Skip to content

Instantly share code, notes, and snippets.

Last active August 16, 2017 21:34
  • Star 13 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Samba 4.1 on FreeBSD 10.1

Samba 4.1 Active Directory Domain Controller on FreeBSD 10.1

To simplify home network management, I recently decommissioned my beefy domain controller/file server/Hyper-V host, moving mass file storage to the cloud. I thought I could live without Active Directory, but with 5 PCs and a couple of Windows tablets, I want it back, so my plan is to host a tiny VM instance in hyper-V on 4 of my desktop PCs, creating something like peer-to-peer AD (hopefully with little overhead).


The following references were incredibly helpful, but neither were perfect for getting up and running quickly, hence this gist.

FreeBSD Fresh

  1. Download FreeBSD
  1. Install (Easy on Hyper-V). Hyper-V integration services now built-in for FreeBSD.

Get Ready

  1. Update your ports:
  • # portsnap fetch extract update
  1. Prepare filesystem by adding acls option to /etc/fstab:
  • /dev/ada0p2 / ufs rw,acls 1 1
  • Apply: # mount -o acls /

pkg install

  • Install samba41:
    • # pkg install samba41
    • Results in something like the following:
Message for samba41-4.1.14:

How to start:

* Your configuration is: /usr/local/etc/smb4.conf

* All the relevant databases are under: /var/db/samba4

* All the logs are under: /var/log/samba4

* Provisioning script is: /usr/local/bin/samba-tool

%25%25NSUPDATE%25%25You will need to specify location of the 'nsupdate' command in the
%25%25NSUPDATE%25%25smb4.conf file:
%25%25NSUPDATE%25%25      nsupdate command = /usr/local/bin/samba-nsupdate -g
For additional documentation check:

Bug reports should go to the:

  • Note the nsupdate comment. We need to install samba-nsupdate:
    • # pkg install samba-nsupdate

New Domain

  • Make use of the tool:
  • Once complete, we receive the following message:
    • A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
  • Copy or link to /usr/local/etc/krb5.conf:
    • # ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/.
  • We now have an smb4.conf, which needs to know about our nsupdate path:
    • # vi /usr/local/etc/smb4.conf
        nsupdate command = /usr/local/bin/samba-nsupdate -g

Make it run

  • # echo 'samba_server_enable="YES"' >> /etc/rc.conf
  • # /usr/local/etc/rc.d/samba_server start


  • Update resolve.conf with domain name and AD DC IP(s):
  • # vi /etc/resolve.conf

Test it out

Just check out the Testing Your Samba Domain Controller section of the Samba AD DC HOWTO

Add Another

To join another FreeBSD DC to the existing domain, follow the previous steps up to New Domain, then (source: Join a domain as a DC):

Another's DNS Fun

  • Verify that the local hostname isn't resolved to in /etc/hosts:   localhost.localdomain    localhost   DC2   DC2
  • Configure /etc/resolv.conf

Another's Kerberos Setup

  • Create an /etc/krb5.conf file and add the following:
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM
  • Verify:
    • # kinit administrator

Join It

        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba-nsupdate -g

Make Another Run

  • # echo 'samba_server_enable="YES"' >> /etc/rc.conf
  • # /usr/local/etc/rc.d/samba_server start

Check Out Replication

  • # samba-tool drs showrepl

Password Complexity

   samba-tool domain passwordsettings set --complexity=off
   samba-tool domain passwordsettings set --history-length=0
   samba-tool domain passwordsettings set --min-pwd-age=0
   samba-tool domain passwordsettings set --max-pwd-age=0
Copy link

Second DC has replication problems after walking through this for second time:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment