Using Samba 4 As A Microsoft Windows Active Directory Domain Controller

My Opinion

I have no idea how well Samba 4 would work as an Active Directory Domain Controller, because I never got it out of the testing and evaluation stage. That testing/eval was all of *two* computers and *one* domain account.

The final stopper, in attempting to make it work, was bugginess in a component called "winbind," which is part of Samba4's AD DC authentication mechanism. It allegedly "unifies UNIX and Windows NT account management" (that's directly from samba.org's site). Ironically: winbind has a bug that prevents it from actually providing full user account information from the "Windows side" to the "Unix side." So it doesn't really "unify" the two very well.

Between my experience, and reading the traffic on the Samba users mailing list: Even had I managed to hack around winbind's b0rk3dness: It's unlikely Samba 4 would have ever been put into service as an AD DC on the production LAN. I was having grave forebodings about being on vacation and getting panicked calls to the effect of "The Windows network is down" or happily cruising along on a Friday afternoon, looking forward to the weekend and having somebody walk in and tell me "I can't log into the network, anymore," the phone start ringing, the HelpDesk start lighting up...

Samba is certainly fine as a straight MS-Win workgroup (e.g.: File and printer) server. Been using it, successfully, in that role for years. It *may* be ok as an MS-Win AD member. But as an MS-Win AD DC? I would not trust it.

Beside its wonky integration with PAM (Unix' Pluggable Authentication Module mechanism): It requires a 3rd-party plug-in to work with BIND DNS (the resulting dynamic zones, which, btw, apparently don't support updates to secondary servers), doesn't work with standard LDAP (e.g.: OpenLDAP) at all, and, near as I could tell, completely (?) disregards Unix file and directory ownerships and permissions. (Unless, allegedly, you use [only?] POSIX ACLs.)

And the documentation absolutely sux0rz. Where it's not incomplete it's often downright wrong--often leading one in a direction that does not, could not possibly work. (Had one mailing list participant tell me "I don't know what docs you're using" and point me right to the broken docs I had been using.)

The last thing I tried to do was typical of my entire experience: Had the "How To" instructing to use a certain switch+argument to the samba-tool utility. samba-tool did not complain about the use of that switch, but cheerfully refused to supply the desired result. That switch was not documented in the utility's manual page *at all*. Eliminating it (on a hunch) produced output, but the correct output? Could never find a way to verify.

In brutal summary: Samba4 as an Active Directory Domain Controller strikes me as what you'd get if a bunch of refugees from the Microsoft campus in Redmond got together and decided to make a Unix-based MS-Win AD server in as unlike a Unix way as they possibly could.