How to install a Samba 4 Linux Active Directory domain controller on Debian 10

Problem: Windows XP clients cannot create a user profile against the Samba 4 AD DC. Samba 4 rejects NTLMv1 authentication by default (recent releases also disable SMB1 by default), and Windows XP depends on it. The setting below re-enables NTLMv1 only; if the client additionally needs SMB1, that is controlled separately by `server min protocol`.

Add this to the [global] section of /etc/samba/smb.conf:
ntlm auth = ntlmv1-permitted

Security caveat: this permits NTLMv1 for every client in the domain, not only XP. NTLMv1 responses are weak (DES-based on the NT hash, cheap to crack offline and usable in relay attacks), so treat it as a temporary compatibility exception: keep the XP clients on a trusted network segment and revert to the default `ntlm auth = ntlmv2-only` once they are retired.

systemctl restart samba-ad-dc
systemctl status samba-ad-dc

Add an AD user with a roaming profile path. Single-quote the path so the shell does not consume the backslashes, and replace IP with the profile server's name or address:

samba-tool user add user01 --profile-path='\\IP\Profiles\user01'

Or set the profile path from a Windows machine in Active Directory Users and Computers (user properties, Profile tab).

Group Policy on the client
Force a policy refresh:
gpupdate /force

Show which policies were applied:
gpresult /r

How to set up an additional AD DC (replica, for failover) on Debian 10.3

1. setup IP and host name
vim /etc/network/interfaces
iface ens192 inet static
address 172.16.x.78/24
gateway 172.16.x.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 172.16.x.77 172.16.x.67 172.16.x.68

vim /etc/hosts (keep the existing localhost lines; add both DCs with their FQDN so Kerberos can resolve the host name)
172.16.x.77 dc1.ad.domain.com dc1
172.16.x.78 dc2.ad.domain.com dc2

vim /etc/resolv.conf (until the join completes the new DC must resolve the domain through an existing DC, so list dc1 first)
search ad.domain.com
nameserver 172.16.x.77
nameserver 172.16.x.67
nameserver 172.16.x.68

Reboot system


2. install package
apt install samba attr dnsutils net-tools smbclient krb5-user krb5-config winbind libpam-winbind libnss-winbind libpam-krb5

Stop and disable the standalone Samba daemons. In AD DC mode the single `samba` process replaces them, and they must not run alongside it:
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind

Move the default smb.conf out of the way (the join generates a new one):
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

Configure Kerberos for the existing domain by copying krb5.conf from the first DC (it must at least set default_realm = AD.DOMAIN.COM):
scp root@dc1:/etc/krb5.conf /etc/krb5.conf

Obtain a Kerberos ticket for a domain administrator (the join authenticates with it), then confirm it with klist:
kinit administrator
Warning: Your password will expire in 40 days on Mon 01 Feb 2021 02:29:25 PM +07
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.COM

2. Join the domain as a DC using an account with administrative privileges on the domain. The realm is a required argument; the original command omitted it, which is why the output showed `domain ''` and a WORKGROUP prompt. With the realm given, the prompt names your domain:
# samba-tool domain join ad.domain.com DC -U administrator
Finding a writeable DC for domain 'ad.domain.com'
Found DC
Password for [DOMAIN\administrator]:

3. Add the following to the [global] section of the generated /etc/samba/smb.conf. Comments in smb.conf start with `#` or `;` — the original `(IP DNS)` annotation would have been parsed as part of the value:
vim /etc/samba/smb.conf

[global]
        # upstream resolver for zones the DC is not authoritative for
        dns forwarder = 172.16.x.67
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        # strips the DOMAIN\ prefix from user names; make sure no domain user shares a name with a local account
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes

4. Enable and start the AD DC service. On Debian the unit ships masked; if `systemctl status` reports it as masked, run `systemctl unmask samba-ad-dc` first.
        systemctl enable samba-ad-dc.service
        systemctl restart samba-ad-dc.service
        systemctl status samba-ad-dc.service

5. Check replication on both DCs; each connection should report a successful last attempt. The warning "No NC replicated for Connection!" can be ignored:
#samba-tool drs showrepl
Warning: No NC replicated for Connection!

6. Replace the copied krb5.conf with the one the join generated (it carries the correct realm and KDC settings):
        mv /etc/krb5.conf /etc/krb5.conf.initial
        ln -s /var/lib/samba/private/krb5.conf /etc/
Test kerberos
# kinit administrator
Password for administrator@AD.DOMAIN.COM:
Warning: Your password will expire in 40 days on Mon 01 Feb 2021 02:29:25 PM +07
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.COM

7. Finish: test creating an AD user on the new DC
root@dc2:~# samba-tool user add 5712016

8. Check on dc1 that the user replicated:
root@dc1:~# samba-tool user list
Unknown parameter encountered: "profile acls"
Ignoring unknown parameter "profile acls"
The two warnings mean smb.conf on dc1 contains a parameter this Samba version does not recognise; it is ignored, so remove it from that file.

9. Fixing a failed realm join from another Debian host. `-U` takes the join user and the realm is the positional argument:
root@proxy01:~# realm join -U administrator ad.domain.com --verbose
 * Resolving:
 * Resolving:
 * Performing LDAP DSE lookup on:
 * Successfully discovered:
Password for administrator:
 * Unconditionally checking packages
 * Resolving required packages
 ! PackageKit not available: The name org.freedesktop.PackageKit was not provided by any .service files
 ! Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli
realm: Couldn't join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli

Once the host is joined, create the service keytab for Squid. The keytab holds the computer account's keys, so restrict it to the account Squid runs as (chown to that user, chmod 600):
msktutil --auto-update --verbose -k /etc/squid/proxy.keytab --computer-name proxy01

Fix for the join failure: realmd installs the SSSD packages through PackageKit. Either install PackageKit so it can do so, or install the listed packages directly, then re-run the join:
apt install packagekit
# or
apt install sssd sssd-tools libnss-sss libpam-sss adcli


Run the following samba-tool commands as root on a DC (e.g. sudo -i):

Display domain users list
 root@smb:~# samba-tool user list

Add a domain user
 root@smb:~# samba-tool user create ubuntu

Delete a domain user
 root@smb:~# samba-tool user delete ubuntu

Reset password for a user
 root@smb:~# samba-tool user setpassword ubuntu

Set expiry for a user
 root@smb:~# samba-tool user setexpiry ubuntu --days=7

Disable / enable a user account
 root@smb:~# samba-tool user disable ubuntu
 root@smb:~# samba-tool user enable ubuntu

Display domain groups list
 root@smb:~# samba-tool group list

Display members in a group
 root@smb:~# samba-tool group listmembers "Domain Users"

Add a domain group
 root@smb:~# samba-tool group add ServerWorld

Delete a domain group
 root@smb:~# samba-tool group delete ServerWorld

Add a member to a domain group
 root@smb:~# samba-tool group addmembers ServerWorld ubuntu

Remove a member from the group ServerWorld
 root@smb:~# samba-tool group removemembers ServerWorld ubuntu

Change a domain user's password
Note: `smbpasswd -a` adds a new account rather than changing an existing one. For an existing AD user use `samba-tool user setpassword username` (shown above), or `smbpasswd username` without `-a`:
# sudo smbpasswd username
 [sudo] password for admin:
 New SMB password:
 Retype new SMB password:

