Hello-
I apologize in advance for this very long post!
I am having a devil of a time trying to get Samba 4.1.6 running on a FreeBSD 10.0 x64 machine using ZFS on all disks. I don't think that my issues are due to ZFS but I could be wrong! In this case, I want to join the FreeBSD system as a domain member of our AD.
The real issue here is that I am unable to enumerate AD users and groups when executing getent passwd. I'm able to enumerate users/groups using wbinfo -u and wbinfo -g. I'm trying to use winbindd to retrieve AD metadata. Configuration files as follows:
/usr/local/etc/smb4.conf
Code:
[global]
workgroup = SHORTDOMAINNAME
realm = EXAMPLE.COM
server string =
server role = member server
security = ADS
kerberos method = system keytab
log file = /var/log/samba4/log.%m
load printers = No
printcap name = /dev/null
disable spoolss = Yes
local master = No
domain master = No
template shell = /bin/bash
winbind separator = -
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
idmap config SHORTDOMAINNAME:range = 1000-50000
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:backend = ad
idmap config *:range = 50001-60000
idmap config * : backend = tdb
admin users = "@SHORTDOMAINNAME-domain admins"
inherit permissions = Yes
inherit acls = Yes
use sendfile = Yes
dos filemode = Yes
[install]
comment = /zdata/home/install
path = /zdata/home/install
valid users = "@SHORTDOMAINNAME-domain admins"
read only = No
create mask = 0774
directory mask = 0774
inherit owner = Yes
map archive = No
map readonly = no
vfs objects = zfsacl
nfs4:chown = yes
nfs4:acedup = merge
nfs4:mode = special
[no-rsync]
comment = /zdata/home/no-rsync
path = /zdata/home/no-rsync
valid users = "@SHORTDOMAINNAME-domain admins"
read only = No
create mask = 0774
inherit owner = Yes
map archive = No
map readonly = no
vfs objects = zfsacl
nfs4:chown = yes
nfs4:acedup = merge
nfs4:mode = special
[public]
comment = Public Stuff
path = /home/public
write list = "@SHORTDOMAINNAME-domain admins"
read only = No
create mask = 0774
directory mask = 0774
force directory mode = 0774
guest ok = Yes
/etc/nsswitch.conf
Code:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files winbind
#group: compat
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
/etc/resolv.conf
Code:
search example.com
domain example.com
nameserver 192.168.XXX.3
nameserver 192.168.XXX.1
nameserver 192.168.XXX.7
/etc/krb5.conf
Code:
#/etc/krb5.conf
#This is used if you have alternative KDC's in you realm (not windows)
#that you are mapping trust accounts to in the windows domain
#see http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
#[kdc]
#profile = /home/krb5kdc/kdc.conf
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_etypes = des-cbc-crc des-cbc-md5
# default_etypes_des = des-cbc-crc des-cbc-md5
ticket_lifetime = 24h
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = true
[appdefaults]
default_realm = EXAMPLE.COM
pam = {
forwardable = true
krb4_convert = false
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
}
[realms]
EXAMPLE.COM = {
kdc = dc1.example.com:88
kdc = dc2.example.com:88
kdc = dc3.example.com:88
admin_server = dc1.example.com:749
kpasswd_server = dc1.example.com:464
kpasswd_protocol = SET_CHANGE
default_domain = example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
.EXAMPLE.COM = EXAMPLE.COM
backup.example.com = EXAMPLE.COM
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Code:
root@backup:/usr/ports/net/samba41 # make showconfig
===> The following configuration options are available for samba41-4.1.6:
ACL_SUPPORT=on: File system ACL support
ADS=on: Active Directory support
AIO_SUPPORT=on: Asyncronous IO support
CUPS=off: CUPS printing system support
DEBUG=off: With debug information in the binaries
DEVELOPER=off: With development support
DNSUPDATE=on: Dynamic DNS update(require ADS)
EXP_MODULES=off: Experimental modules
FAM_SUPPORT=off: File Alteration Monitor support
LDAP=on: LDAP support
MANPAGES=on: Build and/or install manual pages
PAM_SMBPASS=off: PAM authentication via passdb backends
PTHREADPOOL=off: Pthread pool
QUOTAS=off: Disk quota support
SYSLOG=off: Syslog support
UTMP=off: UTMP accounting support
====> Options available for the single DNS: you have to select exactly one of them
NSUPDATE=on: Use internal DNS with NSUPDATE utility
BIND98=off: Use bind98 as a DNS server frontend
BIND99=off: Use bind99 as a DNS server frontend
====> Options available for the radio ZEROCONF: you can only select none or one of them
AVAHI=on: Zeroconf support via Avahi
MDNSRESPONDER=off: Zeroconf support via mDNSResponder
===> Use 'make config' to modify these settings
root@backup:/usr/ports/net/samba41 #
When I attempt to join our AD by typing net ads join -U administrator and supplying a valid password, the join command just sits there without returning to a prompt. When I abort it after a few minutes and execute net ads info, I receive the following:
Code:
root@backup:/usr/ports # net ads info
LDAP server: 192.168.XXX.1
LDAP server name: dc3.example.com
Realm: EXAMPLE.COM
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Wed, 23 Apr 2014 11:02:05 PDT
KDC server: 192.168.XXX.1
Server time offset: 0
root@backup:/usr/ports # net ads testjoin
Join is OK
root@backup:/usr/ports #
Now I want to enumerate:
Code:
root@backup:/usr/ports # wbinfo -p
Ping to winbindd succeeded
root@backup:/usr/ports #wbinfo -u
SHORTDOMAINNAME-doug
< ... snipped ... >
SHORTDOMAINNAME-humanresources
root@backup:/usr/ports # wbinfo -g | sort
SHORTDOMAINNAME-$223000-utakgq2rmg80
< ... snipped ... >
SHORTDOMAINNAME-winrmremotewmiusers__
root@backup:/usr/ports # getent passwd
root:<REDACTED>:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
< ... snipped ... >
no-rsync:<REDACTED>:1002:1002:no-rsync:/home/no-rsync:/bin/sh
root@backup:/usr/ports #
No AD users....
I've noticed in the Samba Wiki site something about linking /lib/libnss_winbind.so to /lib/libnss_winbind.so.2, so I copied /usr/lib/nss_winbind.so.1 to /lib/libnss_winbind.so.2 and created the symlink. Still no dice.
I also read the pkg-message as follows:
Code:
===============================================================================
This port is *STILL* experimental, use it at your own risk.
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool
You will need to specify location of the 'nsupdate' command in the
smb4.conf file:
nsupdate command = /usr/local/bin/samba-nsupdate -g
For additional documentation check: http://wiki.samba.org/index.php/Samba4
Bug reports should go to the: https://bugzilla.samba.org/
===============================================================================
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/bin/nmblookup
/usr/local/sbin/winbindd
/usr/local/lib/samba/libsmbd_base.so
/usr/local/lib/samba/libsamba-sockets.so
/usr/local/lib/samba/libsmb_transport.so
/usr/local/lib/samba/libgse.so
/usr/local/sbin/smbd
/usr/local/lib/samba/libkrb5-samba4.so.26
/usr/local/lib/libsmbconf.so.0
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/samba_server
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.samba.org/
So I tried the samba-tools provisioning:
Code:
root@backup:/usr/local/etc # samba-tool domain provision
Realm [EXAMPLE.COM]:
Domain [EXAMPLE]: SHORTDOMAINNAME
Server Role (dc, member, standalone) [dc]: member
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.XXX.3]:
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=BACKUP
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: member server
Hostname: backup
NetBIOS Domain: BACKUP
DNS Domain: example.com
DOMAIN SID: S-1-5-21-810959088-64420964-3790040152
root@backup:/usr/local/etc # less /var/db/samba4/private/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
root@backup:/usr/local/etc #
Seems to have completed OK. I noted the comment about krb5.conf at /var/db/samba4/private/krb5.conf. Does this mean that Samba maintains its own krb5 configuration separately from FreeBSD's? I renamed that krb5.conf and symlinked /var/db/samba4/private/krb5.conf to /etc/krb5.conf. The wbinfo tool worked, but I am still unable to enumerate via getent passwd. I'm able to get a Kerberos ticket just fine:
Code:
root@backup:/usr/local/etc # kinit
root@EXAMPLE.COM's Password:
root@backup:/usr/ports/net/samba41/files # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: root@EXAMPLE.COM
Issued Expires Principal
Apr 23 11:29:07 2014 Apr 23 21:29:07 2014 krbtgt/EXAMPLE.COM@EXAMPLE.COM
root@backup:/usr/local/etc #
Another potential issue. In version 3.6 of samba, our smb.conf had this:
Code:
idmap config SHORTDOMAINNAME:range = 1000-50000
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:backend = ad
idmap config *:range = 50001-60000
idmap config * : backend = tdb
But all of the examples I've seen for smb4.conf use the following:
Code:
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SHORTDOMAINNAME:backend = ad
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:range = 500-40000
I don't think I need to change the values to match the example. I've tried changing these to no avail.
I've spent almost two days trying to figure out this issue. Does anyone see what I might be doing wrong?
Should I consider throwing out winbindd and implementing some other technology such as sssd or nslcd? Does anyone have any success running Samba 4.1 on FreeBSD 10.0 using any of the following: winbindd, sssd, or nslcd? Or even LDAP? Does anyone have any success running Samba 4.1 on FreeBSD 9.2? I see that FreeNAS appears to use Samba 4.1 in their latest version 9.2.1.4 which runs FreeBSD 9.2.
I've posted this on the Samba mailing list. However, no one was able to solve this issue. I believe that might be because there aren't many FreeBSD users on that list.
Any advice/suggestions would be greatly appreciated!
~Doug
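As an added example (not part of Doug's post), a small Python checker for the idmap ranges in the smb4.conf above: it parses the idmap config lines, flags ranges that overlap each other or collide with uids already in /etc/passwd, and, for a domain with backend = ad, reports AD uidNumber values that fall outside the range, which idmap_ad discards (such a user still shows up in wbinfo -u, which needs no id mapping, but not in getent passwd). The uidNumber values and the passwd excerpt are constructed samples, not data from the poster's domain.

```python
import re
from itertools import combinations

# Constructed samples (not from a real DC): the idmap lines of the post's smb4.conf,
# uidNumber values as AD might store them, and a passwd excerpt like the getent output.
SMB4_CONF = """\
idmap config SHORTDOMAINNAME:range = 1000-50000
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:backend = ad
idmap config *:range = 50001-60000
idmap config * : backend = tdb
"""
AD_UIDNUMBERS = {"doug": 10001, "svc-backup": 60500}
LOCAL_PASSWD = "root:*:0:0:Charlie &:/root:/bin/csh\nno-rsync:*:1002:1002:no-rsync:/home/no-rsync:/bin/sh\n"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Collect every 'idmap config DOMAIN:option = value' line, keyed by domain."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def parse_range(value):
    """'1000-50000' -> (1000, 50000); a reversed range is a configuration error."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError(f"reversed idmap range {value}")
    return lo, hi

def local_uids(passwd_text):
    """Map user name -> uid from passwd(5)-formatted text."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return {f[0]: int(f[2]) for f in rows if len(f) >= 3}

def find_problems(domains, ad_uidnumbers, local):
    """Report ranges that overlap, AD uidNumbers outside a 'backend = ad' range
    (idmap_ad drops those mappings), and ranges colliding with local passwd uids."""
    problems = []
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"ranges for {a} and {b} overlap")
    for dom, (lo, hi) in ranges.items():
        if domains[dom].get("backend", "").lower() == "ad":
            for user, uid in sorted(ad_uidnumbers.items()):
                if not lo <= uid <= hi:
                    problems.append(f"{dom}: uidNumber {uid} ({user}) outside {lo}-{hi}")
        for name, uid in sorted(local.items()):
            if lo <= uid <= hi:
                problems.append(f"{dom}: range {lo}-{hi} overlaps local account {name} (uid {uid})")
    return problems
```

Run against the second idmap variant quoted in the post (500-40000), the same checker reports the collision with the local no-rsync account (uid 1002) that getent passwd shows.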