In case you’ll need another keytab for kerberos binding (e.g. mod_auth_kerb, creating and exporting keytabs can be done like this Random Password We do not need it later, it’s just necessary for importing the record. python import base64 base64.b64encode('myRandomPassword'.encode('utf-16-le')) 'MgAzAFcAawBhADUAdgBtAHoAagA=' Exit with CTRL+D LDIF for principal (if new one) $ cat > /tmp/PRINCIPAL.ldif << EOF dn: CN=HOSTNAME,CN=Users,DC=example,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user description: Service Account for ####### userAccountControl: 66048 accountExpires: 9223372036854775807 sAMAccountName: HOSTNAME servicePrincipalName: SERVICETYPE/HOSTNAME.lan.example.com clearTextPassword:: HASH-FROM-ABOVE EOF Import principal $ ldbadd -H ldap://DOMAINCONTROLLER -v -k yes /tmp/PRINCIPAL.ldif Export keytab $ samba-tool domain exportkeytab /tmp/PRINCIPAL.keytab --principal=PRINCIPAL Check $ kinit -V -k -t /tmp/PRINCIPAL.keytab Using default cache: /tmp/krb5cc_0 Using principal: PRINCIPAL@EXAMPLE.COM Using keytab: /tmp/PRINCIPAL.keytab Authenticated to Kerberos v5

Actually, reading the official docs should be fine. However, here are some experiences and hints. Prerequisites For successfully building SAMBA4, you need some extra packages on your Ubuntu machine/vm: apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils resolvconf krb5-user git-core screen acl python-dev libgcrypt11-dev libtalloc-dev libldb-dev libtevent-dev zlib1g-dev libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils Source code git clone git://git.samba.org/samba.git samba-master cd samba-master git checkout v4-0-stable Building We are just using the included Makefile. As we want to use LDAP with Start TLS later, we need to pass the appropriate parameter before actually compiling. Read more

ISC DHCPd is capable of sending dynamic dns updates against servers like BIND using shared-key authentication or or completely unauthenticated (e.g. BIND or Microsoft DNS with secure updates disabled). As SAMBA4 is a great alternative for Microsoft AD, i’d like to perform secured dynamic DNS updates against it using GSS/TSIG. UPDATE 2018-01-07 I’m now using the scripts from Arch Linux samba-dhcpd-update package, for more info see the wiki UPDATE 2016-02-17 Added info about ACLs for BIND UPDATE 2016-02-16 Read more