Compiling Samba 4 on Debian Wheezy – Active Directory Domain Controllers Ho!

I’ve managed to avoid working with Microsoft’s Active Directory for many years, which is actually somewhat of a skill. But recently a client, unhappy with the support and the direction their MS “specialist” was taking them, asked me to see what I could do with their network.

Long ago I advised them to steer clear of Active Directory if they could, because it would only tie them in to more and more expensive MS “necessities” over time. This is the position they found themselves in, years later, having to shell out more and more money to MS and their MS-oriented “consultant” just to keep things running – and not running well, either.

It was important to this company that they remain able to manage user identity and authentication from a central place, as well as authorities and permissions. So I thought it might be a good time to at last examine Samba-4 and its claims to support Active Directory.

The Samba-4 guys can claim anything they like related to Active Directory and I would be none the wiser. I knew nothing of AD. But that soon changed as I delved into Samba-4. I must point out that the things I say here are my own impressions and conclusions based upon next to no research – so I could be quite wrong in some places.

It turns out that Active Directory is an unholy marriage of DNS, Kerberos, LDAP and CIFS. Unholy only in that it tries to obscure the individual technologies. On the MS side of things, they like to include DHCP, but it isn’t necessary at all.

Maybe I shouldn’t say that it tries to obscure the individual technologies. Maybe I should say it tries to unite them in holy simplicity for the good user.  Yes, that’s it.

The tricky key (and shackle) is DNS. I always wondered why Windows clients had to use the Active Directory server as their DNS server – it seemed so limiting (and error-prone). It turns out that Active Directory will “inject” funny yet specific DNS names into your domain that identify the AD server to clients. It’s not necessary to be designed that way of course, really – but it’s a good hook. Windows clients joining a “domain” expect these funny DNS entries, and it does no good just specifying the AD server to connect to, unless you have these DNS entries being injected there as well. (salutes and rifle fanfare, etc.)

As for Kerberos and LDAP – anyone who’s worked with them knows it can take some strenuous wrestling to get stuff seated and right for handling your user auth stuff. And in this I am actually impressed with Active Directory. MS has done a great job integrating these Free technologies into something standardized on a platform. Although there are many ways this can be accomplished, Microsoft’s dominance on client machines made a standardization possible. And I’m happy that the European courts saw fit to rule in a way that allowed these Free technologies to be free once again — and this is where Samba-4 comes in.

If you have worked with Samba in the past, you know how versatile it is for file serving, and how complicated it can get. I don’t think I’ve ever dealt with a longer man page with more options. Samba 4 is no different. However, in some ways, it’s much easier than Samba 3 if you’re using the standard Windows administration tools to administer the users and shares. From my understanding so far, you basically just put the shares you want into the smb.conf file with minimal definitions, and define the user authority stuff through the Windows tools connected as an Administrator to Samba 4. If you’re managing rights on share servers other than your Samba 4 DC, then you don’t even have to worry about defining them in the smb.conf file.

But of course you can if you want – there is a command line tool that gives you access to the same stuff that tweaks this marriage of Kerberos, LDAP and DNS – without the need of Windows at all.

Anyway, enough of these background thoughts. The Samba team has done a great job. A really great job. And I’m going to donate some dollars to them, because they do need pizza, even though they say they don’t.

So, being mostly a Debian guy, I decided to try this Samba-4 out in Debian Wheezy. The Wheezy repositories have an older version of Samba-4, of course. This is one of those rare instances where I will compile my own version of a package outside the normal Debian space, since Samba-4 is so much newer and only recently became stable, in the more unix-y sense of stability.

And it’s not that hard to compile and get Samba-4 running in Debian Wheezy. And it’s certainly worth the time if you want to replace an Active Directory Domain Controller with Samba-4 or to just play with it, to see what it’s all about. I took some notes while I was doing it, which I decided to share here, since other people have found my doing so helpful previously, on other systems.

Note: It looks like Debian Backports is updated with a newer version of Samba4 at last. This is a great way to go to avoid compiling and maintaining your own. I’ve tried it, and it works well. FYI

Do Your Debian

I used a KVM virtual machine to create a Debian Wheezy installation that would run Samba-4. I think it’s probably a good idea not to use a production server at first. If you use a VM, you can always just trivially put it into production later.

During the install, I chose the most minimal installation package option with the addition of an SSH server.

Of course, this will probably work just as well with other distributions if you get your library dependencies right. Ubuntu may work with no modification, but I’m not sure.

Kerberos is very finicky about time. You will need an ntp server to keep your clock well synchronized.

apt-get install ntp

Also, generally I like to assign my servers static IP’s. And it also seems like the AD stuff does not like changing IP addresses once it’s been set up. Seriously. It’s probably an ingredient in the unholy glue.

edit /etc/network/interfaces

Change your “dhcp” flag to “static” and give yourself your proper address and routing info.

auto eth0
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1

Unless you’re right on top of your DNS zone information, including PTR records, you should probably edit your /etc/hosts file too, to include the machine name you’re going to use:

edit /etc/hosts

I’m not really sure about the 127.0.1.1 entry here, but it freakishly seemed to work for me. And I’m not sure why I did it. And it may not be necessary. I think it must not be.

127.0.0.1       localhost
127.0.1.1       samba4.mydomain.com    samba
192.168.1.2     samba4.mydomain.com    samba

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

As for DNS, you can use Bind9 just fine with Samba 4 — but Samba 4 also has its own built-in DNS server that does that filthy injection. If you want to use Bind9 as your backend DNS server, you can, but you will need to allow the Samba 4 server to dynamically update the zone for your domain with Kerberos. There are howto’s on that. I chose to just let Samba 4 use its own built-in DNS server. Because I’m lazy. And I’m just playing for now. And I don’t like a “domain controller” being able to update my real DNS zone file.

This leads to an interesting, and by that I mean boring and unnecessary, discussion of how you should name your Active Directory “domain”. There are a few schools of thought on it, and even Microsoft has changed their tune over time on the subject. I have chosen to name my Samba 4 “domain” as a “subdomain” of my root domain – that way the Active Directory stuff doesn’t have to be authoritative for my whole domain, and I don’t have to make up a fake domain either.

And leave it to Microsoft to terribly confuse everyone by “making it easy”. By domain they do not mean a DNS domain. It’s a hybrid abomination of DNS and what is known in Kerberos as a “realm”.

So yes, well, I made Samba 4 be the DNS server, but it will also do sensible lookups to the real DNS information from my proper DNS server when it doesn’t know a name. That’s why I named it as a DNS “subdomain” (host) rather than the whole domain. For resolution:

edit /etc/resolv.conf

Now, in Ubuntu you’re going to have to do some special editing of configs to keep Network-Manager from overwriting your resolv.conf file after you make these changes.

domain mydomain.com
search mydomain.com
nameserver 192.168.1.2
nameserver 192.168.100.1

The first should be your Samba 4 installation IP. The second should be your real DNS server.

Probably quick & dirtiest to reboot after all this, if you like that sort of thing. BTW – make sure your /etc/hostname matches your DNS hostname. I don’t know if it’s necessary, but how can you stand it otherwise??

Debian Requirements to Compile Samba 4

I should mention, if you plan on having your Samba 4 server also be a filesharing server, and for the Active Directory stuff to manage the users and permissions for you, you need to make sure that whatever filesystem you’re going to be serving out is supporting ACL’s and extended attributes. In Debian this is a normal part of their ext4 mounts, and I think their ext3 ones as well. So you’re set!

But still, might be good to put it in, in your /etc/fstab, just as a reminder. Do, of course, use your own partition’s UUID. And whatever mountpoint you want to share.

UUID=b99750a8-9c39-11e3-82f1-525400990c6c   /home ext4      user_xattr,acl  0       2

Many docs also want you to specify barrier=1 as a mount option, to make sure stuff doesn’t get corrupt in a power failure. This is enabled by default in ext4, but you may want to set it in ext3. And if you’re using LVM volumes, this is passed through and respected now. Ah, the wonders of the modern world.

Now, what you really want to know: which Debian packages do I need to install when compiling Samba 4? Well, how about these?

apt-get install build-essential pkg-config libacl1 acl libacl1-dev libblkid-dev libblkid1 attr libattr1 libattr1-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb libpopt-dev libldap2-dev dnsutils libbsd-dev krb5-user docbook-xsl libcups2-dev libncurses-dev libpam0g-dev libdm0-dev libfam0 fam libfam-dev xsltproc libnss3-dev docbook-xsl-doc-html docbook-xsl-ns

If you don’t have other Kerberos servers, well, I just used this server as my kerberos ones, and it works just fine. The initial realm, where it defaults to your domain name in upper-case — I made that the FQDN in upper-case as well. Apparently the realm likes to be upper-case.

Maybe you’ll want to reboot again, after the acl stuff. Maybe not. Maybe you didn’t reboot a few minutes ago, so it will only be this one reboot. Or none. I don’t care.

Compile Samba 4

The version of Samba I grabbed was their latest at the time, listed below. They may have a newer version when you read this, so always check the Samba site for the version you want.

I like compiling in /usr/src — and I’m letting Samba 4 install to its default location, which I know is a horrific violation of Debian policy. But I’m naughty.

cd /usr/src
wget http://www.samba.org/samba/ftp/stable/samba-4.1.4.tar.gz
tar -xzf samba-4.1.4.tar.gz
cd samba-4.1.4
./configure && make && make install

Oh, the places we’ll go.

After that completes successfully the first try and love descends upon all humanity, you might want to put the install directory into your PATH environment variable so you can avoid over-stressing your poor little phalanges. Put this in your .bashrc

export PATH=/usr/local/samba/bin:/usr/local/samba/sbin:$PATH

If you’re feeling particularly cavalier, trusting in the goodness of strangers that is. And source it! (or log out/in, open a new terminal, whatever)

I also symlinked my /usr/local/samba/etc to /etc/samba to make it less typing to edit configs:

ln -s /usr/local/samba/etc /etc/samba

Then you’ll want to make the Samba 4 stuff work. Right? First thing is to provision the so-called domain. I’m leaving it open to do some Un*x-side integration later here – that’s why the “rfc” switch.

samba-tool domain provision --use-rfc2307 --interactive

It will ask you some questions, and here’s where we get into the “domain” naming philosophy again. Just make it the same as your DNS decision above. In my example, the Realm I chose was SAMBA4.MYDOMAIN.COM

Do do the upper-case! Why? I don’t know!

And for the “Domain” I chose “MYDOMAIN” (without the .COM). It’s pretty much like your workgroup setting, is all I can figure.

If you do it this way, then all machines joining your Active Directory “domain” will get the right DNS information for your DNS zone — because the AD server will only consider itself authoritative for SAMBA4.MYDOMAIN.COM and “higher”, but not for all of MYDOMAIN.COM itself — and it will forward those DNS requests on to your proper DNS server when it doesn’t know about them.

So be sure to set your DNS forwarder here to your real DNS server.

Cold, Cruel Kerberos

I’ve never known it to be so easy. I’m leaping with joy inside. Or maybe that’s lasagna.

cd /etc
cp krb5.conf krb5.conf.original
cp /usr/local/samba/share/setup/krb5.conf .

Then edit your new /etc/krb5.conf and change the REALM variable to the realm you chose: SAMBA4.MYDOMAIN.COM

I know! Can you believe it! It’s here where I feel a twinge of almost… non-sickness about MS. Ok it may even be stronger than that. A little.

Reboot again. Hahaha!
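
Added example, not part of the original article: a shell check that the three files edited by hand so far (krb5.conf, smb.conf, resolv.conf) agree with each other before samba is started. It assumes the krb5.conf template shipped by Samba carries a ${REALM} placeholder; all file contents are constructed samples using this guide's names and addresses, and ini_get, first_nameserver, srv_names, check_dc_config and make_samples are names made up for the example.

```shell
#!/bin/sh
# Added example, not from the article: consistency check for the files this
# guide edits by hand. All sample file contents below are constructed.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] of an INI-style
# file (krb5.conf and smb.conf share this layout). Names match ignoring case.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s)
                        insect = (tolower(s) == tolower(sect)); next }
        insect && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# first_nameserver FILE: the resolver tries nameserver lines in order, so the
# first one decides who answers the AD lookups.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# srv_names REALM: the SRV records a client looks up to find the DC; query
# them against the DC with `host -t SRV <name>` once samba is running.
srv_names() (
    zone=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "_ldap._tcp.$zone" "_kerberos._udp.$zone"
)

# check_dc_config KRB5_CONF SMB_CONF RESOLV_CONF DC_IP
# Prints one FAIL line per problem; exit status is the number of problems.
check_dc_config() (
    krb_realm=$(ini_get "$1" libdefaults default_realm)
    smb_realm=$(ini_get "$2" global realm)
    ns=$(first_nameserver "$3")
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    case $krb_realm in
        '')     fail "no default_realm in $1" ;;
        *'${'*) fail "template placeholder left in $1: $krb_realm" ;;
    esac
    [ "$krb_realm" = "$smb_realm" ] ||
        fail "krb5 realm '$krb_realm' != smb.conf realm '$smb_realm'"
    [ "$smb_realm" = "$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')" ] ||
        fail "smb.conf realm '$smb_realm' is not upper-case"
    [ "$ns" = "$4" ] ||
        fail "first nameserver is '$ns', expected the DC at $4"
    if [ "$fails" -eq 0 ]; then
        echo "OK: realm $krb_realm, resolver asks $ns first"
    fi
    exit "$fails"
)

# make_samples DIR: write constructed sample files using the article's names.
make_samples() {
    cat > "$1/krb5.unedited" <<'EOF'
[libdefaults]
    default_realm = ${REALM}
    dns_lookup_realm = false
    dns_lookup_kdc = true
EOF
    sed 's/\${REALM}/SAMBA4.MYDOMAIN.COM/' "$1/krb5.unedited" > "$1/krb5.conf"
    cat > "$1/smb.conf" <<'EOF'
# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = SAMBA4.MYDOMAIN.COM
    server role = active directory domain controller
    dns forwarder = 192.168.100.1
EOF
    printf 'nameserver %s\n' 192.168.1.2 192.168.100.1 > "$1/resolv.conf"
    printf 'nameserver %s\n' 192.168.100.1 192.168.1.2 > "$1/resolv.swapped"
}

# Demo: one consistent set, then an unedited template with the resolver
# order swapped (three FAIL lines).
tmp=$(mktemp -d)
make_samples "$tmp"
check_dc_config "$tmp/krb5.conf" "$tmp/smb.conf" "$tmp/resolv.conf" 192.168.1.2 || true
check_dc_config "$tmp/krb5.unedited" "$tmp/smb.conf" "$tmp/resolv.swapped" 192.168.1.2 || true
srv_names SAMBA4.MYDOMAIN.COM
rm -rf "$tmp"
```

On the real machine, pass /etc/krb5.conf, /usr/local/samba/etc/smb.conf, /etc/resolv.conf and the server's own address to check_dc_config.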

You Can Dance

Now, just start Samba 4 by typing in “samba”

It will give minimal info in /var/log/syslog – mine complained about CUPS not being there, but it wasn’t enough trauma for it to die, thankfully.

Now you’ll want to set up your administrator auth-y stuff, yes?

kinit administrator@SAMBA4.MYDOMAIN.COM
samba-tool user setexpiry administrator --noexpiry

Bad idea that no-expiry flag probably. But we’ve already established I’m naughty.

That’s about it! You can now fully administer it just like an Active Directory domain controller from Windows, using their remote server administration tools. Crazy, I know! That link is for Windows 8.1 download, BTW.

Also, the Samba website has a good howto on stuff like this.

The thing is, when you join a Windows machine into the “domain”, you have to make sure that you’re using your Samba 4 server as the DNS server for that machine, just like you would have to do with Microsoft’s Active Directory domain controllers. They need the filthy DNS injection.

Home Directories for Windows Users

If you want to have your Samba 4 server serve out home directories to your users, you can accomplish that pretty easily. It just requires a “[home]” section in your smb.conf file.

That’s not a “[homes]” section like in Samba 3 by the way — just a singular “[home]”. It’s special. Apparently.

That section only requires a path and a not-read-only:

[home]
        path = /home/
        read only = no

You don’t really need local accounts for your users. Samba 4 will create crazy high-numbered fictional users and groups to service your Windows throngs. Just make sure that mountpoint has the acl and xattr flags.

Oh, and your administrator account will need the “SeDiskOperatorPrivilege” I think:

net rpc rights grant 'MYDOMAIN\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

This will make it so that, if you use the Windows remote administration tools in Windows, you can create users that can have a drive automatically mapped to their Windows machine when they log in, and Samba 4 will create their home directory automatically.

The setup in Windows is a little convoluted. I’m no Windows person. But here’s a step by step that I followed and it worked great.

It should also be noted that the default setup seems to allow normal workgroup functioning to continue working as well. So even if you have Windows machines that aren’t the insanely more expensive “Pro” version of Windows, you can still map to the shares like you could to a workgroup.

But then again, that begs the question, why then bother with an Active Directory Domain Controller at all? Unless you want to spend a lot more money per seat on Windows.

Final Comments

I am impressed with Microsoft’s ability to impose a standardized way of implementing LDAP in conjunction with Kerberos. I am less impressed with their shameless violations of DNS to rope this in.

I haven’t tried it yet, but apparently you can pretty easily have your Linux boxes authenticate against Samba 4 as well. I think I may not be doing that. Well, maybe I will.

It is really nice and compelling that it’s all tied together. And it’s not so bad since Samba 4’s been able to bring it into the light. I’m undecided. It seems to work well.

Anyway, I hope this helped someone. I was very daunted by the whole Active Directory integration mess at first. But these Samba guys really have done a great job. I’ll be showing them some love. Of the monetary type! Well, I suppose unless…

This article is published at Linux Tricks of the Trade.

  • codeFoil

    Hey. You definitely helped me. It’s always comforting to see someone has already been down the road…. And thanks most for gathering the dependencies into one command line.

  • Hey, thanks for the thanks codeFoil. Hope it works out well for you. Should mention that Debian backports now has a newer version of Samba4 that seems to work really well.

  • Daniel

    I was just wandering and found this and started to read. I liked. I already use samba4 but you did a very good job. Congratulations.

  • Thanks for the kind words Daniel 🙂

  • my2cents

    have to agree here. I am using backported samba4 and I am impressed.

    but just for the record, even your arguments against ADS in the past were correct, the fact that you don’t know anything about it is a little bit sad. it appears like just a linux guy has no clue about another technology, that’s why he is talking against.

    well to be fair – you’re right – MS did a great job on active directory.
    well the DNS thing is a bit annoying but easily to manage in your current DNS situation.

    while you could use dynamic bind I personally stick with the built in.
    but I use a complete separate DNS subzone for my ADS and simply define it in my regular bind servers. all clients get the regular DNS and only request for ADS will be handled then by the samba/windows DNS server – no headaches here.

    you can even use ADS to manage your linux environment. MS made it possible to manage posix accounts in their usertab as an attempt to migrate *nix to windows ADS – well great news for us because it means you can have a directory for all your linux users as well

    why you want use ADS for this – well be honest – LDAP alone isn’t really an alternative – other directories are either dead or closed source with little support for them – there is already a lot of support for auth against ADS by many many many software products on all platforms but even better you get full blown administrative tools developed for free by MS :))

    personally I am more than happy with samba4 and the new possibilities emerging right now – and hey I’ve even full licensed datacenter 2008r2 as members running – I am not using samba4 for saving bucks but because it does have some advantages over windows I really need (like roll back your ADS in seconds by simply filecopy in case of lets say you tried something out or another disaster – which you can’t do that easy on ms platforms)

  • “Just a linux guy who has no clue about another technology”? 😉 Well, considering Active Directory is just a packaging together of technologies that Microsoft didn’t invent… I’m not really sure what you’re saying. Do you mean that I’m not familiar with the manner in which Microsoft bundled them together? Or the way Windows machines attempt to utilize them in aggregate, under this banner of “Active Directory”?

    Because if you’re saying I don’t know exactly how Microsoft decided to bundle these other people’s technologies up, and how Microsoft decided to configure them, you’re absolutely right! Lots of companies and people will take technologies and rebrand/rebundle them – and it’s a learning curve to try figuring out what they had in mind in doing so. And you decide whether or not it’s worth it to you to try figuring out what they intended, or if it’s better just to roll your own. Not really sure why that makes me “sad”… ?

    Actually, it does make me sad, but in a different way, I think. 😉

    I certainly prefer running Samba4 instead of a Microsoft Active Directory server, too. For much the same reasons you mention. It seems to be far less headache, and much more flexible.

    And like I said in the article, I think it’s a good thing that Microsoft used their weight to standardize a way to configure LDAP, Kerberos and DNS together and let their Windows machines take advantage of it. And I totally agree that Linux machines can pretty easily take advantage of that manner of configuration to centralize administration of auth and privs if they want to, by adopting Samba4. I’m not so sure about using MS’s servers for it, though — I’d stick to Samba4 — since you probably won’t fall victim to all your auth breaking one day because MS decided to change some little “secret” thing that suddenly makes anything not Windows unable to join their domains.

  • Vijay

    Very nice! Thanks very much

  • Vijay

    You mentioned “If you use a VM, you can always just trivially put it into production later.” If you have the time, it will be great if you could elaborate on this. Are there any specific utilities you would use for this purpose?

  • Sure thing Vijay! 🙂

  • I often use LVM in conjunction with VMs, so you can snapshot your LVM drive after you get the pristine install done, then do all the testing you like, and when you’re satisfied, just restore back to that snapshot and you’re good to go for production (with just the necessity of doing any customizations you might have determined are necessary for you).

    I’ve been meaning to write up a little piece on that….

  • dubya

    Great post, as everyone else said…but it generated one question for me:

    Is it possible/advisable to bypass the need for a Windows-based DNS server altogether? You mention pointing Samba DNS at a Windows server but not the other possibility. Also…I’d like to full-out *replace* a Windows DC with a Samba4 one, but have them both around at the same time. Does this scenario seem workable to you?
    1) create SambaDC with DNS and all that
    2) let it sit for a while (any idea how long for a ~300 user domain?) to replicate/populate
    3) decommission the old PDC
    4) change IP of new SambaDC to match the old one, edit DNS records to reflect the new names

    Or am I completely missing a step or a complication?

    Thanks!

  • Actually you can use Samba4 as a replacement that includes all the DNS nastiness that Active Directory Domain Controllers require. In fact, by default, that’s the way it wants to operate. It will handle creating all those entries for you. It can use its own internal DNS server, or a real Bind9 one that lets it write to it.

    As for the replication of data, I don’t know for sure, but I’ve read around a bit that it should work to copy everything over, but I’m not sure. That’s a process I would feel nervous about even using only Microsoft products themselves. There seems to be something a little rickety about the whole way MS have these technologies married — in that as long as there are no hiccups, everything is fine, but if there is a hiccup, it seems like there can be hell to pay.

    You could probably make it a secondary, and later promote it to the primary. I don’t know, though — this pre-packaged way of doing things I know very little about.

    Depending on how you’re organized, and how complex this organization is, with 300 people you could always create a whole new domain and migrate people over one by one — and do house cleaning along the way! It’s a good excuse to clean up and reorganize everything. I’ve found most places get very messy over time, taking lots of shortcuts, and few even know what’s going on any more with their networks, having left all kinds of things open/unsafe in the name of easy expedience, with the intention to go back and “fix it” later. But then forget. And after a few years….

    Well, after a few years, the only thing left when change needs to happen is…. I don’t know what’s going on! I just want to copy everything as it is!

    So really, you might just want to bite the bullet, and put everyone through a bit of hell, and have a clean system that’s organized afterward and designed by you.

    I have no experience at all trying to copy everything as-is. I might look into making it as a secondary, then promoting it later.

  • dubya

    I thought about starting fresh but the servers aren’t here yet and school starts in two weeks lol…not to mention that there’s certain offices that need non-stop service. I *might* be able to get away with it over Christmas, but the other worry is data loss on certain workstations, or at least a less-than-seamless transition! I definitely plan to clean things up like crazy regardless of which angle I take though, especially since I inherited it and am not sure if the last guy did too

    Thanks for the post and the response!

  • Yeah, I was thinking you probably inherited it. But hey, sometimes good things take a little bit of suffering at first — and users will always whine, regardless. 😉 Maybe you could migrate them in organized blocks — just some at a time? But hey, hope you have a great school year! 🙂

  • aaron83

    Perfect post!!!! at last i find a samba4 perfect guide….thanks a lot, i have a functional samba4 service and all thanks to you….now i have a hard work…migrate zimbra-squid-openfire-freeradius login into samba4 server…..any suggestion???…..thanks again!

  • Thank you for the kind words Aaron! And thanks to the Samba team for letting me have a nice functional Samba4 service as well!

    As for the migration – nope! No suggestions. It sounds like a small nightmare though. Hope you manage to get it all tied together perfectly well!

  • Lippyrich

    Hi, sorry but I keep getting “kinit: Cannot contact any KDC for realm ‘FISH-BROS.LOCAL’ while getting initial credentials” Can anyone advise what my krb5.conf should look like please ?

  • Arnold

    I must have missed a step. I have a Raspberry Pi B+ (512MB) and started with a clean image of Debian Wheezy. I want it to be my PDC at home. After the download of Samba 4.1.4 (and also with 4.3.1) I got errors:
    WAF_MAKE=1 python ./buildtools/bin/waf build
    Waf: Entering directory `/usr/src/samba-4.1.4/bin’
    symlink: tevent.py -> python/tevent.py
    /usr/src/samba-4.1.4/wscript: error: Traceback (most recent call last):
    File “/usr/src/samba-4.1.4/buildtools/wafadmin/Utils.py”, line 647, in recurse
    exec(compile(txt, file_path, ‘exec’), dc)
    File “/usr/src/samba-4.1.4/wscript_build”, line 33, in
    bld.RECURSE(‘lib/tevent’)
    File “./buildtools/wafsamba/samba_utils.py”, line 471, in RECURSE
    return ctx.add_subdirs(relpath)
    File “/usr/src/samba-4.1.4/buildtools/wafadmin/Build.py”, line 993, in add_subdirs
    self.recurse(dirs, ‘build’)
    File “/usr/src/samba-4.1.4/buildtools/wafadmin/Utils.py”, line 634, in recurse
    f(self)
    File “/usr/src/samba-4.1.4/lib/tevent/wscript”, line 121, in build
    installdir=’python’)
    File “./buildtools/wafsamba/wafsamba.py”, line 690, in SAMBA_SCRIPT
    os.symlink(link_src, link_dst)
    OSError: [Errno 13] Permission denied

    Makefile:8: recipe for target ‘all’ failed
    make: *** [all] Error 1
    pi@srv-domein2 /usr/src/samba-4.1.4 $

    I have no clue of what i did wrong, or what I missed. Any help or clues?

  • Hey for some reason my kerberos is not working, and it always gives me the error “Cannot find KDC for realm “SAMBA.MYDOMAIN.COM” while getting initial credentials”

  • Well, you shouldn’t use “SAMBA.MYDOMAIN.COM” as your kerberos realm, unless that’s the realm you’re choosing to use in Samba — just make sure you’re using the same kerberos realm in both.

  • Hey i was wondering if u could help me some more, I can now run all the tests and everything seems fine (i was doing something stupid before, there wasn’t even any error xD) but when i try to change my domain in Windows it says an error has occurred and it failed to resolve the name of the domain MYDOMAIN. That was supposed to be the domain name by following your guide right? And if so do you have any idea as to why it is occurring? Many thanks for the previous help.

  • Not sure but I’d bet you didn’t change the DNS server on the Windows machine to use your new Samba DC. Microsoft did freakish things with DNS — special names must be returned to the Windows machines, and that only happens if you are using your DC as your DNS server. (or have manually configured another DNS server with the proper values or to be updated with the proper values)

  • Thank you for the quick replies but that doesn’t seem to be it, even when i do change the DNS server of my Windows machine to my DC it still gives the same error when i do try to connect to my Domain.

  • Okay after a bit fiddling around I realized i was tricked by my own stupidity again. I was able to make it work, thank you so much for your guide!!

  • 🙂 Excellent! 🙂 Happy I could help a little bit!

  • And just in case do you know of any tutorial on how to use/manage users and groups on the AD?

  • I don’t – but the Windows people seem to use the standard Microsoft Active Directory management GUI that you install in Windows — you can manage your Samba server with it as well. I think that’s probably the easiest way to start out.

  • Jan Marti

    In Debian 7.11 for Sparc CPU platform (Sun Blade 2500 Silver) with kernel 3.16.x from “wheezy-backports”, i need to do that step BEFORE executing “samba-tool domain provision --use-rfc2307 --interactive”:

    cd /etc
    cp krb5.conf krb5.conf.original
    cp /usr/local/samba/share/setup/krb5.conf .

    …otherwise, i will get the error as described here: https://bugzilla.samba.org/show_bug.cgi?id=11573

    With best regards,
    Jan
