Adding FreeBSD 9 servers to Active Directory with Samba36 and Kerberos

#Take care of time sync issues before anything else
#Configure ntpdate against the domain controller and make sure all servers point to the same time source (the domain controller is best): Kerberos rejects requests whose clock skew exceeds its limit.

vi /etc/rc.conf

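# Sync the clock at boot; Kerberos authentication fails once the clock drifts past the allowed skew.
# Straight ASCII quotes: rc.conf is sourced by sh, so typographic quotes become part of the value.
ntpdate_enable="YES"
# Prefer the domain controller here so every host follows the same time source as the KDC.
ntpdate_hosts="0.freebsd.pool.ntp.org"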

#Minimum number of open files the kernel needs for AD membership is 16384; set it in sysctl.conf
vi /etc/sysctl.conf

# System-wide and per-process open-file limits, raised to the page's stated minimum for AD membership.
# NOTE(review): the per-process limit is what winbindd/smbd actually hit; keep both in step — confirm against the running system.
kern.maxfiles=16384
kern.maxfilesperproc=16384

#Reboot so the changes take effect
#Make sure /etc/hosts is configured properly
#Adjust per system
# Loopback alias, then this host's own short name and FQDN on its routable address.
# NOTE(review): Kerberos host principals and the AD join use the FQDN, so forward and
# reverse DNS for 10.3.5.55 should agree with the second line — verify before joining.
127.0.0.1 localhost localhost.mydomain.com
10.3.5.55 kgfree kgfree.mydomain.com

#Create krb5.conf
vi /etc/krb5.conf

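[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Realm assumed when a principal is given without one (kinit user, net ads join).
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
# Lifetimes requested from the KDC; the KDC enforces its own maximums.
ticket_lifetime = 24h
renew_lifetime = 7d
# Forwardable TGTs permit credential delegation (e.g. GSSAPI ssh); set to false if that is not needed.
forwardable = true

[realms]
MYDOMAIN.COM = {
# Port 88 is the Kerberos default, so a single kdc entry covers the host; the duplicate entry was dropped.
kdc = mykdc.mydomain.com:88
admin_server = myadmin.mydomain.com:749
# DNS domain appended when short host names are expanded to principals (a DNS name, not the NetBIOS name).
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM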

#Test kerberos
# Obtains a TGT for the named principal from the KDC listed in krb5.conf and caches it.
kinit Administrator@MYDOMAIN.COM
#Confirm ticket
# Lists the cached tickets; run kdestroy when done testing so the
# Administrator credentials do not linger in the cache.
klist

#Install Samba
cd /usr/ports/net/samba36
make install clean
#configure options

[X] LDAP With LDAP support
[X] ADS With Active Directory support
[X] WINBIND With WinBIND support
[X] ACL_SUPPORT With ACL support
[X] SYSLOG With Syslog support
[X] PAM_SMBPASS With PAM authentication vs passdb backends
[X] DNSUPDATE With dynamic DNS update (requires ADS)
[X] POPT With system-wide POPT library

Choose the Python bindings option
No TLS/SSL support for CUPS

#Configure Samba to start
vi /etc/rc.conf

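# Straight ASCII quotes: rc.conf is sourced by sh, so typographic quotes become part of the value.
# nmbd handles NetBIOS name service, smbd (samba_enable) serves the shares.
nmbd_enable="YES"
samba_enable="YES"
# winbindd performs the AD user/group lookups that wbinfo and pam_winbind rely on.
winbindd_enable="YES"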

#Configure Samba
vi /usr/local/etc/smb.conf

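[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = FreeBSD Server
# AD member server: authentication is handed to the domain controllers.
security = ads

# Samba 3.6 idmap layout: the default (*) backend must be an allocating backend
# such as tdb, and the algorithmic rid backend is configured per domain; the
# ranges must not overlap. The single-line "idmap_rid:DOMAIN=lo-hi" form is the
# Samba 3.0 syntax, not the 3.6 one. Verify with testparm and "wbinfo -i <user>".
idmap config * : backend = tdb
# example range for the default backend; keep it clear of local uids and of the domain range
idmap config * : range = 20001-30000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-20000

template shell = /bin/sh
# %D = domain, %U = user; this is the path pam_mkhomedir creates at first login
template homedir = /home/%D/%U
# domain users log in without the DOMAIN\ prefix
winbind use default domain = yes

# no [printers] share is defined and CUPS support was not built, so skip printcap lookups
load printers = no
# %m = client NetBIOS name; the log directory must exist
log file = /var/log/samba/log.%m
# kilobytes
max log size = 50
wins server = mydc.mydomain.com
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writable = yes
# only the owning user may connect to their own home share
valid users = %S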

#Test that the config file parses and is in the expected location (sometimes you may have to move smb.conf to /usr/local/etc/samba)
/usr/local/bin/testparm

#Join the domain
# -U names the AD account that performs the join; the password is prompted for.
# NOTE(review): the Domain Administrator is used here; a delegated account that
# only holds the right to join computers to the domain is the least-privilege choice.
net ads join -U Administrator

#Home directory creation: use pam_mkhomedir
cd /usr/ports/security/pam_mkhomedir
make install clean

#Enable homedir creation with sshd
vi /etc/pam.d/sshd

# Kerberos first: pam_krb5 (presumably the base-system module, no path given) checks the password against the KDC.
auth            sufficient      pam_krb5.so             no_warn try_first_pass
# Fall back to winbind (ports module under /usr/local/lib) for AD accounts.
auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
# Create the home directory on first login (path comes from "template homedir" in smb.conf).
session required /usr/local/lib/pam_mkhomedir.so
# NOTE(review): "sufficient" ends the auth stack on success, so where these lines sit
# relative to the existing pam_unix entries decides local-vs-domain precedence —
# confirm their placement in the full /etc/pam.d/sshd file.

#Start samba
/usr/local/etc/rc.d/samba start

#Test users and groups (if everything is configured properly you will see a list of domain
#users and groups)
# Both queries go through winbindd, so an empty result usually points at the
# domain join, the idmap settings, or winbindd not running.
wbinfo -u
wbinfo -g
Reboot