FreeBSD 9.0 SAMBA AD Member Server
This guide details the steps necessary to configure a SAMBA member server (3.6.5 as of 23/05/2012) on FreeBSD 9.0 in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc.
I recommend setting the PACKAGEROOT variable to a geographically close mirror and performing a preliminary system update before continuing. Since I'm in Australia I executed the following:
setenv PACKAGEROOT ftp://mirror.aarnet.edu.au
freebsd-update fetch
freebsd-update install
For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:
LAN subnet: 10.1.1.0/24
AD domain: test.local
AD realm: TEST.LOCAL
DC name: prkdc1.test.local
DC IP: 10.1.1.1
SAMBA name: prkms1.test.local
SAMBA IP: 10.1.1.2
Edit /etc/sysctl.conf and append the following lines:
kern.maxfiles=25600
kern.maxfilesperproc=16384
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
If you didn't install the ports tree during system installation, run:
portsnap fetch
portsnap extract
Update your ports tree:
portsnap update
Install PortMaster:
cd /usr/ports/ports-mgmt/portmaster
make install clean
Update all installed packages (it should be safe to accept the default values):
portmaster -a
Install the NTP daemon for time synchronisation:
portmaster net/ntp
Perform a time sync against your AD DC:
ntpdate 10.1.1.1
Install Heimdal Kerberos for AD authentication:
portmaster security/heimdal
Create /etc/krb5.conf assuming your AD domain is "test.local". Note the capitalisation of "default_realm":
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.LOCAL
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Check that Kerberos authentication is working:
kinit administrator
# Enter your TEST\administrator password when prompted.
# If successful, you will be returned to the command prompt without any error.
List the Kerberos ticket:
klist
# Should show something similar to
#
# Credentials cache: FILE:/tmp/krb5cc_1001
# Principal: administrator@TEST.LOCAL
#
#   Issued           Expires          Principal
# May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL
Install SAMBA 3.6:
portmaster net/samba36
Select the following options when prompted:
ADS CUPS WINBIND ACL_SUPPORT AIO_SUPPORT FAM_SUPPORT SYSLOG QUOTAS UTMP DNSUPDATE POPT IPV6
# Accept default options for all other packages.
# The installation will take quite a while.
Create /usr/local/etc/smb.conf:
[global]
workgroup = TEST
server string = Samba Server Version %v
security = ads
realm = TEST.LOCAL
password server = 10.1.1.1
domain master = no
local master = no
preferred master = no
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config TEST:backend = rid
idmap config TEST:range = 10000-99999
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/sh
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 500

#============================ Share Definitions ==============================
[testshare]
comment = Test share
path = /samba/testshare
read only = no
valid users = @"TEST+Domain Users"
force group = "Domain Users"
directory mode = 0770
force directory mode = 0770
create mode = 0660
force create mode = 0660
# Hide share from users who don't have access
access based share enum = yes
# Hide files/directories if user doesn't have read access
hide unreadable = yes
Edit /etc/nsswitch.conf and update the following lines:
group: files winbind
passwd: files winbind
Join the SAMBA server to the AD domain:
net ads join -U administrator
# Enter TEST\administrator password when prompted.
# If you see the following message:
# "No DNS domain configured for prkms2. Unable to perform DNS Update."
# open the DNS MMC and add an "A" record for your SAMBA server manually.
Confirm AD membership is functional:
net ads testjoin
# Should report "Join is OK"
Set the SAMBA and Winbind services to start on boot: edit /etc/rc.conf and append:
samba_enable="YES"
winbindd_enable="YES"
Start the SAMBA services:
service samba start
Check that AD user and group details are available to the local FreeBSD system:
getent passwd
# Should end with your AD users, with UIDs in the 10000+ range
getent group
# Should end with your AD groups, with GIDs in the 10000+ range
Create the SAMBA testshare directory and set its ownership and permissions:
mkdir -p /samba/testshare
chmod 0770 /samba/testshare
chgrp "Domain Users" /samba/testshare
You should now be able to browse to your SAMBA server from a Windows AD member.
Reboot and check that the SAMBA services are correctly started on boot.
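As an added post-install check (not part of the original guide), the script below reads the idmap range out of smb.conf and verifies that every winbind-mapped AD account in getent passwd falls inside it, so that no AD user ends up sharing a UID with a local FreeBSD account. It assumes the guide's template homedir (/home/TEST/...) as the way to recognise AD users, and the smb.conf fragment and passwd lines are constructed sample data.

```shell
#!/bin/sh
# Post-join sanity check added here, not part of the original guide: confirm that
# winbind maps AD users into the idmap range configured in smb.conf, so an AD
# account can never collide with a local UID. Sample data below is constructed.

# Print "LOW HIGH" from the first "idmap config <DOMAIN>:range = LOW-HIGH" on stdin.
idmap_range() {
    awk -F'=' '/^[[:space:]]*idmap config [^=]*:range[[:space:]]*=/ {
        gsub(/[[:space:]]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit
    }'
}

# Read passwd(5) lines on stdin. AD users are recognised by the "template homedir"
# prefix (assumed /home/TEST/). Exit 0 if every AD UID lies in [LOW, HIGH], else 1.
check_ad_uids() {
    low=$1; high=$2; prefix=${3:-/home/TEST/}
    awk -F':' -v low="$low" -v high="$high" -v prefix="$prefix" '
        index($6, prefix) == 1 && ($3 + 0 < low + 0 || $3 + 0 > high + 0) {
            bad++; print "UID outside idmap range: " $1 " (" $3 ")" > "/dev/stderr"
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed fragment mirroring the guide's idmap settings.
SAMPLE_SMB_CONF='[global]
idmap config TEST:backend = rid
idmap config TEST:range = 10000-99999
template homedir = /home/%D/%U'

# Constructed getent passwd output: two local accounts, two winbind-mapped AD accounts.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
bob:*:1001:1001:Bob:/home/bob:/bin/sh
administrator:*:10500:10513:Administrator:/home/TEST/administrator:/bin/sh
jsmith:*:11104:10513:John Smith:/home/TEST/jsmith:/bin/sh'

# Run the check on the constructed data. On a live member server use:
#   getent passwd | check_ad_uids $(idmap_range < /usr/local/etc/smb.conf)
run_sample_check() {
    set -- $(printf '%s\n' "$SAMPLE_SMB_CONF" | idmap_range)
    printf '%s\n' "$SAMPLE_PASSWD" | check_ad_uids "$1" "$2"
}
run_sample_check && echo "all AD UIDs inside idmap range"
```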
Comments
I.e.s. Los Sauces
2013-02-25
Useful. Thanks for this.
Our class needed a clear explanation... Even if we are using another UNIX flavour like Arch Linux.
Kudos ;-)