via getent. This should show local and domain accounts with posix attributes. Please check that all fields contain the values set in AD (UID, primaryGroup, homeDirectory, shell).
# getent passwd Administrator
  • Test 2: Retrieving groups via getent. This should show local and domain groups with posix attributes. Please check that the output contains all fields set in AD (GID, members).
# getent group demo-group
  • Test 3: Change owner/group of a file to a domain user/group:
# touch /tmp/testfile
# chown Administrator:"Domain Users" /tmp/testfile
# ls -l /tmp/testfile 
-rw-r--r-- 1   Administrator   Domain Users   0   30. Aug 19:30 /tmp/testfile

Home directories with pam_mkhomedir (optional)

When logging in using an Active Directory user account, it is likely that the user has no home directory. This can be fixed with pam_mkhomedir, which creates the user's home directory on login.
Edit /etc/pam.d/common-session and add this line directly after the existing session required entry:

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

This may also need override_homedir in sssd.conf to function correctly, so make sure that’s set.

Restart the ssh service

Test ssh login

Test the remote connection to the server PDC using a domain user.