From Indie IT Wiki


How to configure Samba to use SMBv2 and disable SMBv1

Samba4 AD DC Ubuntu Install

Samba4 and DNSMasq


Network Performance Issues Errors

30 second delay when browsing fixed

Sage Accounts Performance Fix with Oplocks

Subnet Interface Errors

If you cannot access your samba server, and in the /var/log/samba/log.nmbd you see this error...

create_subnets: No local IPv4 non-loopback interfaces
create_subnets: Waiting for an interface to appear

...then change your interfaces parameter in /etc/samba/smb.conf to match your actual network interface card. For example...


interfaces =


interfaces =

Weird, but it works. :-/

SAMBA4 DC SysVol Replication

crontab -e

# samba4 dc sysvol replication
@hourly /usr/bin/rsync -XAavz --delete-after --password-file=/usr/local/samba/etc/rsync-sysvol.secret rsync:// /usr/local/samba/var/locks/sysvol/

# samba4 rebuild sysvol and check
01 * * * * samba-tool ntacl sysvolreset
02 * * * * samba-tool ntacl sysvolcheck

SAMBA4 Error In DC Replication

If you are getting these errors in your logs...

[2013/05/31 12:21:57,  0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
 ../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]

...and domain replication does not appear to be working, then you have the glibc (at least 2.17) nss dns resolver bug - where the resolver cannot look up names with an _ underscore.

To find your _msdcs_ name, look it up...

ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

To test this, try to ping the _msdcs_ name. You will receive an unknown host error...


To fix this, first add the _msdcs_ entry to /etc/hosts...

       localhost.localdomain localhost
#  samba2 samba samba2 

Second, make sure you add all the correct CNAME and A record entries in your Samba4 DCs DNS... that is, details of the secondary DC2 to _both_ DCs...

samba-tool dns add samba2 A
samba-tool dns add samba2 A
samba-tool dns add f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME -UAdministrator
samba-tool dns add f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME -UAdministrator

Now try to ping the _msdcs_ name. It will work...


And you will see two-way tcp connections in netstat...

tcp        0      0     ESTABLISHED 582/samba       
tcp        0      0      ESTABLISHED 589/samba       

Amazingly simple, but it fixes it.

You should see the extra Domain Computers that were not on your Secondary Samba4 Domain Controller.

To confirm all is working, add or edit a user and check it on the DC2...

samba-tool group listmembers "Domain Computers" |sort -f


samba-tool user list |sort -f

And look at the Replication status log...

samba-tool drs showrepl

DSA Options: 0x00000001
DSA object GUID: f0605966-1d4f-4fef-8a75-2a24863dbaa9
DSA invocationId: d84e13de-4ed4-45e5-ba94-f04954536c51


        Default-First-Site-Name\SAMBA via RPC
                DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
                Last attempt @ Fri May 31 13:17:06 2013 BST was successful
                0 consecutive failure(s).
                Last success @ Fri May 31 13:17:06 2013 BST


        Default-First-Site-Name\SAMBA via RPC
                DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)


Connection --
        Connection name: 32efa02a-2852-45e8-bb49-78f0f3927895
        Enabled        : TRUE
        Server DNS name :
        Server DN name  : CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=com
                TransportType: RPC
                options: 0x00000001

And check the Active Directory database consistency, etc...

root@samba:~# samba-tool drs kcc
Consistency check on successful.

root@samba2:~# samba-tool drs kcc
Consistency check on successful.
samba-tool dbcheck
Checking 274 objects
Checked 274 objects (0 errors)

Both DC1 and DC2 should give the same number of objects.
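
The two checks above (replication status and matching object counts) can be scripted. This is an added example, not part of the original wiki notes: it parses saved `samba-tool drs showrepl` and `samba-tool dbcheck` output in the line format shown above. The SAMBA2 neighbour, its zero GUID and the failure lines are constructed sample data.

```bash
#!/bin/bash
# Added example (not from the wiki): health checks over captured samba-tool output.

# repl_failures: read `samba-tool drs showrepl` text on stdin and print one line
# per neighbour entry that reports a failed attempt or a non-zero failure counter.
# Exit status is 1 if anything was reported, 0 otherwise.
repl_failures() {
    awk '
        / via RPC[ \t]*$/ {
            partner = $0
            sub(/^[ \t]+/, "", partner)
            sub(/[ \t]+via RPC[ \t]*$/, "", partner)
            failed = 0
            next
        }
        /Last attempt @/ && /failed/ { failed = 1; next }
        /consecutive failure\(s\)/ {
            n = $1 + 0
            if (n > 0 || failed) {
                printf "%s: %d consecutive failure(s)\n", partner, n
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# dbcheck_summary: read `samba-tool dbcheck` text on stdin and print
# "<objects> <errors>" taken from the "Checked N objects (M errors)" line.
dbcheck_summary() {
    awk '/^Checked [0-9]+ objects \([0-9]+ errors\)/ {
             gsub(/[()]/, ""); print $2, $4; found = 1
         }
         END { exit !found }'
}

# same_object_count DC1_OUTPUT DC2_OUTPUT: succeed only if both dbcheck runs
# are error-free and checked the same number of objects.
same_object_count() {
    a=$(printf '%s\n' "$1" | dbcheck_summary) || return 2
    b=$(printf '%s\n' "$2" | dbcheck_summary) || return 2
    [ "${a#* }" = 0 ] && [ "${b#* }" = 0 ] && [ "${a% *}" = "${b% *}" ]
}

# Constructed sample: one healthy neighbour (lines as shown on this page) and
# one failing neighbour (made up for the example).
SAMPLE_SHOWREPL=$(cat <<'EOF'
        Default-First-Site-Name\SAMBA via RPC
                DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
                Last attempt @ Fri May 31 13:17:06 2013 BST was successful
                0 consecutive failure(s).
                Last success @ Fri May 31 13:17:06 2013 BST
        Default-First-Site-Name\SAMBA2 via RPC
                DSA object GUID: 00000000-0000-0000-0000-000000000000
                Last attempt @ Fri May 31 13:22:06 2013 BST failed, result 2 (WERR_BADFILE)
                3 consecutive failure(s).
                Last success @ NTTIME(0)
EOF
)
SAMPLE_DBCHECK=$(cat <<'EOF'
Checking 274 objects
Checked 274 objects (0 errors)
EOF
)

if ! printf '%s\n' "$SAMPLE_SHOWREPL" | repl_failures; then
    echo "replication needs attention"
fi
if same_object_count "$SAMPLE_DBCHECK" "$SAMPLE_DBCHECK"; then
    echo "dbcheck object counts match and are error-free"
fi
```

An entry showing "Last success @ NTTIME(0)" with 0 consecutive failures, as in the output above, is not reported; only a failed last attempt or a non-zero counter is.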

Error - process_usershare_file: stat of /var/lib/samba/usershares

sudo apt-get install libpam-smbpass
sudo service samba restart

Thanks to Stackoverflow.

Error - protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

You may see this if you try smbclient with the server name instead of an IP address...

smbclient -U username //server1/shared
Enter username's password: 
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE

To fix it, use the IP address instead...

smbclient -U username //
Enter username's password: 
Domain=[COMPANY] OS=[Unix] Server=[Samba 4.1.3-Ubuntu]
smb: \>

SAMBA4 Time Synchronisation

gvfsd-smb-browse taking 100% CPU in Ubuntu 16.04

sudo chmod 744 /usr/lib/gvfs/gvfsd-smb-browse

Thanks to Its FOSS.

SAMBA4 Administrator 3000000 User Id Ownership In Windows Explorer Files

samba-tool group addmembers 'Users' Administrator

SAMBA4 Group Policy Error


The processing of Group Policy failed. Windows attempted to read the file \\\sysvol\\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.


find /usr/local/samba/ -type d -name 'Policies'

smbcacls // -U
smbcacls //{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U


samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck

Secondary DC

For some reason, the file replication did not work and the Group Policy files and folders were missing on the secondary domain controller.

Copy the Group Policies folder to the secondary domain controller...

rsync -h -a -v /usr/local/samba/var/locks/sysvol/ root@

Then, run the same 2 commands on the secondary dc to fix that as well...

samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck

Job, done.

Thanks -


All Domain Users

wbinfo -u |sort

All Domain Groups

wbinfo -g |sort

HOWTO: Create A Share With Read And Write But NOT Delete

HOWTO: Use Ubuntu Nemo File Manager With Specific User Name

Type the following into the address bar of Nemo...


HOWTO: Installing RSAT on Windows for AD Management

INFO: Samba4/videos

HOWTO: Hide desktop.ini and $RECYCLE.BIN

nano /etc/samba/smb.conf
     hide files = /desktop.ini/$RECYCLE.BIN/

HOWTO: Shut Down Or Restart Windows PC

Shut down...

net rpc shutdown -U -S


net rpc shutdown -r -U -S

HOWTO: Set Date And Time On A Remote Windows Desktop

Download, compile and install the winexe software...

sudo -i
tar xzvf winexe-1.00.tar.gz
cd winexe-1.00/source4/
make basics bin/winexe
cp -v ./bin/winexe /usr/local/bin/


winexe -V

Thanks -

Then, use it to run a Windows command prompt on a remote desktop... (type exit to quit)

winexe --user Administrator%Password --runas Administrator%Password // "cmd.exe"

Or, use it to set the date and time on a remote Windows desktop... (note the extra double \\ to escape)

winexe --user Administrator%Password --runas Administrator%Password // "net time \\\\ /set /yes"

HOWTO: Troubleshooting Samba

HOWTO: Test Host Access To Shares

Usage: testparm /path/to/configfile machinename ipaddress

testparm /etc/samba/smb.conf dt01

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[shared]"
Loaded services file OK.
Allow connection from dt01 ( to homes
Allow connection from dt01 ( to shared

HOWTO: Find SMB Hosts On A Network


HOWTO: Discover Hosts With Shares

Discover what hosts have NMB port 139 open...

nmblookup -d2 '*'
nmap -p 139 -sT 192.168.0.*

Scan a host to find its NETBIOS hostname...

nmblookup -A

List a host shares...

smbclient -L \\COMPUTERNAME   (just pressing Enter might work here)


smbclient -L \\COMPUTERNAME -Uusername


smbclient -L \\COMPUTERNAME -Uusername -I ip-address


smbtree -b -N

Find Master Browser

nmblookup -M -- -

Check NetBIOS Names IP Addresses

       \\SERVER1                       server1 server (Samba, Ubuntu)
               \\SERVER1\shared                Shared file space
               \\SERVER1\IPC$                  IPC Service (server1 server (Samba, Ubuntu))
nmblookup -U WORKGROUPNAME -R 'DT01' DT01<00>

SAMBA4 - A Little Light Reading


eselect python set python2.7
emerge --unmerge --ask app-crypt/mit-krb5
emerge --ask --quiet app-crypt/heimdal
revdep-rebuild -- --ask

echo "net-dns/bind berkdb dlz gssapi" >>/etc/portage/package.use
echo "net-dns/bind-tools gssapi" >>/etc/portage/package.use

emerge --ask --quiet net-dns/bind net-dns/bind-tools

nano /etc/portage/package.keywords
# required by samba4
sys-libs/tevent ~amd64
sys-libs/tdb ~amd64
sys-libs/ldb ~amd64
sys-libs/talloc ~amd64

nano /etc/portage/package.use
sys-libs/tdb python
sys-libs/talloc python 

emerge --ask --quiet sys-libs/talloc sys-libs/tdb sys-libs/tevent sys-libs/ldb   
emerge --ask --quiet net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn

nano /etc/fstab
/dev/md4   /home     ext4     user_xattr,acl,barrier=1,noatime         1 1

cd /usr/src/linux
make menuconfig
make && make modules_install
cp -av arch/x86/boot/bzImage /boot/kernel-3.3.8-gentoo 
cp -av /boot/ 
cp -av .config /boot/config-3.3.8-gentoo 

mkdir /root/misc/
cd /root/misc/
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test -d test.txt
touch test3.txt
setfacl -m g:adm:rwx test3.txt
getfacl test3.txt

eselect python set python2.7

mkdir /usr/src/samba4
cd /usr/src/samba4
git clone git:// samba-master
cd samba-master
./configure --enable-debug --enable-selftest
Waf: Leaving directory `/usr/src/samba4/samba-master/bin'
'build' finished successfully (11m54.988s)

make install
Waf: Leaving directory `/usr/src/samba4/samba-master/bin'
'install' finished successfully (3m15.214s)

~ $ samba-tool domain provision
 Domain [EXAMPLE]:
 Server Role (dc, member, standalone) [dc]:
 DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=EXAMPLE,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=EXAMPLE,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              samba
NetBIOS Domain:        EXAMPLE
DNS Domain:  
DOMAIN SID:            S-1-5-21-1142887457-1374467446-1811036830

cp /usr/local/samba/private/krb5.conf /etc/

cat /etc/resolv.conf

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
       workgroup = EXAMPLE
       realm = EXAMPLE.COM
       netbios name = SAMBA
       server role = active directory domain controller
       dns forwarder =

[netlogon]
       path = /usr/local/samba/var/locks/sysvol/
       read only = No

[sysvol]
       path = /usr/local/samba/var/locks/sysvol
       read only = No

samba -i -M single
(separate terminal)

$ smbclient --version
Version 4.1.0pre1-GIT-8aae8b5

$ smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5]

       Sharename       Type      Comment
       ---------       ----      -------
       netlogon        Disk
       sysvol          Disk
       IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-8aae8b5)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5]
smbclient //localhost/netlogon -UAdministrator%'passW0rd' -c 'ls'
host -t SRV has SRV record 0 100 389
host -t SRV has SRV record 0 100 88

kinit Administrator@EXAMPLE.COM
Administrator@EXAMPLE.COM's Password:
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: Administrator@EXAMPLE.COM
Issued                Expires               Principal
Apr 10 15:52:04 2013  Apr 11 01:52:04 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM


host -t A has address has address has address

samba-tool dns zonelist

samba-tool dns delete samba @ A
samba-tool dns delete samba A
samba-tool dns delete samba @ A
samba-tool dns delete samba A

Testing From Windows

ipconfig /release
ipconfig /renew
ipconfig /all
net view /domain:$DOMAIN
net view \\$ADHOST
nbtstat -A $ADHOST_IP4









SAMBA4 HOWTO: Ports Used

SAMBA4 HOWTO: Add File Server As A Domain Member


testparm -s
smbclient -L \\   (just press enter when asked for password)
net ads info
wbinfo -u
wbinfo -g
getent passwd
smbclient -U Administrator //

SAMBA4 HOWTO: Stop Samba Daemons


sudo -i
start-stop-daemon --stop --pidfile /usr/local/samba/var/run/


sudo start-stop-daemon --stop --pidfile /usr/local/samba/var/run/


sudo -i
echo 'export PATH=$PATH:/usr/local/samba/bin:/usr/local/samba/sbin' >>~/.bashrc
source ~/.bashrc
which samba-tool

SAMBA4 HOWTO: Check Everything


samba --version


testparm -s
cat /etc/hosts
cat /etc/resolv.conf


tail /usr/local/samba/var/log.smbd
tail /usr/local/samba/var/log.samba
pidof samba


kinit Administrator




/usr/bin/host -t SRV
samba-tool dns query dc @ ALL -U Administrator
/usr/bin/nslookup dc


samba-tool dbcheck


samba-tool drs kcc


samba-tool fsmo show


smbclient -L localhost -U%


smbclient //localhost/netlogon -U username


samba-tool drs showrepl
netstat -ntp |grep 'samba'


samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck
find /usr/local/samba/ -type d -name 'Policies'
smbcacls // -U
smbcacls //{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U

SAMBA4 HOWTO: Check Database And User Passwords In DC Replication

On PDC (Primary Domain Controller) DC #1...

samba-tool dbcheck
samba-tool ntacl sysvolcheck
samba-tool drs showrepl
smbclient //localhost/netlogon -U username

On SDC (Secondary Domain Controller) DC #2...

samba-tool dbcheck
samba-tool ntacl sysvolcheck
samba-tool drs showrepl
smbclient //localhost/netlogon -U username

SAMBA4 HOWTO: Move DC1 To A Virtual Computer

  1. check daily backup files on physical dc1
  2. make note of physical dc1 mac and ip address
  3. copy daily backup files from physical dc1 to virtual dc1
  4. restore daily backup files on virtual dc1 -
  5. rsync sysvol from physical dc1 to virtual dc1, reset and check
  6. rsync sysvol from physical dc1 to virtual dc2, reset and check
  7. shut down ALL other windows servers and pcs
  8. shut down virtual dc2
  9. shut down physical dc1
  10. take out power and network cables from physical dc1
  11. shut down virtual dc1
  12. change mac address and ip address on virtual dc1 to match physical dc1
  13. start virtual dc1
  14. check mac and ip address, route, ping, etc.
  15. follow "check everything" on wiki -
  16. say 3 hail mary's, do a rain dance and pray to your deity :)
  17. check a domain login with a windows pc
  18. start up a second pc
  19. start up the servers
  20. start up the rest :)
  21. backup virtual dc1... and breathe a sigh of relief

SAMBA4 HOWTO: Move DC1 To Another Computer (OLD NOTES)

  1. Start up virtual DC1 with no Samba installed.
  2. Install exactly the same Samba version on virtual DC1, but do not start yet.
  3. Shut down real DC2.
  4. Backup real DC1 using Samba script.
  5. Shut down real DC1.
  6. Restore from real DC1 to virtual DC1 using Samba script.
  7. Basic DNS, LDAP and Kerberos checks.
  8. Start virtual DC1 Samba and test Windows logon and log files for errors.
  9. Start real DC2.
  10. Check replication.

SAMBA4 HOWTO: Windows Roaming Profiles

SAMBA4 HOWTO: Add New User, Specific Group, Non Expiring Password

samba-tool user create newuser P4ssw0rD --given-name=New --surname=User
samba-tool user setpassword newuser --newpassword=P4ssw0rD
samba-tool user setexpiry newuser --noexpiry
samba-tool group addmembers 'Users' newuser
samba-tool group addmembers 'Print Operators' newuser
samba-tool group listmembers 'Users' |sort
samba-tool group listmembers 'Domain Users' |sort

SAMBA4 HOWTO: Map Samba4 Users To Their UNIX UID

sudo cp -av /var/lib/samba/private/idmap.ldb /root/
sudo aptitude install -y ldb-tools
sudo id plittlefield
sudo wbinfo --name-to-sid plittlefield
sudo wbinfo --sid-to-uid S-1-5-21-3341700322-3244603124-2130708482-1109
sudo ldbedit -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-3341700322-3244603124-2130708482-1109
wbinfo --sid-to-uid S-1-5-21-3341700322-3244603124-2130708482-1109
1000

Thanks -

SAMBA4 HOWTO: List All AD Groups

samba-tool group list |sort


samba-tool group add GroupName

SAMBA4 HOWTO: List AD Group Members

samba-tool group listmembers 'Administrators'

SAMBA4 HOWTO: Add AD Group Members

samba-tool group addmembers 'Administrators' username1
samba-tool group addmembers 'Administrators' username2,username3,username4

SAMBA4 HOWTO: Remove AD Group Members

samba-tool group removemembers 'Administrators' username

SAMBA4 HOWTO: Force DC Replication

samba-tool drs replicate CN=Configuration,DC=domain,DC=com -U Administrator

SAMBA4 HOWTO: Check DC LDAP Replication

Compare the entire directory on Domain Controller DC1 and DC2...

samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator

Compare single AD partitions on Domain Controller DC1 and DC2...

samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator domain
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator configuration
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator schema
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsdomain
samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator dnsforest

Thanks -

SAMBA4 HOWTO: Rsync based SysVol Replication

Set up rsync on DC1...

sudo apt-get install rsync
sudo nano /etc/rsyncd.conf

[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = /etc/rsyncd.secret

sudo systemctl restart rsync

Install Rsync on DC2...

sudo apt-get install rsync

Test Rsync connection on DC2...

rsync dc1::

Run command in TEST mode, to PULL files from DC1...

sudo rsync -XAavz --delete-after --log-file=/var/log/rsync.log --password-file=/etc/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/

Then add to crontab every 5 minutes...

sudo crontab -e
*/5 * * * * rsync -XAavz --delete-after --log-file=/var/log/rsync.log --password-file=/etc/rsync-sysvol.secret rsync://sysvol-replication@dc1/SysVol/ /var/lib/samba/sysvol/
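
The setup above depends on an authenticated, read-only module and on a secrets file that only its owner can read; with rsync's default strict modes the daemon refuses a secrets file that other users can read. The following audit is an added example, not part of the original wiki notes: it checks those points against a constructed copy of the configuration in a temporary directory. The function names and the placeholder password are made up, and GNU stat is assumed.

```bash
#!/bin/bash
# Added example (not from the wiki): audit the rsync daemon module and secrets
# file that the SysVol pull depends on. Assumes GNU stat (Linux).

# module_get CONF MODULE KEY: print the value of KEY inside [MODULE].
module_get() {
    awk -v mod="$2" -v key="$3" '
        /^[ \t]*\[/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_mod = (name == mod)
            next
        }
        in_mod && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) print v
        }
    ' "$1"
}

# secret_ok FILE: succeed only if FILE exists and has no group/other permission bits.
secret_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# audit_sysvol_module CONF MODULE: print findings, return 1 if there are any.
audit_sysvol_module() {
    conf=$1; mod=$2; rc=0
    ro=$(module_get "$conf" "$mod" 'read only')
    case "${ro:-yes}" in                 # rsyncd modules default to read only
        yes|true|1) ;;
        *) echo "FAIL: [$mod] is writable (read only = $ro)"; rc=1 ;;
    esac
    if [ -z "$(module_get "$conf" "$mod" 'auth users')" ]; then
        echo "FAIL: [$mod] has no auth users, so anonymous pulls are allowed"; rc=1
    fi
    secrets=$(module_get "$conf" "$mod" 'secrets file')
    if [ -z "$secrets" ]; then
        echo "FAIL: [$mod] has no secrets file"; rc=1
    elif ! secret_ok "$secrets"; then
        echo "FAIL: $secrets is missing or accessible to group/other"; rc=1
    fi
    return $rc
}

# make_sample DIR: write a constructed copy of the DC1 configuration into DIR.
make_sample() {
    cat > "$1/rsyncd.conf" <<EOF
[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
read only = yes
auth users = sysvol-replication
secrets file = $1/rsyncd.secret
EOF
    printf 'sysvol-replication:CONSTRUCTED-PLACEHOLDER\n' > "$1/rsyncd.secret"
    chmod 644 "$1/rsyncd.secret"         # deliberately too open for the demo
}

demo=$(mktemp -d)
make_sample "$demo"
audit_sysvol_module "$demo/rsyncd.conf" SysVol || echo "-> tighten with chmod 600"
chmod 600 "$demo/rsyncd.secret"
audit_sysvol_module "$demo/rsyncd.conf" SysVol && echo "OK after chmod 600"
rm -rf "$demo"
```

The same `secret_ok` check applies to the client-side `--password-file` on DC2, which rsync also rejects when other users can access it.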

SAMBA4 HOWTO: Check AD Schema Version

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'cn=Schema,cn=Configuration,dc=example,dc=com' -s base objectVersion

SAMBA4 HOWTO: Transferring and Seizing FSMO Roles

Log in to the DC you want to become the new Primary DC.

samba-tool fsmo transfer --role=all --username=Administrator


Make sure you are using Python 2.7

python --version

Edit the Samba fsmo Python Library and add an extra line...

nano /usr/lib/python2.7/dist-packages/samba/netcmd/
import samba
import samba.getopt as options
import ldb
import samba.drs_utils
from ldb import LdbError

Now, run your transfer command again, and it will work :-)

samba-tool fsmo transfer --role=all --username=Administrator

Thanks -

HOWTO: FIX ERROR: uncaught exception - 'module' object has no attribute 'drs_utils'

Same fix as above.

SAMBA4 HOWTO: Show Domain Function Level

samba-tool domain level show

SAMBA4 HOWTO: Raising the Domain Function Levels

To raise the level of the AD Schema...

samba-tool domain level raise --domain-level=2008_R2 --forest-level=2008_R2

SAMBA4 HOWTO: Export LDAP Database

ldbsearch -H "/usr/local/samba/private/sam.ldb.d/DC=DOMAIN,DC=COM.ldb" >/path/to/ldbsearch_export.txt

SAMBA4 HOWTO: Samba Tool Documentation

SAMBA4 HOWTO: DNS Administration

SAMBA4 HOWTO: Query Server Information

samba-tool dns serverinfo server

SAMBA4 HOWTO: Query Root Hints Information

samba-tool dns roothints server

SAMBA4 HOWTO: List Zones

samba-tool dns zonelist server

SAMBA4 HOWTO: Query / Show All Entries In DNS

samba-tool dns query server @ ALL

SAMBA4 HOWTO: Edit Entries In DNS

A Record

samba-tool dns update server www A 123.456.789.0 123.456.789.1


samba-tool dns add dc DT01 A
samba-tool dns zonecreate dc
samba-tool dns add dc 101 PTR DT01
/etc/init.d/samba stop
/etc/init.d/samba start
samba-tool dns query dc @ ALL -U Administrator
samba-tool dns query dc @ ALL -U Administrator
host dt01
nslookup dt01
ping dt01

SAMBA4 HOWTO: Change Normal User Password

samba-tool user setpassword JoeBloggs --newpassword=MyNewPassword -U Administrator

SAMBA4 HOWTO: Change Administrator Password



samba-tool user setpassword Administrator
New Password: 
Enter it again:
Password changed.



sudo smbclient -L localhost -U%
session setup failed: NT_STATUS_OBJECT_NAME_NOT_FOUND


sudo apt-get install winbind
sudo reboot

SAMBA4 HOWTO: Windows 10

Problems Connecting To Shares - SMBv1 SMBv2

Thanks -

Problems Administering - Backup Key

Upgrade to Samba 4.3.

The problem is related to a buggy and/or incomplete implementation of the "Backup Key" sub-protocol that older Samba versions have. You'll probably notice that Credential Manager was also unusable for the same reason.

Alternatively, use an older OS to manage the directory – e.g. Server 2003 can create user accounts without any problems, since it doesn't use the "Backup Key" protocol for anything yet. (I am not sure about Server 2008.)

Unfortunately, 4.3 is not yet packaged for Ubuntu – still pending in Debian's "unstable" too – however, it's actually easy to build Samba from source code.

As for the [Users] block, it simply defines a shared folder.

In smb.conf, every section except [global] corresponds to a share definition – "netlogon" and "sysvol" are special AD shares, and "Users" is probably a custom one.

Thanks -

Problems RSAT - The RPC server is unavailable

Upgrade from 14.04 LTS to 16.04 LTS...

sudo do-release-upgrade

Then, follow this...


  • Updating From GIT

Shut down Samba on both DC1 and DC2.

git pull

...but may have to do:-

git clean -x -f -d

Make and Install as above.

Start Samba on both DC1 and DC2.

  • Ubuntu Startup Script

  • Secondary AD DC
samba-tool drs showrepl

1. On the server you have already installed what you want to match:-

  $ cd /usr/src/samba4/samba-master
  $ git log -1

This will show you the HASH revision number.

2. On the server you want to install the same:-

  $ mkdir /usr/src/samba4
  $ cd /usr/src/samba4/
  $ git clone git:// samba-master
  $ cd samba-master/
  $ git checkout 8aae8b5bad167ac732b7f8949dfb40aebb2f26a9
  $ git reset --hard

Proceed as above for installing the software.

  • List Domain Users
samba-tool user list |sort
  • Active Directory Windows Tool
  • DNS Editing

Adding an A record...

samba-tool dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data


samba-tool dns add samba www A 123.456.789.0

Record added successfully


nslookup samba
Server:         samba

Address: 123.456.789.0
  • Slow Logons
Fixed by deleting multiple incorrect IP addresses for Samba4 server.
  • Add New Users in Linux command-line
samba-tool user add jbloggs joe
  • Non Complex Passwords
samba-tool domain passwordsettings set --complexity=off
Password complexity deactivated!
All changes applied successfully!

samba-tool domain passwordsettings set --min-pwd-length=3
Minimum password length changed!
All changes applied successfully!
  • Backup and Restore

  • Gentoo Samba4 Startup Script
#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/samba4.initd,v 1.3 2011/09/14 22:52:33 polynomial-c Exp  $

# Expose reload() as an extra command for a running service
extra_started_commands="reload"

description="The samba daemon init script"
description_reload="Reloads the samba daemon"

depend() {
       need net
}

start() {
       ebegin "Starting samba"
       start-stop-daemon --start --exec samba
       eend $?
}

stop() {
       ebegin "Stopping samba"
       start-stop-daemon --stop --pidfile /usr/local/samba/var/run/
       eend $?
}

reload() {
       ebegin "Reloading samba"
       killall -HUP samba
       eend $?
}

HOWTO: Restrict File Sharing To Particular Users or Network Addresses

Shut Down A Windows PC Remotely

net rpc SHUTDOWN -C "Test of remote shutdown with Samba" -f -I "" -W DOMAIN -U username%password

Shutdown of remote machine succeeded

ERROR: read_data: Accessing Share From Windows 7

Windows PC cannot access Samba Share. This is from Samba log file (/var/log/samba/log.mypc)...

 [2012/06/08 12:03:21, 0] lib/util_sock.c:read_data(534)
 read_data: read failure for 4 bytes to client Error = Connection reset by peer

Fix #1:

Control Panel > System and Security > Administrative Tools > Local Security Policy
Local Policies > Security Options > Network Security
LAN Manager Authentication Level > Send LM & NTLM Responses
Uncheck Require 128-bit Encryption on Clients
Uncheck Require 128-bit Encryption on Servers
Save and Reboot

Fix #2:

Control Panel > Credentials Manager > Browse to Samba Server and check or delete stored usernames and passwords
Save and Reboot

Adding And Testing Users


smbpasswd -a testuser


pdbedit -a -u testuser


grep 'testuser' /etc/passwd
testuser:*:1001:1001::0:0:Test User:/home/testuser:/usr/sbin/nologin
pdbedit -u testuser
testuser:1001:Test User
pdbedit -v -u testuser

Add Roaming Profile Machine Trust Account

useradd -c "Company 003 Machine Account" -d /dev/null -g machines -s /bin/false company-003$
smbpasswd -a -n -m company-003

You should have entries like the following:

/etc/passwd: company-010$:x:1016:101:Company-010 Machine Account:/dev/null:/bin/false
/etc/shadow: company-003$:!:15393:0:99999:7:::
/var/lib/samba/private/smbpasswd: company-003$:1035:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:2D6AF5372CEEE519054B3EAA0FC1B9D6:[W          ]:LCT-4F4664C3:

Test Samba Share Via Command Line

~ $ smbclient -U username //
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.28]
smb: \> ls
smb: \> quit

Tweaks For Network Browsing

smb port = 139
local master = yes
domain master = yes
preferred master = yes
os level = 35
interfaces =
bind interfaces only = yes

Windows 7: Domain Log On

There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

            DWORD  DomainCompatibilityMode = 1
            DWORD  DNSNameResolutionRequired = 0

Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.

If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:

           DWORD  RequireSignOrSeal = 1
           DWORD  RequireStrongKey = 1

Primary Domain Controller