In today’s enterprise environments, Active Directory (AD) has long been the backbone of identity management, authentication, and access control. Traditionally, Microsoft’s implementation dominates the market, but open-source alternatives are gaining significant traction. Among these, Samba 4 stands out as a robust, scalable, and flexible solution that can provide full Active Directory domain services on Linux systems. In this post, we’ll walk through installing Samba 4 as an Active Directory Domain Controller (AD DC) on Red Hat Enterprise Linux 10 (RHEL 10), and explore why many organizations are starting to prefer it over Microsoft’s AD.
Why Choose Samba 4 Over Microsoft AD?
Before diving into installation, it’s worth understanding why Samba 4 is often considered superior in certain contexts:
- Cost Efficiency
Microsoft AD licensing can be expensive, especially for enterprises scaling into hundreds or thousands of users. Samba 4 is open-source and free, eliminating licensing fees while offering almost identical AD functionality.
- Cross-Platform Flexibility
Samba runs natively on Linux, which allows organizations to integrate AD services without relying on Windows servers. This is particularly advantageous for organizations heavily invested in Linux infrastructure.
- Simplified Management
Samba 4 leverages standard Linux tools for monitoring, scripting, and automation. Tasks like backup, restore, and system integration are often simpler and more transparent compared to Windows AD.
- Transparency and Customization
Open-source code means you can inspect, modify, and optimize Samba to suit your environment. Microsoft AD, in contrast, is a closed ecosystem with limited flexibility.
- Rapid Development and Community Support
Samba has an active community and frequent updates, making it a cutting-edge alternative that quickly adapts to new authentication protocols and security standards.
Prerequisites for Installing Samba 4 on RHEL 10
Before starting, ensure your system meets the following requirements:
- RHEL 10 server with root or sudo privileges
- Static IP address configured
- Properly configured hostname (FQDN recommended)
- Firewall configured to allow AD-related ports (TCP/UDP 88, 135, 137–139, 389, 445, 464, 636, 3268–3269)
Additionally, update your system:
sudo dnf update -y
sudo dnf install -y vim wget curl
Step 1: Installing Samba 4
RHEL 10 ships with Samba in its repositories, but for Active Directory features, we need the full suite including the AD DC functionality:
sudo dnf install -y samba samba-common samba-client samba-dc
Confirm the installation:
samba --version
You should see Samba 4.x displayed, confirming you have the AD-capable version installed.
Step 2: Provisioning the Domain Controller
Now, we can provision Samba as an Active Directory Domain Controller. Replace example.com with your domain:
sudo samba-tool domain provision \
--use-rfc2307 \
--domain=EXAMPLE \
--realm=EXAMPLE.COM \
--adminpass='YourStrongPassword' \
--server-role=dc
What this does:
- --use-rfc2307 enables Unix attributes support
- --domain sets the NetBIOS name
- --realm sets the Kerberos realm
- --server-role=dc ensures this instance is a Domain Controller
After provisioning, Samba will create /etc/samba/smb.conf with all necessary configurations.
Step 3: Configuring Kerberos
Samba relies on Kerberos for authentication. Ensure your /etc/krb5.conf matches your AD domain:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Test Kerberos authentication:
kinit administrator
klist
You should see a valid ticket if everything is correctly configured.
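One way to check that /etc/krb5.conf matches the provisioned domain, as an added example that is not part of the original post: the script reads default_realm from krb5.conf and realm from the [global] section of smb.conf and reports any disagreement. The function names ini_get and check_realms are hypothetical, and the sample files are constructed.

```bash
#!/bin/sh
# Added example: compare default_realm in krb5.conf with realm in smb.conf.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION].
# Names are matched case-insensitively (smb.conf treats them that way).
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_section = (tolower(name) == tolower(section))
            next
        }
        in_section && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }
    ' "$1"
}

# check_realms KRB5_CONF SMB_CONF: 0 = consistent, 1 = mismatch, 2 = missing.
check_realms() {
    krb_realm=$(ini_get "$1" libdefaults default_realm)
    smb_realm=$(ini_get "$2" global realm)
    if [ -z "$krb_realm" ] || [ -z "$smb_realm" ]; then
        echo "MISSING: default_realm='$krb_realm' realm='$smb_realm'"
        return 2
    fi
    # Kerberos realm names are case-sensitive; compare against upper case.
    want=$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')
    if [ "$krb_realm" != "$want" ]; then
        echo "MISMATCH: default_realm=$krb_realm expected=$want"
        return 1
    fi
    echo "OK: $krb_realm"
}

# Constructed sample files (not from a real DC) so the check runs offline.
demo=$(mktemp -d)
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n dns_lookup_kdc = true\n' > "$demo/krb5.conf"
printf '[global]\n\trealm = EXAMPLE.COM\n\tserver role = active directory domain controller\n' > "$demo/smb.conf"
check_realms "$demo/krb5.conf" "$demo/smb.conf" || true
rm -rf "$demo"
```

On the domain controller from this post, call it as check_realms /etc/krb5.conf /etc/samba/smb.conf before running kinit.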
Step 4: Starting Samba as a Service
Enable and start the Samba AD DC service:
sudo systemctl enable samba
sudo systemctl start samba
sudo systemctl status samba
At this point, your RHEL 10 server is functioning as a fully operational Active Directory Domain Controller.
Step 5: Integrating Clients
Samba 4 can seamlessly integrate both Windows and Linux clients. On a Windows machine, simply join the domain:
- Open System Properties → Computer Name → Change
- Enter your Samba AD domain (example.com)
- Provide the administrator credentials set during provisioning
Linux clients can use realmd or sssd to join the domain:
sudo dnf install -y realmd sssd
sudo realm join example.com -U Administrator
Once joined, your clients can authenticate using AD accounts, access domain resources, and enjoy centralized identity management.
Step 6: Managing Users and Groups
Samba 4 provides tools like samba-tool to manage users, groups, and policies. Examples:
# Add a user
sudo samba-tool user add john.doe P@ssw0rd
# Create a group
sudo samba-tool group add IT-Admins
# Add user to group
sudo samba-tool group addmembers IT-Admins john.doe
For administrators familiar with Windows AD, Samba offers nearly identical management workflows, including the ability to use RSAT tools from a Windows machine.
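Steps 2 and 6 pass passwords as command-line arguments (--adminpass and the second argument to samba-tool user add), which leaves them in shell history and visible in the process list while the command runs. As an added example, not part of the original post, this script scans a history file or provisioning script for those two forms; find_inline_secrets is a hypothetical name and the sample input is constructed.

```bash
#!/bin/sh
# Added example: flag samba-tool commands that carry a password in argv.
# Reports line number and reason only, never the secret itself.

# find_inline_secrets FILE: exit status 1 if anything was flagged.
find_inline_secrets() {
    awk '
        {
            line = $0
            if (buf == "") start = NR
            # Join backslash-continued lines into one logical command.
            if (sub(/\\[ \t]*$/, " ", line)) { buf = buf line; next }
            cmd = buf line; buf = ""
            if (cmd !~ /samba-tool/) next
            if (cmd ~ /--adminpass[= \t]/) {
                print start ": --adminpass value on the command line"; found = 1
            }
            n = split(cmd, w, /[ \t]+/)
            for (i = 1; i < n; i++) {
                if (w[i] != "user" || (w[i+1] != "add" && w[i+1] != "create")) continue
                # Count positional words right after the subcommand:
                # the first is the username, a second one is a password.
                # Heuristic: words placed after an option are not counted.
                pos = 0
                for (j = i + 2; j <= n && w[j] != "" && w[j] !~ /^-/; j++) pos++
                if (pos >= 2) {
                    print start ": positional password after samba-tool user " w[i+1]
                    found = 1
                }
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed excerpt built from the commands shown in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sudo dnf install -y samba samba-common samba-client samba-dc
sudo samba-tool domain provision \
  --use-rfc2307 --realm=EXAMPLE.COM \
  --adminpass='YourStrongPassword' \
  --server-role=dc
sudo samba-tool user add john.doe P@ssw0rd
sudo samba-tool user add jane.roe --random-password
EOF
find_inline_secrets "$sample" || true
rm -f "$sample"
```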
Why Samba 4 Is Often Better Than Microsoft AD
After seeing Samba 4 in action, the advantages become clear:
- No Vendor Lock-In: You’re free to customize and migrate systems without being tied to Windows licensing.
- Linux Ecosystem Integration: Automate AD tasks with scripts, Ansible, or Puppet.
- Lower Cost of Ownership: Avoid Windows Server CALs and licensing fees.
- Security Control: You can audit and tweak Samba’s open-source code to meet strict security policies.
- Scalability: Multiple Samba DCs can be deployed across regions without expensive hardware or software investments.
In short, Samba 4 allows organizations to achieve all the benefits of Active Directory while leveraging Linux’s flexibility, cost-effectiveness, and transparency.
Conclusion
Samba 4 on RHEL 10 provides a powerful, fully compatible Active Directory environment without the constraints and costs of Microsoft AD. By following the installation steps outlined above, enterprises can deploy a secure, scalable, and high-performing domain controller that integrates seamlessly with Windows and Linux clients alike.
For organizations looking to reduce costs, gain control over their infrastructure, and embrace open-source solutions, Samba 4 is not just an alternative—it’s often the better choice.
