Last modified: Feb. 15, 2010
Contents
1 - Summary
2 - Dependencies
3 - Samba installation
4 - Service configuration
5 - Share example
6 - Service check
1 - Summary
This guide will show how to install samba in FreeBSD. Samba is used to create
network file and printer shares to SMB/CIFS clients which includes both UNIX
and Windows clients. In this guide, the FreeBSD computer will join a Windows
2003 Active Directory domain and provide a network share that will use
authentication, security and share permissions using Active Directory. This has
been tested in FreeBSD 8.0.
2 - Dependencies
In this example we will be using Test.local for the Active Directory domain.
Change the hostname to have the domain match the Active Directory domain.
hostname="server.Test.local"
# sudo vi /etc/rc.conf
Password:
Add the following to /etc/rc.conf.local to do a NTP time check on system
startup. Next, set the local timezone and then update the system time from an
NTP time server.
ntpdate_enable="YES"
ntpdate_hosts="pdc.Test.local"
# sudo vi /etc/rc.conf.local
Password:
# sudo ln -sf /usr/share/zoneinfo/timezone /etc/localtime
Password:
# sudo ntpdate -4b pdc.Test.local
Password:
12 Feb 08:51:36 ntpdate[1846]: step time server 192.168.1.20 offset 2.798483 sec
Modify /etc/sysctl.conf to increase the maximum number of files the kernel can
handle and then reboot. The minimum number of files needed is 16,384.
kern.maxfiles=16384
kern.maxfilesperproc=16384
# sudo vi /etc/sysctl.conf
Password:
# sudo shutdown -r now
Password:
After the reboot, edit /etc/hosts to have only the following.
127.0.0.1 localhost.Test.local localhost
192.168.1.50 server.Test.local server
# sudo vi /etc/hosts
Create your own configuration file for Kerberos. Here is an example.
[libdefaults]
default_realm = TEST.LOCAL
[domain_realm]
.Test.local = TEST.LOCAL
[realms]
TEST.LOCAL = {
kdc = pdc.Test.local
}
[logging]
default = SYSLOG:INFO:LOCAL7
# sudo vi /etc/krb5.conf
Password:
Test the Kerberos configuration by typing the following.
# kinit Administrator
Administrator@TEST.LOCAL's Password:
List the Kerberos credentials.
# klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: Administrator@TEST.LOCAL
Issued Expires Principal
Feb 12 09:57:57 Feb 12 19:57:57 krbtgt/TEST.LOCAL@TEST.LOCAL
3 - Samba installation
Install the samba port. Enable only the following options.
[X] LDAP With LDAP support
[X] ADS With Active Directory support
[X] WINBIND With WinBIND support
[X] ACL_SUPPORT With ACL support
[X] SYSLOG With Syslog support
[X] DNSUPDATE With dynamic DNS update(require ADS)
[X] POPT With system-wide POPT library
# cd /usr/ports/net/samba34/
# sudo make
Password:
# sudo make install
Password:
# sudo make clean
Password:
4 - Service configuration
Find were the samba daemons were installed to.
# pkg_info -L samba* | grep sbin
/usr/local/sbin/smbd
/usr/local/sbin/nmbd
/usr/local/sbin/winbindd
Edit /etc/rc.conf.local so that the samba service will start when the system
starts up. Somewhere in the file add the following.
samba_enable="YES"
# sudo vi /etc/rc.conf.local
Password:
Find where the configuration file should be put.
# pkg_info -L samba* | grep rc.d
/usr/local/etc/rc.d/samba
# grep smb.conf /usr/local/etc/rc.d/samba
#samba_config="/usr/local/etc/smb.conf"
samba_config_default="/usr/local/etc/smb.conf"
# strings /usr/local/sbin/smbd | grep smb.conf
last_smb_conf_reload_time
/usr/local/etc/smb.conf
Only 1 perfcount handler may be registered in smb.conf
_srvsvc_NetShareSetInfo: client is trying to change csc policy from the \
network; must be done with smb.conf
Found a printer in smb.conf: %s[%x]
spoolss_addprinterex_level_2: add printer for printer %s called and nosmb.conf \
parameter "addprinter command" is defined. Thisparameter must exist for this \
call to succeed
workgroup missing from smb.conf--exiting
ldap suffix missing from smb.conf--exiting
smb_conf_updated: Got message saying smb.conf was updated. Reloading.
smb_conf_updated
You can create your own configuration file. Here is a simple example without
any network shares. Afterwards, check the syntax.
[global]
workgroup = TEST
realm = TEST.LOCAL
server string =
security = ADS
password server = pdc.Test.local
restrict anonymous = 2
syslog only = Yes
smb ports = 139
load printers = No
disable spoolss = Yes
local master = No
idmap gid = 10000-11000
idmap uid = 10000-11000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hide dot files = No
wide links = No
# pkg_info -L samba* | grep smb.conf
/usr/local/man/man5/smb.conf.5.gz
/usr/local/share/examples/samba*/smb.conf.sample
/usr/local/share/examples/samba*/dce-dfs/smb.conf
/usr/local/share/examples/samba*/smb.conf.default
/usr/local/share/examples/samba*/tridge/smb.conf
/usr/local/share/examples/samba*/tridge/smb.conf.WinNT
/usr/local/share/examples/samba*/tridge/smb.conf.fjall
/usr/local/share/examples/samba*/tridge/smb.conf.lapland
/usr/local/share/examples/samba*/tridge/smb.conf.vittjokk
# sudo cp /usr/local/share/examples/samba*/smb.conf.sample /usr/local/etc/smb.conf
Password:
# sudo cp /usr/local/etc/smb.conf /usr/local/etc/smb.conf.example
Password:
# sudo chmod u+w /usr/local/etc/smb.conf
Password:
# sudo vi /usr/local/etc/smb.conf
Password:
# /usr/local/bin/testparm
Load smb config files from /usr/local/etc/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = TEST
realm = TEST.LOCAL
server string =
security = ADS
password server = pdc.Test.local
restrict anonymous = 2
syslog only = Yes
smb ports = 139
load printers = No
disable spoolss = Yes
local master = No
idmap uid = 10000-11000
idmap gid = 10000-11000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hide dot files = No
wide links = No
Join the domain.
# /usr/local/bin/net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'SERVER' to realm 'Test.local'
List the Active Directory information.
# /usr/local/bin/net ads info
LDAP server: 192.168.1.20
LDAP server name: PDC.Test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Fri, 12 Feb 2010 10:37:05 CST
KDC server: 192.168.1.20
Server time offset: 0
Log into your primary domain controller and open Active Directory Users and
Computers. The computer should be listed under Computers. Also, check your DNS
zones and the computer should be listed there as well.
Start the samba services.
# /usr/local/etc/rc.d/samba start
Password:
Removing stale Samba tdb files: ........ done
Starting nmbd.
Starting smbd.
Starting winbindd.
List all the users in the domain.
# /usr/local/bin/wbinfo -u
administrator
guest
...
List all groups in the domain.
# /usr/local/bin/wbinfo -g
domain users
domain admins
...
5 - Share example
Modify the name switch service configuration file to allow authentication
against Active Directory. Have the following two lines.
group: files winbind
passwd: files winbind
# sudo cp /etc/nsswitch.conf /etc/nsswitch.conf.original
Password:
# sudo vi /etc/nsswitch.conf
Password:
List the passwd database information from the local computer. Now, it will also
include information from Active Directory.
# getent passwd
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
administrator:*:10091:10006:Administrator:/home/TEST/administrator:/bin/false
...
List the group database information from the local computer. Now, it will also
include information from Active Directory.
# getent group
wheel:*:0:root,user
daemon:*:1
domain users:x:10006
...
Setup a network share.
# sudo mkdir -p /data/shares/backups/
Password:
# sudo chown -R "Administrator":"Domain Users" /data/shares/backups/
Password:
# ls -l /data/shares/
total 2
drwxr-xr-x 2 administrator domain users 512 Feb 12 11:30 backups
Stop the samba services and add the following to the samba configuration file.
[backups]
comment = backups
path= /data/shares/backups/
valid users = Administrator
write list = Administrator
read only = No
# sudo /usr/local/etc/rc.d/samba stop
Password:
Stopping winbindd.
Waiting for PIDS: 589.
Stopping smbd.
Stopping nmbd.
Waiting for PIDS: 581.
# sudo vi /usr/local/etc/smb.conf
Password:
Test the samba configuration file.
# /usr/local/bin/testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[backups]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = TEST
realm = TEST.LOCAL
server string =
security = ADS
password server = pdc.Test.local
restrict anonymous = 2
syslog only = Yes
smb ports = 139
load printers = No
disable spoolss = Yes
local master = No
idmap uid = 10000-11000
idmap gid = 10000-11000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hide dot files = No
wide links = No
[backups]
comment = backups
path = /data/shares/backups/
valid users = Administrator
write list = Administrator
read only = No
Start the samba services.
# sudo /usr/local/etc/rc.d/samba start
Password:
Removing stale Samba tdb files: ........ done
Starting nmbd.
Starting smbd.
Starting winbindd.
Try to access this network share "\\server\backups" while logged in as a normal
domain user and it will fail. When you try to access this network share as the
domain Administrator it will be successful and you will and read and write
access.
6 - Service check
Reboot your computer. Log in like normal and check to see that the samba
services are running. That's it, now you have samba with Active Directory
running in FreeBSD.
# sudo shutdown -r now
Password:
# sudo /usr/local/etc/rc.d/samba status
Password:
nmbd is running as pid 581.
smbd is running as pid 585.
winbindd is running as pid 589.
# net ads info
LDAP server: 192.168.1.20
LDAP server name: PDC.Test.local
Realm: TEST.LOCAL
Bind Path: dc=TEST,dc=LOCAL
LDAP port: 389
Server time: Fri, 12 Feb 2010 11:23:07 CST
KDC server: 192.168.1.20
Server time offset: 0
|
