Does anybody know what the "SUSE" way is of using samba 4 as and ad controller

Hello all,

I want to use my opensuse machine as an samba active domain controller.

I already found this page
Which works, great if you wish to build samba from scratch each time that an update arrives.

But the good people of opensuse have decided to not include the samba-tool and a whole lot of other tools that the guide mentions in their build of the samba4 rpm.
So I am entirely in the dark on how to get the ad controller working.

I tried these repos for my samba4 rpms :
Index of /repositories/network:/samba:/STABLE
Index of /repositories/network:/samba:/TESTING

I also looked at the other user build repos, but they are either outdated or not fully functional yet, and to be honest, I rather use opensuse default repos to make sure they don’t bite the other rpms.

I’ve also looked at this nice appliance, which does NOT use the standard samba4 rpms provided by the above mentioned repo(s).
Excellent Samba4 Appliance – SUSE Gallery.
Very usefull temporary solution that really is a script that does the compiling for you, which you need to tweak for your own use.

As I said, I already got it working compiling it from scratch and using alternate unofficial user repos.
But I would like to know how to deal with it the suse way so that my setups don’t go kaploof when the official rpms start biting my setup.

So did anybody figure out how to do it the suse way ?

> So did anybody figure out how to do it the suse way ?

-=WELCOME=- new poster!

one of the moderators on this forum has samba info on his personal
web site, see if it is useful (while waiting for a direct answer from
samba gurus here):


On 2013-02-15 15:36, robverduijn wrote:
> So did anybody figure out how to do it the suse way ?

Not yet.

There is a person in the opensuse mail list that has been using samba4
even before it was released, he/she should know more than many of us.

Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)


thinking on how to google that … person … forum suse …samba 4 …

could you help me a bit here by providing a bit more info that I can use to narrow it down to less than 1M hits?



I’ve used that one in the past, checked it again, and i see only configurations that are samba3 not samba4.

and the tools are also samba3


On 02/15/2013 05:46 PM, robverduijn wrote:
> could you help me a bit here by providing a bit more info that I can
> use to narrow it down to less than 1M hits?

see the “how to” section here:

or use these as a rudimentary guide:

~400 hits from the mail lists:“samba4”+OR+“samba+4”

84 hits from these forums:“samba4”+OR+“samba+4”

openSUSE®, the “German Engineered Automobile” of operating systems!

> i see only configurations that are samba3 not samba4.

sorry, i don’t know enough about samba (never used it) to recognize
his is 3 and you need help for 4…


  1. If you find something that’s missing that’s desirable(SAMBA Tools), i highly recommend you submit a bugzilla “Feature Request” but mention how important the missing feature is (maybe even rate it “Normal” instead if very important). If SAMBA Tools is available as separate code, maybe you can compile that separately and on your own. I don’t know what SAMBA Tools is supposed to do for you, but supposedly if you simply promote to be an AD DC, you should be able to use standard Windows AD tools to manage your SAMBA DC.

  2. Reading a few reviews about the very recent SAMBA 4 release (approx 2.5 months ago), apparently there is some unfinished feature related to AD file replication which could be related to what you are describing about the re-building process. The current recommendation as of today seems to consider deploying only in very small, single DC networks (Hmmm… If the SAMBA DC is replicating from a Windows DC, what does that mean? Take one offline?). Directory replication should be OK, but anything else might be a bump in the road for now.


On 2013-02-15 17:46, robverduijn wrote:
> hmmm
> thinking on how to google that … person … forum suse …samba 4
> …
> could you help me a bit here by providing a bit more info that I can
> use to narrow it down to less than 1M hits?

opensuse at is not such a big

I think the name is lynn, but just use “samba 4” and “samba4” as a
search word. I found 54 hits since 2012. Try also the factory mail list.

Or just post the question there.

Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

have you seen this

Excellent Samba4 Appliance – SUSE Gallery

it uses a script that is easy to read…

I did indeed see that , it’s the main reason why I included it in the original post.

But thanx for the tip.

p.s. that appliance is not the suse way of dealing with samba4

Sorry about the cranky response, but i’ve been googling this one for some time now, and have gotten rather tired of seeing the same answers over and over again without any usefull content. When you then decide to ask questions in the forums and get answers that are like google it, here look at this link to an obsolete page, or even links that you already used in the first post, you could get a bit miffed.

The kindly provided link to the google search howto sadly did not provide any tricks that i didn’t know yet, although I admit that I’ve never seen that page before. (googling howto google…ah wel there’s a man page for man as well:P)

I guess I’ll hit the feature request board (again) and the factory mailinglist to see if I can get them to include the samba4 tooling.

I just keep with my own build package, it’s not as clean and mean as I would like it to be (still gotta write a propper start script/systemd entry, split it up so you get a smaller install), but it installs the whole samba 4 thingy. And when you google “<something> samba4” you can actually apply the instructions to your own system.


After some serious googling I’ve come to the conclusion there is no suse way of using samba4.

Suse has limited it’s implementation of samba 4 to the file server part due to the fact that samba 4 used only heimdal kerberos. (note the past tence)

I don’t know when, but somewhere in the past the option —with-system-mitkrb5 was added to the samba configuration

This is the explanation why the samba4 ad part is not implemented by openSUSE yet :

I guess I will have to wait a while before there a default samba 4 packages that include more than just the file server bit.


If you have some spare time please create openFATE request for this :

It may or may not speed things up a bit. If there will be an openFATE request for this you’ve got my vote already :slight_smile:


I don’t have the spare time to gather a movement to convince novell/opensuse to switch from system wide MIT kerberos to heimdal kerberos.
They had good reasons to abandon heimdal for mit in the past.
If you wish to start that suggestion on openfate be my guest.


I’m not sure I have the knowledge on Samba to phrase this properly :slight_smile: So from what your saying the only thing needed is to switch to a different type of kerberos and this should work ? I realize that this might be a massive change but still is it the only thing that needs to change ?

I have no idea what is required for openSUSE to switch to heimdal kerberos. In the past there has been made a decision to abandon heimdal in favor of MIT kerberos. The reasons for this are not known to me.

If you insist on going down this path here is some info that I pieced together so far.

After doing some digging around I found that the samba4 developers had better ties with the heimdal developers and thus choose to work with heimdal in their samba4 ad build.
It seems you first would have to figure out what the reasons for switching to MIT were in the first place, then also find out what dependencies are there in suse on the MIT kerberos and what the impact would be on them when they would make the switch.
For instance everything LDAP related is likely to receive an impact since that uses kerberos as well. Not to forget all the yast tools that work with it (samba/ldap/kerberos)
That’s just the packages I can come up with, I would not be surprised it there were more.

Also take into consideration that the samba devs are working on MIT compatibility see MIT Build - SambaWiki
It will be a matter of time before samba4 starts to work with MIT kerberos.

The question is which traject is the quicker one ?
openSUSE switching to MIT or samba4 obtaining MIT compatibility.
The one with the least work is the latter ofcourse.(for us lazy admins)

More things to consider come to mind, does it really matter that samba4 runs heimdal and the rest of suse runs MIT ?
I mean samba4 runs its heimdal kerberos internally, does it really conflict with the MIT kerberos ?
Can heimdal kerberos talk to mit kerberos ?
Can samba4 run alongside MIT kerberos on the same box, or does it need to be on seperate boxes ?
All these things require testing and checking out, the compatibility answer between kerberos and mit should be only a few google sessions away I think.
The others require testing.

Darn that’s already a lot to check out.

If you are still with me here comes more.

I’ve packaged my own samba4 with heimdal on the obs here :
And the repo is here :
Index of /repositories/home:/robverduijn:/samba
It’s not user friendly**, all startscripts are still missing (sysV and systemd) and no config examples.
I strongly suggest you use a vm for this.

how to configure samba4 can be read here :

A little tip, use the internal dns it really works great and it’s a lot easier to setup than the integration with bind or dnsmasq (which also work very well in combination with samba4 btw)
The use of the forwarder setting in the ad config eases everything up a lot.
Make sure you check this page for your filesystem settings :
Especially the hints for gentoo, they explain a lot about the requirements.
(I more than once wished suse docs were on the level of gentoo or arch-linux, and thank the gods on my knees each time I see another ubuntu forum post suse is way above that of ubuntu)

A few tips when googling,

  • make sure you check the date of the article, you can almost blindly ignore everything from before december 2012, the chances of anything being obsolete increase signifficantly before that date
  • arch-linux and gentoo docs and forums contain highly valuable information, they simply know how to write good howtos and to explain the why things work some way
  • AVOID all the ubuntu forums, they are so full of obsolete,flawed, incomplete and outright wrong tips its almost impossible to find anything usefull in there.
    If you insist on digging ubuntu forums
    * first check the date of the post, if its old stop reading
    * second check the ubuntu release they talk about, if its old stop reading
    the definition of old for ubuntu is anything that has been released more than 6 months ago, including the LTS releases

Hope this helps a bit

This helps a lot but it will take me some time to process it :slight_smile: hopefully at the end I will be able to create openFATE. If worst comes to the worst copy pasting the description might be sufficient.

Just to let you know I’m not insisting on anything. This is just one of the possibilities to draw the developers attention to the problem. Another approach would be to create a bug report or simply live with it and wait until the situation resolves itself.

You might also want to take a look at the date the packages were built, esp when the features you need might have been officially released only very recently.


It is always a good point to check the latest release of a bleeding edge package again every few days/weeks, but alas no ad functionality yet.
Neither samba4 client since it is still missing the --with-system-mitkrb5 option in the configure part.