Packetwatch.net

Samba with Active Directory in FreeBSD



Last modified: Feb. 15, 2010

Contents
1 - Summary
2 - Dependencies
3 - Samba installation
4 - Service configuration
5 - Share example
6 - Service check


1 - Summary

This guide shows how to install Samba on FreeBSD. Samba serves file and printer
shares to SMB/CIFS clients, which includes both UNIX and Windows clients. In this
guide the FreeBSD computer joins a Windows 2003 Active Directory domain and
provides a network share whose authentication and access control are handled by
Active Directory accounts. This has been tested on FreeBSD 8.0.


2 - Dependencies

In this example we will be using Test.local for the Active Directory domain.
Set the hostname to a fully qualified name whose domain part matches the Active
Directory domain; the short part of the name becomes the computer account.
  hostname="server.Test.local"
# sudo vi /etc/rc.conf
Password:

Add the following to /etc/rc.conf.local to run an NTP time check at system
startup. Next, set the local timezone and update the system time from an NTP
time server (here the domain controller). Kerberos rejects requests from clients
whose clock differs from the KDC by more than the permitted skew, five minutes
by default, so this step is not optional.
  ntpdate_enable="YES"
  ntpdate_hosts="pdc.Test.local"
# sudo vi /etc/rc.conf.local 
Password:
# sudo ln -sf /usr/share/zoneinfo/timezone /etc/localtime
Password:
# sudo ntpdate -4b pdc.Test.local
Password:
12 Feb 08:51:36 ntpdate[1846]: step time server 192.168.1.20 offset 2.798483 sec

Modify /etc/sysctl.conf to raise the maximum number of files the kernel can
handle, then reboot. Samba needs at least 16,384.
  kern.maxfiles=16384
  kern.maxfilesperproc=16384
# sudo vi /etc/sysctl.conf
Password:
# sudo shutdown -r now
Password:

After the reboot, edit /etc/hosts to have only the following.
  127.0.0.1       localhost.Test.local localhost
  192.168.1.50    server.Test.local server
# sudo vi /etc/hosts

Create your own configuration file for Kerberos. Here is an example. The realm
name is upper case by convention; the [domain_realm] entry maps every host under
Test.local to that realm, and [realms] names the domain controller as the KDC.
  [libdefaults]
  default_realm = TEST.LOCAL
  [domain_realm]
  .Test.local = TEST.LOCAL
  [realms]
  TEST.LOCAL = {
  kdc = pdc.Test.local
  }
  [logging]
  default = SYSLOG:INFO:LOCAL7
# sudo vi /etc/krb5.conf
Password:

Test the Kerberos configuration by obtaining a ticket for a domain account. If
this fails, check the clock offset against the KDC and that pdc.Test.local
resolves before looking anywhere else.
# kinit Administrator
Administrator@TEST.LOCAL's Password: 

List the Kerberos credentials.
# klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: Administrator@TEST.LOCAL

  Issued           Expires          Principal
Feb 12 09:57:57  Feb 12 19:57:57  krbtgt/TEST.LOCAL@TEST.LOCAL
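The dependency steps above each have a way to go wrong silently (a hostname outside the realm, a file limit left at the default, a clock that drifted past the Kerberos skew limit), and the first symptom is usually a confusing kinit or join failure later on. The following preflight script is an added example written for this edit, not code from the original page; it assumes the domain controller pdc.Test.local and the realm TEST.LOCAL used throughout the guide, and Kerberos' default five-minute clock skew limit. The parsing functions take the command output as text, which is why they can be exercised with the lines shown above.

```shell
#!/bin/sh
# Pre-join checks for the dependencies in section 2 (added example, not part of
# the original guide). Assumptions: the DC/NTP server is pdc.Test.local, the
# realm is TEST.LOCAL, and Kerberos' default 300 s clock skew limit applies.
KDC="${KDC:-pdc.Test.local}"
REALM="${REALM:-TEST.LOCAL}"
MAXFILES_MIN=16384

# Print the domain part of a host name, lower-cased; prints nothing for a bare
# (unqualified) name.
domain_of_host() {
    printf '%s\n' "$1" | awk -F. 'NF > 1 { sub(/^[^.]*\./, ""); print tolower($0) }'
}

# Succeed when the host's domain equals the realm (case-insensitively), which
# is what the [domain_realm] mapping in krb5.conf relies on.
realm_matches_host() {
    d=$(domain_of_host "$1")
    r=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$d" ] && [ "$d" = "$r" ]
}

# Succeed when the absolute clock offset reported by ntpdate is below the limit
# in seconds (default 300). Accepts both the "... offset 2.79 sec" summary line
# and the "server ..., offset 2.79, delay ..." per-server line; a line without
# an offset (e.g. "no server suitable for synchronization found") fails.
skew_ok() {
    printf '%s\n' "$1" | awk -v lim="${2:-300}" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "offset" && $(i + 1) ~ /^-?[0-9]+(\.[0-9]+)?,?$/) {
                    o = $(i + 1); sub(/,$/, "", o); o += 0
                    if (o < 0) o = -o
                    if (o < lim) exit 0
                    exit 1
                }
            exit 1
        }'
}

# Succeed when the kern.maxfiles value is at least the required minimum.
maxfiles_ok() {
    [ "$1" -ge "${2:-$MAXFILES_MIN}" ] 2>/dev/null
}

# Run the live checks on this host; returns non-zero if any check fails.
preflight() {
    rc=0
    host=$(hostname)
    if realm_matches_host "$host" "$REALM"; then
        echo "ok:   hostname $host belongs to $REALM"
    else
        echo "FAIL: hostname $host is not a fully qualified name in $REALM"; rc=1
    fi
    mf=$(sysctl -n kern.maxfiles)
    if maxfiles_ok "$mf"; then
        echo "ok:   kern.maxfiles=$mf"
    else
        echo "FAIL: kern.maxfiles=$mf, need $MAXFILES_MIN (set it in /etc/sysctl.conf)"; rc=1
    fi
    # -q queries the server without touching the clock; the last line carries
    # the offset ntpdate computed against it.
    line=$(ntpdate -q "$KDC" 2>&1 | tail -n 1)
    if skew_ok "$line"; then
        echo "ok:   clock within the Kerberos skew limit ($line)"
    else
        echo "FAIL: clock skew too large or $KDC unreachable ($line)"; rc=1
    fi
    return $rc
}

# Only run the live checks when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as `sh preflight.sh run` before the kinit test; a FAIL on the skew line means ntpdate -b has not been run yet or the domain controller is not answering NTP, and a FAIL on the hostname line means the realm mapping in krb5.conf will not apply to this machine.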


3 - Samba installation

Install the samba port. Enable only the following options.
  [X] LDAP         With LDAP support
  [X] ADS          With Active Directory support
  [X] WINBIND      With WinBIND support
  [X] ACL_SUPPORT  With ACL support
  [X] SYSLOG       With Syslog support
  [X] DNSUPDATE    With dynamic DNS update(require ADS)
  [X] POPT         With system-wide POPT library
# cd /usr/ports/net/samba34/
# sudo make
Password:
# sudo make install
Password:
# sudo make clean
Password:


4 - Service configuration

Find where the samba daemons were installed.
# pkg_info -L samba* | grep sbin
/usr/local/sbin/smbd
/usr/local/sbin/nmbd
/usr/local/sbin/winbindd

Edit /etc/rc.conf.local so that the samba service will start when the system
starts up. Somewhere in the file add the following.
  samba_enable="YES"
# sudo vi /etc/rc.conf.local
Password:

Find where the configuration file should be put.
# pkg_info -L samba* | grep rc.d
/usr/local/etc/rc.d/samba
# grep smb.conf /usr/local/etc/rc.d/samba 
#samba_config="/usr/local/etc/smb.conf"
samba_config_default="/usr/local/etc/smb.conf"
# strings /usr/local/sbin/smbd | grep smb.conf
last_smb_conf_reload_time
/usr/local/etc/smb.conf
Only 1 perfcount handler may be registered in smb.conf
_srvsvc_NetShareSetInfo: client is trying to change csc policy from the network; must be done with smb.conf
Found a printer in smb.conf: %s[%x]
spoolss_addprinterex_level_2: add printer for printer %s called and no smb.conf parameter "addprinter command" is defined. This parameter must exist for this call to succeed
workgroup missing from smb.conf--exiting
ldap suffix missing from smb.conf--exiting
smb_conf_updated: Got message saying smb.conf was updated. Reloading.
smb_conf_updated

You can create your own configuration file. Here is a simple example without
any network shares. security = ADS makes this host a domain member that
authenticates users through Kerberos and the domain controller, restrict
anonymous = 2 refuses anonymous (null session) connections, smb ports = 139
keeps smbd off port 445, and wide links = No stops symbolic links from leading
outside a share. The idmap ranges are the local UIDs and GIDs that winbind
allocates for domain accounts. Afterwards, check the syntax.
  [global]
  workgroup = TEST
  realm = TEST.LOCAL
  server string =
  security = ADS
  password server = pdc.Test.local
  restrict anonymous = 2
  syslog only = Yes
  smb ports = 139
  load printers = No
  disable spoolss = Yes
  local master = No
  idmap gid = 10000-11000
  idmap uid = 10000-11000
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  hide dot files = No
  wide links = No
# pkg_info -L samba* | grep smb.conf
/usr/local/man/man5/smb.conf.5.gz
/usr/local/share/examples/samba*/smb.conf.sample
/usr/local/share/examples/samba*/dce-dfs/smb.conf
/usr/local/share/examples/samba*/smb.conf.default
/usr/local/share/examples/samba*/tridge/smb.conf
/usr/local/share/examples/samba*/tridge/smb.conf.WinNT
/usr/local/share/examples/samba*/tridge/smb.conf.fjall
/usr/local/share/examples/samba*/tridge/smb.conf.lapland
/usr/local/share/examples/samba*/tridge/smb.conf.vittjokk
# sudo cp /usr/local/share/examples/samba*/smb.conf.sample /usr/local/etc/smb.conf
Password:
# sudo cp /usr/local/etc/smb.conf /usr/local/etc/smb.conf.example
Password:
# sudo chmod u+w /usr/local/etc/smb.conf
Password:
# sudo vi /usr/local/etc/smb.conf
Password:
# /usr/local/bin/testparm 
Load smb config files from /usr/local/etc/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = TEST
        realm = TEST.LOCAL
        server string = 
        security = ADS
        password server = pdc.Test.local
        restrict anonymous = 2
        syslog only = Yes
        smb ports = 139
        load printers = No
        disable spoolss = Yes
        local master = No
        idmap uid = 10000-11000
        idmap gid = 10000-11000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        hide dot files = No
        wide links = No

Join the domain with an account that may create computer objects (Administrator
here). The join creates the computer account in Active Directory and stores the
machine password locally in Samba's secrets.tdb.
# /usr/local/bin/net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'SERVER' to realm 'Test.local'

List the Active Directory information.
# /usr/local/bin/net ads info
LDAP server: 192.168.1.20
LDAP server name: PDC.Test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Fri, 12 Feb 2010 10:37:05 CST
KDC server: 192.168.1.20
Server time offset: 0

Log into your primary domain controller and open Active Directory Users and
Computers. The computer should be listed under Computers. Also, check your DNS
zones and the computer should be listed there as well.

Start the samba services.
# sudo /usr/local/etc/rc.d/samba start
Password:
Removing stale Samba tdb files: ........ done
Starting nmbd.
Starting smbd.
Starting winbindd.

List all the users in the domain.
# /usr/local/bin/wbinfo -u
administrator
guest
...

List all groups in the domain.
# /usr/local/bin/wbinfo -g
domain users
domain admins
...


5 - Share example

Modify the name service switch configuration so that user and group lookups
also consult winbind; this is what lets the system resolve Active Directory
accounts by name. Have the following two lines.
  group: files winbind
  passwd: files winbind
# sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.original
Password:
# sudo vi /etc/nsswitch.conf
Password:

List the passwd database. Domain accounts now appear alongside the local ones,
with UIDs allocated from the idmap range in smb.conf.
# getent passwd
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
administrator:*:10091:10006:Administrator:/home/TEST/administrator:/bin/false
...

List the group database. Domain groups now appear alongside the local ones,
with GIDs allocated from the idmap range in smb.conf.
# getent group
wheel:*:0:root,user
daemon:*:1
domain users:x:10006
...

Set up the directory for a network share and hand it to the domain Administrator
and the Domain Users group. Because of winbind use default domain = Yes these
names are used without the TEST\ prefix.
# sudo mkdir -p /data/shares/backups/
Password:
# sudo chown -R "Administrator":"Domain Users" /data/shares/backups/
Password:
# ls -l /data/shares/
total 2
drwxr-xr-x  2 administrator  domain users  512 Feb 12 11:30 backups

Stop the samba services and add the following share definition to the samba
configuration file. valid users restricts the share to the Administrator
account: every other domain account is refused at the SMB level, even though the
directory's group permissions would let Domain Users read it on disk.
  [backups]
  comment = backups
  path = /data/shares/backups/
  valid users = Administrator
  write list = Administrator
  read only = No
# sudo /usr/local/etc/rc.d/samba stop
Password:
Stopping winbindd.
Waiting for PIDS: 589.
Stopping smbd.
Stopping nmbd.
Waiting for PIDS: 581.
# sudo vi /usr/local/etc/smb.conf
Password:

Test the samba configuration file.
# /usr/local/bin/testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[backups]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = TEST
        realm = TEST.LOCAL
        server string = 
        security = ADS
        password server = pdc.Test.local
        restrict anonymous = 2
        syslog only = Yes
        smb ports = 139
        load printers = No
        disable spoolss = Yes
        local master = No
        idmap uid = 10000-11000
        idmap gid = 10000-11000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        hide dot files = No
        wide links = No

[backups]
        comment = backups
        path = /data/shares/backups/
        valid users = Administrator
        write list = Administrator
        read only = No

Start the samba services.
# sudo /usr/local/etc/rc.d/samba start
Password:
Removing stale Samba tdb files: ........ done
Starting nmbd.
Starting smbd.
Starting winbindd.

Try to access the network share "\\server\backups" while logged in as a normal
domain user and it will fail. When you access the share as the domain
Administrator it will succeed and you will have read and write access.
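The [global] settings in section 4 and the share definition above are the places where a typo quietly weakens the setup: security = user instead of ADS turns the host back into a standalone server, restrict anonymous = 0 readmits null sessions, wide links = Yes lets a symbolic link inside the share reach the rest of the filesystem, and a share without valid users (or with guest ok = Yes) is open to every domain account or to nobody at all. The audit below is an added example written for this edit, not code from the original page; it re-reads an smb.conf and reports each of those deviations, using the guide's own configuration as the clean case and a constructed weak variant as the failing one. The expected values are the ones used in this guide, not general Samba defaults.

```shell
#!/bin/sh
# Audit an smb.conf for the settings this guide relies on (added example, not
# part of the original guide). Expected values are the guide's own: security =
# ADS, restrict anonymous = 2, wide links = No, and every share carrying a
# valid users list without guest ok.

# Print one finding per line; exit 0 when the file is clean, 1 otherwise.
audit_smbconf() {
    awk '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
        function val(s, k) { return ((s, k) in kv) ? kv[s, k] : "" }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                    # comments, blanks
        /^[ \t]*\[/ {                                           # [section]
            sec = norm($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            order[++n] = sec; next
        }
        index($0, "=") {                                        # key = value
            i = index($0, "=")
            kv[sec, norm(substr($0, 1, i - 1))] = norm(substr($0, i + 1)); next
        }
        END {
            f = 0
            if (val("global", "security") != "ads") {
                print "global: security must be ADS for a domain member (is \"" val("global", "security") "\")"; f++ }
            if (val("global", "restrict anonymous") != "2") {
                print "global: restrict anonymous should be 2 so null sessions are refused"; f++ }
            if (val("global", "wide links") !~ /^(no|false|0)$/) {
                print "global: wide links should be No so symlinks cannot leave the share"; f++ }
            for (j = 1; j <= n; j++) {
                s = order[j]; if (s == "global") continue
                if (val(s, "guest ok") ~ /^(yes|true|1)$/) {
                    print s ": guest ok = Yes allows unauthenticated access"; f++ }
                if (val(s, "valid users") == "") {
                    print s ": no valid users list, every domain account can connect"; f++ }
            }
            exit (f > 0)
        }' "$1"
}

# Constructed sample: the guide's [global] section plus the [backups] share.
SMB_GOOD=$(mktemp)
cat > "$SMB_GOOD" <<'EOF'
[global]
  workgroup = TEST
  realm = TEST.LOCAL
  security = ADS
  password server = pdc.Test.local
  restrict anonymous = 2
  smb ports = 139
  load printers = No
  disable spoolss = Yes
  local master = No
  idmap uid = 10000-11000
  idmap gid = 10000-11000
  winbind use default domain = Yes
  wide links = No

[backups]
  comment = backups
  path = /data/shares/backups/
  valid users = Administrator
  write list = Administrator
  read only = No
EOF

# Constructed weak variant: standalone security, null sessions allowed, wide
# links on, a guest share with no valid users list, and one correct share.
SMB_WEAK=$(mktemp)
cat > "$SMB_WEAK" <<'EOF'
[global]
  workgroup = TEST
  security = user
  restrict anonymous = 0
  wide links = Yes

[backups]
  path = /data/shares/backups/
  guest ok = Yes
  read only = No

[scratch]
  path = /data/shares/scratch
  valid users = Administrator
EOF
trap 'rm -f "$SMB_GOOD" "$SMB_WEAK"' EXIT
```

On the real host run `audit_smbconf /usr/local/etc/smb.conf`; feeding it the output of `testparm -s` saved to a file instead catches values that Samba normalizes or rejects, since testparm prints the configuration as smbd will actually load it.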


6 - Service check

Reboot the computer. Log in as usual and check that the samba services are
running and that the domain membership survived the reboot. That's it: samba
with Active Directory is now running on FreeBSD.
# sudo shutdown -r now
Password:
# sudo /usr/local/etc/rc.d/samba status
Password:
nmbd is running as pid 581.
smbd is running as pid 585.
winbindd is running as pid 589.
# net ads info
LDAP server: 192.168.1.20
LDAP server name: PDC.Test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Fri, 12 Feb 2010 11:23:07 CST
KDC server: 192.168.1.20
Server time offset: 0
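A process listing only proves the daemons started; it does not prove the machine account still works, that winbindd still holds the domain trust secret, or that nsswitch still resolves domain users. The health check below is an added example written for this edit, not code from the original page. It validates the `net ads info` output shown above (realm, KDC, clock offset) and then runs the join and winbind self-tests Samba 3 ships with. It assumes the realm TEST.LOCAL, the domain account administrator as the lookup probe, and the Samba binaries under /usr/local/bin as installed by the port.

```shell
#!/bin/sh
# Post-join health check for section 6 (added example, not part of the
# original guide). Assumptions: realm TEST.LOCAL, a domain account named
# "administrator" to resolve through nsswitch, Samba 3 tools in /usr/local/bin.
REALM="${REALM:-TEST.LOCAL}"
PROBE_USER="${PROBE_USER:-administrator}"
PATH="/usr/local/bin:$PATH"

# Validate "net ads info" output ($1) against the expected realm ($2) and a
# maximum clock offset in seconds ($3, default 300, Kerberos' skew limit).
# Prints one line per problem; exit 0 when everything checks out.
ads_info_check() {
    printf '%s\n' "$1" | awk -v realm="$2" -v lim="${3:-300}" '
        {
            i = index($0, ":"); if (i == 0) next      # "Key: value" lines only
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v); kv[k] = v
        }
        END {
            ok = 1
            if (toupper(kv["Realm"]) != toupper(realm)) {
                print "realm is \"" kv["Realm"] "\", expected " realm; ok = 0 }
            if (kv["KDC server"] == "") {
                print "no KDC server reported"; ok = 0 }
            if (!("Server time offset" in kv)) {
                print "no server time offset reported"; ok = 0
            } else {
                o = kv["Server time offset"] + 0; if (o < 0) o = -o
                if (o >= lim) {
                    print "clock skew " kv["Server time offset"] "s exceeds " lim "s"; ok = 0 }
            }
            exit (ok == 0)
        }'
}

# The "net ads info" output shown above, kept here as the known-good sample.
SAMPLE_ADS_INFO='LDAP server: 192.168.1.20
LDAP server name: PDC.Test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Fri, 12 Feb 2010 11:23:07 CST
KDC server: 192.168.1.20
Server time offset: 0'

# Live checks against the domain; returns non-zero if any of them fails.
health() {
    rc=0
    info=$(net ads info 2>&1)
    if ads_info_check "$info" "$REALM"; then echo "ok:   net ads info"
    else echo "FAIL: net ads info"; rc=1; fi
    # testjoin proves the machine account password in secrets.tdb still
    # authenticates against the domain controller.
    if net ads testjoin >/dev/null 2>&1; then echo "ok:   net ads testjoin"
    else echo "FAIL: net ads testjoin (re-run net ads join)"; rc=1; fi
    # -p pings winbindd; -t checks the trust secret it holds for the domain.
    for flag in p t; do
        if wbinfo -$flag >/dev/null 2>&1; then echo "ok:   wbinfo -$flag"
        else echo "FAIL: wbinfo -$flag"; rc=1; fi
    done
    # nsswitch must still resolve a domain account through winbind.
    if getent passwd "$PROBE_USER" >/dev/null 2>&1; then echo "ok:   getent passwd $PROBE_USER"
    else echo "FAIL: getent passwd $PROBE_USER (check /etc/nsswitch.conf and winbindd)"; rc=1; fi
    return $rc
}

# Only run the live checks when invoked as: sh health.sh run
if [ "${1:-}" = "run" ]; then
    health
fi
```

Run `sh health.sh run` after the reboot (and from cron if you want to be told when the machine account or the clock drifts out of the domain); a failing testjoin or wbinfo -t means the host must be joined again before any domain user can authenticate to the share.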


Packetwatch Research 2002-2017.