SAMBA working as Active Directory domain controller

We use Windows Server 2012/2016/2019 in our environment.
Some of those servers are NOT in Active Directory.
We would like to include them into AD
and install a Linux server playing the role of AD domain controller.

By using IPFire, we try to combine AD domain controller, firewall and VPN server into one server.

Is this possible?
If yes, how to do it?

Hi @sysadmin-pg

Welcome to the IPFire community

In the IPFire wiki there is a section in the samba material about setting up a Samba PDC

Samba as PDC

IPFire version: 2.27
CPU arch: x86_64
	Name: samba
	ProgVersion: 4.15.5
	Release: 83


I install IPFire into a VM having 2 network interfaces.

Network configuration type: GREEN + RED
Address settings
	IP address:
	Network mask:
	Hostname: ipfire
	IP address:
	Network mask:

DHCP server: Disabled

When I login to the web user interface at
and I go to menu IPFire -> Pakfire
and choose "samba" from "Available Addons",
then the package installs with its dependencies without any problem.

When I check status of SAMBA via menu IPFire -> Samba
then I see the services are running.

When I try to configure SAMBA as PDC by following the manual
and I go to "Security Options -> Security"
then the available options are
  - Standalone
  - Domain Member

The manual shows a completely different screenshot.
This is the problem.
There is no "Security: User".

Okay, had a search through the IPFire blog and found that in Core Update 152 (July 2020) Samba was updated from Samba 3 to Samba 4 and at the same time some aspects of Samba were removed due to lack of use. Using Samba on IPFire as a Primary Domain Controller for Windows NT domains was one of them.

So I am sorry but you will not be able to use Samba on IPFire as a Domain Controller.

The wiki needs to be updated to remove that whole section about Primary Domain Controller.



Indeed, I vaguely recall this decision back then.

Samba is a very powerful and versatile beast, and to the best of my knowledge, nobody in the core developer team really uses it (though we do have some users running Samba against their AD), so it was a bit difficult to keep track of all the functionality it provided over time.

Generally, domain controllers are so sensitive that they should not run as an additional service on a firewall, since that greatly increases the attack surface. Please consider running the domain controller on a dedicated machine, and have robust firewall and IPS configurations in place.

Sorry to disappoint, and best regards,
Peter Müller


What has been removed is the usage of Samba as a Domain Controller for Windows computers.
File sharing via Samba shares is still able to be done.

So you can still have a samba share defined to hold the pxe boot files that are required and you can install a tftpd server to support the booting via pxe. The wiki page describes an example with Suse using an nfs server share. You would need to change this to using a samba share.

More details than are in the samba or tftpd wiki pages I can’t help with as I don’t use either of those addons myself.


Yes, I agree with Peter.
Not a good idea and you won't necessarily have all the right bits to do it anyhow.
The active directory function will require Kerberos libs which may not be present.
If you are to build a server best to go with a Debian distribution as this will make the setup a lot easier.
Redhat versions will not include all that is necessary in their packages and you will have to build the samba packages by hand. Not for the faint hearted.
In order to align your SIDs/UIDs you will need to pay close attention to the idmaps.

Something like:-

workgroup = SAMDOM

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

check here for a good write up:-

Best regards
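An added check, written for this thread and not taken from the posts above or from the Samba project: it parses a constructed smb.conf fragment shaped like the idmap example in the previous post and enforces the two rules its comments state, that the default (*) domain uses a read-write back end and that no two idmap ranges overlap. The set of back ends treated as read-write is an assumption.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment mirroring the domain-member example above
# (SAMDOM and the ranges are the thread's example values, not a real site).
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
# Assumed set of back ends that can allocate new mappings; the default (*) domain needs one.
READ_WRITE_BACKENDS = {"tdb", "tdb2", "autorid"}

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config <domain> : <key> = <value>' settings per domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(conf: str) -> List[str]:
    """Return findings; an empty list means the idmap layout satisfies both rules."""
    findings: List[str] = []
    domains = parse_idmap(conf)
    default = domains.get("*", {})
    if "backend" not in default:
        findings.append("no default (*) idmap backend configured")
    elif default["backend"].lower() not in READ_WRITE_BACKENDS:
        findings.append(f"default (*) backend '{default['backend']}' is not read-write")
    ranges = []
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"domain {dom} has no idmap range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-", 1))
        ranges.append((lo, hi, dom))
    # Sort by lower bound; a neighbour whose start lies inside the previous range overlaps it.
    ranges.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return findings
```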