FreeBSD 10.3 AMD64: Samba 46 with Windows Active Directory Authentication On UFS file system
if you want to run a file sharing server with samab but authenticate users against active directory this is how to do it.
This tutorial Assumes the following defaults:
hostname=bsd
samba_server ip address=192.168.0.2
domain full name=EXAMPLE.LOCAL
dns name= pdc1.example.local
primary domain controller ip = 192.168.0.1
domain dns server = 192.168.0.1
Update Ports three:
portsnap fetch portsnap extract
Install samba 4.6:
cd /usr/ports/net/samba46/ make install clean
configure to install ADS,AD_DC as shown in blow:
Note: if you made mistake in configuration options you can configure the port again with: make config
change hosts file:
vi /etc/hosts
# $FreeBSD: releng/10.3/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $ # # Host Database # # This file should contain the addresses and aliases for local hosts that # share this file. Replace 'my.domain' below with the domainname of your # machine. # # In the presence of the domain name service or NIS, this file may # not be consulted at all; see /etc/nsswitch.conf for the resolution order. # # ::1 localhost localhost.my.domain 127.0.0.1 bsd bsd.example.local 192.168.0.2 bsd bsd.example.local # # Imaginary network. #10.0.0.2 myname.my.domain myname #10.0.0.3 myfriend.my.domain myfriend # # According to RFC 1918, you can use the following IP networks for # private nets which will never be connected to the Internet: # # 10.0.0.0 - 10.255.255.255 # 172.16.0.0 - 172.31.255.255 # 192.168.0.0 - 192.168.255.255 # # In case you want to be able to connect to the Internet, you need # real official assigned numbers. Do not try to invent your own network # numbers but instead get one from your network provider (if any) or # from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.) #
set dns server to PDC:
vi /etc/resolv.conf search example.local nameserver 192.168.0.1
set time to server’s time:
vi /etc/ntp.conf server pdc1.example.local iburst driftfile /var/db/ntp.drift
sync time with srever now:
ntpdate -4b pdc1.example.local
set ntp for boot time:
sysrc ntpdate_enable="YES" sysrc ntpd_sync_on_start="YES" sysrc ntpd_enable="YES"
Create and Edit kerberos Configuration File:
vi /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.LOCAL
[domain_realm]
.example.local = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
kdc = 192.168.0.1
default_domain = example.local
}
[logging]
kdc = FILE:/var/log/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
configure nsswitch:
change group,shadow and password directives to use winbind
vi /etc/nsswitch.conf
# # nsswitch.conf(5) - name service switch configuration file # $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $ # group: files winbind shadow: files winbind group_compat: nis hosts: files dns networks: files passwd: files winbind passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files
create and edit samba configuration file.
I will creating a sample share too.
vi /usr/local/etc/smb4.conf
[global]
workgroup = EXAMPLE
server string = Samba Server Version %v
security = ads
realm = EXAMPLE.LOCAL
use sendfile = true
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
restrict anonymous = 2
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /usr/local/bin/bash
# Debug logging information
log level = 2
log file = /var/log/samba4/samba.log.%m
max log size = 50
debug timestamp = yes
# example share
[SHARE]
comment = Daily Emptied Dropbox
path = /sharing/share
valid users = "@EXAMPLE\Domain Users"
force group = "Domain Users"
writable = yes
read only = no
force create mode = 0666
create mask = 0777
directory mask = 0777
force directory mode = 0777
access based share enum = yes
hide unreadable = yes
start samba:
sysrc samba_server_enable=YES service samba_server start
get a ticket from pdc:
kinit administrator # Enter domain administrator password, should return to the prompt klist #shoud return the ticket, somthing like: # Credentials cache: FILE:/tmp/krb5cc_0 # Principal: administrator@EXAMPLE.LOCAL # # Issued Expires Principal # May 8 18:15:40 2017 May 10 20:15:39 2014 krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Join FreeBSD to domain:
net ads join -U administrator # Enter domain administrator password, should return to the prompt net ads testjoin # Should report "Join is OK"
restart samba:
service samba_server restart
get active directory users and groups:
wbinfo -u # Should return domain users wbinfo -g # Should return domain groups getent passwd # Should return domain users at the end of the list with 10000+ UIDs getent group # Should return domain groups at the end of the list with 10000+ GIDs
create share directory:
mkdir -p /sharing/share chown -R "administrator":"domain users" /sharing/share chmod 0770 /sharing/share or: chgrp "domain users" /sharing/share
restart samba:
service samba_server restart
Its Ready.
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com telegram:http://t.me/mehdi_sadighian
TAG: freebsd 10, freebsd 10.3, samba, samba 46, samba 4.6, active directory authentication, kerberos, winbind, smb, smbd, file sharing