Samba4 AD DC Virtual Machine


Samba4 can act as an Active Directory Domain Controller. Setting it up is a bit cumbersome, but here I have done most of the work for you. The link below leads to a VirtualBox VM exported using OVA format. The virtual machine runs Debian8. The root password is “Passw0rd”. That's a zero instead of an o.

Changing the Server Name, IP address, Domain, Etc.

Before you use the virtual machine, you will probably want to change the server name, domain, IP address, etc. As far as I know there is no GUI or script to easily change these values. You must edit the configurations files. Below are the instructions for customizing the VM.

1. decide on your server parameters. For this example I will use:

Hostname: Server
DC is also DNS server: no
forwarder DNS server:
Domain Information
NT4 domain name: SAMBADOMAIN
DNS Domain name:
Administrator password: Passw0rd

2. Set the hostname

# echo Server > /etc/hostname

3. You must delete the existing smb.conf file otherwise the samba-tool script will generate an error message:

# rm -fr /etc/samba/smb.conf

4. Run the samba-tool domain provision script, see step 5 regarding answers to the script's questions.

# samba-tool domain provision --use-rfc2307 --interactive

5. samba-tool will require input. Given my example configuration in item 1, the input is:

Server Role: dc
DNS forwarder IP address:
Administrator Password: Passw0rd

6. The samba-tool script generates a new krb5.conf file. Copy the krb.conf file to /etc

# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

7. Add your server name as a loopback address in /etc/hosts: Server

8. Edit /etc/network/interfaces to set your static IP address

9. Verify the time. If necessary edit the /etc/timezone file and restart the ntpd server. The domain controller and windows clients must have the same time or the windows client will fail to connect to the domain controller. Windows will say bad username/password but it is actually the clock.

10. Reboot the AD DC Virtual machine

11. The virtual machine doesn't generate enough entropy to initialize a kerberos realm. So I cheat and use the haveged tool. It is in the /root home directory. Start the haveged server to create entropy:

# /root/haveged-1.9.1/src/haveged -w 1024

12. Create a new kerberos realm

# krb5_newrealm

13. Add the domain and IP addresses to /etc/resolv.conf :


14. Reboot

15. Test samba

# smbclient -L localhost -U%

# smbclient //localhost/netlogon -UAdministrator -c 'ls'

16. Test dns

# host -t SRV

# host -t SRV

# host -t A

17. Join a Windows 7 Pro machine to the domain.