Samba Active Directory Domain Controller (Linux): What to Do When Impacket & BloodHound Don’t Work
During a penetration test the author ran into a Linux-based Samba AD DC on which the usual Windows AD tools failed. By obtaining root on the DC and using Samba's own tooling (such as `samba-tool`), they created a domain administrator account and exported the password hashes, ultimately gaining full control of the domain. 2026-1-10 08:2:50 Author: infosecwriteups.com

Anezaneo

I hit a Samba-based AD DC during an engagement, my usual Windows AD playbook face-planted, and the fix was simple: stop fighting the platform and use Samba-native mechanics.

What to do? (AI-generated illustration)

During a recent pentest, I ran into something that sounds normal… until you actually touch it: an Active Directory Domain Controller running on Linux, backed by Samba.

And no — for the young Padawans reading this — my usual muscle memory didn’t help much.

I tried the “classic” toolkit: Impacket modules, BloodHound-python, the usual AD dumping tricks. But in this environment, those tools didn’t behave like they do against a Windows DC. Some things failed, other things returned incomplete results, and I spent a good few minutes staring at my terminal.

The catch: I already had root access via SSH on the Samba DC, but I didn’t know how to turn that into meaningful domain visibility. Everything I had learned about AD was basically tied to Windows services and Windows assumptions.

So I did what any responsible Jedi would do: I stopped swinging the lightsaber randomly and went to the Samba documentation. (Less “Jedi library,” more “read the manual before you embarrass yourself.”)

The “Oh…” moment: root on a DC is not “a foothold” — it’s the throne

Once you’re root on the Samba AD DC, you’re not near the domain… you’re inside the engine room.

At that point, you can manage the directory using Samba’s own admin tooling (the same way Windows admins would use native tools on a Windows DC). The key utility here is samba-tool, which is effectively the Swiss Army knife for Samba AD administration. The official man page shows it supports core user management actions like creating users and listing accounts.

Step 1: Spawn a Domain Admin — Because Why Not?

samba-tool user create pwneduser P@ssword123!
samba-tool group addmembers "Domain Admins" pwneduser

create pwneduser

That’s when the path became obvious:

  • If you can manage users and groups as an admin on the DC,
  • then privilege escalation isn’t “some clever exploit,”
  • it’s literally “domain administration via the intended tool.”

In my case, with root on the DC, I was able to create a new domain user and place it into a privileged group to validate the impact (in a controlled, authorized scope).

Here are some examples:

# Info domain
samba-tool domain info 127.0.0.1
# List domain users and groups
samba-tool user list
samba-tool group list
# Check who is in Domain Admins (visibility without changing anything)
samba-tool group listmembers "Domain Admins"
# List computers joined to the domain
samba-tool computer list

samba-tool
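The same visibility commands are what a defender should be polling, because this whole step leaves a trace in exactly one place: the member list of the privileged groups. The script below is an added example, not part of the original post or of the Samba project. It parses `samba-tool group listmembers` output (one sAMAccountName per line), diffs it against a recorded baseline so a freshly added Domain Admin stands out, and stat()s Samba's private databases to confirm they are still root-only. The list of watched groups, the root:0600 expectation and every sample value are assumptions constructed for the example.

```python
"""Privileged-group drift audit for a Samba AD DC.

Added example (not from the post or the Samba project). Diffs the current
members of sensitive groups, read with the same samba-tool subcommand the
post uses for visibility, against a known-good baseline, and checks that
Samba's private databases are still root-only. All sample data is constructed.
"""
import os
import subprocess
from typing import Dict, Iterable, List, Set

# Groups to watch: an assumption for this example, extend as needed.
SENSITIVE_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
# Samba's credential stores; expected root-owned with no group/world bits (assumption).
PRIVATE_DBS = ("/var/lib/samba/private/sam.ldb", "/var/lib/samba/private/secrets.ldb")


def parse_member_list(output: str) -> Set[str]:
    """Parse `samba-tool group listmembers <group>` output: one sAMAccountName per line."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def run_samba_tool(args: List[str]) -> str:
    """Run samba-tool on the DC itself and return its stdout (needs root)."""
    return subprocess.run(["samba-tool", *args], check=True,
                          capture_output=True, text=True).stdout


def collect_current(groups: Iterable[str] = SENSITIVE_GROUPS) -> Dict[str, Set[str]]:
    """Live snapshot of every watched group (only works on the DC)."""
    return {g: parse_member_list(run_samba_tool(["group", "listmembers", g])) for g in groups}


def group_drift(baseline: Dict[str, Set[str]],
                current: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per group, the members added to or removed from the baseline; empty if none."""
    report = {}
    for group in set(baseline) | set(current):
        before, now = baseline.get(group, set()), current.get(group, set())
        added, removed = now - before, before - now
        if added or removed:
            report[group] = {"added": added, "removed": removed}
    return report


def ldb_mode_is_safe(mode: int, uid: int) -> bool:
    """True when the file is root-owned and has no group/other permission bits."""
    return uid == 0 and (mode & 0o077) == 0


def audit_ldb_files(paths: Iterable[str] = PRIVATE_DBS) -> List[str]:
    """stat() the private databases and describe any with unsafe owner or mode."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # not a DC, or a non-default Samba layout
        if not ldb_mode_is_safe(st.st_mode, st.st_uid):
            findings.append(f"{path}: uid={st.st_uid} mode={oct(st.st_mode & 0o777)}")
    return findings


# Constructed sample: baseline recorded before the engagement, and the
# `samba-tool group listmembers` output captured afterwards.
SAMPLE_BASELINE = {"Domain Admins": {"Administrator"}, "Schema Admins": {"Administrator"}}
SAMPLE_OUTPUT = {"Domain Admins": "Administrator\npwneduser\n", "Schema Admins": "Administrator\n"}


def sample_report() -> Dict[str, Dict[str, Set[str]]]:
    """Drift report for the constructed sample (the new Domain Admin shows up)."""
    return group_drift(SAMPLE_BASELINE, {g: parse_member_list(o) for g, o in SAMPLE_OUTPUT.items()})


if __name__ == "__main__":
    for group, change in sample_report().items():
        print(f"[!] {group}: added={sorted(change['added'])} removed={sorted(change['removed'])}")
    for finding in audit_ldb_files():
        print(f"[!] {finding}")
```

Run it from cron on the DC with `collect_current()` in place of the constructed sample and a baseline you refresh only through change control; a "Domain Admins: added" line that nobody filed a ticket for is the signal. The permission check is the cheap half of the lesson in this post: root already owns those files, so the check only tells you whether anyone *below* root could also read them.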

Step 2: Dumping Hashes — No Need for secretsdump.py

Samba keeps credentials and other secrets in its backend databases (think sam.ldb and secrets.ldb). The important part is this: if you already have root on the Samba AD DC, you can often use native Samba tooling to extract authentication artifacts directly from that storage layer.


Depending on how the domain is configured, those artifacts can include material equivalent to NT hashes and/or Kerberos keys:

samba-tool user export /tmp/users.txt --attributes=uid,userPrincipalName,sAMAccountName,unicodePwd

⚠️ Heads up: These hashes look a bit different from what you’d expect from a Windows DC, but don’t worry — they’re still NT hashes. You can crack them just like you would with any other.

Bonus: Manual Hash Extraction with ldbsearch

If you enjoy doing things the old-fashioned way — robes, candles, command-line incantations — try this:

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName unicodePwd

You’re querying the Samba internal LDB database directly. No wrappers. No fancy tools. Just raw power.
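Both the `samba-tool user export` route above and this ldbsearch one come down to a process opening sam.ldb, so that file open is where a defender can hook in. The script below is an added example, not from the post and not from Samba or auditd: `audit_rules()` returns the watch rules to drop into /etc/audit/rules.d/, and `suspicious_accesses()` runs over audit.log records and returns every tagged access that did not come from the Samba daemon itself. The log lines are constructed, modelled on auditd's SYSCALL record layout; the allow-listed executable path is an assumption.

```python
"""Spot direct reads of Samba's credential databases with auditd.

Added example (not from the post or from Samba/auditd). audit_rules() gives
the watch rules to drop into /etc/audit/rules.d/; suspicious_accesses() runs
over audit.log records and returns every access to the watched files that did
not come from the Samba daemon. The log lines below are constructed, modelled
on auditd's SYSCALL record layout; the allow-list of expected executables is an
assumption for this example.
"""
import re
from typing import Dict, Iterable, List

WATCHED = ("/var/lib/samba/private/sam.ldb", "/var/lib/samba/private/secrets.ldb")
AUDIT_KEY = "samba_secrets"
EXPECTED_EXE = {"/usr/sbin/samba"}   # the AD DC daemon; path is an assumption
UNSET_AUID = "4294967295"            # auditd's auid=-1: no login session behind the process

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def audit_rules() -> List[str]:
    """Watch rules: log reads, writes and attribute changes, tagged with AUDIT_KEY."""
    return [f"-w {path} -p rwa -k {AUDIT_KEY}" for path in WATCHED]


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value pairs, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def suspicious_accesses(lines: Iterable[str]) -> List[Dict[str, object]]:
    """SYSCALL records carrying our key whose executable is not on the allow-list."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != AUDIT_KEY:
            continue
        if rec.get("exe") in EXPECTED_EXE:
            continue
        hits.append({
            "exe": rec.get("exe", "?"),
            "comm": rec.get("comm", "?"),
            "pid": rec.get("pid", "?"),
            "auid": rec.get("auid", "?"),
            # a login session (SSH root, su) behind the read is the strongest signal
            "interactive": rec.get("auid", UNSET_AUID) != UNSET_AUID,
        })
    return hits


# Constructed sample: the daemon's own access, its PATH record, then an
# ldbsearch run from a logged-in session (auid=1001) with root privileges.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1736496170.101:4101): arch=c000003e syscall=257 success=yes exit=14 '
    'ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 '
    'comm="samba" exe="/usr/sbin/samba" key="samba_secrets"',
    'type=PATH msg=audit(1736496170.101:4101): item=0 name="/var/lib/samba/private/sam.ldb" '
    'mode=0100600 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1736496233.552:4188): arch=c000003e syscall=257 success=yes exit=3 '
    'ppid=2950 pid=2991 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=7 '
    'comm="ldbsearch" exe="/usr/bin/ldbsearch" key="samba_secrets"',
]

if __name__ == "__main__":
    print("\n".join(audit_rules()))
    for hit in suspicious_accesses(SAMPLE_AUDIT_LOG):
        print(f"[!] pid={hit['pid']} {hit['exe']} ({hit['comm']}) auid={hit['auid']} "
              f"interactive={hit['interactive']}")
```

Two things to expect in practice. samba-tool is a Python program, so a legitimate admin exporting users shows up with a python3 `exe` rather than `/usr/sbin/samba`; that is intended, those runs are exactly what you want a human to review. And because the daemon opens these databases constantly, the allow-list is what keeps the alert volume sane; the `auid` field (unset for the daemon, set for anything launched from an SSH or console session) is the discriminator that matters when root has been obtained the way this post describes.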

Step 3: Now You’re the Admin — Time to Spread

Once I had my user in the Domain Admins group, I went back to the Windows machines joined to this Samba domain and ran a quick password spray using my freshly created creds.

And boom — RDP access to all domain-joined machines.

netexec rdp 10.0.0.0/24 -u 'user' -p 'pass'

netexec
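This step is loud on the target side: one account showing up on many hosts from one address inside a couple of minutes. The script below is an added example, not from the post and not netexec's code. It runs over normalised logon records of the kind a SIEM holds after collecting Windows 4624/4625 events from the domain-joined machines, and alerts when a single source/account pair reaches many distinct hosts inside a sliding window. The records, thresholds and field names are constructed for this example; logon type 10 is Windows' RemoteInteractive (RDP) logon type.

```python
"""Catch one credential fanning out over many hosts (the spray-then-RDP step).

Added example (not from the post or from netexec). It runs over normalised
logon records of the kind a SIEM holds after collecting Windows 4624/4625
events from domain-joined machines, and alerts when one source/account pair
reaches many distinct hosts inside a short window. Records, thresholds and
field names are constructed for this example; logon type 10 is Windows'
RemoteInteractive (RDP) logon type.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

HOST_THRESHOLD = 5               # distinct hosts per (source, account); assumption
WINDOW = timedelta(minutes=10)   # sliding window; assumption
RDP_LOGON_TYPE = 10


def fan_out_alerts(records: List[Dict], host_threshold: int = HOST_THRESHOLD,
                   window: timedelta = WINDOW) -> List[Dict]:
    """One alert per (src_ip, user) whose RDP logons touch >= host_threshold hosts in a window."""
    by_key = defaultdict(list)
    for r in records:
        if r["logon_type"] != RDP_LOGON_TYPE:
            continue
        by_key[(r["src_ip"], r["user"].lower())].append(
            (datetime.fromisoformat(r["time"]), r["host"], r["event_id"]))
    alerts = []
    for (src_ip, user), events in by_key.items():
        events.sort()
        best: set = set()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in events[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= host_threshold:
            alerts.append({
                "src_ip": src_ip, "user": user, "hosts": sorted(best),
                "successes": sum(1 for _, _, e in events if e == 4624),
                "failures": sum(1 for _, _, e in events if e == 4625),
            })
    return alerts


def _rec(t, host, user, src, event_id):
    """Build one constructed logon record."""
    return {"time": t, "host": host, "user": user, "src_ip": src,
            "event_id": event_id, "logon_type": RDP_LOGON_TYPE}


# Constructed sample: one account hitting six workstations from one address in
# two minutes (five successes, one failure), plus an ordinary single-host logon.
SAMPLE_LOGONS = [
    _rec("2026-01-10T08:02:10", "ws01", "pwneduser", "10.0.0.50", 4624),
    _rec("2026-01-10T08:02:14", "ws02", "pwneduser", "10.0.0.50", 4624),
    _rec("2026-01-10T08:02:19", "ws03", "pwneduser", "10.0.0.50", 4625),
    _rec("2026-01-10T08:02:25", "ws04", "pwneduser", "10.0.0.50", 4624),
    _rec("2026-01-10T08:02:31", "ws05", "pwneduser", "10.0.0.50", 4624),
    _rec("2026-01-10T08:03:40", "ws06", "pwneduser", "10.0.0.50", 4624),
    _rec("2026-01-10T08:05:00", "ws01", "alice", "10.0.0.77", 4624),
]

if __name__ == "__main__":
    for a in fan_out_alerts(SAMPLE_LOGONS):
        print(f"[!] {a['user']} from {a['src_ip']} reached {len(a['hosts'])} hosts "
              f"({a['successes']} ok / {a['failures']} failed): {', '.join(a['hosts'])}")
```

The point of counting hosts rather than failures is that a spray with a valid Domain Admin credential barely fails at all; a failure-count rule never fires, while the fan-out across workstations is unmistakable. Tune the threshold against your helpdesk's normal RDP pattern and pair it with the group-drift check: a brand-new account that is both in Domain Admins and fanning out is the post's whole chain seen from the blue side.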

Final Thoughts

My biggest lesson from this engagement wasn’t a command.

It was the mindset shift:

Active Directory isn’t “that Windows thing.”
It’s an identity and trust system — and Samba is a real implementation of it.

So when your DC is Linux, don’t panic and don’t brute-force the Windows playbook.

Use the native mechanics, understand the storage layer, and remember:

Sometimes the Force isn’t gone… you’re just trying to ignite the lightsaber from the wrong end.

Follow me, Douglas Costa and Infosec-Writeup, for more Red Team wizardry.


Source: https://infosecwriteups.com/samba-active-directory-domain-controller-linux-what-to-do-when-impacket-bloodhound-dont-work-1faee4828d5b?source=rss----7b722bfd1b8d---4