I finally got SAMBA4 working as an Active Directory Domain Controller. Here’s what I did. This is for OpenSuSE Leap 15. It should apply to prior OpenSuSE versions but not to versions of SAMBA4 before 4.7.
I couldn’t find any good instructions for installing SAMBA4 as an AD DC on OpenSuSE. Wish there were because so many other things in Yast work so well.
The way Yast, Samba Server appears is that it is intended to possibly set up a domain controller (PDC) but not specifically an Active Directory Domain Controller. There are at least 3 reasons that make me believe this. The two biggies are settings for LDAP and Winbind. It could be that the YAST module hasn’t caught up with the latest version of SAMBA.
Having given up on finding OpenSuSE-specific documentation/methods, I used the more generic documentation at the SAMBA site (https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller). It’s broken into two sites. The main installation site points to the dependencies site.
I ended up installing or making sure all of the required dependencies were installed and then ran the zypper command that follows. All of the packages may not be required but I found that some dependencies required to configure SAMBA after it’s provisioned and running didn’t exist by default on the OpenSuSE server. Due to the problems I experienced, I figured more packages were better. Some SAMBA guru may be able to document the dependencies better.
I followed the installation instructions almost to the letter. One of the changes I made was to start SAMBA using sudo samba -i before the documentation said to. Otherwise, I couldn’t finish up the install.
The mysterious issue for me is that provisioning didn’t go well. The smb.conf file didn’t look right after provisioning. The biggest issue was that the security was set to ADS but the smb.conf file that works doesn’t have that setting. Even after provisioning appeared to work correctly it was still missing 2 lines in the [global] section. The way I figured all of this out is that I have a SAMBA4 server running in Ubuntu and could compare the smb.conf files. The main take-away is that the smb.conf file that is created after provisioning will be quite short. It only has two administrative shares and no user or printer shares. I believe the assumption is that you will create printer and file shares on a different server.
The first clue that provisioning was incorrect is that I couldn’t create a reverse zone. That led me to check to see if the SAMBA server was running and it wasn’t.
Another issue is that when using Yast to join the domain on the SAMBA server, the process complains that Winbind couldn’t be started. This is because a SAMBA AD DC starts up its own copy of winbindd and the Yast joining process is apparently unaware of this. Once SAMBA is working there is no problem joining the domain from other clients.
Due to provisioning not working correctly, I had to remove the user folders on one of the client boxes and then join the domain again. The symptom was that the login worked and the user home folders were created but the login would jump back to the login screen. This is a known problem and most people suggest changing the permissions on a couple files. I didn’t have any user data yet so I just deleted the folders.
I am going to post the instructions and additional comments in the Articles section of this support site, if I have the right permissions.
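The smb.conf comparison described above can be scripted. This is an added example, not part of the original post: it flags a provisioned smb.conf that still carries security = ADS or lacks the two administrative shares. The share names (sysvol, netlogon), the server role value, and both sample files are assumptions constructed for illustration.

```python
# Assumed values: what a provisioned AD DC smb.conf normally contains.
DC_ROLE = "active directory domain controller"
ADMIN_SHARES = ("sysvol", "netlogon")

# Constructed sample resembling the broken result the post describes.
BAD_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = ADS
"""

# Constructed sample of a short, working AD DC configuration.
GOOD_CONF = """
[global]
    netbios name = DC1
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    workgroup = EXAMPLE
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
[netlogon]
    path = /var/lib/samba/sysvol/example.lan/scripts
    read only = No
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and extra spaces in parameter names.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_dc_conf(text):
    """Return a list of findings; an empty list means the file looks like a DC config."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "").lower() == "ads":
        findings.append("security = ADS is set (not present in the working DC file)")
    if glob.get("server role", "").lower() != DC_ROLE:
        findings.append("server role is not '%s'" % DC_ROLE)
    findings += ["missing [%s] share" % s for s in ADMIN_SHARES if s not in conf]
    return findings
```

To check a real server, pass the contents of its smb.conf to check_dc_conf() and review any findings before starting SAMBA.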