FreeBSD SAMBA AD Member Server

This guide details the steps necessary to configure a SAMBA member server (3.6.5 as of 23/05/2012) on FreeBSD 9.0 in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc.

I recommend setting the PACKAGEROOT variable to a geographically close mirror and performing a preliminary system update before continuing. Since I'm in Australia I executed the following:

setenv PACKAGEROOT ftp://mirror.aarnet.edu.au
freebsd-update fetch
freebsd-update install

For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:

LAN subnet: 10.1.1.0/24
     
AD domain: test.local
AD realm: TEST.LOCAL
DC name: tstdc1.test.local
DC IP: 10.1.1.1
     
SAMBA name: tstms1.test.local
SAMBA IP: 10.1.1.2

Edit /etc/sysctl.conf and append the following lines:

kern.maxfiles=25600
kern.maxfilesperproc=16384
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536

If you didn't install the ports tree during system installation, run:

portsnap fetch
portsnap extract

Update your ports tree:

portsnap update

Install PortMaster:

cd /usr/ports/ports-mgmt/portmaster
make install clean

Update the installed ports (it should be safe to accept the default values):

portmaster -a

Install the NTP daemon for time synchronisation:

portmaster net/ntp

Perform a time sync against your AD DC:

ntpdate 10.1.1.1

Install Heimdal Kerberos for AD authentication:

portmaster security/heimdal

Create /etc/krb5.conf assuming your AD domain is "test.local". Note the capitalisation of "default_realm":

[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[libdefaults]
	default_realm = TEST.LOCAL
	ticket_lifetime = 24h
	forwardable = yes

[appdefaults]
	pam = {
		debug = false
		ticket_lifetime = 36000
		renew_lifetime = 36000
		forwardable = true
		krb4_convert = false
	}

Check that Kerberos authentication is working:

kinit administrator
# Enter your TEST\administrator password when prompted.
# If successful, you will be returned to the command prompt without any error

List the Kerberos ticket:

klist
# Should show something similar to
#
# Credentials cache: FILE:/tmp/krb5cc_1001
#     Principal: administrator@TEST.LOCAL
#
#   Issued           Expires          Principal
# May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL

Install SAMBA 3.6:

portmaster net/samba36

Select the following options when prompted:

ADS
CUPS
WINBIND
ACL_SUPPORT
AIO_SUPPORT
FAM_SUPPORT
SYSLOG
QUOTAS
UTMP
DNSUPDATE
POPT
IPV6

# Accept default options for all other packages.
# The installation will take quite a while.

Create /usr/local/etc/smb.conf:

[global]
	workgroup = TEST
	server string = Samba Server Version %v
	security = ads
	realm = TEST.LOCAL
	domain master = no
	local master = no
	preferred master = no
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
	use sendfile = true
#	read raw = yes  # Should provide a performance increase but currently untested, YMMV
#	write raw = yes  # Should provide a performance increase but currently untested, YMMV
	aio read size = 16384
	aio write size = 16384

	idmap config * : backend = tdb
	idmap config * : range = 100000-299999
	idmap config TEST : backend = rid
	idmap config TEST : range = 10000-99999
	winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind nested groups = yes
	winbind refresh tickets = yes
	template homedir = /home/%D/%U
	template shell = /bin/sh

	client use spnego = yes
	client ntlmv2 auth = yes
	encrypt passwords = yes
	restrict anonymous = 2
	log file = /var/log/samba/log.%m
	max log size = 500

#============================ Share Definitions ==============================

[testshare]
	comment = Test share
	path = /samba/testshare
	read only = no
	valid users = @"TEST+Domain Users"
	force group = "Domain Users"
	directory mode = 0770
	force directory mode = 0770
	create mode = 0660
	force create mode = 0660
	# Hide share from users who don't have access
	access based share enum = yes
	# Hide files/directories if user doesn't have read access
	hide unreadable = yes

Edit /etc/nsswitch.conf and update the following lines:

group: files winbind
passwd: files winbind

Join the SAMBA server to the AD domain:

net ads join -U administrator
# Enter TEST\administrator password when prompted
	
# If you see the following message
# "No DNS domain configured for prkms2. Unable to perform DNS Update."
# Open the DNS MMC and add an "A" record for your SAMBA server manually

Confirm AD membership is functional:

net ads testjoin
# Should report "Join is OK"

To set the SAMBA and Winbind services to start on boot, edit /etc/rc.conf and append:

samba_enable="YES"
winbindd_enable="YES"

Start the SAMBA services:

service samba start

Check that AD user and group details are available to the local FreeBSD system:

wbinfo -u
getent passwd
# Should end with your AD users, with UIDs in the 10000+ range

wbinfo -g
getent group
# Should end with your AD groups, with GIDs in the 10000+ range
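The UID check above only eyeballs the output. The following script is an added example (not part of the original guide) that checks the same thing mechanically: it reads the two idmap ranges from smb.conf, confirms the catch-all "*" range does not overlap the rid-mapped TEST range, and verifies that every winbind user maps into the TEST range. SMB_CONF, the short domain name TEST and the script file name are assumptions matching this guide's configuration.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the idmap
# settings of a member server before trusting its UID/GID mappings. With
# "idmap config TEST : backend = rid" a domain user's UID is "range low + RID",
# so every domain account must land inside that range, and the catch-all "*"
# range must not overlap it. SMB_CONF and the short domain name TEST are
# assumptions matching the guide's configuration.

SMB_CONF="${SMB_CONF:-/usr/local/etc/smb.conf}"

# idmap_range CONF DOMAIN: print "low high" of "idmap config DOMAIN : range"
idmap_range() {
    awk -v dom="$2" '
        $1 == "idmap" && $2 == "config" && $3 == dom && $5 == "range" {
            split($7, r, "-"); print r[1], r[2]; exit
        }' "$1"
}

# ranges_disjoint "lo1 hi1" "lo2 hi2": succeed only if both ranges are
# well-formed (low < high) and share no UID/GID
ranges_disjoint() {
    set -- $1 $2
    [ "$1" -lt "$2" ] && [ "$3" -lt "$4" ] || return 1
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# uids_in_range LOW HIGH NAME...: read passwd-format lines on stdin (the
# output of "getent passwd") and report every NAME that is missing or whose
# UID falls outside [LOW, HIGH]; returns 1 if any offender was found
uids_in_range() {
    lo=$1; hi=$2; shift 2
    passwd=$(cat); rc=0
    for name in "$@"; do
        uid=$(printf '%s\n' "$passwd" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
        if [ -z "$uid" ] || [ "$uid" -lt "$lo" ] || [ "$uid" -gt "$hi" ]; then
            printf 'BAD  %s uid=%s (expected %s-%s)\n' "$name" "${uid:-missing}" "$lo" "$hi"
            rc=1
        fi
    done
    return $rc
}

# Live use on the joined server: "sh idmap-check.sh --live" (hypothetical name).
# "$(wbinfo -u)" is word-split, so account names are assumed to have no spaces.
if [ "${1:-}" = "--live" ]; then
    ranges_disjoint "$(idmap_range "$SMB_CONF" '*')" "$(idmap_range "$SMB_CONF" TEST)" \
        || { echo "idmap ranges in $SMB_CONF overlap or are malformed"; exit 1; }
    getent passwd | uids_in_range $(idmap_range "$SMB_CONF" TEST) $(wbinfo -u) && echo "all winbind users map into the TEST range"
fi
```

Any line printed as BAD means that account was not allocated by the rid backend (or is a local account that happens to share a name with a domain account), which is worth resolving before setting `valid users` on shares.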

Create the SAMBA testshare directory and set its ownership and permissions:

mkdir -p /samba/testshare
chmod 0770 /samba/testshare
chgrp "Domain Users" /samba/testshare

You should now be able to browse to your SAMBA server from a Windows AD member.

Reboot and check that the SAMBA services are correctly started on boot.


Comments


2014-08-13

Some of the configuration options are different in SAMBA 4.x so generally you'll have some issues with shares prompting for username/password etc if you try and use a 3.x config.

I've been working on updated guides for each distro/OS with the necessary options to allow 4.x to work but they're not quite ready yet. I'm also hoping to include proper ACL support so permissions are a bit nicer to work with and can be modified straight from Windows and a few other things.


Jv

2014-08-12

I wonder if the 4.X procedures on FBSD 10.0 are the same ...


2014-05-13

Your server will usually join the domain by IP4. I'd recommend just adding the server's IP6 address manually to one of your DNS DCs if you want to provide IP6 connectivity. Windows 7 and 8 prefer IP6 over IP4 according to "netsh int ipv6 show prefix" and as long as an AAAA DNS record exists they should use it. There may be an option to force trying IP6 first but AD just relies on whatever DNS records are returned in your environment so that's where I'd start.


Jeya

2014-04-25

Hi, I have my FreeBSD client with both IPv4 & IPv6 addresses enabled. I want to join the AD domain with my IPv6 client address and not by IPv4 address. Can anyone suggest ideas?

net ads join -U [email protected]
Note: Joining the AD domain with IPv4 was successful in my case. I need help for IPv6.


2013-02-25

Useful. Thanks for this.

Our class needed a clear explanation... Even if we are using another UNIX flavour like Arch Linux.

Kudos ;-)
