Blog Jurišić


Setting up Samba as an Active Directory Domain Controller on Debian 9 Stretch


Samba is a great project, and building a Samba AD DC today is very simple. For more about Samba, look at

Preparing the Installation

  • select the hostname and domain name
  • install and configure the time server (ntp)
  • install and configure the domain name system (bind9)


Set the hostname of the Samba AD DC server:

hostnamectl set-hostname

Edit hosts:

nano /etc/hosts dc1

Install and configure the time server (ntp):

apt-get install ntp

Change the settings in ntp.conf:

nano /etc/ntp.conf

logfile   /var/log/ntp.log
driftfile /var/lib/ntp/ntp.drift
ntpsigndsocket /var/lib/samba/ntp_signd/

pool iburst
pool iburst
pool iburst
pool iburst

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict source notrap nomodify noquery
restrict default kod nomodify notrap nopeer mssntp

Fix the AppArmor bug (thanks to Louis van Belle):

Enable the local file part for ntpd:

sed -i 's[#include <local/usr.sbin.ntpd>[include <local/usr.sbin.ntpd>[g' /etc/apparmor.d/usr.sbin.ntpd

NTPD fix:

echo "
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe rw,

  # samba4 winbindd privileged pipe ? Needed?
  /var/lib/samba/winbindd r,
  /var/lib/samba/winbindd/pipe rw,

" >> /etc/apparmor.d/local/usr.sbin.ntpd

Install and configure the domain name system (bind9):

Install the bind9 package:

apt-get install bind9

Configure named.conf.options:

nano /etc/bind/named.conf.options

//  Add any subnets or hosts you want to allow to use this DNS server
acl internal {;;
};

options {

        auth-nxdomain yes;
        directory "/var/cache/bind";
        notify no;
        empty-zones-enable no;
        listen-on-v6 { none; };

        forwarders {

        };

        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

Final step: start the services and test ntp and bind9:

systemctl restart ntp.service bind9.service

Point resolv.conf at our bind9:

nano /etc/resolv.conf


Now test bind9:

Test the localhost forward zone:

host -t A localhost 

The expected response is:

Using domain server:

localhost has address

To test the reverse zone:

host -t PTR 

The expected response is:

Using domain server:
Aliases: domain name pointer localhost.

Test NTP server:

ntpdate -q

The expected response is:

server, stratum 2, offset -0.000073, delay 0.02602
24 Apr 12:10:30 ntpdate[10143]: adjust time server offset -0.000073 sec


Install Kerberos and Samba, and configure Bind9 to work with Samba:

  • Install and configure Kerberos
  • Install and configure Samba
  • Configure Bind9 to work with Samba

Install and configure Kerberos:

apt-get install krb5-config krb5-user

Configure krb5.conf:

nano /etc/krb5.conf

        default_realm = INTERNAL.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true


Install and configure Samba:

Debian ships Samba 4.5.16, but that version does not have the JSON module (you need 4.7+ for JSON), so I use the great repository by Louis van Belle (please feel free to donate to Louis).

Add the repository:

wget -O - | apt-key add -

echo "# AptVanBelle repo for samba." | sudo tee /etc/apt/sources.list.d/van-belle.list

echo "deb stretch-samba410 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list

apt-get update

Install Samba:

apt-get install samba winbind attr acl

Configure the Samba services for the AD DC role:

systemctl stop smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl daemon-reload

Configure Samba as AD DC:

If an old Samba configuration exists in /etc/samba/smb.conf, back it up and delete it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bck
rm /etc/samba/smb.conf

samba-tool domain provision --use-rfc2307 --realm INTERNAL.EXAMPLE.COM --domain EXAMPLE --server-role dc --dns-backend=BIND9_DLZ  --adminpass StrongPassword

Configure Bind9 to work with Samba:

Add the following under the options { } section:

nano /etc/bind/named.conf.options

allow-update {; };

// DNS dynamic updates via Kerberos (optional, but recommended)
//tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";    //samba 4.8 and lower
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";    // samba 4.9 and up


Add the rndc.key and bind-dns includes to named.conf.local:

nano /etc/bind/named.conf.local

include "/etc/bind/rndc.key";
controls {
        inet allow { localhost; } keys { rndc-key; };
};

include "/var/lib/samba/bind-dns/named.conf";

Set permissions for Bind9:

setfacl -m g:bind:r /etc/krb5.conf
setfacl -m g:bind:r /var/lib/samba/bind-dns

Set permissions for NTP:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Restart all services:

systemctl restart bind9.service ntp.service samba-ad-dc.service

Test Kerberos:

kinit administrator

Test DNS over Samba:

samba_dnsupdate --verbose

* To change from the internal Samba DNS to BIND9_DLZ, use the following (if you are running an older Samba AD DC and then upgrade as shown, the file dns.keytab is not moved to the new folder; you need to do that manually. It is already in the Debian bug report for Samba):

samba_upgradedns --dns-backend=BIND9_DLZ

Tweak the service start order so Samba starts before Bind9, and disable reload for Bind9 (a bug that sometimes confuses Samba):


systemctl edit samba-ad-dc.service 

Add in file:

[Unit] bind9.service


systemctl edit bind9.service

Add in file:


Test Samba:

samba-tool domain info
net ads info
net rpc info -U administrator
wbinfo -P
wbinfo -t
wbinfo -pPt 
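Once everything above is in place, the details that most often break later are the ones set by hand: the AppArmor rule for ntp_signd, the ntp_signd directory permissions, the keytab path named.conf.options points at (the private/ vs bind-dns/ move), and the masked classic daemons. The script below is an added example, not part of the original post; it assumes the default paths used above, and the --run flag and function names are its own convention.

```shell
#!/bin/sh
# Post-provision sanity checks for the ntp + BIND9_DLZ + Samba AD DC setup above
# (added example, not from the original post). Default paths are the post's own;
# every check takes its path as an argument so it can also run against fixtures.

# 1. The AppArmor local fragment for ntpd must carry the ntp_signd rule, or
#    ntpd cannot reach the socket and MS-SNTP signing silently fails.
check_apparmor_local() {            # $1 = /etc/apparmor.d/local/usr.sbin.ntpd
    grep -Fq '/var/lib/samba/ntp_signd/{,*} rw,' "$1" 2>/dev/null
}

# 2. ntp_signd socket dir: mode 750, owner root:ntp (owner check is skipped
#    where no ntp group exists, e.g. on a test box).
check_signd_dir() {                 # $1 = /var/lib/samba/ntp_signd
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "750" ] || return 1
    ! getent group ntp >/dev/null 2>&1 || [ "$(stat -c '%U:%G' "$1")" = "root:ntp" ]
}

# 3. The keytab named by the *uncommented* tkey-gssapi-keytab line must exist;
#    after an upgrade it may still sit under private/ instead of bind-dns/.
active_keytab_path() {              # $1 = named.conf.options
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
check_dns_keytab() {                # $1 = named.conf.options, $2 = optional root prefix (fixtures)
    kt=$(active_keytab_path "$1")
    [ -n "$kt" ] || return 1
    [ -f "${2:-}$kt" ] && return 0
    echo "keytab $kt missing: move it from private/ or run samba_upgradedns --dns-backend=BIND9_DLZ" >&2
    return 2
}

# 4. smbd/nmbd/winbind must stay masked on an AD DC; samba-ad-dc runs them itself.
check_masked() {                    # $@ = unit names
    for u in "$@"; do
        [ "$(systemctl is-enabled "$u" 2>/dev/null)" = "masked" ] || return 1
    done
}

run_all_checks() {
    rc=0
    check_apparmor_local /etc/apparmor.d/local/usr.sbin.ntpd || { echo "FAIL: apparmor ntp_signd rule"; rc=1; }
    check_signd_dir /var/lib/samba/ntp_signd               || { echo "FAIL: ntp_signd owner/mode"; rc=1; }
    check_dns_keytab /etc/bind/named.conf.options          || { echo "FAIL: dns.keytab"; rc=1; }
    check_masked smbd nmbd winbind                         || { echo "FAIL: smbd/nmbd/winbind not masked"; rc=1; }
    return $rc
}

case "${1:-}" in --run) run_all_checks ;; esac
```

Run it on the DC as root with `sh dc-check.sh --run`; a non-zero exit with one FAIL line per broken item tells you which of the manual steps above to revisit.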

Congratulations, and enjoy the Samba world.