Support #330
Updated by Daniel Curtis almost 11 years ago
To increase the reliability of my Active Directory domain, I decided to create a backup domain controller in a jail on my FreeNAS server. This guide documents the procedure used to set up the server.

Once the jail had been created, I logged into the jail via ssh:

<pre>
ssh root@dc1.example.com
</pre>

h2. Install Samba4

Begin by installing BIND 9.8, samba4, and Heimdal Kerberos via pkg:

<pre>
pkg install bind98 heimdal pylibacl py27-xattr samba4
</pre>

NOTE: I chose to use the BIND 9.8 package instead of the default Samba internal DNS server, since that is what I am using on the primary domain controller.

Once the package finishes installing, the following is displayed:

> This port is *STILL* experimental, use it at your own risk.
>
> How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
>
> * Your configuration is: /usr/local/etc/smb4.conf
>
> * All the relevant databases are under: /var/db/samba4
>
> * All the logs are under: /var/log/samba4
>
> * Provisioning script is: /usr/local/bin/samba-tool
>
> You will need to specify location of the 'nsupdate' command in the
> smb4.conf file:
>
> nsupdate command = /usr/local/bin/samba-nsupdate -g

This is important to remember, as the @smb4.conf@ file will only be created after joining the domain.

h2. Configure @/usr/local/etc/krb5.conf@

In order to join the Active Directory domain, Samba and Kerberos need to be configured. Start by editing /etc/krb5.conf:

<pre>
nano /etc/krb5.conf
</pre>

> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }

NOTE: Make sure to replace EXAMPLE.COM with your Active Directory realm.

At this point, I was able to connect to the primary domain controller's Kerberos realm:

<pre>
kinit administrator
</pre>

I verified that the credentials were accepted by running:

<pre>
klist
</pre>

> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@example.com
>
> Valid starting       Expires              Service principal
> 11/11/12 17:29:51    11/12/12 03:29:51    krbtgt/example.com@example.com
> renew until 11/12/12 17:29:49

Now the machine can be joined to the Active Directory domain.

h2. Joining the existing domain as a DC

Make sure that your @/etc/resolv.conf@ contains at least one nameserver entry pointing to a DNS server that can resolve your Samba AD zone(s). Example:

<pre>
nameserver 192.168.0.1
</pre>

Run the following provisioning command to join the domain, specifying the BIND9_DLZ DNS backend:

<pre>
samba-tool domain join EXAMPLE.COM DC -Uadministrator@EXAMPLE.COM --use-ntvfs --realm=EXAMPLE.COM --dns-backend=BIND9_DLZ
</pre>

NOTE: I needed @--use-ntvfs@ during the join, or else an error prevents the join.

During the join, you should see a set of debug messages about replicating the domain's content, like this:

> Partition[CN=Configuration,DC=samba,DC=example,DC=com] objects[1614/1614] linked_values[28/0]

At the end, you will see a message like this:

> Joined domain SAMBA (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC

Now you have joined your Samba4 server to your existing domain. This will also create a Samba4 configuration file at @/usr/local/etc/smb4.conf@.

h2. Configure @/usr/local/etc/smb4.conf@

Edit the @/usr/local/etc/smb4.conf@ file and add the configuration parameter noted above:

<pre>
vi /usr/local/etc/smb4.conf
</pre>

> [global]
> ...
> nsupdate command = /usr/local/bin/samba-nsupdate -g
> ...

h2. Configure BIND

Add the Dynamically Loadable Zone and Kerberos keytab definitions to the BIND configuration:

<pre>
vi /etc/namedb/named.conf
</pre>

> options {
> ...
> include "/var/db/samba4/private/named.conf";
> tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
> ...
> }

Then add the following at the end of /etc/namedb/named.conf:

> include "/var/db/samba4/private/named.conf";

Enable the service in /etc/rc.conf:

<pre>
vi /etc/rc.conf
</pre>

> named_enable="YES"
> named_chrootdir=""

Note: Since the BIND server is running inside a jail, it is already chrooted. The default rc configuration sets BIND up in its own chroot environment, which causes the named service to fail to start unless @named_chrootdir=""@ is specified in @/etc/rc.conf@.

Start the service:

<pre>
service named start
</pre>

> Starting named.

And check that it is running:

<pre>
service named status
</pre>

> named is running as pid 13260.

h2. Enable and start Samba4 service

Enable the service in /etc/rc.conf:

<pre>
vi /etc/rc.conf
</pre>

> ntpd_enable="YES"
> samba4_enable="YES"

Then start the services:

<pre>
service ntpd start
service samba4 start
</pre>

h2. Resources

* https://bugs.freenas.org/issues/3776
* https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
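As a closing check for the procedure above, here is an added example (not from the original issue or from Samba/FreeNAS) that verifies the four files this guide edits contain the settings the join depends on: the @nsupdate command@ line in smb4.conf, @named_chrootdir=""@ plus the enable flags in rc.conf, a nameserver in resolv.conf, and the upper-case realm in krb5.conf. Paths follow the guide; the @make_samples@ function writes constructed sample files so it runs offline, and the realm name is an assumption taken from the guide.

```shell
#!/bin/sh
# Added example (not from the original issue): sanity checks for the files this
# guide edits. Paths follow the guide; make_samples writes constructed files so
# the script runs offline. Use: run_checks "" EXAMPLE.COM  against the live jail.

# The nsupdate line the samba4 package message asks for.
check_nsupdate() {
    grep -Eq '^[[:space:]]*nsupdate command[[:space:]]*=[[:space:]]*/usr/local/bin/samba-nsupdate[[:space:]]+-g[[:space:]]*$' "$1"
}

# named and samba4 enabled, and the BIND chroot disabled (the jail already is one).
check_rc_conf() {
    grep -q '^named_enable="YES"' "$1" &&
    grep -q '^named_chrootdir=""' "$1" &&
    grep -q '^samba4_enable="YES"' "$1"
}

# At least one nameserver that can resolve the AD zone.
check_resolv() {
    grep -Eq '^nameserver[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# default_realm must be the AD realm ($2), upper case.
check_realm() {
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1"
}

# Run every check against files under prefix $1 (empty prefix = live system).
run_checks() {
    rc=0
    check_nsupdate "$1/usr/local/etc/smb4.conf" || { echo "smb4.conf: nsupdate command missing"; rc=1; }
    check_rc_conf  "$1/etc/rc.conf"             || { echo "rc.conf: enable flags or named_chrootdir wrong"; rc=1; }
    check_resolv   "$1/etc/resolv.conf"         || { echo "resolv.conf: no nameserver entry"; rc=1; }
    check_realm    "$1/etc/krb5.conf" "$2"      || { echo "krb5.conf: default_realm is not $2"; rc=1; }
    return $rc
}

# Constructed sample tree mirroring the guide; $2 = "bad" omits named_chrootdir.
make_samples() {
    mkdir -p "$1/usr/local/etc" "$1/etc"
    printf '[global]\n\tnsupdate command = /usr/local/bin/samba-nsupdate -g\n' > "$1/usr/local/etc/smb4.conf"
    printf 'named_enable="YES"\nsamba4_enable="YES"\nntpd_enable="YES"\n' > "$1/etc/rc.conf"
    [ "$2" = bad ] || echo 'named_chrootdir=""' >> "$1/etc/rc.conf"
    printf 'nameserver 192.168.0.1\n' > "$1/etc/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$1/etc/krb5.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp" && run_checks "$tmp" EXAMPLE.COM && echo "all checks passed"
rm -rf "$tmp"
```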