Ubuntu Samba AD DC Installation

By Arslan GÜRAL, filed under Genel (General) / Open Source

Setting Up Samba AD DC on Ubuntu

IMPORTANT: All domain names, IP addresses, usernames and similar values below are examples.
Replace them with your own environment’s details!

Placeholder      Meaning                            Sample value
example.local    Your DNS domain name               teknokafe.local
EXAMPLE          Short (NetBIOS/WORKGROUP) name     TEKNOKAFE
dc1              Domain controller hostname         dc1
192.168.10.5     DC IP address                      192.168.0.10
adminuser        Domain admin username              arslan.gural

1. Getting Started: Server & Network Prep

It’s best to use Ubuntu 22.04 or 24.04 LTS for Samba AD DC. The server’s hostname and IP should be static.
In your terminal:

sudo hostnamectl set-hostname dc1
sudo nano /etc/hosts

Add or edit the following line (use your own IP and names!):

192.168.10.5   dc1.example.local dc1

Ubuntu installs usually also contain a line such as "127.0.1.1 dc1". Remove it or comment it out: the hostname must resolve to the LAN address, not to loopback, otherwise provisioning registers 127.0.1.1 in DNS and clients cannot reach the DC. Afterwards hostname -f must print dc1.example.local.
Tip: The DC's DNS name and IP must be reachable from all clients!

2. Networking: Set Static IP via Netplan

Netplan is Ubuntu's network configuration tool. Without a fixed address the DC's DNS records go stale as soon as the lease changes, and clients lose the DC.
Example /etc/netplan/01-netcfg.yaml:

network:
  version: 2
  ethernets:
    ens18:
      dhcp4: no
      addresses:
        - 192.168.10.5/24
      routes:
        - to: default
          via: 192.168.10.1
      nameservers:
        search: [example.local]
        addresses:
          - 192.168.10.5
          - 8.8.8.8    # temporary: remove once the DC's own DNS is running
Attention! Replace ens18 with your server's interface name. Unsure? Run ip a to check.
Note: gateway4 is deprecated in current Netplan releases; the routes entry above replaces it. The second nameserver is only there so apt and the install steps can resolve names before Samba exists. If it stays in permanently, the resolver will sometimes fall back to it for example.local lookups (including the SRV records that Kerberos and domain join rely on), and those then fail at random. After step 7 remove it, run netplan apply again and finish the resolver setup under Extra Info; external names are then resolved through the DNS forwarder chosen during provisioning.

After saving:

sudo netplan apply
Tip: Use ping 8.8.8.8 and ping google.com to confirm internet access.

3. Install Required Packages

sudo apt update && sudo apt upgrade -y
sudo apt install samba krb5-user winbind smbclient dnsutils -y

Note: krb5-config asks for a default realm and KDC during install. Enter EXAMPLE.LOCAL or accept the defaults; provisioning generates a correct krb5.conf that replaces these answers later (step 6). dnsutils provides the nslookup and host commands used for verification below.

4. Clean Up Old Samba Files

If Samba was installed before, leftover databases and configuration get in the way: provisioning reads an existing smb.conf and either fails or produces a confused setup. Clean them up, but only on a fresh or test server, because these commands destroy any existing Samba domain or share configuration on the host:

sudo systemctl stop smbd nmbd winbind
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo rm -rf /var/lib/samba/*
sudo rm -rf /var/cache/samba/*

5. Samba AD DC Setup (Provision)

Provisioning turns Samba into an Active Directory Domain Controller.
Run:

sudo samba-tool domain provision --use-rfc2307 --interactive

When prompted:

  • Realm: EXAMPLE.LOCAL (the DNS domain name in upper case)
  • Domain: EXAMPLE (the NetBIOS name, at most 15 characters)
  • Server Role: [dc] (just press ENTER)
  • DNS backend: [SAMBA_INTERNAL] (press ENTER)
  • DNS forwarder IP: 8.8.8.8 (or your ISP's or an internal resolver; every lookup for names outside the domain goes through it)
  • Administrator password: (set a strong password)
Tip: Samba's default password policy requires at least 7 characters drawn from at least three of the classes upper case, lower case, digits and symbols (!@# etc.); with a weaker password provisioning aborts when it sets the Administrator password.
Caveat on the example name: ".local" is reserved for multicast DNS (RFC 6762), and Linux and macOS clients running Avahi or Bonjour may try mDNS for such names instead of your DC. For a new domain, prefer a subdomain of a domain you own, e.g. ad.example.com, and use its upper-case form as the realm.
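The same answers can be validated and passed to samba-tool non-interactively, which is useful for repeatable builds. The script below is an added example written for this article, not part of the original post or of Samba itself. It assumes Samba's default password policy (minimum 7 characters, three of four character classes) and that the forwarder is written into smb.conf after provisioning, because samba-tool domain provision has no forwarder flag in non-interactive mode (the sed one-liner form is GNU sed). REALM, NETBIOS and DNS_FORWARDER are the page's placeholders.

```shell
#!/usr/bin/env bash
# Added example: validate provisioning inputs, then provision non-interactively.
# Values are the article's placeholders; change them for your environment.
set -u

REALM="EXAMPLE.LOCAL"      # Kerberos realm = DNS domain in upper case
NETBIOS="EXAMPLE"          # short (NetBIOS) domain name, max 15 characters
DNS_FORWARDER="8.8.8.8"    # where the internal DNS sends non-domain queries

# Realm: upper-case labels only, at least two of them (EXAMPLE.LOCAL, not EXAMPLE).
check_realm() {
  printf '%s' "$1" | grep -Eq '^[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?(\.[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?)+$'
}

# NetBIOS name: 1-15 upper-case letters, digits or hyphens.
check_netbios() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ] || return 1
  printf '%s' "$1" | grep -Eq '^[A-Z0-9-]+$'
}

# Samba's default policy (assumed unchanged): at least 7 characters and at least
# three of the four classes upper, lower, digit, other. Weaker passwords make
# samba-tool domain provision abort when it sets the Administrator password.
check_password() {
  local pw="$1" classes=0
  [ "${#pw}" -ge 7 ] || return 1
  printf '%s' "$pw" | grep -q '[A-Z]'        && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[a-z]'        && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[0-9]'        && classes=$((classes + 1))
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
  [ "$classes" -ge 3 ]
}

# The NetBIOS name is normally the first label of the realm; anything else
# works but surprises people (and some tools) later.
netbios_matches_realm() {
  [ "$1" = "${2%%.*}" ]
}

provision() {
  check_realm "$REALM"     || { echo "realm must look like EXAMPLE.LOCAL" >&2; return 1; }
  check_netbios "$NETBIOS" || { echo "NetBIOS name must be 1-15 chars of A-Z, 0-9, -" >&2; return 1; }
  netbios_matches_realm "$NETBIOS" "$REALM" ||
    echo "warning: NetBIOS name differs from the first realm label" >&2
  # Read the password from the terminal so it never lands in shell history.
  read -rsp "Administrator password: " adminpass; echo
  check_password "$adminpass" || { echo "password fails Samba's default complexity policy" >&2; return 1; }
  sudo samba-tool domain provision --use-rfc2307 \
    --realm="$REALM" --domain="$NETBIOS" \
    --server-role=dc --dns-backend=SAMBA_INTERNAL \
    --adminpass="$adminpass" || return 1
  # --adminpass is briefly visible in ps; change the password after first login.
  # Non-interactive provisioning does not ask for a forwarder, so add it to [global].
  grep -q '^[[:space:]]*dns forwarder' /etc/samba/smb.conf ||
    sudo sed -i "/^\[global\]/a dns forwarder = $DNS_FORWARDER" /etc/samba/smb.conf
}

# Only provision when explicitly asked, so the checks can be sourced or tested alone.
if [ "${1:-}" = "--provision" ]; then
  provision
fi
```

Run it as bash provision.sh --provision on the cleaned-up server from step 4; without the flag it only defines the checks, so you can source it and call check_password interactively before committing to a value.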

6. Kerberos Configuration

Provisioning writes a matching Kerberos client configuration to /var/lib/samba/private/krb5.conf. Use it as the system-wide one:

sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

Your /etc/krb5.conf file should then look like:

[libdefaults]
    default_realm = EXAMPLE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

7. Start the Correct Samba Service

Do NOT run the classic smbd/nmbd/winbind units! On an AD DC only samba-ad-dc should run; it starts its own smbd and winbind internally.

sudo systemctl stop smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
sudo systemctl start samba-ad-dc
sudo systemctl status samba-ad-dc
Note: Ubuntu ships samba-ad-dc masked, which is why the unmask step is needed. You should see Active: active (running). If not, read the error with journalctl -u samba-ad-dc and fix accordingly.

8. Configure Firewall (UFW)

An AD DC needs the ports below (the list from the Samba wiki's port usage page). Scope the rules to your LAN instead of opening them to any source. The dynamic RPC range is used by RSAT and DC replication after the endpoint mapper on 135, 3269 is the Global Catalog over TLS, and 389/udp is the CLDAP ping Windows clients use to locate a DC during join:

sudo ufw allow from 192.168.10.0/24 to any port 53,88,135,139,389,445,464,636,3268,3269 proto tcp
sudo ufw allow from 192.168.10.0/24 to any port 49152:65535 proto tcp
sudo ufw allow from 192.168.10.0/24 to any port 53,88,137,138,389,464 proto udp
sudo ufw status verbose
Attention! The rules only take effect while ufw is enabled (sudo ufw enable). Allow your SSH port before enabling it, or you will lock yourself out.

9. Check DNS Port Listening

sudo ss -tulnp | grep ':53 '
You should see users:(("samba",...)) for both tcp and udp. If another process shows up there, typically systemd-resolve (the 15-character process name of systemd-resolved) on 127.0.0.53:53, disable it as described under Extra Info below; Samba's internal DNS server must own port 53.
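Steps 8 and 9 can be checked together. The script below is an added example written for this article, not part of the original post or of Samba; it parses ss -tulnp output and reports which of the ports from the firewall step no Samba process is bound on, plus any other process holding port 53. SAMPLE_SS is constructed, not captured from a real host, and shows the typical failure: systemd-resolved still on 127.0.0.53:53 and two ports not yet listening. SAMBA_RE is an assumption about process names: on an AD DC the samba daemon itself binds most sockets, but SMB on 139/445 is served by the smbd it spawns, so both count as Samba.

```shell
#!/usr/bin/env bash
# Added example: audit which AD DC ports are actually served by Samba.
set -u

# Ports an AD DC must serve. The dynamic RPC range (49152-65535/tcp) is not
# checked: those sockets are opened on demand, not bound at start-up.
REQUIRED_PORTS="tcp/53 tcp/88 tcp/135 tcp/139 tcp/389 tcp/445 tcp/464 tcp/636 tcp/3268 tcp/3269 udp/53 udp/88 udp/137 udp/138 udp/389 udp/464"

# Process names (kernel comm, 15 chars max) that belong to the AD DC itself.
SAMBA_RE='^(samba|smbd|winbindd)'

# Constructed sample of `sudo ss -tulnp` output (not captured from a real host):
# systemd-resolved still owns 127.0.0.53:53, and 3269/tcp and 389/udp are not bound.
SAMPLE_SS='Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0       192.168.10.5:53     0.0.0.0:*         users:(("samba",pid=2101,fd=40))
udp   UNCONN 0      0            0.0.0.0:88     0.0.0.0:*         users:(("samba",pid=2101,fd=42))
udp   UNCONN 0      0       192.168.10.5:137    0.0.0.0:*         users:(("samba",pid=2101,fd=44))
udp   UNCONN 0      0       192.168.10.5:138    0.0.0.0:*         users:(("samba",pid=2101,fd=45))
udp   UNCONN 0      0            0.0.0.0:464    0.0.0.0:*         users:(("samba",pid=2101,fd=46))
tcp   LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=14))
tcp   LISTEN 0      10      192.168.10.5:53     0.0.0.0:*         users:(("samba",pid=2101,fd=39))
tcp   LISTEN 0      10           0.0.0.0:88     0.0.0.0:*         users:(("samba",pid=2101,fd=43))
tcp   LISTEN 0      10           0.0.0.0:135    0.0.0.0:*         users:(("samba",pid=2101,fd=47))
tcp   LISTEN 0      50      192.168.10.5:139    0.0.0.0:*         users:(("smbd",pid=2140,fd=30))
tcp   LISTEN 0      10           0.0.0.0:389    0.0.0.0:*         users:(("samba",pid=2101,fd=49))
tcp   LISTEN 0      50      192.168.10.5:445    0.0.0.0:*         users:(("smbd",pid=2140,fd=31))
tcp   LISTEN 0      10           0.0.0.0:464    0.0.0.0:*         users:(("samba",pid=2101,fd=51))
tcp   LISTEN 0      10           0.0.0.0:636    0.0.0.0:*         users:(("samba",pid=2101,fd=52))
tcp   LISTEN 0      10           0.0.0.0:3268   0.0.0.0:*         users:(("samba",pid=2101,fd=53))'

# owners_of <proto> <port>: reads ss output on stdin and prints each process
# name bound on that proto/port once, taken from the users:(("name",pid=..)) column.
owners_of() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto && $5 ~ (":" port "$") {
      p = $NF
      while (match(p, /\("[^"]+"/)) {
        print substr(p, RSTART + 2, RLENGTH - 3)
        p = substr(p, RSTART + RLENGTH)
      }
    }' | sort -u
}

# is_samba_bound <ss output> <proto> <port>: true if a Samba process owns the port.
is_samba_bound() {
  printf '%s\n' "$1" | owners_of "$2" "$3" | grep -Eq "$SAMBA_RE"
}

# missing_samba_ports <ss output>: required ports no Samba process is bound on.
missing_samba_ports() {
  local spec missing=""
  for spec in $REQUIRED_PORTS; do
    is_samba_bound "$1" "${spec%/*}" "${spec#*/}" || missing="$missing $spec"
  done
  printf '%s' "${missing# }"
}

# foreign_dns_listeners <ss output>: anything other than Samba bound on port 53.
foreign_dns_listeners() {
  { printf '%s\n' "$1" | owners_of tcp 53; printf '%s\n' "$1" | owners_of udp 53; } |
    sort -u | grep -Ev "$SAMBA_RE" || true
}

# audit <ss output>: human-readable report; returns 1 if anything is wrong.
audit() {
  local rc=0 missing foreign
  missing=$(missing_samba_ports "$1")
  foreign=$(foreign_dns_listeners "$1")
  [ -z "$missing" ] || { echo "Samba is not listening on: $missing"; rc=1; }
  [ -z "$foreign" ] || { echo "port 53 is also held by: $foreign (disable it)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all required AD DC ports are served by Samba"
  return "$rc"
}

# Usage: bash dc_ports.sh         -> audits the constructed sample
#        bash dc_ports.sh --live  -> audits this host (sudo is needed for ss -p)
if [ "${1:-}" = "--live" ]; then
  audit "$(sudo ss -tulnp)"
else
  audit "$SAMPLE_SS" || true
fi
```

On the sample the report lists tcp/3269 and udp/389 as unserved and systemd-resolve as a foreign owner of port 53; on a correctly configured DC the live run prints the all-clear line and exits 0, so it can be dropped into a post-install check.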

10. Add A Record for Your Server

Provisioning normally creates the DC's own A record. Check it first, because if /etc/hosts mapped the hostname to 127.0.1.1 the record is missing or points at loopback:

sudo samba-tool dns query localhost example.local dc1 A -U administrator

Add it only if it is missing:

sudo samba-tool dns add localhost example.local dc1 A 192.168.10.5 -U administrator

If it exists but holds the wrong address, replace it instead of adding a second one: samba-tool dns update localhost example.local dc1 A <old-ip> 192.168.10.5 -U administrator
Tip: Without a correct A record, domain join and RSAT connections fail.

Verify with:

nslookup dc1.example.local 127.0.0.1
host -t SRV _ldap._tcp.example.local 127.0.0.1
host -t SRV _kerberos._udp.example.local 127.0.0.1
Both SRV lookups must answer with dc1.example.local; clients use them to find the LDAP and Kerberos services.

11. Create Domain User and Admin

sudo samba-tool user create adminuser
sudo samba-tool group addmembers "Domain Admins" adminuser
sudo samba-tool user setprincipalname adminuser adminuser@example.local
Tip: samba-tool user create prompts for the new password, which must meet the same complexity policy as the Administrator password. You can now use adminuser (or adminuser@example.local) for domain join and RSAT. Keep Domain Admins membership minimal: reserve the built-in Administrator for recovery, give each admin a dedicated account like this one, and use separate, unprivileged accounts for everyday work.

12. Join Windows PC to Domain

  • On the PC, set DNS to 192.168.10.5 only; a public resolver as secondary breaks DC discovery on the client just as it does on the server.
  • Domain: EXAMPLE.LOCAL
  • User: administrator or adminuser
  • Password: the one set during provisioning (administrator) or at user creation (adminuser)
Attention! Kerberos tolerates at most 5 minutes of clock skew by default; beyond that authentication fails and the join fails with it. Give the DC a reliable time source (chrony or ntpd) so that clients can sync from it.
Hint: Run w32tm /resync on Windows to resync time.

13. Easy Management with RSAT

  • Install RSAT tools in Windows (“Active Directory Users and Computers”, “DNS”, “Group Policy Management”)
  • Manage all AD and DNS operations via the GUI.
Tip: RSAT makes zone, record, user, group and GPO management a breeze!

Extra Info & Troubleshooting

  • systemd-resolved should be disabled. On Ubuntu /etc/resolv.conf is a symlink to systemd-resolved's stub file, so remove the link and write a real file pointing at the DC's own DNS:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo rm /etc/resolv.conf
sudo nano /etc/resolv.conf
# Contents:
# search example.local
# nameserver 127.0.0.1
  • Do not run BIND9 alongside the internal Samba DNS; both would try to bind port 53. BIND9 belongs on a DC only as the BIND9_DLZ backend chosen at provisioning time.
  • More helpful commands:
    sudo samba-tool user list
    sudo samba-tool dns query localhost example.local @ ALL -U administrator
    
