Implementing Samba 4

4 (3 reviews total)
By Marcelo Leal
    What do you get with a Packt Subscription?

  • Instant access to this title and 7,500+ eBooks & Videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Free Chapter
    Installing the Samba 4 Server

About this book

Samba is a drop-in replacement for the heart of the thousands and thousands of networks that run on Microsoft Windows domain controllers. Now with a compatible Active Directory implementation, it will definitely put its name inside every datacenter that wants a cost reduction for the Open Source solutions, without losing the security, stability, and flexibility of any resilient solution.

Implementing Samba 4 starts off with installing dependencies and building the Samba 4 software, deploying it as an Active Directory Domain Controller, and enabling the reader to understand the different roles the software can play on the network. This book looks at the Samba 4 Server roles, and breaks down the mystery and confusion that surrounds each role.

This book will take you through some clear, practical, and complete examples that will help you to take advantage of the Samba 4 Server quickly and in a simple way.

Publication date:
April 2014


Chapter 1. Installing the Samba 4 Server

In this chapter, we will begin with the GNU/Linux distribution, which we will use as the base operating system (OS) to run the Samba 4 software. We will install packages and execute some basic and fundamental configurations on the system. We will cover the following subtopics:

  • A quick overview of the installation process of the GNU/Linux distribution Debian 7.0 (Wheezy). This OS installation procedure will not be covered in much detail, because it should be really straightforward for the reader. Also, there are many excellent resources available online for further reading in case of any doubts regarding the installation process of GNU/Linux.

  • How to install and configure all the dependencies needed for a proper Samba 4 installation.

  • Step-by-step procedures and explicit command line examples to install the Samba 4 software.

  • How to use the Debian's official packages and repositories for all the dependencies.

  • How to install the Samba 4 Server using the source code (stable branch) from the official GIT repository of the project.

  • How to perform basic validations of the Samba 4 Server installation to be sure that the environment is ready for configuration and to provide a full range of the network services for which it's intended.

It's really important to have a sane environment on which the user can rely on and be sure that any issues faced later at the production phase are not caused by an unmet dependency, misconfiguration of one of the needed core parts of the OS, or even caused upon an auxiliary service (for example, the dhcp server) that is not properly configured or enabled.


Installing Debian 7.0 (Wheezy)

To get started with our Samba environment, we need to install the OS, and for that, the first task must be to choose of the right installation media. To install the Debian 7.0/Wheezy, released in May 04, 2013, we will use the network-installed ISO image. The installation is a very simple and quick process where we will go through using all the default configuration options. You can download the latest ISO (net install) 32-bit image file from the following link (for example, debian-7.0.0-i386-netinst.iso at the time of this writing):

Take a look at the proper hardware architecture for the system that you will install, and then choose the right ISO image file accordingly for your system's hardware. The Debian GNU/Linux distribution is available for many different platforms (amd64, ia64, powerpc, and sparc, just to name a few). We did choose i386, because our hardware is 32-bit.

We will run the dhcp, ntp, and Samba 4 Servers on the same system. Our Samba 4 Server will be the default gateway for our Microsoft Windows and GNU/Linux systems that will rely on our AD services. Therefore, it will perform Network Address Translation (NAT) for our clients, as in our example network our clients do not have direct access to the Internet; they will have Internet access using our Samba 4 Server as an intermediate machine. For this configuration, our Samba 4 Server will have two network cards—one in our private network (eth1) with IP and another with Internet access (eth0).

It's really important for any environment to have all systems with the time properly synchronized. Because Samba 4 uses Kerberos as the authentication mechanism, it's even more important to have the system time in sync, so we will configure the ntp services on our server. The dhcp server provides us with a powerful solution to manage the IPs on the network, integrate them with DNS services, and also automatically register their hostnames (another essential feature for AD services). If you already have a dhcp server on your network, you don't need to configure this service again on the Samba 4 Server.

If you already have an installed OS where you intend to install the Samba 4 Server, you can directly go to the installation and configuration phases of the dependencies and auxiliary software sections in this chapter. In the book, we will assume a configuration where dhcp and Samba 4 Servers will run on the same system and will provide the basic configuration files for all these services. Another important service that is crucial for the Samba 4 Server deployment is DNS. Samba 4 itself provides a basic but sufficient DNS server for most installations, and that's why we'll use it. As in the case of the dhcp service, if you already have DNS servers on your network, you can continue using them instead.

Just after you boot the system with your chosen installation CD, you will receive a screenshot similar to the following (this one is from the netinst ISO image) one:

You just need to follow the screens as the default options should be sufficient for most installations. When the installation is completed, don't forget to update and upgrade the OS:

leal@debian7:~$ sudo apt-get update && sudo apt-get upgrade

This is an important point, and will guarantee that you will be working with all the security patches that are available up to this point, and your running system will not start production with any known security flaws.


Installing and configuring Samba 4 Server's dependencies

With our system up, running, and up to date, we can start installing and configuring the Samba 4 Server's dependencies. Working with all the dependencies provided directly by the GNU/Linux distribution gives us all the support from the Debian community to maintain our system that is patched against security issues. It also saves a large number of working hours as we can install ready binaries for our system. All we need to do is issue the following command at the terminal:

leal@debian7:~$ su – root
root@debian7:~# apt-get install build-essential python-dev pkg-configlibcups2-dev cups krb5-user docbook-xsl libldap2-dev libattr1-devlibacl1-dev libgnutls-dev attr python-dnspython libreadline-devlibbsd-dev libblkid-dev libpopt-dev cups git acl gdb xsltproclibsasl2-dev libaio-dev libpam-dev valgrind resolvconf autoconf ldaputils ntp isc-dhcp-server && echo OK
root@debian7:~# exit

It's recommended and is a best practice to just use the root account as needed, and to use su or sudo to execute the commands that need super user privileges (for example, to install the software). So, if you want to follow the sudo approach, you need to have it installed and configured, and in case of using su, don't forget to leave the root shell after the needed administration task is performed. We will use both approaches as examples throughout the book.

The previous command will install some auxiliary components, such as Kerberos, dhcp server, cups (for printing services), and many libraries and other packages, which are needed to compile the Samba 4 Server. We just listed the main packages that we want to install on the command line as the GNU/Linux distribution will take care of and install all the other dependencies that are needed by these packages, in order to properly install them in the server. This is a powerful feature of the Debian package management system and saves a lot of time, as you see that many other packages are required to fulfill the installation command that we discussed previously.

While the installation of these packages is running, we only need to provide some information for the Kerberos configuration. If you have provided your domain information during the installation of the system, the Default Realm will already be filled with the right information. If not, you can do it now and add the information about the Realm and Administrative Server in the dialog box that apt-get install will bring up while installing krb5-user:

Default Realm: EALL.COM.BR
Administrative Server:


It's crucial to write the Kerberos Default Realm (FQDN) in uppercase.

If you have installed Debian 7.0 with the default options, it has been configured with the ext4 filesystem. So, let's just make sure that we have availability for all that we need in terms of filesystem features for a proper Samba 4 installation. To do that, we will inspect the kernel's config file placed in the /boot directory.

In a standard Debian installation, we can check the availability of the features of filesystems we need just by issuing the following script on the command-line prompt:

leal@debian7:~$ grep CONFIG_EXT4_FS /boot/config-`uname -r`


If you have a custom kernel and have the config file in a different location, change the file's path at the previous command to adjust it to your settings.

The output for that command must be like the following:


What the previous output tells us is that the ext4 filesystem was configured as a dynamically loadable module and the features of xattr (extended file attributes), posix_acl (access control lists), and security have been built on it.


You can use a script such as grep CONFIG_EXT\[2-4\]_FS /boot/config-`uname -r` to check ext2, ext3 and ext4 filesystems' features on your kernel.

All these extensions are needed by the Samba 4 Server for its proper execution, as it's needed by the Samba 4 AD/DC functions (for example, ACLs are required to handle Microsoft Windows OS permissions properly). With all these features available, we are in good shape and ready to proceed.

Now we will edit the fstab file of the OS to configure our system, thus enabling that features on our ext4 filesystem and providing them to the Samba 4 Server later on. Remember that any misconfiguration on your fstab file can make your system unbootable. So, after any changes on it, take a closer look at the edited fstab file to check if everything is as it should be.

First, it's a good practice to create a backup of the fstab file before editing:

leal@debian7:~$ su – root
root@debian7:~# cp -pRf /etc/fstab /etc/fstab-bkp && echo "OK"
root@debian7:~# exit

The output of the preceding command must be OK as it is a confirmation that our original fstab file has a backup copy to restore the file in case of any issues. After that, the following one-line script will handle the edition task of fstab for us:

leal@debian7:~$ su – root
root@debian7:~# FFILE=/etc/fstab; cp -pRf $FFILE $FFILE-`date'+%m%d%Y'` && sed -e 's/^UUID.* \/ .*errors=remount-ro/&,user_xattr,acl,barrier=1/' $FFILE > $FFILE-new && mv $FFILE-new$FFILE && echo "$FFILE edited OK."
/etc/fstab edited OK.
root@debian7:~# exit

The output must be like the following code:

/etc/fstab edited OK.

If the result is not like the output, as mentioned in the preceding code, check the special characters that we have on the script, because that can be a common source of mistakes. Any errors found on the script execution must not change anything on your original fstab file. Anyway, if the output suggests an error, take a look at the original file and in case of doubt, restore it from the backup we did before the patch (for example, /etc/fstab-bkp).

What the preceding one-liner script does is that it replaces any line in the fstab file that starts with UUID and has the pattern errors=remount-ro (characteristic for an ext3 or ext4 filesystems line) with a patched version that includes the needed directives—xattr and acl. Even if you have any customized partition scheme (for example, a separated /usr/ partition), it will work, and all the lines will be patched. Take a closer look at it before you go to the next step.

Another important OS configuration is the network interfaces' file (as they are configured as dynamic by default), our domain, and DNS servers. We will configure our Samba 4 Server for the IP on the eth1 interface of our system. So, this is the configuration that we need in our /etc/network/interfaces file for our eth1 card:

iface eth1 inet static


Don't forget to add the second interface (eth1) to the allow-hotplug directive, and the right configuration for your eth0 interface (the one with Internet access and a default gateway).

The configuration specified in the preceding code creates our interface eth1 static, sets the IP and netmask addresses, and configures our domain. Remember to change the domain in the previous example with your domain. We will work with the examples in this book with the EALL.COM.BR domain.

Note that dns-nameservers is configured to be this server itself; this is because we will soon configure the Samba 4 Server, and it has a built-in DNS server. We can perform some final checks on the edited files, and if everything is good, we will restart our server:

leal@debian7:~$ sudo shutdown -r now

After the restart, we can continue with our configuration, and the next step is the configuration of two auxiliary packages that we mentioned earlier. We need this for a proper Samba 4 Server execution of ntp and dhcp. We already have both of them installed since our previous dependencies' installation phase; we just need to configure and enable them.

Let's start with the Network Time Protocol (NTP) configuration (/etc/ntp.conf). Just add the following lines to the standard Debian NTP configuration file:

#Implementing Samba 4
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
restrict default mssntp

The first line in the preceding code is a comment, and it's always a good idea to add descriptive information about what and why something is being changed, added, or removed in any configuration (for example, you should replace the comment in the preceding example with something more descriptive). Another good practice is to add your name and date close to the change that makes everything easier when we need to understand what has been changed and why something is not working as it should. The next two lines are for the configurations that are needed for signed ntp and ms-sntp (authentication extensions).

The Dynamic Host Configuration Protocol (DHCP) configuration is not complex; we just need to add a few more lines to it. In a terminal window, just edit the /etc/dhcp/dhcpd.conf file, and replace all its content with the following lines:

# Implementing Samba 4
ddns-updates on;
option domain-name "";
option domain-name-servers,;
option netbios-name-servers;
option ntp-servers;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet netmask {
option routers; }


If you use the vi editor, you can replace the whole content of the file (just after the file is opened), issuing: dGi. After that, just add the lines in the preceding command and close and save the file, issuing: Esc:x.

In some of the configuration lines in the preceding code, it is important to get a detailed explanation as they are directly involved in Samba 4's server operations. After the comment line (the first one, starting with the # character), we have ddns-updates on. This is the directive that tells the dhcp server to update the DNS server about the new IP releases and register the client's hostname. All the option lines are information that the dhcp server will forward to its client's OSes when they get a dhcp lease. So, they will have a proper domain name server, netbios name server, ntp, and router information.

Before starting the dhcp server, the last step is to edit the /etc/default/isc-dhcp-server file and configure the interface on which the dhcp server will listen:


Now we are ready to start the dhcp server, as the installation process has already added it to init.d runlevel in order to start it at the server's boot time. To start the dhcp server now, just issue the following command:

leal@debian7:~$ su – root
root@debian7:~# /etc/init.d/isc-dhcp-server start

The output of this command must be like the following:

[ ok ] Starting ISC DHCP server: dhcpd.

Installing Samba 4 Server step by step

For the installation of the Samba 4 software, we will use GIT. So, we should start creating a workspace (for example, directory) to download the sources of the Samba 4 Server stable branch into it. In a terminal window, just execute the following command:

leal@debian7:~$ mkdir ~/workspace; cd ~/workspace && echo "OK"

We must receive an OK output in our terminal, and that is sufficient to be aware that the workspace was created successfully and we are already inside it. Now, let's download the Samba 4 source code and continue our installation process.


The previous command will create the workspace directly on our home directory.

Now, we will clone the Samba 4 stable branch from the official project's repository, configure it, and compile the software:

leal@debian7:~$ git clone -b v4-0-stablegit:// samba4

This command will take some time to complete as all the Samba 4 source code will need to be downloaded (the total time will vary depending on your Internet connection). Next, note the use of the --enable-self test option it the following configure command, as we will need the features added by this option in a later phase:

leal@debian7:~$ cd samba4
leal@debian7:~$ ./configure --enable-debug --enable-selftest
leal@debian7:~$ make && echo "OK"

This command will take some time to actually compile all the sources of the Samba 4 Server, and at the end, the output must be OK (the total time will vary depending on your system's resources). Here, you can see the last lines of the compilation process that I got on my system, along with the final successful result and the total elapsed time:

Waf: Leaving directory '/home/leal/workspace/samba4/bin'
'build' finished successfully (13m0.539s)

We will not install it on its definitive place in our system just yet. First, we will execute some validations to make sure that our resulted binaries are fully operational.


Basic validations of the Samba's installation

We need to have automated deployments, and that includes automated tests. It's really important to have proper tests for all of our deployments, because that is the guarantee that everything is the way we are used to and the way we expect it to be. I'm used to saying that in IT, everything needs to be an "Automated beast" and not a "Masterpiece". With that in mind, we do not stand in front of the servers to draw like Da Vinci (even if we could). However, we need to have everything automated (scripted), so it can be easily reproduced, and we can create, destroy, and recreate the whole environment without any effort.

The Samba 4 project helps us a lot with its built-in test suite, which is a great starting point for our environment's validation. Just issue the following command:

leal@debian7:~$ sudo make quicktest

We will receive a verbose output that will report the execution of many invaluable tests to verify whether our Samba 4 Server's installation is fully working. Pay close attention to each line as you'll be able to follow the status of each test that is being executed.

In case of any failure, we will need to review all of our installation and configuration steps to see what point was not executed properly. We need to pass this step cleanly to actually proceed to our Samba 4 Server configuration. The following is an excerpt of an example execution of the test suite:

[250/310 in 43m52s] samba4.raw.write(dc)
[251/310 in 43m53s] samba4.raw.rename(dc)
[252/310 in 43m55s] samba4.raw.qfsinfo(dc)
[253/310 in 43m55s] samba4.raw.qfileinfo(dc)
[254/310 in 43m56s] samba4.raw.close(dc)
[255/310 in 43m56s] samba4.raw.mkdir(dc)
[256/310 in 43m56s] samba4.raw.ioctl(dc)
[257/310 in 43m56s]
[258/310 in 43m57s] samba4.raw.eas(dc)
[259/310 in 43m57s] samba4.raw.qfileinfo.ipc(dc)
[260/310 in 43m57s] samba4.ntvfs.cifs.krb5.base.delete(dc)

ALL OK (2061 tests in 310 testsuites)

A summary with detailed information can be found in:

'testonly' finished successfully (50m11.201s)

All tests must pass OK, as you can see in the preceding code so we can perform the installation of the binaries into their final destination (/usr/local/).

You can do this by issuing the following command:

leal@debian7:~$ sudo make install

This command will copy all the required files to their final destination on our filesystem. So, we will have the Samba 4 Server properly installed and ready to be configured and provide our network services.



In this chapter, we were introduced to the GNU/Linux distribution that we will work on as a base throughout the book. We got a quick overview of the Debian installation process and some specific operating system configurations that are needed to prepare it for the Samba 4 network services. In the next chapter, we will learn how to provide the Samba 4 Server we just installed as Active Directory Domain Controller for our network. So, we can start to use some of the many features with which Samba 4 software provides us.

About the Author

  • Marcelo Leal

    Marcelo Leal studied at Unisinos, where he undertook a Bachelor's degree in Computing Science. Having worked in the IT industry for more than 15 years, he has gained experience as a network/system administrator, support manager, Unix/Linux specialist, storage architect, and most recently, as a solutions architect. He was involved in open source projects since the beginning of his career and has developed some open source tools and submitted patches to the GNU/Linux and FreeBSD kernel. In 2005, he was honored for his participation in the Prêmio TI e Governo for the project ""Metrópole"", Porto Alegre/RS. He was one of the founders of the Porto Alegre OpenSolaris User Group (PoaOSUG) and was a contributor for the Open High Availability Cluster Community (OHAC) within the OpenSolaris Project; he was the first person outside Sun Microsystems to contribute code to the Open Cluster software. He received three prizes at the OpenSolaris innovation awards program (2007-2008), and presented a solution for Storage High Availability using nonshared disks at the first OHAC Summit in San Francisco/California, USA (2009). In 2013, he presented a highly available, scalable, and high performance three-layer storage solution at SNIA SpeedConf, Santa Clara/California, USA, which, besides adding a lot of value to the storage service, provided huge savings in capex and opex costs (millions of dollars in three years). He has led the architecture and development of a distributed Storage Appliance that, in three years, provided more than 1.5 million operations per second (CIFS, NFS, and iSCSI) for almost 10PB in an area available for a diverse range of products. In 2010, he wrote ZFS -Para usuários OpenSolaris,Windows, Mac e Linux, Brasport, the first book about ZFS in Brazilian Portuguese and actually one of the few books about ZFS available in a language other than English. He tries to write regularly on his blog at Marcelo profile can be found on LinkedIn( Recently a contest was held on Marcelo's blog( which was received with good response.

    Browse publications by this author

Latest Reviews

(3 reviews total)
Provided a great service!
The book (implementing samba 4) lacks of some details, I am using it to implement samba 4 and I've required review another sources.
Implementing Samba 4
Unlock this book and the full library FREE for 7 days
Start now