Setting up Samba as an Active Directory Domain Controller on Debian 9 Stretch


Samba is a great project, and setting up a Samba AD DC today is very simple. For more about Samba, see:

Preparing the Installation

  • choose the hostname (dc1.mydomain.local) and the domain name (mydomain.local); note that .local is reserved for mDNS (Avahi), so a real deployment should use a different domain, for example a subdomain of a domain you own
  • install and configure the time server (ntp)
  • install and configure the domain name system (bind9)


Set the hostname of the Samba AD DC server:

hostnamectl set-hostname dc1.mydomain.local

Edit /etc/hosts so that the DC's fully qualified name maps to its LAN address (not to a loopback address):

nano /etc/hosts

      localhost localhost.localdomain
      localhost localhost.localdomain
      dc1.mydomain.local dc1

Install and configure the time server (ntp):

apt-get install ntp

Change the settings in ntp.conf:

nano /etc/ntp.conf

logfile   /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

pool iburst
pool iburst
pool iburst
pool iburst

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

The ntpsigndsocket and mssntp settings make ntpd hand time requests from domain members to Samba for MS-SNTP signing, which Windows clients require; the ntp user must be able to reach the socket directory (see the permission step below).

Install and configure the domain name system (bind9):

Install the bind9 package:

apt-get install bind9

Configure named.conf.options (the internal ACL lists your LAN networks; queries and recursion are restricted to it, and zone transfers are disabled):

nano /etc/bind/named.conf.options

acl internal {
        ;
        ;
};

options {
        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        listen-on-v6 { none; };

        forwarders {
        };

        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

Final step: start the services and test ntp and bind9:

systemctl restart ntp.service bind9.service

Point resolv.conf at our bind9:

nano /etc/resolv.conf

search mydomain.local

Now test bind9.

Test the localhost forward zone:

host -t A localhost

The expected response is:

Using domain server:

localhost has address

To test the reverse zone:

host -t PTR

The expected response is:

Using domain server:
Aliases: domain name pointer localhost.

Test the NTP server:

ntpdate -q

The expected response is:

server, stratum 2, offset -0.000073, delay 0.02602
24 Apr 12:10:30 ntpdate[10143]: adjust time server offset -0.000073 sec
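
Before moving on to provisioning, it is worth checking the /etc/hosts edit from the preparation steps: Samba needs the DC's fully qualified name to resolve to its LAN address, and the Debian installer's default "127.0.1.1 hostname" line is a common cause of a DC whose services end up on loopback. The script below is an added example for this post (not code from the original); the host names follow the page's mydomain.local example, and 192.0.2.10 is an assumed LAN address taken from the documentation range.

```shell
#!/bin/sh
# Added example (not from the original post): pre-provision sanity check of
# an /etc/hosts file for a Samba AD DC. The FQDN must map to a non-loopback
# address; "127.0.1.1 dc1" (Debian installer default) must not be used.

# hosts_addr_for FILE NAME
# Print the address FILE binds to NAME (exact match, comments ignored).
# Prints nothing if NAME is absent.
hosts_addr_for() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# check_dc_hosts FILE FQDN
#   0: FQDN is bound to a non-loopback address
#   1: FQDN is bound to a loopback address (127.x or ::1)
#   2: FQDN is missing from FILE
#   3: the name is not fully qualified (contains no dot)
check_dc_hosts() {
    file=$1
    fqdn=$2
    case $fqdn in
        *.*) ;;
        *) return 3 ;;
    esac
    addr=$(hosts_addr_for "$file" "$fqdn")
    [ -n "$addr" ] || return 2
    case $addr in
        127.*|::1) return 1 ;;
    esac
    return 0
}

# Constructed sample files. 192.0.2.10 is an assumed LAN address
# (documentation range), dc1.mydomain.local follows the page's example.
GOOD_HOSTS=$(mktemp)
BAD_HOSTS=$(mktemp)
trap 'rm -f "$GOOD_HOSTS" "$BAD_HOSTS"' EXIT

cat > "$GOOD_HOSTS" <<'EOF'
127.0.0.1       localhost localhost.localdomain
::1             localhost localhost.localdomain
192.0.2.10      dc1.mydomain.local dc1
EOF

cat > "$BAD_HOSTS" <<'EOF'
127.0.0.1       localhost localhost.localdomain
# Debian installer default: the host name sits on a loopback address
127.0.1.1       dc1.mydomain.local dc1
EOF

for f in "$GOOD_HOSTS" "$BAD_HOSTS"; do
    rc=0
    check_dc_hosts "$f" dc1.mydomain.local || rc=$?
    case $rc in
        0) echo "$f: OK ($(hosts_addr_for "$f" dc1.mydomain.local))" ;;
        1) echo "$f: FAIL, FQDN bound to a loopback address" ;;
        2) echo "$f: FAIL, FQDN not present" ;;
        3) echo "$f: FAIL, name is not fully qualified" ;;
    esac
done
```

On the DC itself, run check_dc_hosts against the real file and name, for example `check_dc_hosts /etc/hosts "$(hostname -f)"`, and fix /etc/hosts before provisioning if it returns anything other than 0.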


Installing Kerberos and Samba, and configuring Bind9 with Samba:

  • install and configure Kerberos
  • install and configure Samba
  • configure Bind9 to work with Samba

Install and configure Kerberos:

apt-get install krb5-config krb5-user

Configure krb5.conf (the realm is the domain name in upper case):

nano /etc/krb5.conf

[libdefaults]
        default_realm = MYDOMAIN.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        MYDOMAIN.LOCAL = {
                kdc = dc1.mydomain.local
                admin_server = dc1.mydomain.local
                default_domain = mydomain.local
        }

[domain_realm]
        .mydomain.local = MYDOMAIN.LOCAL
        mydomain.local = MYDOMAIN.LOCAL

Install and configure Samba:

Debian Stretch ships Samba 4.5.16, but that version lacks the JSON module (JSON needs 4.7+), so I use the excellent repository maintained by Louis van Belle (please feel free to donate to Louis).

Add the repository. Its signing key becomes trusted by apt for every package the repository provides, so verify the key's fingerprint against the one the repository publishes before adding it:

wget -O - | apt-key add -

echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

echo "deb stretch-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

apt-get update

Install Samba:

apt-get install samba winbind attr

Configure the Samba services for the AD DC role (the classic smbd, nmbd and winbind units must not run alongside samba-ad-dc):

systemctl stop smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl daemon-reload

Configure Samba as an AD DC:

Provisioning writes a new /etc/samba/smb.conf and should not run over an existing one, so if an old configuration exists, back it up and delete it:

cp /etc/samba/smb.conf /etc/samba/smb.conf.bck
rm /etc/samba/smb.conf

samba-tool domain provision --use-rfc2307 --realm MYDOMAIN.LOCAL --domain MYDOMAIN --server-role dc --dns-backend=BIND9_DLZ  --adminpass StrongPassword

A password passed with --adminpass is recorded in the shell history and is visible to other users in the process list; omit the option and samba-tool prompts for the Administrator password instead. The password must satisfy the default complexity policy or provisioning fails. --use-rfc2307 enables the NIS extensions so uid/gid mappings can be stored in AD.

Configure Bind9 to work with Samba:

Add the following under the options { } section (the keytab lets named authenticate GSS-TSIG dynamic updates from domain members):

nano /etc/bind/named.conf.options

allow-update {; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

Add the bind-dns include in named.conf:

nano /etc/bind/named.conf

include "/var/lib/samba/bind-dns/named.conf";

Set permissions for Bind9:

chown root:bind /etc/krb5.conf

Set permissions for NTP:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Restart all services:

systemctl restart bind9.service ntp.service samba-ad-dc.service

Test Kerberos (a successful kinit prints nothing; inspect the ticket afterwards with klist):

kinit administrator

Regenerate the BIND9_DLZ configuration and register the DC's DNS records:

samba_upgradedns --dns-backend=BIND9_DLZ
samba_dnsupdate --verbose

Test Samba (domain info, Kerberos/ADS connectivity, RPC and winbind):

samba-tool domain info
net ads info
net rpc info -U administrator
wbinfo -P
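
The chown/chmod steps above hand Samba's files to the bind and ntp users. The script below, an added example for this post (not code from the original or from the Samba project), audits those paths: the group must match, and the keytab in /var/lib/samba/bind-dns/ and the ntp_signd socket directory must not be world-accessible, because the keytab holds the Kerberos key of the DC's DNS service account. The path list is taken from the steps above; the check relies on GNU stat as shipped in Debian's coreutils.

```shell
#!/bin/sh
# Added example (not from the original post): audit ownership and mode of
# the files this setup hands to bind and ntp. Requires GNU stat (Debian).

# check_group PATH GROUP
# 0 if PATH exists and its group is GROUP (name or numeric gid), 1 otherwise.
check_group() {
    path=$1
    want=$2
    [ -e "$path" ] || return 1
    [ "$(stat -c '%G' "$path")" = "$want" ] || [ "$(stat -c '%g' "$path")" = "$want" ]
}

# check_no_other PATH
# 0 if PATH grants no permission bits to "other" (mode ends in 0), 1 otherwise.
check_no_other() {
    path=$1
    [ -e "$path" ] || return 1
    case $(stat -c '%a' "$path") in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# check_group_private PATH GROUP
# 0 if PATH has group GROUP and is not world-accessible, 1 otherwise.
check_group_private() {
    check_group "$1" "$2" && check_no_other "$1"
}

# audit_dc_paths
# Report on the paths from the steps above. Each entry is path:group:private,
# where private=1 means "other" must have no access (keytab, signd socket dir);
# /etc/krb5.conf contains no secrets, so only its group is checked.
# Absent paths are skipped so the script can run on a non-DC host too.
audit_dc_paths() {
    rc=0
    for spec in \
        "/etc/krb5.conf:bind:0" \
        "/var/lib/samba/ntp_signd:ntp:1" \
        "/var/lib/samba/bind-dns/dns.keytab:bind:1" \
        "/var/lib/samba/bind-dns/named.conf:bind:0"; do
        path=${spec%%:*}
        rest=${spec#*:}
        grp=${rest%%:*}
        private=${rest#*:}
        if [ ! -e "$path" ]; then
            echo "SKIP $path (not present)"
        elif [ "$private" = 1 ] && check_group_private "$path" "$grp"; then
            echo "OK   $path (group $grp, no access for other)"
        elif [ "$private" = 0 ] && check_group "$path" "$grp"; then
            echo "OK   $path (group $grp)"
        else
            echo "FAIL $path: expected group $grp$([ "$private" = 1 ] && printf ', mode with no bits for other')"
            rc=1
        fi
    done
    return $rc
}

audit_dc_paths
```

Run it after the chown/chmod steps and again after `systemctl restart bind9.service ntp.service samba-ad-dc.service`; a FAIL on dns.keytab or ntp_signd means either named cannot sign DNS updates or ntpd cannot reach Samba's signing socket, and a world-readable keytab must be fixed before the DC goes into service.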

Congratulations, and enjoy the Samba world.









