FreeBSD 9 SAMBA AD Member Server

This guide details the steps necessary to configure a SAMBA member server (3.6.5 as of 23/05/2012) on FreeBSD 9.0 in an existing Windows Active Directory domain. It is assumed that you have already installed a basic, functional server and configured details such as hostname, IP, DNS, timezone, etc.

I recommend setting the PACKAGEROOT variable to a geographically close mirror and performing a preliminary system update before continuing. Since I’m in Australia I executed the following:

freebsd-update fetch
freebsd-update install

For the purposes of this guide, the environment details are as follows. You will need to substitute your own values as necessary:

LAN subnet:
AD domain: test.local
DC name: tstdc1.test.local
SAMBA name: tstms1.test.local

Edit /etc/sysctl.conf and append the following lines:


If you didn’t install the ports tree during system installation, run:

portsnap fetch
portsnap extract

Update your ports tree:

portsnap update

Install PortMaster:

cd /usr/ports/ports-mgmt/portmaster
make install clean

Update the installed ports (it should be safe to accept the default values):

portmaster -a

Install the NTP daemon for time synchronisation:

portmaster net/ntp

Perform a time sync against your AD DC:


Install Heimdal Kerberos for AD authentication:

portmaster security/heimdal

Create /etc/krb5.conf assuming your AD domain is “test.local”. Note that the realm in “default_realm” is written in upper case:

[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[libdefaults]
	default_realm = TEST.LOCAL
	ticket_lifetime = 24h
	forwardable = yes

[appdefaults]
	pam = {
		debug = false
		ticket_lifetime = 36000
		renew_lifetime = 36000
		forwardable = true
		krb4_convert = false
	}

Check that Kerberos authentication is working:

kinit administrator
# Enter your TEST\administrator password when prompted.
# If successful, you will be returned to the command prompt without any error

List the Kerberos ticket:

klist
# Should show something similar to
# Credentials cache: FILE:/tmp/krb5cc_1001
#     Principal: administrator@TEST.LOCAL
#   Issued           Expires          Principal
# May 20 14:51:31  May 21 00:51:31  krbtgt/TEST.LOCAL@TEST.LOCAL

Install SAMBA 3.6:

portmaster net/samba36

Select the following options when prompted:

# Accept default options for all other packages.
# The installation will take quite a while.	

Create /usr/local/etc/smb.conf:

[global]
	workgroup = TEST
	security = ads
	realm = TEST.LOCAL
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
	use sendfile = true
	aio read size = 16384
	aio write size = 16384

	idmap config * : backend = tdb
	idmap config * : range = 100000-299999
	idmap config TEST : backend = rid
	idmap config TEST : range = 10000-99999
	winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	restrict anonymous = 2
	log file = /var/log/samba/log.%m
	max log size = 500

#============================ Share Definitions ==============================

[testshare]
	comment = Test share
	path = /samba/testshare
	read only = no
	valid users = @"TEST+Domain Users"
	force group = "Domain Users"
	directory mask = 0770
	force directory mode = 0770
	create mask = 0660
	force create mode = 0660
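The two idmap ranges above must never overlap, the rid backend decides which Unix UID an AD account ends up with, and the mask/force settings decide the mode of every file Windows users create on the share. The following script is an added example, not part of the original guide or of Samba itself: it parses an smb.conf in the shape used above (a constructed, trimmed copy is embedded), reports overlapping idmap ranges, shows the idmap_rid formula (ID = RID - base_rid + range_low) that puts TEST users in the 10000+ range, and computes the effective create mode the way Samba combines "create mask" (AND) and "force create mode" (OR). Function and variable names are my own.

```python
"""Sanity-check a Samba AD member smb.conf: idmap ranges, RID mapping, share modes.

Added example, not code from the guide or from Samba. Parses the [global]
and share sections, flags overlapping idmap ranges (two domains would map
different SIDs to the same Unix ID), shows how idmap_rid derives a UID from
an AD RID, and computes the effective mode of files created on a share.
"""
import re

# Constructed sample: the guide's smb.conf trimmed to the settings we check.
SAMPLE_SMB_CONF = """
[global]
    workgroup = TEST
    security = ads
    realm = TEST.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    winbind use default domain = yes
    restrict anonymous = 2

[testshare]
    path = /samba/testshare
    read only = no
    valid users = @"TEST+Domain Users"
    create mask = 0660
    force create mode = 0660
    directory mask = 0770
    force directory mode = 0770
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Keys are lower-cased with
    internal whitespace collapsed, since Samba treats them case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def idmap_ranges(conf):
    """Return {domain: (low, high)} from every 'idmap config X : range' key."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            name = m.group(1)
            ranges["*" if name == "*" else name.upper()] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ID ranges intersect; must be empty."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (_, a_high)), (b, (b_low, _))
            in zip(items, items[1:]) if b_low <= a_high]


def rid_to_unix_id(rid, ranges, domain="TEST", base_rid=0):
    """idmap_rid mapping: ID = RID - base_rid + range_low.
    Returns None when the result lands outside the domain's range."""
    low, high = ranges[domain]
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def effective_mode(requested, mask, force):
    """Samba ANDs the requested mode with the mask, then ORs the force bits."""
    return (requested & mask) | force


def check_share(conf, share):
    """Security-relevant findings for one share plus its effective file mode."""
    s = conf[share]
    findings = []
    if "valid users" not in s:
        findings.append("no 'valid users': any domain account may connect")
    # Samba defaults: create mask 0744, force create mode 000.
    mode = effective_mode(0o666, int(s.get("create mask", "0744"), 8),
                          int(s.get("force create mode", "0"), 8))
    if mode & 0o007:
        findings.append("files are world-accessible (mode %o)" % mode)
    return findings, mode


def audit(text):
    """Run all checks over an smb.conf and return a report dict."""
    conf = parse_smb_conf(text)
    ranges = idmap_ranges(conf)
    shares = {name: check_share(conf, name) for name in conf
              if name not in ("global", "homes", "printers")}
    return {"security": conf["global"].get("security"),
            "ranges": ranges, "overlaps": overlapping_ranges(ranges),
            "shares": shares}


if __name__ == "__main__":
    report = audit(SAMPLE_SMB_CONF)
    print("security =", report["security"])
    print("idmap overlaps:", report["overlaps"] or "none")
    print("Administrator (RID 500) ->", rid_to_unix_id(500, report["ranges"]))
    for share, (findings, mode) in report["shares"].items():
        print("[%s] create mode %o, findings: %s" % (share, mode, findings or "none"))
```

Run it as-is to audit the embedded sample, or swap SAMPLE_SMB_CONF for the contents of /usr/local/etc/smb.conf. RID 500 (Administrator) maps to UID 10500 and Domain Users (RID 513) to GID 10513, which is exactly the 10000+ range the later wbinfo/getent checks expect; a RID beyond 89999 falls off the top of the TEST range and winbind would not map it.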

Edit /etc/nsswitch.conf and update the following lines:

group: files winbind
passwd: files winbind

Join the SAMBA server to the AD domain:

net ads join -U administrator
# Enter TEST\administrator password when prompted
# If you see the following message
# "No DNS domain configured for prkms2. Unable to perform DNS Update."
# Open the DNS MMC and add an "A" record for your SAMBA server manually

Confirm AD membership is functional:

net ads testjoin
# Should report "Join is OK"

To start the SAMBA and Winbind services on boot, edit /etc/rc.conf and append:

samba_enable="YES"
winbindd_enable="YES"

Start the SAMBA services:

service samba start

Check that AD user and group details are available to the local FreeBSD system:

wbinfo -u
getent passwd
# Should end with your AD users, with UIDs in the 10000+ range
wbinfo -g
getent group
# Should end with your AD groups, with GIDs in the 10000+ range

Create SAMBA testshare directory and set ownership and permissions:

mkdir -p /samba/testshare
chmod 0770 /samba/testshare
chgrp "Domain Users" /samba/testshare

You should now be able to browse to your SAMBA server from a Windows AD member.

Reboot and check that the SAMBA services are correctly started on boot.
