buidling a WORKING Debian AD DC


Nov 2, 2010
NOTE: cleaned up some things, 4/3/18

my original debian AD DC is based on Debian 6 and it has been upgraded a couple times but is starting to show wierd errors, time to just build a new one. problem is none of the ubuntu guides work out of the box on debian. so this is my alterations to build a Debian 9.4 AD DC.

samba4 samba 4 active directory domain controller guide (REAL ACTIVE DIRECTORY, NOT LDAP)

NOTE: for the moment this is a notes dump (so i can get to it at home and work easily.) i will clean it up and add more pictures next week.

built on a Debian 9.4 install, BASE SYSTEM ONLY.

first boot, apt-get install acl attr ntp ntpdate openssh-server dnsutils

Nano /etc/fstab
add user_xattr,acl,barrier=1,noatime options on disks where samba connects
mount -a (no errors reboot)

apt -y install samba krb5-user krb5-config winbind libpam-winbind libnss-winbind
NOTE: borking this step causes unfixable failure and needs reinstall
screen 1 needs CAPS DOMAIN.NAME
screen 2 needs no caps FQDN servername.domain.name
screen 3 needs no caps FQDN servername.domain.name

systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service

mv /etc/samba/smb.conf /etc/samba/smb.old

samba-tool domain provision --use-rfc2307 --interactive

mv /etc/krb5.conf /etc/krb5.old
mv /var/lib/samba/private/krb5.conf /etc/krb5.conf

nano /etc/hosts add domain.name servername and ipaddy FQDN servername do not remove anything
nano /etc/network/interfaces -- add lines dns-nameservers 'your-ip' dns-search 'domain.name'
nano /etc/hostname 'may or may not need fixed
nano /etc/resolv.conf will need 'fixed' lots of options for this
nano /etc/samba/smb.conf in global add "server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, s3fs" no quotes (it will NOT work correctly with out this and you will be confused by the errors, you have been warned)

systemctl unmask samba-ad-dc.service
systemctl start samba-ad-dc.service
systemctl enable samba-ad-dc.service
systemctl status samba-ad-dc.service

samba-tool domain level show should = windows 2008R2



ping FQDN, domain.name, server name

host –t A tecmint.lan
host –t A adc1.tecmint.lan
host –t SRV _kerberos._udp.tecmint.lan # UDP Kerberos SRV record
host -t SRV _ldap._tcp.tecmint.lan # TCP LDAP SRV record

kinit administrator
kinit administrator@DOMAIN.NAME

finally test joining some windows machines too the domain

this system can be managed by a windows machine running RSAT. DNS, gp, active directory all functional normally in RSAT. DHCP MUST be handled by a different system.

in DNS make sure to create your reverse lookup zones.

boot issue samba-ad-dc needs delay added post net

nano /lib/systemd/system/samba-ad-dc.service add

systemctl daemon-reload
systemctl restart samba-ad-dc
Last edited:


Limp Gawd
Jul 30, 2013
I appreciate you posting this. hopefully i can find some time to give this a try my self, and get it working with my setup. I currently use openldap with sasl pointers to mit kerberos for the passwords, this works fine for most normal linux things, but leaves a lot to be desired getting it playing nicely with my samba fileservers, and is not much use for my windows gaming machine. I had been thinking for a while if i used an AD DC as the kerberos backend i could still use that as the password backend for openldap, but get better control over my samba installs, and windows gaming box. Its always a mater of time and energy to motivate doing something like that though,I am hoping your post gets me to actually do it.


Nov 2, 2010
as motivation, i have more linux boxes connecting to Freenas smb/cifs shares using AD for security than i do windows. i do have a mixed environment, and this set up makes it the easiest to manage everything. join windows machines to the domain, and either join the linux boxes to the domain too, or build mappings in the fstab if the linux box is more of a dedicated system. this system will actually save you time long term.

the coolest part is managing users via the windows RSAT package. its almost mind boggling that the MS management tools can not tell the difference. i can build a user and add them to the groups for whatever files and folders they need in about 10 seconds, if i spell their name correctly.


Nov 2, 2010
just thought i would update these samba 4 deployments for Active Directory work beautifully.

i did have to add an NTS system to my Debian DC but that was super simple. the RSAT utility, windows 10 computers, server 2016, (have not tried 2019 yet but it is on my todo list) and even OSX Catalina and other linux distros all bind to the active directory environment easily. i also have FreeNAS installed at my home site and i do all permissions for file sharing through active directory users and groups permissions.