FreeBSD 10.3 AMD64: Samba 4.6 with Windows Active Directory Authentication on a UFS File System

If you want to run a file sharing server with Samba but authenticate users against Active Directory, this is how to do it. The FreeBSD host joins the domain as a member server (security = ads); the Windows domain controller stays the only place where accounts and passwords live.

This tutorial assumes the following values; substitute your own:

hostname = bsd
samba server ip address = 192.168.0.2
domain full name = EXAMPLE.LOCAL
domain controller dns name = pdc1.example.local
primary domain controller ip = 192.168.0.1
domain dns server = 192.168.0.1

Update the ports tree (on a system that already has a ports tree, use portsnap fetch update instead of extract):

portsnap fetch
portsnap extract

Install Samba 4.6 from ports:

cd /usr/ports/net/samba46/

make install clean

In the options dialog that appears, enable ADS (Active Directory member support). The tutorial also enables AD_DC, although a plain member server does not need it.

Note: if you make a mistake in the options you can open the dialog again with: make config

change the hosts file: keep localhost on the loopback addresses and map the server's own name to its LAN address, fully qualified name first (the domain join and Kerberos use the canonical name the resolver returns for this host):

vi /etc/hosts

# $FreeBSD: releng/10.3/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1			localhost localhost.example.local
127.0.0.1		localhost localhost.example.local
192.168.0.2		bsd.example.local bsd
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#

point DNS at the domain controller (the join relies on the AD SRV records that its DNS serves):

vi /etc/resolv.conf

search example.local
nameserver 192.168.0.1

sync the clock with the domain controller. This step is not optional: Kerberos rejects tickets when the clock skew exceeds five minutes (the default), and the join will fail with a confusing error.

vi /etc/ntp.conf 

server pdc1.example.local iburst 
driftfile /var/db/ntp.drift

sync the time with the domain controller now:

ntpdate -4b pdc1.example.local

keep it in sync from boot on:

sysrc ntpdate_enable="YES"
sysrc ntpd_sync_on_start="YES"
sysrc ntpd_enable="YES"

Create the Kerberos client configuration (FreeBSD ships Heimdal; the [logging] block is optional on a client):

vi /etc/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.LOCAL
 
[domain_realm]
    .example.local = EXAMPLE.LOCAL
 
[realms]
    EXAMPLE.LOCAL = {
        kdc = 192.168.0.1 
        default_domain = example.local
    }
 
[logging]
    kdc = FILE:/var/log/kdc.log
    kdc = SYSLOG:INFO
    default = SYSLOG:INFO:USER

configure nsswitch:
make the group and passwd databases consult winbind after the local files (FreeBSD has no shadow database in nsswitch.conf(5); the passwd entry covers it)

vi /etc/nsswitch.conf

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind 
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

create and edit the Samba configuration file. The FreeBSD port reads /usr/local/etc/smb4.conf. A sample share is defined at the end.

vi /usr/local/etc/smb4.conf

[global]
    workgroup = EXAMPLE
    # do not advertise the exact Samba version to anyone who can reach port 445
    server string = Samba File Server
    security = ads
    realm = EXAMPLE.LOCAL
    use sendfile = true

    # default idmap backend, used for BUILTIN and any other domain
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    # rid backend: UID = RID + range start, so every member server computes the
    # same IDs without a shared database; the two ranges must not overlap
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999

    # enum lets getent passwd/group list domain accounts; costly in large domains
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    restrict anonymous = 2
    template homedir = /home/%D/%U
    # bash comes from ports (shells/bash); for a pure file server /usr/sbin/nologin is safer
    template shell = /usr/local/bin/bash

    # logging
    log level = 2
    log file = /var/log/samba4/samba.log.%m
    max log size = 50
    debug timestamp = yes


# example share

[SHARE]
    comment = Daily Emptied Dropbox
    path = /sharing/share
    valid users = "@EXAMPLE\Domain Users"
    force group = "Domain Users"
    writable = yes
    # group-writable only: 0666/0777 would let every local account on the
    # server read and write the files, not just domain users
    force create mode = 0660
    create mask = 0660
    directory mask = 0770
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes
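
Samba's testparm checks the syntax of smb4.conf, but it happily accepts settings that cause the problems this tutorial steers around: a parameter set twice (the last value wins), a server string that advertises the version, overlapping idmap ranges (which make UID assignments ambiguous), guest access, and world-writable create masks. The lint below is an added example written for this page, not a Samba tool or the author's code; the two embedded configs are constructed samples, one with those mistakes and one with them corrected.

```sh
#!/bin/sh
# Added example: a lint for an smb4.conf written for "security = ads". It is not
# a Samba tool; it complements testparm (which checks the syntax) by catching
# settings Samba accepts but an administrator should not want. Prints one WARN
# line per finding and always exits 0.
lint_smb_conf() {
    # usage: lint_smb_conf /usr/local/etc/smb4.conf
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function warn(msg) { print "WARN: " msg }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                  # comment or blank line
    /^[ \t]*\[/ {                                        # [section] header
        s = trim($0)
        if (substr(s, length(s), 1) == "]") { section = substr(s, 2, length(s) - 2); next }
    }
    index($0, "=") > 0 {
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1))
        id  = section ":" key
        if (id in seen) warn("[" section "] \"" key "\" is set more than once; the last value wins")
        seen[id] = val
        if (key ~ /^idmap config .* : range$/) {          # remember each idmap range
            dom = key; sub(/^idmap config /, "", dom); sub(/ : range$/, "", dom)
            split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        }
        if (key == "server string" && val ~ /%v/)
            warn("[" section "] server string advertises the Samba version (%v)")
        if (key == "guest ok" && tolower(val) ~ /^(yes|true|1)$/)
            warn("[" section "] guest access is enabled")
        if (key ~ /^(create mask|force create mode|directory mask|force directory mode)$/ &&
            substr(val, length(val), 1) ~ /[2367]/)
            warn("[" section "] " key " = " val " lets every local account write the files")
    }
    END {
        if (tolower(seen["global:security"]) == "ads" && !("global:realm" in seen))
            warn("[global] security = ads needs a realm")
        for (a in lo) for (b in lo)                      # overlapping ranges make UIDs ambiguous
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
                warn("idmap ranges for " a " and " b " overlap")
    }' "$1"
}

# Constructed sample: the tutorial's [global] with several mistakes put in
# (duplicate key, version banner, overlapping idmap ranges, open share).
write_weak_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    server string = Samba Server Version %v
    security = ads
    realm = EXAMPLE.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 10000-299999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999
    winbind use default domain = yes
    winbind use default domain = yes
[SHARE]
    path = /sharing/share
    guest ok = yes
    create mask = 0777
    directory mask = 0777
EOF
}

# Constructed sample: the same config with the mistakes corrected.
write_fixed_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = EXAMPLE
    server string = Samba File Server
    security = ads
    realm = EXAMPLE.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 100000-299999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999
    winbind use default domain = yes
[SHARE]
    path = /sharing/share
    valid users = "@EXAMPLE\Domain Users"
    create mask = 0660
    directory mask = 0770
EOF
}

finding_count() { lint_smb_conf "$1" | awk 'END { print NR }'; }   # number of WARN lines

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"; write_fixed_conf "$tmp/fixed.conf"
lint_smb_conf "$tmp/weak.conf"                                   # six findings
echo "fixed.conf: $(finding_count "$tmp/fixed.conf") findings"   # 0
rm -rf "$tmp"
```

On the real server run it as lint_smb_conf /usr/local/etc/smb4.conf after testparm; it reads the file only and changes nothing.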

enable Samba at boot and start it (the samba_server rc script starts the Samba daemons, winbindd included):

sysrc samba_server_enable=YES
service samba_server start

get a ticket from the PDC (this proves that DNS, the clock and /etc/krb5.conf are right before you attempt the join):

kinit administrator
# Enter the domain administrator password; kinit returns silently to the prompt on success

klist
# should show the ticket, something like:

# Credentials cache: FILE:/tmp/krb5cc_0
#    Principal: administrator@EXAMPLE.LOCAL
#
# Issued                Expires               Principal
# May  8 18:15:40 2017  May 10 20:15:39 2017  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL

Join the FreeBSD host to the domain (this creates the computer account on the domain controller and stores the machine secret locally):

net ads join -U administrator
# Enter domain administrator password, should return to the prompt

net ads testjoin
# Should report "Join is OK"

restart samba:

service samba_server restart

check that winbind can see the Active Directory users and groups:

wbinfo -u
# should list the domain users

wbinfo -g
# should list the domain groups

getent passwd
# should list the domain users after the local ones, with UIDs from the 10000-99999 rid range

getent group
# should list the domain groups after the local ones, with GIDs from the same range
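
The UID check above matters for more than tidiness: if a local account and a domain account ever share a UID, the domain user owns the local account's files on this server, and a domain account mapped outside the rid range means the idmap configuration is not what you think. The script below is an added example written for this page (not a Samba or winbind tool) that reads getent passwd output and flags those three conditions. It recognises domain accounts by the tutorial's template homedir layout (a home under /home/EXAMPLE/), which is an assumption about your smb4.conf, and the passwd lines in it are constructed samples.

```sh
#!/bin/sh
# Added example: check "getent passwd" output against the rid idmap range from
# smb4.conf. Every domain account must have a UID inside the range, no local
# account may sit inside it, and no UID may be shared by two accounts. Not a
# Samba tool. Domain entries are identified by the tutorial's
# "template homedir = /home/%D/%U" layout (an assumption about your config).
check_uid_map() {
    # usage: getent passwd | check_uid_map LOW HIGH ; prints one line per problem
    awk -F: -v lo="$1" -v hi="$2" '
    NF < 7 { next }                                # not a passwd(5) line
    {
        uid = $3 + 0
        is_domain = ($6 ~ /^\/home\/EXAMPLE\//)    # assumption: template homedir layout
        if (is_domain && (uid < lo || uid > hi))
            print "PROBLEM: domain account " $1 " has uid " uid " outside " lo "-" hi
        if (!is_domain && uid >= lo && uid <= hi)
            print "PROBLEM: local account " $1 " has uid " uid " inside the idmap range"
        if (uid in owner)
            print "PROBLEM: uid " uid " is shared by " owner[uid] " and " $1
        else
            owner[uid] = $1
    }'
}

# Constructed sample of getent passwd output: three local FreeBSD accounts
# followed by three winbind-mapped domain accounts.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
mehdi:*:1001:1001:Mehdi:/home/mehdi:/bin/sh
backup:*:10500:10500:Local backup job:/home/backup:/usr/sbin/nologin
administrator:*:10500:10513:Administrator:/home/EXAMPLE/administrator:/usr/local/bin/bash
alice:*:11104:10513:Alice:/home/EXAMPLE/alice:/usr/local/bin/bash
svc-backup:*:300010:10513:Service account:/home/EXAMPLE/svc-backup:/usr/local/bin/bash
EOF
}

# number of PROBLEM lines for the sample and a given range
problem_count() { sample_passwd | check_uid_map "$1" "$2" | awk 'END { print NR }'; }

# With the tutorial's range this reports three problems: the local "backup"
# account inside the range, its UID shared with "administrator", and
# "svc-backup" mapped outside the range.
sample_passwd | check_uid_map 10000 99999
```

On the live server replace the sample with getent passwd | check_uid_map 10000 99999, using the range you set for idmap config EXAMPLE : range.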

create the share directory and hand it to the domain group (the names resolve without the EXAMPLE\ prefix because of winbind use default domain = yes):

mkdir -p /sharing/share

chown -R "administrator":"domain users" /sharing/share

chmod 0770 /sharing/share

If you would rather not make administrator the owner, set only the group:

chgrp "domain users" /sharing/share

restart samba:

service samba_server restart

It's ready: domain users can now connect to the SHARE share on bsd with their Active Directory credentials.

By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com
TAG: freebsd 10, freebsd 10.3, samba, samba 46, samba 4.6, active directory authentication, kerberos, winbind, smb, smbd, file sharing