出自 Arch Linux 中文维基

本文描述了如何使用 Samba 搭建 Active Directory 域控制器。它假設所有配置文件都處於安裝後的狀態,未作任何更改。文章內容已在全新安裝系統上驗證過,沒有(也不需要)除靜態 IPv4 地址外的其它網絡配置。最後,下面的大多數命令都需要提權。在不考慮操作規範的前提下,使用根用戶會話運行命令會比按需提權更方便些。

安裝

注意: 確保在你的網絡上可以通過主機名訪問到伺服器。詳細信息請查看網絡配置#區域網主機名解析

除 Samba 的自帶程序外,一個完整可用的 samba 域控制器還需要一些其它軟體。先從官方倉庫安裝 krb5ntppython-dnspythonpython-markdown,openresolvsamba

Samba 內置了一個全功能的 DNS 伺服器,但如果你需要為外部域名維護 DNS 域,強烈建議換用 BIND。如果需要共享印表機,同時也要用到 CUPS。如有這些需要,請安裝 bind 和/或 cups

創建新目錄

置備

創建 Active Directory 域的第一步是進行置備。這包括配置內部 LDAPKerberos 和 DNS 伺服器,並按目錄需求進行基礎設置。如果你有配置目錄伺服器的經驗,那你肯定知道多組件協同工作很可能會產生些問題。這也是為什麼 Samba 的開發者選擇提供內置版本的這些組件,上面安裝的伺服器包僅作為客戶端工具進行安裝。為 Samba 進行置備較為簡單,只需執行以下命令:

# samba-tool domain provision --use-rfc2307 --interactive

參數說明

--use-rfc2307
該參數將 POSIX 屬性(UID/GID)添加到了 AD Schema 中。如果你需要認證 Linux,BSD 或是 macOS 客戶端(包括本地主機),就需用到該參數。
--interactive
該參數強制置備腳本以交互模式運行。

你也可以使用 samba-tool domain provision --help 查看置備步驟的文檔。

Interactive provision explanations

Realm
INTERNAL.DOMAIN.COM - This should be the same as the DNS domain in all caps. It is common to use an internal-only sub-domain to separate your internal domain from your external DNS domains, but it is not required.
Domain
INTERNAL - This will be the NetBIOS domain name, usually the leftmost DNS sub-domain but can be anything you like. For example, the name INTERNAL would not be very descriptive. Perhaps company name or initials would be appropriate. This should be entered in all caps, and should have a 15 character maximum length for compatibility with older clients.
Server Role
dc - This article assumes that your are installing the first DC in a new domain. If you select anything different, the rest of this article will likely be useless to you.
DNS Backend
BIND9_DLZ or SAMBA_INTERNAL - This is down to personal preference of the server admin. Again, if you are hosting DNS for external domains, you are strongly encouraged to use the BIND9_DLZ backend so that flat zone files can continue to be used and existing transfer rules can co-exist with the internal DNS server. If unsure, use the SAMBA_INTERNAL backend.
DNS forwarder IP address
xxx.xxx.xxx.xxx or none - This option is only presented when using the SAMBA_INTERNAL DNS backend. Supply the IP address of a DNS server for forwarding non local DNS queries, or use the string none to always do root lookups.
Administrator password
xxxxxxxx - You must select a strong password for the administrator account. The minimum requirements are one uppercase letter, one number, and at least eight characters. If you attempt to use a password that does not meet the complexity requirements, provisioning will fail.

配置守護進程

NTPD

為你網絡下的時間伺服器創建 NTP 配置文件。相關介紹及額外配置可參考 Network Time Protocol daemon 一文。

按照如下內容修改 /etc/ntp.conf

/etc/ntp.conf
# Please consider joining the pool:
#
#     http://www.pool.ntp.org/join.html
#
# For additional information see:
# - https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon
# - http://support.ntp.org/bin/view/Support/GettingStarted
# - the ntp.conf man page

# 关联到 Arch 的 NTP 池
server 0.arch.pool.ntp.org
server 1.arch.pool.ntp.org
server 2.arch.pool.ntp.org
server 3.arch.pool.ntp.org

# 限制
restrict default kod limited nomodify notrap nopeer mssntp
restrict 127.0.0.1
restrict ::1
restrict 0.arch.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.arch.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.arch.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 3.arch.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

# 偏移文件位置
driftfile /var/lib/ntp/ntpd.drift

# Location of the update directory
ntpsigndsocket /var/lib/samba/ntp_signd/

創建狀態目錄並配置權限:

# install -d /var/lib/samba/ntp_signd
# chown root:ntp /var/lib/samba/ntp_signd
# chmod 0750 /var/lib/samba/ntp_signd

啟用並啟動 ntpd.service

BIND

如果你選擇了 BIND9_DLZ 作為 DNS 後端,需要安裝 bind 並創建如下 BIND 配置,相關介紹及額外配置可參考 BIND 一文。別忘了將 x 替換成實際值:

創建 /etc/named.conf 文件:

/etc/named.conf
// vim:set ts=4 sw=4 et:
acl local-networks {
    127.0.0.0/8;
    xxx.xxx.xxx.xxx/xx;
// 如要使用 IPv6,需移除下面的注释
    //::1/128;
    //xxxx:xxxx:xxxx:xxxx::/64;
};

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // 将该行取消注释以启用 IPv6 连接支持
    //  listen-on-v6 { any; };
    // 为无 IPv4 环境添加该行:
    //  listen-on { none; };

    // 将允许的子网或主机加入到 local-networks acl 中
    allow-query       { local-networks; };
    allow-recursion   { local-networks; };
    allow-query-cache { local-networks; };
    allow-transfer    { none; };
    allow-update      { none; };

    version none;
    hostname none;
    server-id none;

    auth-nxdomain yes;
    datasize default;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    // 将该行取消注释以使用 ISP 的转发器
    //  forwarders { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
    type master;
    file "localhost.ip6.zone";
};

// 加载 AD 内置区域
include "/var/lib/samba/bind-dns/named.conf";

//zone "example.org" IN {
//    type slave;
//    file "example.zone";
//    masters {
//        192.168.1.100;
//    };
//    allow-query { any; };
//    allow-transfer { any; };
//};

logging {
    channel xfer-log {
        file "/var/log/named.log";
            print-category yes;
            print-severity yes;
            severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

配置權限:

# chgrp named /var/lib/samba/private/dns.keytab
# chmod g+r /var/lib/samba/private/dns.keytab
# touch /var/log/named.log
# chown root:named /var/log/named.log
# chmod 664 /var/log/named.log

啟用並啟動 named.service

轉發器值可以選用你的 ISP 的 DNS 伺服器,谷歌(8.8.8.8,8.8.4.4,2001:4860:4860::8888 和 2001:4860:4860::8844)及 OpenDNS(208.67.222.222,208.67.220.220,2620:0:ccc::2 和 2620:0:ccd::2)也免費提供了公共 DNS 伺服器,具體最佳值取決於你的現有網絡。

Kerberos 客戶端工具

上面的置備步驟會創建一個可與 Samba 域控制器搭配使用的 krb5.conf 文件。使用如下命令進行安裝:

# mv /etc/krb5.conf{,.default}
# cp /var/lib/samba/private/krb5.conf /etc

DNS

你現在需要使用本地 DNS 伺服器了,重新配置 resolvconf 以僅使用 localhost 進行 DNS 查詢。創建 /etc/resolv.conf.tail 文件(不要忘了將 internal.domain.tld 替換為你的內部域名):

# Samba 配置
search internal.domain.tld
# 如要使用 IPv6,需移除下行注释
#nameserver ::1
nameserver 127.0.0.1

配置權限並生成新的 /etc/resolv.conf 文件:

# chmod 644 /etc/resolv.conf.tail
# resolvconf -u

Samba

啟用並啟動 samba.service。如果你想使用 LDB 工具,需額外通過創建 /etc/profile.d/sambaldb.sh 來設置 LDB_MODULES_PATH

export LDB_MODULES_PATH="${LDB_MODULES_PATH}:/usr/lib/samba/ldb"

設置權限並對其使用 source:

# chmod 0755 /etc/profile.d/sambaldb.sh
# . /etc/profile.d/sambaldb.sh

Testing the installation

DNS

First, verify that DNS is working as expected. Execute the following commands substituting appropriate values for internal.domain.com and server:

# host -t SRV _ldap._tcp.internal.domain.com.
# host -t SRV _kerberos._udp.internal.domain.com.
# host -t A server.internal.domain.com.

You should receive output similar to the following:

_ldap._tcp.internal.domain.com has SRV record 0 100 389 server.internal.domain.com.
_kerberos._udp.internal.domain.com has SRV record 0 100 88 server.internal.domain.com.
server.internal.domain.com has address xxx.xxx.xxx.xxx

NT authentication

Next, verify that password authentication is working as expected:

# smbclient //localhost/netlogon -U Administrator -c 'ls'

You will be prompted for a password (the one you selected earlier), and will get a directory listing like the following:

  .                                   D        0  Wed Nov 27 23:59:07 2013
  ..                                  D        0  Wed Nov 27 23:59:12 2013

		50332 blocks of size 2097152. 47185 blocks available

Kerberos

Now verify that the KDC is working as expected. Be sure to replace INTERNAL.DOMAIN.COM and use uppercase letters:

# kinit administrator@INTERNAL.DOMAIN.COM

You should be prompted for a password and get output similar to the following:

Warning: Your password will expire in 41 days on Wed 08 Jan 2014 11:59:11 PM CST

Verify that you actually got a ticket:

# klist

You should get output similar to below:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@INTERNAL.DOMAIN.COM

Valid starting       Expires              Service principal
11/28/2013 00:22:17  11/28/2013 10:22:17  krbtgt/INTERNAL.DOMAIN.COM@INTERNAL.DOMAIN.COM
	renew until 11/29/2013 00:22:14

As a final test, use smbclient with your recently acquired ticket. Replace server with the correct server name:

# smbclient //server/netlogon -k -c 'ls'

The output should be the same as when testing password authentication above.

Additional configuration

DNS

You will also need to create a reverse lookup zone for each subnet in your environment in DNS. It is important that this is kept in Samba's DNS as opposed to BIND to allow for dynamic updates by cleints. For each subnet, create a reverse lookup zone with the following commands. Replace server.internal.domain.tld and xxx.xxx.xxx with appropriate values. For xxx.xxx.xxx, use the first three octets of the subnet in reverse order (for example: 192.168.0.0/24 becomes 0.168.192):

# samba-tool dns zonecreate server.internal.domain.tld xxx.xxx.xxx.in-addr.arpa -U Administrator

Now, add a record for you server (if your server is multi-homed, add for each subnet) again substituting appropriate values as above. zzz will be replaced by the fourth octet of the IP for the server:

# samba-tool dns add server.internal.domain.tld xxx.xxx.xxx.in-addr.arpa zzz PTR server.internal.domain.tld -U Administrator

Finally, test the lookup. Replace xxx.xxx.xxx.xxx with the IP of your server:

# host -t PTR xxx.xxx.xxx.xxx

You should get output similar to the following:

xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer server.internal.domain.tld.

TLS

默認不啟用 TLS,但在初始化 DC 時會創建一個默認證書。從 Samba 4.3.8 和 4.2.2 開始,默認禁用非加密 LDAP 綁定。在不影響安全性的前提下,你必須要配置 TLS 才能將 Samba 作為認證源使用。如要使用默認證書,請將下列內容添加到 /etc/samba/smb.conf 的「[global]」部分下:

/etc/samba/smb.conf
[global]
tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem

如果需要可信證書,請創建一個簽名密鑰和一個證書請求(詳細步驟參見 OpenSSL)。讓你選擇的證書機構對請求籤名,然後將其放置在配置的文件夾下。如果證書機構要求使用中間證書,可以將證書串在一起(先是伺服器證書,然後是中間證書),然後將 tls cafile 留空。

重啟 samba 以應用更改。

Adding a second domain controller to an existing domain

Prerequisites

As with the provisioning setup when setting up a new domain, you must have ntp configured per the above instructions. Additionally, some of the arguments and parameters on the original domain setup must be replicated here.

Argument explanations

--option='idmap_ldb:use rfc2307 = yes'
this is required if you elected to include Unix UID/GID support on your existing domain (using the --use-rfc2307 option for Samba's provision step or applied the RFC 2307 schema extensions).
--dns-backend=DNSTYPE
replace DNSTYPE with BIND9_DLZ or SAMBA_INTERNAL - This is again down to personal preference of the server admin. If using BIND9_DLZ backend, you will need to configure bind as per the above instructions after joining the domain.
--option="dns forwarder="xxx.xxx.xxx.xxx"
this is only valid for the SAMBA_INTERNAL DNS backend which allows you to specify a DNS forwarder. Replace xxx.xxx.xxx.xxx with appropriate value.
--site=SITE
if you have multiple sites defined, use this to join directly in that site.

See the output of samba-tool domain join --help for additional options.

Joining an existing domain as a new DC

Execute the following command (adding any necessary parameters above to the end of the command):

# samba-tool domain join internal.domain.tld DC -U"INTERNAL\administrator"

Now copy the krb5.conf:

# cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

If you used the RFC 2307 schema extensions, you need to copy the idmap from an existing DC. If using Samba, execute the following command from another DC:

# tdbbackup -s .bak /var/lib/samba/private/idmap.ldb

This will generate a file /var/lib/samba/private/idmap.ldb.bak, transfer this file to the new server in the /var/lib/samba/private directory, removing the .bak extension. If you intend to keep multiple DCs, you will need to automate this process going forward using one of the methods listed on the Samba website here. This also applies to transferring the idmap from Windows DCs.

Enable and start the samba.service unit.

If using BIND9_DLZ DNS backend, you'll need to follow the BIND section above. Check if the /var/lib/samba/private/dns directory is created, and if not, run the following command (ignore warning about updating named.conf):

# samba_upgradedns --dns-backend=BIND9_DLZ

Restart the named.service and then update the DNS records with the following command:

# samba_dnsupdate --all-names --use-samba-tool --verbose

Now proceed with LDB configuration and testing as with a new domain here.

Transferring the FSMO roles

If this is intended to replace an existing domain controller, you will need to transfer the FSMO roles before demoting the existing DC. This is currently outside the scope of this document. See the Samba wiki here.

額外服務

列印

作為域控制器的 Samba 伺服器默認不會啟用列印服務。你需要在 /etc/samba/smb.conf 的 global 部分添加下列內容:

/etc/samba/smb.conf
[global]
...
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        printing = CUPS
...
[printers]
       path = /var/spool/samba/
       printable = yes

以上示例會為所有 CUPS 列印隊列啟用自動共享。如果你只想共享特定列印隊列,可以添加如下內容(先將上面的 [printers] 共享移除):

/etc/samba/smb.conf
[global]
...
        load printers = no
...
# 打印共享示例
[HPDJ3050]
       path = /var/spool/samba/
       printable = yes
       printer name = hpdj3050

Tips and tricks

DHCP with dynamic DNS updates

It should be noted that using this method will affect functionality of windows clients, as they will still attempt to update DNS on their own. When this occurs, the machine will be denied permission to do so as the record will be owned by the dhcp user rather than the machine account. While this is essentially harmless, it will generate warnings in the system log of the offending machine. You should create a GPO to overcome this, but unfortunately, Samba does not yet have a command line utility to modify GPOs. You will need a Windows PC with the RSAT tools installed. Simply create a dedicated GPO with the Group Policy Editor, and apply only to OUs that contain workstations using DHCP (so that Samba/Windows servers and statically configured Samba/Windows clients can still update using 'ipconfig /registerdns') and configure the following settings:

Computer Configuration
  Policies
    Administrative Templates
      Network
        DNS Client
          Dynamic Update = Disabled
          Register PTR Records = Disabled

Install the dhcp, sudo, and the samba-dhcpd-updateAUR packages.

Create an unprivileged user in AD for performing the updates. When prompted for password, use a secure password. 63 random, mixed case, alpha-numeric characters is sufficient. Optionally samba-tool also takes a random argument:

# samba-tool user create dhcp --description="Unprivileged user for DNS updates via DHCP server"

Since this is a service account, disabling password expiration on the user account is recommended, but not required:

# samba-tool user setexpiry dhcp --noexpiry

Give the user privileges to administer DNS:

# samba-tool group addmembers DnsAdmins dhcp

Create an SPN and export the users credentials to a private keytab:

# samba-tool spn add server/server.internal.domain.tld@INTERNAL.DOMAIN.TLD dhcp
# samba-tool domain exportkeytab --principal=dhcp@INTERNAL.DOMAIN.TLD dhcpd.keytab
# install -vdm 755 /etc/dhcpd
# mv dhcpd.keytab /etc/dhcpd
# chown root:root /etc/dhcpd/dhcpd.keytab
# chmod 400 /etc/dhcpd/dhcpd.keytab

Modify the dhcpd-update-samba-dns.conf file with the following commands (substituting correct values for server, internal.domain.tld, and INTERNAL.DOMAIN.TLD):

/etc/dhcpd/dhcpd-update-samba-dns.conf
# Variables
KRB5CC="/tmp/dhcpd4.krb5cc"
KEYTAB="/etc/dhcpd/dhcpd.keytab"
DOMAIN="internal.domain.tld"
REALM="INTERNAL.DOMAIN.TLD"
PRINCIPAL="dhcp@${REALM}"
NAMESERVER="server.${DOMAIN}"
ZONE="${DOMAIN}"

Grant the dhcp user account permissions to run the update script without a password prompt (replace server with the hostname of the server):

/etc/sudoers.d/dhcp-update
dhcp server = (root) NOPASSWD: /usr/bin/dhcpd-update-samba-dns.sh

Configure the dhcpd server following the dhcpd article and add the following to all subnet declarations in the /etc/dhcpd.conf file that provide DHCP service:

  on commit {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "add", ClientIP, ClientName);
  }

  on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "delete", ClientIP, ClientName);
  }

    on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "delete", ClientIP, ClientName);

Here is a complete example /etc/dhcpd.conf file for reference:

/etc/dhcpd.conf

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.254;
  option domain-name "internal.domain.tld";
  option domain-name-servers 192.168.1.1;
  option broadcast-address 192.168.1.255;
  default-lease-time 28800;
  max-lease-time 43200;
  authoritative;

  on commit {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "add", ClientIP, ClientName);
  }

  on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "delete", ClientIP, ClientName);
  }

    on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientName = pick-first-value(option host-name, host-decl-name);
    execute("/usr/bin/sudo", "/usr/bin/dhcpd-update-samba-dns.sh", "delete", ClientIP, ClientName);
  }
}

Finally, enable and start (or restart) the dhcpd4 service.

Transferring users from one directory to another

Unfortunately, there is no built-in utility to export users from one directory to another. This is one way, albeit exceptionally ugly, to get the user specific fields out of your existing SAM and into a suitable LDIF format for ldbmodify:

# ldbsearch -H /var/lib/samba/private/sam.ldb \
    -s sub -b cn=Users,dc=internal,dc=domain,dc=tld '(objectClass=user)' | \
    grep -e "^\# record" -e "^accountExpires:" -e "^c:" -e "^cn:" -e "^co:" -e "^codePage:" \
         -e "^comment:" -e "^company:" -e "^countryCode:" -e "^department:" \
         -e "^description:" -e "^displayName" -e "^displayNamePrintable:" \
         -e "^distinguishedName" -e "^division:" -e "^dn:" -e "^employeeID:" \
         -e "^facsimileTelephoneNumber:" -e "^generationQualifier:" \
         -e "^givenName" -e "^homeDirectory:" -e "^homeDrive:" -e "^homePhone:" \
         -e "^homePostalAddress:" -e "^info:" -e "^initials:" \
         -e "^internationalISDNNumber:" -e "^ipPhone:" -e "^l:" -e "^mail:" \
         -e "^manager:" -e "^middleName:" -e "^mobile:" -e "^name:" -e "^o:" \
         -e "^objectClass" -e "^otherFacsimileTelephoneNumber:" \
         -e "^otherHomePhone:" -e "^otherIpPhone:" -e "^otherMailbox:" \
         -e "^otherMobile:" -e "^otherPager:" -e "^otherTelephone:" -e "^pager:" \
         -e "^personalTitle:" -e "^physicalDeliveryOfficeName:" -e "^postalAddress:" \
         -e "^postalCode:" -e "^postOfficeBox:" -e "^proxyAddresses\: SMTP" \
         -e "^proxyAddresses: smtp" -e "^referredDeliveryMethod:" \
         -e "^primaryInternationalISDNNumber:" -e "^primaryTelexNumber:" \
         -e "^profilePath:" -e "^registeredAddress:" -e "^sAMAccountName:" \
         -e "^scriptPath:" -e "^sn:" -e "^st:" -e "^street:" -e "^streetAddress:" \
         -e "^telephoneNumber:" -e "^teletexTerminalIdentifier:" \
         -e "^telexNumber:" -e "^title:" -e "^userAccountControl:" -e "^userPrincipalName:"\
         -e "^url:" -e "^userSharedFolder:" -e "^userSharedFolderOther:" -e "^wWWHomePage:" | \
    sed '/^dn:.*/ a\changetype: add' | sed '/^# record/ i\\n' > user-export.ldif

Explanation: Run an ldbsearch in the users container only, using sub-tree search for objectclass=user. If you need the whole directory, you can modify the search base to use the root or some other OU. The output from ldbsearch is then piped into a really long grep command that returns only appropriate attributes to keep in the new directory. This is obviously subjective, and probably should be tailored to your specific use case. Finally, we use sed to insert the changetype line (needed to tell ldbmodify that we are adding a user), and prefix with a blank line (to make it easier to read) for each exported object.

注意: You will need to modify the output file and remove any objects that you do not want transferred. The output file will contain objects (service users, built-ins, etc.) that can break your new directory if you fail to remove them! It will also contain the old domain in both the "dn" and "distinguishedName" attributies that must be changed before import.

To import, after editing the file and transferring to the new server, simply run the following command on your new samba domain controller:

# ldbmodify -H /var/lib/samba/private/sam.ldb user-export.ldif

Password Complexity

By default, Samba requires strong passwords. To disable the complexity check, issue the following command:

# samba-tool domain passwordsettings set --complexity=off

Set Password Settings Objects in the Samba wiki for more information

# samba-tool domain passwordsettings set --complexity=off

Set Password Settings Objects in the Samba wiki for more information