Support #330
Updated by Daniel Curtis almost 11 years ago
To increase the reliability of my Active Directory domain, I have decided to create a backup domain controller in a jail on my FreeNAS server. This guide documents the procedure used to set up the server.

Once the jail had been created, I logged into the jail via ssh:

<pre>
ssh root@dc1.example.com
</pre>

h2. Install Samba4

Begin by installing BIND 9.8, Heimdal Kerberos, and samba4 via pkg:

<pre>
pkg install bind98
pkg install heimdal
pkg install samba4
</pre>

NOTE: I chose to use the BIND 9.8 package instead of the default Samba internal DNS server, since that is what I am using on the primary domain controller.

Once the package finishes installing, the following is displayed:

> This port is *STILL* experimental, use it at your own risk.
>
> How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
>
> * Your configuration is: /usr/local/etc/smb4.conf
>
> * All the relevant databases are under: /var/db/samba4
>
> * All the logs are under: /var/log/samba4
>
> * Provisioning script is: /usr/local/bin/samba-tool
>
> You will need to specify location of the 'nsupdate' command in the
> smb4.conf file:
>
> nsupdate command = /usr/local/bin/samba-nsupdate -g

h2. Configure @/usr/local/etc/krb5.conf@

In order to join the Active Directory domain, Samba and Kerberos need to be configured. Start by editing /etc/krb5.conf:

<pre>
nano /etc/krb5.conf
</pre>

> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }

NOTE: Make sure to replace EXAMPLE.COM with the Active Directory realm.
At this point, I was able to connect to the primary domain controller's Kerberos realm:

<pre>
kinit administrator
</pre>

I verified that the credentials were accepted by running:

<pre>
klist
</pre>

> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@example.com
>
> Valid starting       Expires              Service principal
> 11/11/12 17:29:51    11/12/12 03:29:51    krbtgt/example.com@example.com
>         renew until 11/12/12 17:29:49

Now the machine can be joined to the Active Directory domain.

h2. Joining the existing domain as a DC

Make sure that your @/etc/resolv.conf@ contains at least one nameserver entry pointing to a DNS server that can resolve your Samba AD zone(s). Example:

<pre>
nameserver 192.168.0.1
</pre>

Run the following provisioning command to join the domain, specifying the BIND9_DLZ DNS backend:

<pre>
samba-tool domain join example.com DC -Uadministrator --realm=example.com --dns-backend=BIND9_DLZ
</pre>

During the join, you should see a set of debug messages about replicating the domain's content, like this:

> Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1614/1614] linked_values[28/0]

At the end, you will see a message like this:

> Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC

Now you have joined your Samba4 server to your existing domain.
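The steps above depend on three things being right before @samba-tool domain join@ is run: a working nameserver entry in @/etc/resolv.conf@, a @default_realm@ in @krb5.conf@ that exactly matches the AD realm (Kerberos realm names are case-sensitive), and the @nsupdate command@ setting in @smb4.conf@ that the package message says the BIND9_DLZ backend needs. The pre-join check script below is an added example and is not part of this ticket or of Samba; it assumes the file paths used above, that the @host@ utility from the BIND package is installed, and the hypothetical function names @has_nameserver@, @first_nameserver@, @has_nsupdate_command@, @krb5_realm_matches@, @dc_srv_resolves@ and @precheck_main@. The functions take file paths as arguments so they can be tested against constructed input; only @dc_srv_resolves@ needs the network.

```shell
#!/bin/sh
# Pre-join sanity checks for a Samba4 DC jail (added example; not from the ticket).
# Every checker returns 0 on success and non-zero on failure, so they compose with || and if.

# 0 if the resolv.conf-style file has at least one nameserver line (comments ignored).
has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9a-fA-F.:]+' "$1"
}

# Print the address of the first nameserver line in a resolv.conf-style file.
first_nameserver() {
    awk '/^[[:space:]]*nameserver[[:space:]]+/ { print $2; exit }' "$1"
}

# 0 if smb4.conf sets "nsupdate command" (the pkg message says BIND9_DLZ needs it).
has_nsupdate_command() {
    grep -Eq '^[[:space:]]*nsupdate command[[:space:]]*=' "$1"
}

# 0 if krb5.conf's default_realm equals the expected realm, compared case-sensitively:
# EXAMPLE.COM and example.com are different Kerberos realms.
krb5_realm_matches() {
    realm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                        gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    [ "$realm" = "$2" ]
}

# 0 if the nameserver answers the SRV query AD clients use to locate DCs.
# Requires network access and BIND's host(1). $1 = DNS domain, $2 = nameserver address.
dc_srv_resolves() {
    host -t SRV "_ldap._tcp.dc._msdcs.$1" "$2" 2>/dev/null | grep -q 'has SRV record'
}

# Run all checks against the live system. $1 = DNS domain, $2 = Kerberos realm.
precheck_main() {
    domain=$1; realm=$2; rc=0
    if has_nameserver /etc/resolv.conf; then
        ns=$(first_nameserver /etc/resolv.conf)
        echo "OK:   /etc/resolv.conf nameserver $ns"
        if dc_srv_resolves "$domain" "$ns"; then
            echo "OK:   $ns answers _ldap._tcp.dc._msdcs.$domain"
        else
            echo "FAIL: $ns does not return the DC SRV record for $domain"; rc=1
        fi
    else
        echo "FAIL: /etc/resolv.conf has no nameserver entry"; rc=1
    fi
    if krb5_realm_matches /etc/krb5.conf "$realm"; then
        echo "OK:   /etc/krb5.conf default_realm is $realm"
    else
        echo "FAIL: /etc/krb5.conf default_realm is not exactly $realm"; rc=1
    fi
    if has_nsupdate_command /usr/local/etc/smb4.conf; then
        echo "OK:   smb4.conf sets 'nsupdate command'"
    else
        echo "FAIL: smb4.conf lacks 'nsupdate command = /usr/local/bin/samba-nsupdate -g'"; rc=1
    fi
    return $rc
}

# Only run against the live system when explicitly asked, so the functions can be
# sourced or tested without touching real files or the network.
if [ "${PRECHECK_RUN:-0}" = "1" ]; then
    precheck_main "${1:-example.com}" "${2:-EXAMPLE.COM}"
fi
```

Usage on the jail: @PRECHECK_RUN=1 sh precheck.sh example.com EXAMPLE.COM@; a non-zero exit means at least one check printed FAIL and the join should not be attempted yet. The realm comparison is deliberately case-sensitive because a lowercase @default_realm@ would make @kinit@ fail against an uppercase realm even though the names look the same.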