
Support #386

Updated by Daniel Curtis over 10 years ago

Samba4. It’s almost here. A true Active Directory replacement for the open source world has arrived. Needless to say, I’m pretty excited about it. What’s really cool is that you can manage it using your own LDAP editor, or you can simply use the AD tools straight from Microsoft. Since I’ve administered Active Directory networks for years, this is my preferred method of administering it. In addition, since Active Directory has such a strong foothold in modern businesses, most IT administrators are used to performing day-to-day tasks through the Microsoft AD tools. 

 I’ll show you how I installed Samba4 and got it working as a replacement for AD domain controllers on a fresh install of FreeBSD 9. 

 Here’s the overview of the network: 
 # DC1: sambaLDAP01.example.com -- IP: 192.168.1.254 
 # DC2: sambaLDAP02.example.com -- IP: 192.168.1.253 
 # Router: 192.168.1.1 
 # Domain: example.com 

 h2. Preparing the System 

 * First of all, Samba4 is really bleeding edge at the time of this writing, so you’ll want to make sure pkg is up to date: 
 <pre> 
 pkg update 
 pkg upgrade 
 </pre> 

 * Samba4 requires ACLs to be enabled on the file system. Whichever partition holds the Samba4 data is the one you need to enable ACLs on. This example is the bare-bones simple install with only / and swap: 
 <pre> 
 edit /etc/fstab 
 </pre> 

 * Add the ACL option to the / partition. I am using the @--use-ntvfs@ option, so the ACLs are stored in a file rather than in the filesystem metadata: 
 <pre> 
 # Device          Mountpoint        FStype    Options Dump      Pass# 
 /dev/ada0p2       /                 ufs       rw,acls 1         1 
 /dev/ada0p3       none              swap      sw        0         0 
 </pre> 

 * Since I don’t feel like rebooting my system to apply it, I’ll simply remount the partition: 
 <pre> 
 mount -o acls / 
 </pre> 

 * You will also need to update your @resolv.conf@ file to reflect the domain: 
 <pre> 
 edit /etc/resolv.conf 
 </pre> 

 * Here’s an example of what it should look like: 
 <pre> 
 # Generated by resolvconf 
 search EXAMPLE.COM 
 domain example.com 
 nameserver 192.168.1.254 
 nameserver 192.168.1.253 
 nameserver 192.168.1.1 #Fallback DNS IP 
 </pre> 

 You will also need to ensure that all of your systems are getting NTP time from the same NTP source. Starting with FreeBSD 9, ntpd will start automatically if you set it up using the sysinstall tool. Refer to FreeBSD’s documentation on how to use it. 

 h2. Installing Samba4.1 and BIND 9.9 

 * Update the ports tree: 
 <pre> 
 portsnap fetch extract 
 </pre> 

 * Install and configure BIND 9.9: 
 <pre> 
 cd /usr/ports/dns/bind99 
 make config 
 make install clean 
 </pre> 
 NOTE: I needed to enable +GSSAPI+, +DLZ_BDB+, +DLZ_FILESYSTEM+, and +DLZ_STUB+ options while running @make config@. 

 h3. Install Samba4: 
 <pre> 
 cd /usr/ports/net/samba41 
 make config 
 make install clean 
 </pre> 
 *NOTE*: Make sure BIND99 is selected for the DNS server. 

 * Now let’s provision Samba4 as a Domain Controller (for the DNS we’ll use BIND9_DLZ for now, since this is what I set earlier). Since I am also running on a system with ZFS, I need to specify the @--use-ntvfs@ option: 
 <pre> 
 /usr/local/samba/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --interactive 
 </pre> 
 > Realm: *example.com* 
 > Domain [example]: *example* 
 > Server Role (dc, member, standalone) [dc]: *dc* 
 > DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: *BIND9_DLZ* 
 > DNS forwarder IP address (write 'none' to disable forwarding): *192.168.1.1* 
 > Administrator password: *SuperSecretPassword* 
 > Retype password: *SuperSecretPassword* 

 * Configure BIND 9.9 
 Insert the following line in @/var/named/etc/namedb/named.conf@: 
 <pre> 
 include "/var/db/samba4/private/named.conf"; 
 </pre> 
 *NOTE*: In the Samba-generated @named.conf@, make sure the @database@ line points at the BIND 9.9 DLZ module and that the BIND 9.8 line is commented out. 
 *NOTE*: Make sure to change the @listen-on {}@ and @forwarders {}@ options so BIND actually serves your network. 

 * Insert following lines into the @options {}@ section of your @/var/named/etc/namedb/named.conf@ file to allow BIND access to the samba keytab: 
 <pre> 
 tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab"; 
 </pre> 

 * Set appropriate ownership and permissions on the dns.keytab file. Note that most distributions run BIND under a non-root user account: 
 <pre> 
 chgrp bind /var/db/samba4/private/dns.keytab 
 chmod g+r /var/db/samba4/private/dns.keytab 
 </pre> 
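 The chgrp/chmod step above adds group read but never checks what everyone else can do with the keytab. Here is an added check script (not part of the original HOWTO) that confirms dns.keytab is group-readable by BIND's group and has no "other" bits at all; the path and group name are the ones assumed on this page: 

```shell
#!/bin/sh
# Added example (not from the original HOWTO): confirm that dns.keytab ended up
# readable by BIND's group and by nobody else. Paths and the group name are the
# ones assumed on this page.
KEYTAB="/var/db/samba4/private/dns.keytab"
BIND_GROUP="bind"

# file_mode PATH: print the octal permission bits (FreeBSD stat vs GNU stat).
file_mode() {
    case "$(uname -s)" in
        FreeBSD) stat -f '%Lp' "$1" ;;
        *)       stat -c '%a' "$1" ;;
    esac
}

# file_group PATH: print the owning group name.
file_group() {
    case "$(uname -s)" in
        FreeBSD) stat -f '%Sg' "$1" ;;
        *)       stat -c '%G' "$1" ;;
    esac
}

# mode_ok MODE: success when the group digit has the read bit set and the
# "other" digit is 0. MODE is the 3- or 4-digit string printed by file_mode.
mode_ok() {
    m=$1
    other=${m#"${m%?}"}          # last octal digit
    rest=${m%?}
    group=${rest#"${rest%?}"}    # second-to-last digit
    [ "$other" = "0" ] || return 1
    case "$group" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# keytab_ok PATH GROUP: the check to run right after the chgrp/chmod above.
keytab_ok() {
    f=$1; g=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ "$(file_group "$f")" = "$g" ] || { echo "$f is not group $g" >&2; return 1; }
    mode_ok "$(file_mode "$f")" || { echo "$f has mode $(file_mode "$f")" >&2; return 1; }
    return 0
}

if [ -f "$KEYTAB" ]; then
    keytab_ok "$KEYTAB" "$BIND_GROUP" && echo "dns.keytab permissions look right"
fi
```

 If the check fails, @chmod o-rwx@ on the keytab is the fix; a world-readable keytab lets any local account impersonate the DNS service to Kerberos. 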

 * Enable the service in @/etc/rc.conf@: 
 <pre> 
 echo 'named_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Disable the BIND chroot, since I installed the domain controller inside of a FreeBSD Jail: 
 <pre> 
 echo 'named_chroot_enable="NO"' >> /etc/rc.conf 
 </pre> 
 h3. Install Samba4 from packages (the alternative to building the port above): 
 <pre> 
 pkg install samba41 
 </pre> 
 * Now let’s start Samba4: 
 <pre> 
 /usr/local/samba/sbin/samba 
 </pre> 

 * Now let’s finish configuring Kerberos: 
 <pre> 
 ln -s /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf 
 edit /etc/krb5.conf 
 </pre> 

 * Now, you’ll need to modify @krb5.conf@ to match your domain. The following is an example config (CAPS DO MATTER): 
 <pre> 
 [libdefaults] 
         default_realm = EXAMPLE.COM 
         dns_lookup_realm = false 
         dns_lookup_kdc = true 
 </pre> 

 h2. Testing Samba4 

 * First let’s run this to test the domain: 
 <pre> 
 /usr/local/samba/bin/smbclient -L localhost -U% 
 </pre> 

 * You should see output for your domain. Now let’s test the administrative login: 
 <pre> 
 /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'SuperSecretPassword' -c 'ls' 
 </pre> 

 * If that’s all good, let’s test DNS: 
 <pre> 
 host -t SRV _ldap._tcp.example.com 
 </pre> 
 > _ldap._tcp.example.com has SRV record 0 100 389 sambaLDAP01.example.com. 

 * And now let’s test the Kerberos DNS record: 
 <pre> 
 host -t SRV _kerberos._udp.example.com 
 </pre> 
 > _kerberos._udp.example.com has SRV record 0 100 88 sambaLDAP01.example.com. 

 * And finally, let’s test our DNS A record: 
 <pre> 
 host -t A sambaLDAP01.example.com 
 </pre> 
 > sambaLDAP01.example.com has address 192.168.1.254 
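 Instead of eyeballing the three @host@ answers above, here is an added check script (not part of the original HOWTO) that parses them and fails if a record is missing, uses the wrong port, or points at a host that is not one of our two DCs. The domain, DC names and IP are the ones assumed on this page: 

```shell
#!/bin/sh
# Added example (not from the original HOWTO): validate the AD DNS records that
# Samba4 publishes, using the same `host` queries as the Testing section.
DOMAIN="example.com"
DC_NAMES="sambaldap01.example.com sambaldap02.example.com"

# srv_ok PORT "host output": every SRV answer must use PORT and point at one of
# the DCs in DC_NAMES (compared case-insensitively, trailing dot stripped).
# A "has no SRV record" answer yields no match and therefore fails.
srv_ok() {
    printf '%s\n' "$2" | awk -v want="$1" -v dcs="$DC_NAMES" '
        BEGIN { n = split(dcs, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "has" && $3 == "SRV" {
            seen++
            t = tolower($8); sub(/\.$/, "", t)
            if ($7 != want || !(t in ok)) bad++
        }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }'
}

# a_ok IP "host output": the A record must resolve to exactly IP.
a_ok() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == "has" && $3 == "address" { seen++; if ($4 != want) bad++ }
        END { exit ((seen > 0 && bad == 0) ? 0 : 1) }'
}

# check_dc_dns: run the three queries from the Testing section against the
# live resolver and report each result; returns non-zero if any one fails.
check_dc_dns() {
    rc=0
    if srv_ok 389 "$(host -t SRV "_ldap._tcp.$DOMAIN")"; then
        echo "LDAP SRV ok"; else echo "LDAP SRV BAD"; rc=1; fi
    if srv_ok 88 "$(host -t SRV "_kerberos._udp.$DOMAIN")"; then
        echo "Kerberos SRV ok"; else echo "Kerberos SRV BAD"; rc=1; fi
    if a_ok 192.168.1.254 "$(host -t A "sambaLDAP01.$DOMAIN")"; then
        echo "DC1 A ok"; else echo "DC1 A BAD"; rc=1; fi
    return $rc
}
```

 Run @check_dc_dns@ on the DC after provisioning (and again after adding DC2), so a stale or hijacked SRV target shows up as a failure rather than as a line you have to read carefully. 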

 * Now let’s test logging in as Administrator user (using Kerberos): 
 <pre> 
 kinit administrator@EXAMPLE.COM 
 </pre> 

 * And now run this to see your Kerberos ticket: 
 <pre> 
 klist 
 </pre> 

 * Now let’s add it to rc.conf: 
 <pre> 
 echo 'samba_enable="YES"' >> /etc/rc.conf 
 </pre> 

 h2. Resources 

 * http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO 
