Samba 4.1 on FreeBSD 10.1

SambaOnFreeBsd.md

Samba 4.1 Active Directory Domain Controller on FreeBSD 10.1

To simplify home network management, I recently decommissioned my beefy domain controller/file server/Hyper-V host, moving mass file storage to the cloud. I thought I could live without Active Directory, but with 5 PCs and a couple of Windows tablets, I want it back, so my plan is to host a tiny VM instance in hyper-V on 4 of my desktop PCs, creating something like peer-to-peer AD (hopefully with little overhead).

Resources

The following references were incredibly helpful, but neither were perfect for getting up and running quickly, hence this gist.

• Samba AD DC HOWTO
  • https://wiki.samba.org/index.php/Samba4/HOWTO
• samba4 dc in FreeBSD 10
  • https://forums.freebsd.org/threads/samba4-dc-in-freebsd-10.47798/

FreeBSD Fresh

1. Download FreeBSD

• https://www.freebsd.org/where.html

1. Install (Easy on Hyper-V). Hyper-V integration services now built-in for FreeBSD.

Get Ready

1. Update your ports:

• # portsnap fetch extract update

1. Prepare filesystem by adding acls option to /etc/fstab:

• /dev/ada0p2 / ufs rw,acls 1 1
• Apply: # mount -o acls /

pkg install

• Install samba41:
  • # pkg install samba41
  • Results in something like the following:

===============================================================================
Message for samba41-4.1.14:
 ===============================================================================

How to start: http://wiki.samba.org/index.php/Samba4/HOWTO

* Your configuration is: /usr/local/etc/smb4.conf

* All the relevant databases are under: /var/db/samba4

* All the logs are under: /var/log/samba4

* Provisioning script is: /usr/local/bin/samba-tool

%25%25NSUPDATE%25%25You will need to specify location of the 'nsupdate' command in the
%25%25NSUPDATE%25%25smb4.conf file:
%25%25NSUPDATE%25%25
%25%25NSUPDATE%25%25      nsupdate command = /usr/local/bin/samba-nsupdate -g
%25%25NSUPDATE%25%25
For additional documentation check: http://wiki.samba.org/index.php/Samba4

Bug reports should go to the: https://bugzilla.samba.org/

===============================================================================

• Note the nsupdate comment. We need to install samba-nsupdate:
  • # pkg install samba-nsupdate

New Domain

• Make use of the tool:
  • # samba-tool domain provision --use-rfc2307 --interactive
  • This is fairly straight-forward, but reference the [Samba AD DC HOWTO] (https://wiki.samba.org/index.php/Samba4/HOWTO#Provisioning_The_Samba_Active_Directory) if you get stuck.
• Once complete, we receive the following message:
  • A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
• Copy or link to /usr/local/etc/krb5.conf:
  • # ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/.
• We now have an smb4.conf, which needs to know about our nsupdate path:
  • # vi /usr/local/etc/smb4.conf

[global]
...
        nsupdate command = /usr/local/bin/samba-nsupdate -g

Make it run

• # echo 'samba_server_enable="YES"' >> /etc/rc.conf
• # /usr/local/etc/rc.d/samba_server start

DNS Fun

• Update resolve.conf with domain name and AD DC IP(s):
• # vi /etc/resolve.conf

domain samdom.example.com
nameserver 192.168.1.1

Test it out

Just check out the Testing Your Samba Domain Controller section of the Samba AD DC HOWTO

Add Another

To join another FreeBSD DC to the existing domain, follow the previous steps up to New Domain, then (source: Join a domain as a DC):

Another's DNS Fun

• Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts:

127.0.0.1   localhost.localdomain    localhost   DC2.samdom.example.com   DC2
10.99.0.2   DC2.samdom.example.com   DC2

• Configure /etc/resolv.conf

search samdom.example.com
nameserver 192.168.1.1

Another's Kerberos Setup

• Create an /etc/krb5.conf file and add the following:

[libdefaults]
    dns_lookup_realm = true
    dns_lookup_kdc = true
    default_realm = SAMDOM.EXAMPLE.COM

• Verify:
  • # kinit administrator

Join It

• Make use of the tool:
  • *# samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com
  • This is fairly straight-forward, but reference the [Samba AD DC HOWTO] (https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Join_the_existing_domain_as_a_Domain_Controller) if you get stuck.
• We now have an smb4.conf, which needs to know about our nsupdate path and our desire for rfc2307:
  • # vi /usr/local/etc/smb4.conf

[global]
...
        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba-nsupdate -g

Make Another Run

• # echo 'samba_server_enable="YES"' >> /etc/rc.conf
• # /usr/local/etc/rc.d/samba_server start

Check Out Replication

• # samba-tool drs showrepl

Password Complexity

   samba-tool domain passwordsettings set --complexity=off
   samba-tool domain passwordsettings set --history-length=0
   samba-tool domain passwordsettings set --min-pwd-age=0
   samba-tool domain passwordsettings set --max-pwd-age=0

Second DC has replication problems after walking through this for second time: https://forums.freebsd.org/threads/56530/