FreeBSD 10 SAMBA Active Directory Member Server

This guide details how to install and configure SAMBA 4.1 as an AD member server of an existing domain on FreeBSD 10.x. This is only a basic configuration with a single share that allows Domain Users read/write access. Further configuration can be performed to restrict access as well as enabling ACLs to provide granular access management to directories within shares.

NB: I’ve started right from the beginning of installing FreeBSD and YMMV if you are not installing from scratch but it’s only the samba41 package and its dependencies that are installed as part of this guide. You should also make sure your AD PDC FSMO is sourcing external time synchronisation because Kerberos authentication has a 5min tolerance. Clients exceeding that tolerance will experience authentication failures with their tickets.

  1. Accepted default charset.
  2. Entered hostname.
  3. Unchecked docs, games and ports trees.
  4. Accepted default auto partitioning.
  5. Set root password.
  6. Configured network interface with IPv4 static IP.
  7. Did not configure IPv6.
  8. Entered AD DC domain and IP DNS settings.
  9. Set timezone.
  10. Added NTPD to the SSHD and dumpdev services to load at startup.
  11. Did not add any additional users.
  12. Exited the installer and rebooted.
  13. Modified /etc/ssh/sshd_config to permit root login
    #PermitRootLogin no
    PermitRootLogin yes
  14. Restart SSHD
    service sshd restart
  15. Update system:
    freebsd-update fetch
    freebsd-update install
  16. Modified /etc/sysctl.conf
    kern.maxfiles=25600
    kern.maxfilesperproc=16384
    net.inet.tcp.sendspace=65536
    net.inet.tcp.recvspace=65536
  17. Install the “pkg” package manager and update the repository
    pkg
    pkg update
  18. Install Samba 4.1
    pkg install samba41
  19. Create /etc/krb5.conf
    [libdefaults]
    	default_realm = TEST.LOCAL
    	dns_lookup_realm = true
    	dns_lookup_kdc = true
    	ticket_lifetime = 24h
    	renew_lifetime = 7d
    	forwardable = yes
  20. Update /etc/nsswitch.conf
    group: files winbind
    passwd: files winbind
  21. Create /usr/local/etc/smb4.conf
    [global]
    	workgroup = TEST
    	server string = Samba Server Version %v
    	security = ads
    	realm = TEST.LOCAL
    	domain master = no
    	local master = no
    	preferred master = no
    	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    	use sendfile = true
    	 
    	idmap config * : backend = tdb
    	idmap config * : range = 100000-299999
    	idmap config TEST : backend = rid
    	idmap config TEST : range = 10000-99999
    	winbind separator = +
    	winbind enum users = yes
    	winbind enum groups = yes
    	winbind use default domain = yes
    	winbind nested groups = yes
    	winbind refresh tickets = yes
    	template homedir = /home/%D/%U
    	template shell = /bin/false
    		 
    	client use spnego = yes
    	client ntlmv2 auth = yes
    	encrypt passwords = yes
    	restrict anonymous = 2
    	log file = /var/log/samba4/log.%m
    	max log size = 50
    			 
    #============================ Share Definitions ==============================
    			 
    [testshare]
    	comment = Test share
    	path = /samba/testshare
    	read only = no
    	force group = "Domain Users"
    	directory mode = 0770
    	force directory mode = 0770
    	create mode = 0660
    	force create mode = 0660
    
  22. Join SAMBA to the domain
    net ads join -U administrator
    net ads testjoin
    # Should report "Join is OK"
  23. Enable and start SAMBA
    echo "samba_server_enable=YES" >> /etc/rc.conf
    service samba_server start
  24. Test Kerberos
    kinit administrator
    # Enter domain admin password, should return to the prompt
    	
    klist
    # Credentials cache: FILE:/tmp/krb5cc_0
    #    Principal: [email protected]TEST.LOCAL
    #
    # Issued                Expires               Principal
    # Dec  6 10:15:39 2014  Dec  6 20:15:39 2014  krbtgt/[email protected]
    
  25. Test Winbind
    wbinfo -u
    # Should return domain users
    	
    wbinfo -g
    # Should return domain groups
    	
    getent passwd
    # Should return domain users at the end of the list with 10000+ UIDs
    	
    getent group
    # Should return domain groups at the end of the list with 10000+ GIDs

    If the wbinfo commands don’t work it means either there’s an error in /usr/local/etc/smb4.conf or the winbind service isn’t running. It will usually be an error in smb4.conf so make sure you’ve replaced TEST and TEST.LOCAL to suit your own environment. Then restart the services

    service samba_server restart

    If the getent commands don’t work but wbinfo DOES return the expected results, check your /etc/nsswitch.conf passwd: and group: lines are set correctly as above, “compat” should be removed from both lines so they just specify “files winbind“.

  26. Create the share location on the server
    mkdir -p /samba/testshare
    chown "administrator":"domain users" /samba/testshare
    chmod 0770 /samba/testshare

You should then be able to browse the share from a Windows client and create files and directories etc.

NB: If you get an error that the server cannot be found by the Windows client check your AD DNS and add a hostname for your SAMBA server if it does not exist. It may not have been automatically created during the domain join process but you should have received an error at that point stating as much.

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website