Support #386

Samba 4 Domain Controller on FreeBSD

Added by Daniel Curtis almost 10 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Domain Controller
Target version:
Start date:
05/03/2014
Due date:
% Done:

100%

Estimated time:
3.00 h
Spent time:

Description

This is a guide to how I installed Samba4 and got it working as a replacement for an Active Directory domain controller on FreeBSD 9.

Here’s the overview of the network:
  1. DC1: dc01.example.com 192.168.1.254
  2. DC2: dc02.example.com 192.168.1.253
  3. Router: 192.168.1.1
  4. Domain: example.com

Preparing the Environment

  • First of all, Samba4 is really bleeding edge at the time of this writing, so you’ll want to make sure pkg is up to date:
    pkg update && pkg upgrade
    
  • Samba4 requires ACLs to be enabled on the file system. Whichever partition holds the Samba4 data is the one you need to enable ACLs on. This example is the bare-bones install with just / and swap:
    edit /etc/fstab
    
    • Add the acls option to the / partition:
      # Device        Mountpoint      FStype  Options Dump    Pass#
      /dev/ada0p2     /               ufs     rw,acls 1       1
      /dev/ada0p3     none            swap    sw      0       0
      
    • NOTE: If installing in a jail, make sure to add the acls option to the host fstab and not the jail fstab.
  • Since I don’t feel like rebooting my system to apply it, I’ll simply remount the partition:
    mount -o acls /
    
  • You will also need to update your resolv.conf file to reflect the domain:
    edit /etc/resolv.conf
    
    • Here’s an example of what it should look like:
      # Generated by resolvconf
      search EXAMPLE.COM
      domain example.com
      nameserver 192.168.1.254
      nameserver 192.168.1.253
      nameserver 192.168.1.1 #Fallback DNS IP
      

Installing Samba4

  • Install Samba4:
    pkg install samba4
    
  • Now let’s provision Samba4 as a Domain Controller:
    /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 --interactive
    
    • Realm: example.com
    • Domain [example]: example
    • Server Role (dc, member, standalone) [dc]: dc
    • DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
    • DNS forwarder IP address (write 'none' to disable forwarding): 192.168.1.1
    • Administrator password: SuperSecretPassword
    • Retype password: SuperSecretPassword
  • Add the following line to the [global] section of /usr/local/etc/smb4.conf:
    [global]
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    
  • Start and enable Samba to start at boot:
    echo 'samba_server_enable="YES"' >> /etc/rc.conf
    service samba_server start
    

Testing Samba4

  • First let’s run this to test the domain:
    /usr/local/samba/bin/smbclient -L localhost -U%
    
  • You should see output for your domain. Now let’s test the administrative login:
    /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator -c 'ls'
    
  • If that’s all good, let’s test DNS:
    host -t SRV _ldap._tcp.example.com
    
    Expected output:
    _ldap._tcp.example.com has SRV record 0 100 389 sambaLDAP01.example.com.
    
  • And now let’s test the Kerberos DNS record:
    host -t SRV _kerberos._udp.example.com
    
    Expected output:
    _kerberos._udp.example.com has SRV record 0 100 88 sambaLDAP01.example.com.
    
  • And finally, let’s test our DNS A record:
    host -t A sambaLDAP01.example.com
    
    Expected output:
    sambaLDAP01.example.com has address 192.168.1.254

  • Now let’s test logging in as Administrator user (using Kerberos):
    kinit administrator@EXAMPLE.COM
    
  • And now run this to see your Kerberos ticket:
    klist
    
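As an added example (my own script, not part of the original write-up), here is a POSIX sh helper that checks two things this guide has you verify by eye: that the partition holding the Samba data is mounted with the acls option in /etc/fstab (the "Preparing the Environment" step), and that the host output for the LDAP and Kerberos SRV records and the DC’s A record all agree on one DC and the address given in the network overview (the "Testing Samba4" steps). The fstab text and host output embedded below are constructed samples copied from this page so the script runs offline; on a real DC, feed it `cat /etc/fstab` and live `host -t SRV` / `host -t A` output instead. The function names are my own.

```shell
#!/bin/sh
# Added verification helpers for the Samba4 DC checklist (not part of the
# original write-up). Inputs below are constructed samples copied from the
# page so the script runs offline; on a real DC feed it `cat /etc/fstab`
# and live `host -t SRV` / `host -t A` output instead.

# Return 0 if the fstab text on stdin mounts the given mountpoint
# (default "/") with the "acls" option, 1 otherwise.
fstab_has_acls() {
    mp="${1:-/}"
    awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acls") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Parse one line of `host -t SRV` output, e.g.
#   _ldap._tcp.example.com has SRV record 0 100 389 dc.example.com.
# Require the port to match and print the target host without its trailing dot.
srv_target() {
    line="$1"; want_port="$2"
    set -- $line    # fields: name has SRV record prio weight port target
    [ "$#" -eq 8 ] && [ "$3" = "SRV" ] && [ "$4" = "record" ] || return 1
    [ "$7" = "$want_port" ] || return 1
    printf '%s\n' "${8%.}"
}

# Parse one line of `host -t A` output ("name has address 1.2.3.4"); print the address.
a_record_ip() {
    set -- $1
    [ "$#" -eq 4 ] && [ "$2" = "has" ] && [ "$3" = "address" ] || return 1
    printf '%s\n' "$4"
}

# Cross-check: the LDAP and Kerberos SRV records must name the same DC, and
# that DC's A record must resolve to the address we expect for it.
verify_dc_records() {
    ldap_line="$1"; krb_line="$2"; a_line="$3"; want_ip="$4"
    ldap_host=$(srv_target "$ldap_line" 389) || { echo "bad LDAP SRV record" >&2; return 1; }
    krb_host=$(srv_target "$krb_line" 88)    || { echo "bad Kerberos SRV record" >&2; return 1; }
    [ "$ldap_host" = "$krb_host" ] || { echo "SRV records point at different hosts" >&2; return 1; }
    a_host=$(printf '%s\n' "$a_line" | awk '{ print $1 }')
    ip=$(a_record_ip "$a_line") || { echo "bad A record" >&2; return 1; }
    [ "$a_host" = "$ldap_host" ] && [ "$ip" = "$want_ip" ] \
        || { echo "A record for $a_host ($ip) does not match $ldap_host/$want_ip" >&2; return 1; }
    echo "DC $ldap_host serves LDAP and Kerberos and resolves to $ip"
}

# Constructed sample inputs, mirroring the fstab and host output shown above.
SAMPLE_FSTAB='# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/ada0p2     /               ufs     rw,acls 1       1
/dev/ada0p3     none            swap    sw      0       0'
SAMPLE_LDAP_SRV='_ldap._tcp.example.com has SRV record 0 100 389 sambaLDAP01.example.com.'
SAMPLE_KRB_SRV='_kerberos._udp.example.com has SRV record 0 100 88 sambaLDAP01.example.com.'
SAMPLE_A='sambaLDAP01.example.com has address 192.168.1.254'

printf '%s\n' "$SAMPLE_FSTAB" | fstab_has_acls / \
    && echo "acls enabled on /" || echo "WARNING: / is not mounted with acls" >&2
verify_dc_records "$SAMPLE_LDAP_SRV" "$SAMPLE_KRB_SRV" "$SAMPLE_A" 192.168.1.254
```

The SRV parser insists on the port (389 for LDAP, 88 for Kerberos) rather than only the hostname, so a record that was left pointing at a stale or wrong port fails the check instead of passing silently; the A-record cross-check catches the case where the SRV targets exist but resolve to some other machine, which is the situation in which domain joins fail with confusing errors.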

Resources

#1

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
  • % Done changed from 70 to 80
#2

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#3

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#4

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#5

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#6

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
#7

Updated by Daniel Curtis almost 10 years ago

  • Description updated (diff)
  • Status changed from In Progress to Resolved
  • % Done changed from 80 to 100
#8

Updated by Daniel Curtis about 9 years ago

  • Project changed from 81 to FreeBSD Administration
  • Category set to Domain Controller
  • Target version set to FreeBSD 9
#9

Updated by Daniel Curtis about 8 years ago

  • Description updated (diff)
#10

Updated by Daniel Curtis about 8 years ago

  • Description updated (diff)
#11

Updated by Daniel Curtis about 8 years ago

  • Status changed from Resolved to Closed
