Provisioning Samba Active Directory Domain Controller and Windows Domain Integration

2025-04-26 · 4 min read

Running Active Directory in a home lab doesn't require Windows Server — Samba 4 can provision a fully functional AD Domain Controller on Linux. This post covers how I stood up a Samba AD DC on Ubuntu Server, joined a Windows 11 client to the domain, and migrated a local user profile to a domain account.

1. Server Preparation

  • OS: Ubuntu Server 24.04.2 LTS

  • Initial Setup:

    • Static IP address manually configured

      • IP: 172.30.30.30/24

      • Gateway: 172.30.30.1

      • DNS (initially): 172.21.21.21 (Pi-hole)

    • Installed basic utilities (OpenSSH, networking tools)

2. Samba Installation and Configuration

  • Installation Commands:

    sudo apt update
    sudo apt full-upgrade
    sudo apt install samba krb5-config krb5-user winbind smbclient
    
  • Service Management:

    • Disabled default Samba services to prepare for AD DC mode:

      sudo systemctl disable smbd nmbd winbind
      sudo systemctl stop smbd nmbd winbind
      
  • Provision Domain Controller:

    sudo samba-tool domain provision --use-rfc2307 --interactive
    
    • Realm: TILLYNET.LAN

    • Domain: TILLYNET

    • Server Role: Domain Controller (DC)

    • DNS Backend: SAMBA_INTERNAL

    • DNS Forwarder: Initially pointed to Pi-hole (172.21.21.21)

  • Post-Provision:

    • Samba auto-generated a clean /etc/samba/smb.conf.

3. Troubleshooting During Provisioning

  • Provisioning Error — Existing smb.conf:

    • Deleted the pre-existing /etc/samba/smb.conf before reprovisioning.

  • DNS Conflict with systemd-resolved:

    • Overwrote /etc/resolv.conf to point manually at 127.0.0.1.

  • Kerberos KDC Lookup Failure:

    • Encountered "Cannot find KDC" errors until DNS was pointed at the local Samba DNS.

  • DNS Port 53 Not Listening Initially:

    • Restarted samba-ad-dc so that its internal DNS bound correctly.

  • Benign DNS Update Errors (Exit Code 29):

    • Ignored these initial race conditions during service startup; they resolved on their own.

  • SRV Record Lookup Failure:

    • SRV records appeared correctly once the service stabilized.

  • No Post-Provision DNS Forwarder Command:

    • Confirmed that the DNS forwarder must be set during samba-tool domain provision; there is no samba-tool command to change it afterwards.

4. Kerberos Configuration

  • Kerberos File Setup: Overwrote /etc/krb5.conf with the following minimal configuration:

    [libdefaults]
        default_realm = TILLYNET.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
    

5. DNS Forwarding and Testing

  • DNS Forwarding:

    • Set during provisioning; no samba-tool command is available to change it post-provision.
  • DNS Functionality Testing:

    dig @127.0.0.1 google.com
    host -t SRV _kerberos._udp.tillynet.lan
    samba-tool dns query 127.0.0.1 tillynet.lan @ ALL
    
  • Confirmed correct A records and SRV records.
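Added here as a worked example (not from the original post): a POSIX shell health check that turns the troubleshooting and DNS testing steps above into functions. It assumes the realm tillynet.lan from the post and the DC answering DNS on 127.0.0.1; each check parses the output of the command the post uses, so it can run live on the DC or be exercised against captured output.

```shell
#!/bin/sh
# Added example, not from the original post: post-provision health check for a Samba AD DC.
# Assumes the realm tillynet.lan from the post and the DC answering DNS on 127.0.0.1.
# Each check_* function parses command output handed to it as $1, so the logic can be
# exercised against captured output as well as live on the DC.
set -u

REALM="${REALM:-tillynet.lan}"

# 0 if every nameserver line points at 127.0.0.1 (the systemd-resolved stub 127.0.0.53 fails).
check_resolv() {
  printf '%s\n' "$1" | awk '
    /^nameserver/ { n++; if ($2 != "127.0.0.1") bad = 1 }
    END { exit (n == 0 || bad) ? 1 : 0 }'
}

# 0 if `host -t SRV` output names at least one SRV target for the queried service.
check_srv() {
  printf '%s\n' "$1" | grep -q 'has SRV record'
}

# 0 if `dig +short` output holds an IPv4 answer, i.e. the forwarder resolves external names.
check_forwarding() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Prints the forwarder from smb.conf text; empty output means none was set at provision time.
get_forwarder() {
  printf '%s\n' "$1" | awk -F= '/^[[:space:]]*dns forwarder[[:space:]]*=/ {
    gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Live run on the DC: returns non-zero if any check fails.
run_checks() {
  rc=0
  check_resolv "$(cat /etc/resolv.conf)" || { echo "FAIL: /etc/resolv.conf must name only 127.0.0.1"; rc=1; }
  for svc in _kerberos._udp _ldap._tcp; do
    check_srv "$(host -t SRV "$svc.$REALM" 127.0.0.1)" || { echo "FAIL: no SRV record for $svc.$REALM"; rc=1; }
  done
  check_forwarding "$(dig +short @127.0.0.1 google.com)" || { echo "FAIL: forwarder does not resolve external names"; rc=1; }
  fwd=$(get_forwarder "$(cat /etc/samba/smb.conf)")
  [ -n "$fwd" ] && echo "dns forwarder = $fwd" || echo "WARN: no dns forwarder set in smb.conf"
  return "$rc"
}

# Only run the live checks when invoked as: sh dc-check.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

A non-zero exit from run_checks points at exactly the failures listed in the troubleshooting section (resolver still on the systemd-resolved stub, SRV records not yet published, forwarder unreachable).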

6. Windows Client Domain Join

  • Windows Version: Windows 11 Pro

  • Actions:

    • Configured the PC to use the Samba server as its primary DNS server.

    • Joined the domain TILLYNET.LAN via System Properties.

    • Created a new domain administrative account: tillyadmin.

7. Profile Migration

  • Tool Used: ForensIT User Profile Wizard (Community Edition)

  • Action: Migrated old local user profile to domain user (tillyadmin).

  • Outcome:

    • Files migrated successfully.

    • Some environmental conflicts detected (e.g., SSH agent issues, mismatched user folders).

8. Git and SSH Environment

  • Setup Challenges:

    • SSH agent issues (error connecting to agent: No such file or directory).

    • Incorrect user profile folder (C:\Users\micha used instead of C:\Users\tillyadmin).

  • Diagnosis:

    • Domain login identity was correct (tillynet\tillyadmin).

    • Filesystem path was inherited from the old local user profile.

  • Plan for Correction:

    • Fully remove the broken tillyadmin profile.

    • Reprovision a fresh tillyadmin domain account.

    • Create a clean C:\Users\tillyadmin profile.

    • Reconfigure SSH keys and Git environment under the clean domain context.

Lessons Learned

  • Delete smb.conf before provisioning. Samba's provisioning tool will fail if an existing config is present. Start clean.
  • Point DNS to localhost immediately after provisioning. Samba AD DC is its own DNS server — /etc/resolv.conf must point to 127.0.0.1, not an external resolver.
  • Profile migration is messy. ForensIT works well for files, but environment paths (SSH agent sockets, user profile directories) don't always follow. A clean profile is often better than a migrated one.
  • Set the DNS forwarder at provision time. There is no samba-tool command to change it afterward without reprovisioning.
