Solved SAMBA IN JAIL

Hello everyone,
First of all, I'm a newbie in FreeBSD and jails.

I'm trying to implement a jail server in the company that I work for, but I'm facing a problem and I didn't find the solution on the internet.

I installed a fresh FreeBSD server with Samba 4.3 and FreeBSD 10.1 to test, and it works fine, but when I configure another fresh server, this time with Samba in a jail, I can't connect my Windows machine to the domain controller.

Everything is normal to me and the configuration is the same.

Is there something different in the jail configuration to make Samba work properly?
 
As far as I know Samba is going to have problems with broadcasts. All I can suggest is not using a jail for this. I very much doubt using a jail will increase the security in this case.

NB. There's no need to create new posts if you think you posted in the wrong section. We can move posts/threads and will do so if you did post in the wrong section.
 
If you are doing AD, then you don't need broadcasts. I have a small AD setup on one host with the "root" DC (from which replication is sourced and no outside host has access), a "subnet" DC (which replicates from the "root"), a member server (file server) and an ldap proxy (haproxy, for HA/LB) all running in separate jails:
Code:
# jls
  JID  IP Address  Hostname  Path
  1000  10.1.200.99  dc-root.ad.nyingma.org  /usr/local/Jail-AD/dc-root
  1001  10.1.200.98  dc-lodge.ad.nyingma.org  /usr/local/Jail-AD/dc-lodge
  1002  10.1.200.101  fs-lodge.ad.nyingma.org  /usr/local/Jail-AD/fs-lodge
  1003  10.1.1.3  ldap-proxy.in.nyingma.org  /usr/local/Jail-AD/ldap-proxy
You need to ensure you specify interfaces to bind to the jail's IP and not a broadcast, plus disable netbios:
Code:
# jexec 1000 samba --version
Version 4.2.4
# jexec 1000 cat /usr/local/etc/smb4.conf
# Global parameters
[global]
   workgroup = NYINGMA
   realm = AD.NYINGMA.ORG
   netbios name = DC-ROOT
   interfaces = 10.1.200.99
   bind interfaces only = Yes
   server role = active directory domain controller
   disable netbios = Yes
   dns forwarder = 10.1.200.1
   nsupdate command = /usr/local/bin/samba-nsupdate -g
   tls enabled = Yes
   tls keyfile = tls/Server-AD-dc-root-key.pem
   tls certfile = tls/Server-AD-dc-root.crt
   tls cafile = tls/CANI-RootCSA.crt
   idmap_ldb:use rfc2307 = yes

   log level = 1

[netlogon]
   path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
   read only = No

[sysvol]
   path = /var/db/samba4/sysvol
   read only = No
My very limited understanding of AD is that the DC can/should provide the directory, and DNS is used instead of relying on broadcasts, enabling you to break out of local-subnet-only visibility.

I have joined one Win7 machine to this domain to administer it with ADUC, my FreeBSD workstation and FreeBSD server, utilizing rfc2307 to ensure consistent uid/gid across all systems. None of these clients are on the same subnet as the AD jailed hosts. On the Win7 machine I could access the member server simply by entering fs-lodge as the DNS domain is the same for them all.

In this case, it's not for security, but because it is not recommended to run a DC and a member server on the same host, per the wiki:
Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other. It is also suggested that medium-sized sites should run more than one DC. It also makes sense to have the DC's distinct from any file servers that may use the Domain Controllers. Additionally using distinct file servers avoids the idiosyncrasies in the winbindd configuration on to the Active Directory Domain Controller. The Samba team do not recommend using the Domain Controller as a file server, the recommendation is to run a separate Domain Member with file shares.
I didn't want to have to use two pieces of hardware to run this lot on.
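An added check, written for this thread and not taken from the forum posts or from the Samba project: a small POSIX sh script that reads the [global] section of an smb4.conf and flags the settings the reply above relies on (`interfaces` limited to the jail's own address, `bind interfaces only = Yes`, `disable netbios = Yes`). The parameter names are Samba's own smb.conf keys; the two sample config files, the realm AD.EXAMPLE.TEST and the temp file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: checks that a jailed Samba
# smb4.conf binds only to the jail's own address and has NetBIOS disabled,
# the two settings the reply above calls out. The keys are Samba's real
# smb.conf parameter names; the sample configs below are constructed.

# smb_global_param FILE KEY
# Print KEY's value from the [global] section of FILE (key match is
# case-insensitive, '#'/';' comment lines are skipped). Prints nothing if unset.
smb_global_param() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        insec && !/^[[:space:]]*[#;]/ {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# smb_bool VALUE: succeeds if VALUE is one of Samba's "true" spellings.
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_jail_smbconf FILE JAIL_IP
# Returns 0 when every check passes, 1 otherwise; prints one line per failure.
check_jail_smbconf() {
    conf="$1"; jail_ip="$2"; rc=0
    ifaces=$(smb_global_param "$conf" "interfaces" | tr ',' ' ')
    # Every 'interfaces' entry must be the jail's address (a /prefix is
    # allowed): anything else makes smbd try addresses the jail does not
    # own, or fall back to broadcast-based discovery.
    if [ -z "$ifaces" ]; then
        echo "FAIL: 'interfaces' is not set"; rc=1
    else
        for i in $ifaces; do
            case "$i" in
                "$jail_ip"|"$jail_ip"/*) ;;
                *) echo "FAIL: interfaces entry '$i' is not the jail IP $jail_ip"; rc=1 ;;
            esac
        done
    fi
    smb_bool "$(smb_global_param "$conf" "bind interfaces only")" \
        || { echo "FAIL: 'bind interfaces only' is not Yes"; rc=1; }
    smb_bool "$(smb_global_param "$conf" "disable netbios")" \
        || { echo "FAIL: 'disable netbios' is not Yes"; rc=1; }
    return $rc
}

# Constructed sample configs (temporary files, removed on exit).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# Global parameters
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.TEST
   interfaces = 10.1.200.99
   bind interfaces only = Yes
   server role = active directory domain controller
   disable netbios = Yes

[sysvol]
   path = /var/db/samba4/sysvol
   read only = No
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   interfaces = 10.1.200.99, 192.168.1.0/24
   disable netbios = No
EOF

for c in "$GOOD_CONF" "$BAD_CONF"; do
    if check_jail_smbconf "$c" 10.1.200.99; then
        echo "$c: OK for jail IP 10.1.200.99"
    else
        echo "$c: needs attention"
    fi
done
```

Run it against the real file with `check_jail_smbconf /usr/local/etc/smb4.conf <jail-ip>` after sourcing the functions, or pipe the output of `testparm -s` into a temp file first so the check sees the values Samba actually loads rather than the raw file.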
 