This guide details how to install and configure SAMBA 4.1 as an AD member server of an existing domain on FreeBSD 10.x. This is only a basic configuration with a single share that allows Domain Users read/write access. Further configuration can be performed to restrict access as well as enabling ACLs to provide granular access management to directories within shares.
NB: I’ve started right from the beginning of installing FreeBSD and YMMV if you are not installing from scratch, but it’s only the samba41 package and its dependencies that are installed as part of this guide. You should also make sure the DC holding the PDC emulator FSMO role is synchronising from an external time source, because Kerberos rejects tickets when the clock skew between client and KDC exceeds the default 5 minute tolerance. Clients outside that window will fail to authenticate, and the errors will look like bad passwords or broken tickets rather than a clock problem.
- Accepted default charset.
- Entered hostname.
- Unchecked docs, games and ports trees.
- Accepted default auto partitioning.
- Set root password.
- Configured network interface with IPv4 static IP.
- Did not configure IPv6.
- Entered AD DC domain and IP DNS settings.
- Set timezone.
- Added NTPD to the SSHD and dumpdev services to load at startup.
- Did not add any additional users.
- Exited the installer and rebooted.
- Modified /etc/ssh/sshd_config to permit root login. This is for convenience during the build only: root logins over SSH are a step backwards for hardening, so on a host that will stay in service create an unprivileged user in the wheel group and leave PermitRootLogin at "no", or at least restrict root to key-based logins with "PermitRootLogin without-password".

```
#PermitRootLogin no
PermitRootLogin yes
```
- Restart SSHD
```
service sshd restart
```
- Update system:
```
freebsd-update fetch
freebsd-update install
```
- Modified /etc/sysctl.conf
```
kern.maxfiles=25600
kern.maxfilesperproc=16384
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
```
- Install the “pkg” package manager and update the repository catalogue (the first pkg command on a fresh install bootstraps the package manager itself)

```
pkg
pkg update
```
- Install Samba 4.1
```
pkg install samba41
```
- Create /etc/krb5.conf
```
[libdefaults]
    default_realm = TEST.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
```
- Update /etc/nsswitch.conf
```
group: files winbind
passwd: files winbind
```
- Create /usr/local/etc/smb4.conf

```
[global]
    workgroup = TEST
    server string = Samba Server Version %v
    security = ads
    realm = TEST.LOCAL
    domain master = no
    local master = no
    preferred master = no
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
    use sendfile = true

    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999

    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/false

    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba4/log.%m
    max log size = 50

#============================ Share Definitions ==============================
[testshare]
    comment = Test share
    path = /samba/testshare
    read only = no
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
```

Replace TEST and TEST.LOCAL with your own NetBIOS domain name and Kerberos realm. The two idmap ranges must not overlap: the rid backend maps domain accounts arithmetically into 10000-99999, while the tdb default range 100000-299999 catches BUILTIN and any other SIDs winbind sees. The "winbind enum users/groups = yes" lines make wbinfo and getent list every domain account, which is handy for the tests below but expensive on a large domain; they can be set back to "no" once the join is verified, as authentication does not depend on them.
- Join SAMBA to the domain
```
net ads join -U administrator
net ads testjoin   # Should report "Join is OK"
```
- Enable and start SAMBA
```
echo "samba_server_enable=YES" >> /etc/rc.conf
service samba_server start
```
- Test Kerberos
```
kinit administrator   # Enter domain admin password, should return to the prompt
klist
# Credentials cache: FILE:/tmp/krb5cc_0
#         Principal: administrator@TEST.LOCAL
#
#   Issued                Expires               Principal
# Dec  6 10:15:39 2014    Dec  6 20:15:39 2014  krbtgt/TEST.LOCAL@TEST.LOCAL
```
- Test Winbind
```
wbinfo -u       # Should return domain users
wbinfo -g       # Should return domain groups
getent passwd   # Should return domain users at the end of the list with 10000+ UIDs
getent group    # Should return domain groups at the end of the list with 10000+ GIDs
```
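The 10000+ UIDs and GIDs are not arbitrary: with the rid backend winbind computes each ID as RID minus base_rid plus the low end of the domain range, and it refuses any lookup whose result falls outside that range. The following Python script is an added example, not part of this guide or of Samba: it parses the "idmap config" lines from a copy of the smb4.conf above (embedded here as a constructed sample), checks that every domain has a backend and a range and that no two ranges overlap, and reproduces the idmap_rid arithmetic for a few well-known RIDs. The sample text, the helper names and the chosen RIDs are assumptions for illustration; feed parse_idmap the contents of your real smb4.conf to lint it before joining.

```python
"""Added example: lint the idmap settings of a Samba smb4.conf and predict winbind IDs.
Not part of the original guide or of Samba; the sample config below is constructed
from the guide's smb4.conf."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] idmap-related lines from the guide's smb4.conf.
SAMPLE_SMB4_CONF = """
[global]
    workgroup = TEST
    security = ads
    realm = TEST.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config TEST : backend = rid
    idmap config TEST : range = 10000-99999
    winbind use default domain = yes
[testshare]
    path = /samba/testshare
"""

# Standard well-known Windows RIDs, used here only to illustrate the mapping.
WELL_KNOWN_RIDS = {"Administrator": 500, "Domain Admins": 512, "Domain Users": 513}

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)


def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line in [global].
    Domain names are upper-cased; '*' is kept as the key for the default backend."""
    domains: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":                  # idmap settings only count in [global]
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = "*" if m.group(1) == "*" else m.group(1).upper()
            domains.setdefault(dom, {})[m.group(2).lower()] = m.group(3).strip()
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' as winbind does; LOW must be below HIGH."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo >= hi:
        raise ValueError(f"bad range {value!r}")
    return lo, hi


def lint_idmap(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the idmap config is sane."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default: BUILTIN and foreign SIDs will not map")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range (winbind will not map IDs without one)")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Ranges must be pairwise disjoint, otherwise two SIDs can land on one UID/GID.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges for {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    return problems


def rid_to_id(domains: Dict[str, Dict[str, str]], domain: str, rid: int) -> int:
    """idmap_rid arithmetic: id = rid - base_rid + range_low (base_rid defaults to 0).
    winbind returns no mapping if the result falls outside the domain's range."""
    opts = domains[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain}: backend is not rid, mapping is not arithmetic")
    lo, hi = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", "0"))
    unix_id = rid - base_rid + lo
    if not lo <= unix_id <= hi:
        raise ValueError(f"RID {rid} -> {unix_id} is outside {lo}-{hi}; winbind would return no mapping")
    return unix_id


if __name__ == "__main__":
    doms = parse_idmap(SAMPLE_SMB4_CONF)
    for problem in lint_idmap(doms) or ["idmap config OK"]:
        print(problem)
    for name, rid in WELL_KNOWN_RIDS.items():
        print(f"TEST+{name} (RID {rid}) -> {rid_to_id(doms, 'TEST', rid)}")
```

With the guide's ranges, Domain Users (RID 513) becomes GID 10513 and Administrator (RID 500) becomes UID 10500, which is exactly what the getent output above shows. The out-of-range check matters in practice: a domain whose RIDs have grown past 89999 will silently fail to map newer accounts with a 10000-99999 range, so size the rid range for the domain, not for the test.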
If the wbinfo commands return nothing or an error, either there is a mistake in /usr/local/etc/smb4.conf or winbindd is not running. It is usually smb4.conf, so make sure you have replaced TEST and TEST.LOCAL to suit your own environment. Running "wbinfo -t" is also worth a look: it checks the machine account trust secret created by the join, so if it fails the server is not talking to the domain at all and no amount of smb4.conf tuning will help. Then restart the services

```
service samba_server restart
```
If the getent commands don’t return the domain accounts but wbinfo DOES return the expected results, check that the passwd: and group: lines in /etc/nsswitch.conf are set as above: “compat” must be removed from both lines so that they specify only “files winbind”.
- Create the share location on the server
```
mkdir -p /samba/testshare
chown "administrator":"domain users" /samba/testshare
chmod 0770 /samba/testshare
```
You should then be able to browse the share from a Windows client and create files and directories etc.
NB: If you get an error that the server cannot be found by the Windows client check your AD DNS and add a hostname for your SAMBA server if it does not exist. It may not have been automatically created during the domain join process but you should have received an error at that point stating as much.