The nethserver-dc package runs a systemd-nspawn container (nsdc) with a vanilla Samba 4 inside of it. It downloads, installs, configures and provision an Active Directory domain controller based on Samba.

The nsdc container needs an IP address in a green network, different from the host machine one. It enslaves its network interface to a host bridge, with green role. If needed, this bridge is created automatically.

This is a typical configuration:

# config show nsdc

nethserver-dc-save event

  • it creates and configures systemd-nspawn machine (nethserver-dc-install action). The Samba domain is provisioned by the samba-provision.service unit, according to the ProvisionType prop value. Supported values are:
    • newdomain (default): domain and realm are taken from local system and won’t be possible to change them anymore. For instance if system domain is domain will be NETHSERVER and realm
    • ns6upgrade: connect the LDAP service running on the host machine and migrate the WS/PDC domain from ns6 backup to an Active Directory domain. The realm and domain name are set as described in the newdomain provision type.
    • sme8migration: this provision procedure is driven by nethserver-dc-migrate action. It requires a running NSDC, provisioned as newdomain. It copies Samba 3 files from the migration source directory to the NSDC chroot, then restarts the samba-provision and samba services in the running NSDC container.
  • it creates a network bridge if needed, or select an existing one and save it in nsdc bridge db prop (nethserver-dc-create-bridge action)
  • it waits for the machine to come up (nethserver-dc-waitstart)
  • it joins the domain of new machine using default credentials (nethserver-dc-join).
  • it sets the password policy (nethserver-dc-password-policy)

Realmd writes a lot of information on the system journal. See journalctl command.

Running commands in nsdc

To get a shell inside the nsdc container, you can run

# systemd-run -M nsdc -t /bin/bash

As alternative, run a specific command in the container with the nsdc-run helper:

# nsdc-run cat /etc/hostname

The -- string helps to separate the argument list:

# nsdc-run -- ls --help

For more information:

# nsdc-run --help

Always make sure to close interactive sessions to avoid errors like:

Failed to get machine PTY: No such file or directory

To get a list of sessions run


Manual Join

nethserver-dc-join action joins automatically to domain. If for any reason the join is invalid you can attempt a manual join following this procedure

Check nsdc is running:

systemctl status nsdc

Check the DNS is responding:

# host -t SRV _ldap._tcp.$(config getprop sssd Realm) has SRV record 0 100 389

Clean up any previous join state:

config setprop sssd Provider none
signal-event nethserver-sssd-leave

Join the domain:

realm join -v -U admin $(config getprop sssd Realm)

You can replace admin with any other administrative account name. The command above prompts for a password. When join is successful:

config setprop sssd Provider ad
signal-event nethserver-sssd-save

If everything goes well

getent passwd administrator@$(hostname -d)
# output:*:261600500:261600513:Administrator:/home/

/usr/libexec/nethserver/list-users -s administrator
# output: {"administrator": ...

Once domain is joined, you can manage users from interface. From command line, you can use net command

# net ads info

Factory reset

The “Start DC” procedure from the “Accounts provider” page is designed for a single run. If it fails, re-installing the whole server can be avoided by running the following command

signal-event nethserver-dc-factory-reset

The command cleans up the DC state and prepare it for new provisioning run. Any existing user and group account is erased.

If a full DC re-install is desired, after factory reset event, run also

rm -rf /var/lib/machines/nsdc

Uninstall nethserver-dc


signal-event nethserver-sssd-remove-provider

Upgrade the container

The upgrade procedure will:

  • stop the container
  • upgrade the chroot base system
  • upgrade samba
  • restart the container

To upgrade, execute:

signal-event nethserver-dc-upgrade

Changing the IP address of DC


Before applying this procedure, read carefully the official Samba wiki page.

The IP address of nsdc container must be in the same network of the bridged green interface. If needed, first change the address of the green interface, then proceed with the following.

Example, change the network address:

  • current host IP:
  • current nsdc container IP:
  • new nsdc container IP:

Execute the nethserver-dc-change-ip with the new ip address:

signal-event nethserver-dc-change-ip <new_ip_address>


signal-event nethserver-dc-change-ip

Note that the event will fail if the new nsdc ip address is not in the same network of the green interface.

Alternate UPN suffix

The default UPN (User Principal Name) suffix for a user account is the SSSD realm, but the nsdc container is configured to use also an extra UPN suffix set to the FQDN of the host machine.


  • Host FQDN:
  • SSSD realm:
  • Default UPN:
  • Extra UPN:

If required, the administrator can use RSAT tools to select the extra UPN for a specific user.


Enable check password script

This manual fix is only needed for old installations.

Edit /var/lib/machines/nsdc/etc/samba/smb.conf and add

check password script = /usr/local/sbin/

to the global section. Restart samba on the NSDC container:

systemctl -M nsdc restart samba

Apply the current system password policy to the Samba DC:

signal-event password-policy-update

ns-samba binary build

  1. Clone the git repo at, enter its directory

  2. Download pristine sources from the Samba project

  3. Check the sources signature

    gunzip -c samba-4.8.6.tar.gz | gpg --verify samba-4.8.6.tar.asc -
  4. Bump the source hash sum

    sha1sum samba-4.8.6.tar.gz > SHA1SUM
  5. Edit ns-samba.spec to fix version references and %changelog section

  1. Commit changes and add (signed) tag (i.e. 4.8.6)
  2. Push commit and tag to remote git repository to start the automated x86_64 build
  3. Once the automated build has finished successfully, fill the new relase page here:
  4. Copy the RPM URL to the local nethserver-dc.spec file
  5. Update SHA1SUM with the new RPM hash sum