FreeBSD for "Mainserver" of small company

Hi all,

I have been tasked with setting up a new server to replace a 10+ year old Apple Mac Server which has been running as the "Mainserver" for a small company I work at. This Mac server performs various server roles, including DHCP, DNS, and most importantly, file serving. We have roughly 50-60 clients, 98% are Windows clients, and employees use the file system on the Mac extensively for storing company data. The file system is the Mac standard (sorry, I'm not very familiar with Apple stuff, especially Apple server stuff). We want to use ACL permissions to stay as compatible as possible with Windows. Now, our Mac Server has both POSIX and ACL permissions, which often cause us weird issues when new files or folders are created on the file system.

Our network engineer is strongly inclined to use FreeBSD as the Operating System for our new server, with ZFS file system for FreeBSD installation (root) and for data storage. From what I understand, ZFS natively supports ACL permissions, so that should not be an issue. I have been testing with FreeBSD, but I am having some trouble finding server administration tools that will provide for easy administration of DHCP, DNS, and Samba file sharing.

I know that Samba 4 supports setting up the Samba server as an Active Directory Domain Controller, which while not critical, would be a great asset to our company. I haven't got Samba working yet, but I'm still in the testing phases...

My main set of questions all revolves around this idea: Can I make it so FreeBSD is at least as easy to manage as the Mac Server was?

For administering the Mac server, we use TightVNC and use various Mac applications. For example, DHCP was administered using Server Admin, and adding clients was as simple as typing in a computer's MAC address and assigning it an IP address. On FreeBSD, I have looked into using Webmin, but I am ultimately not impressed with the ease of use of Webmin. Additionally, Webmin only supports older versions of Samba in its module configuration (3.6? I think) which presents a problem if I want to manage Active Directory groups and users.

I've also heard that it may be possible to manage a Samba 4 server using Microsoft Snap-in Console. (I call it Computer Management, accessed from Control Panel --> Administrative Tools --> Computer Management in Windows).

Has anyone done anything like this? Any suggestions on graphical or web administration applications that will make managing Samba, DHCP, and DNS easy? Has anyone come across any commercial solutions built on FreeBSD that would be worth checking out?
 
If I understood correctly, you are looking for: FreeBSD as file, DHCP and DNS server plus commercial support and an easy way to admin. So, you are looking for something like FreeNAS, which is supported by iXsystems.

However, I am relatively new to FreeBSD and there may be better options out there, but most people here, I think, are more console than GUI people. :)

EDIT: you may also want to take a look at pfSense and OPNsense, and perhaps separate networking and file serving.
 
Answering to the Samba 4/Active Directory. You can certainly use the ADUC (Active Directory Users and Computers) tool for management, which you may need to install on a windows desktop (server will already have it). Windows clients can mess with permissions in the usual way.

DHCP and DNS are easy enough with a text editor.

Here's a snippet from my DHCP config:
Code:
    host apTower {
     hardware ethernet 00:22:B0:53:A5:39;
     fixed-address 10.1.223.103;
    }
    host apCabin1 {
     hardware ethernet e4:8d:8c:89:43:cc;
     fixed-address 10.1.223.107;
    }
and similarly DNS (ISC-BIND probably overkill for your requirements)
Code:
$ORIGIN .
$TTL 38400   ; 10 hours 40 minutes
ComCast-ISP.YYY.LAN         IN SOA  CentralServices.XXX.LAN. leeb.XXX.org. (
                                2016113000 ; serial
                                10800      ; refresh (3 hours)
                                3600      ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS   CentralServices.XXX.LAN.
$ORIGIN ComCast-ISP.YYY.LAN.
Gateway         A   10.5.6.1
Router          A   10.5.6.2
NAT-Router      A   10.5.6.3

Yes, the initial setup may be a little painful, but maintaining it is fairly trivial.
 
Yes, the initial setup may be a little painful, but maintaining it is fairly trivial.
Fully agree. It took me a couple of hours to figure out how things worked and how to set it up but the same setup has been running steadily since FreeBSD 4.0. Of course the machine and the software has been upgraded over the years but the setup I once created is basically still the same. Every now and then an update forces me to change some minor configuration setting but that's about it. Keeping it running has required very little effort.
 
I may be biased as I've been doing it a long time, but I generally find it easier to manage these types of services by hand (I agree with you that the various management tools available aren't that user friendly). For example, once you have a working DHCP config file, which should just be a case of taking the sample and changing a few settings, adding things like static reservations is just copying a few lines. Having said that, I don't understand why adding a client would involve adding it to DHCP. Usually you would just set up a DHCP pool and pretty much just leave it. There are very few reasons to give an office workstation a reserved IP address. I can't remember the last time I changed my DHCP config.

Similar with DNS. Ignoring the Samba/AD side of things you only really need a resolver, which can be enabled by just installing something like Bind and running pretty much the default configuration. Samba obviously will want to create DNS records for the domain but I have no experience in that; I know that it can integrate with Bind, but that they also prefer their built-in DNS server. I don't know if the built-in samba DNS server works as a normal resolver, if it does then you can probably just use that and not worry about configuring a standalone DNS server.

Both these should require very little manual changing once they are working.

I've seen a few (possibly outdated) horror stories about AD permissions (some things not working right, permission ordering being wrong, etc), but then I believe it can work very well if configured correctly; I'm sure there's a few posts about it on here. Using ZFS as a file server works very well though. It's great having storage that you can scrub and be confident is 100% correct. It's also incredibly easy to backup using send/recv, and the Samba integration with ZFS snapshots to provide "Previous Versions" in Windows works really well. I also believe you can use the standard AD management tools (Users & Computers, Group Policies, etc) from a Windows client which is pretty nifty.
 
Just a heads up...

I thought I'd give AD a go with the latest Samba to see how well it works. net/samba44 & net/samba43 both fail to provision a domain because they don't think ZFS has ACL support. Searching around it appears you need to use the --use-ntvfs option, but this doesn't exist in these versions. net/samba42 seems to allow me to provision a domain but I haven't tried anything else yet.

To be honest I was expecting Samba4 AD with ZFS support to be further along than it seems to be.
 
From the principle, replacing a Mac OS X Server (10 years old, means most probably 10.4) with FreeBSD, you can't get it wrong.

As CTL IT already figured out, the main concern is not about the services, here we have 1:1 replacements on FreeBSD, of course 10 years more modern ones. On the Mac it was IPFW, ISC-DHCP, Bind, Samba, Apache, Postfix/Cyrus IMAP, among other pretty standard OSS installations, and everything integrated into a single-sign-on setup with OpenLDAP (OpenDirectory).

The Apple specific parts were the administration tools, the most important of which were the Server Admin and the Workgroup Manager. These were GUI applications running on the server itself, and the most appropriate way to manage a Mac OS X server using the native Apple tools from a Windows machine was of course VNC.

I managed three Mac OS X Servers on three different continents of the world, and I did service configuration using ssh. And I would not be too much concerned about replacing the capabilities of the Server Admin application, because most of the things there are settings which are to be set once and then to be forgotten. There is no need to change these things every day.

I would be more concerned about replacing the Workgroup Manager application. This one took all the scare out of the Single-Sign-On with OpenLDAP/OpenDirectory. On said three Mac OS X Server installations, I was responsible only for the smooth operation of the services. User administration was done directly by the secretary of the boss, by entering things directly into the Workgroup Manager.

At the bottom line, I agree with lebarondemerde, for getting the hands on some more advanced administration tools, compared to vi'ing configuration files, it might be a good idea to evaluate the FreeBSD derivatives, which are preconfigured for serving files.

EDIT:
I forgot to mention that careful people with some limited IT skills were able to do user management by editing the LDAP database directly. For doing this, it was sufficient to install phpLDAPadmin as a web service on the respective OS X Server.
 
If you create good templates this would be a good way of managing LDAP.
The templates came from Apple. It should be possible to move over the whole OpenLDAP database (including templates and all users) from the old Mac OS X Server and transfer this to a new FreeBSD machine. When well done on a weekend, this way, users won't even see a difference between the old and the new server. It is a long time since I last looked into Samba; however, I assume that OpenLDAP support can still be enabled, can't it?
 
I thought I'd give AD a go with the latest Samba to see how well it works. net/samba44 & net/samba43 both fail to provision a domain because they don't think ZFS has ACL support. Searching around it appears you need to use the --use-ntvfs option, but this doesn't exist in these versions. net/samba42 seems to allow me to provision a domain but I haven't tried anything else yet.

To be honest I was expecting Samba4 AD with ZFS support to be further along than it seems to be.
Definitely a question for the samba mailing list.
 
Since you are looking into rebuilding your services, I would also consider if there are any services that you would want split off into different physical machines. For example, maybe you'd want DHCP to be on a different (and less beefy) machine, so that it remained running in the event the file server was offline for some reason.

There may be no such need in your environment, but this is the time to think about it.
 
Thank you to all.

The reason we need a way to manage DHCP is because we use different subnets for different devices on our network. For example, 192.168.1.* are IT managed employee desktops, 192.168.2.* are IT managed employee laptops, 192.168.4.* are printers, 192.168.0.* are servers, and any device connected to the network which we do not assign an address gets a 192.168.3.* IP. Hence, when we add a new computer, we give it a 192.168.1.* address.

I will check out the suggested FreeBSD derivatives. I am in the process of setting up a small test network which I will make Samba be the AD DC of and see if I can put all of this good advice to work.

As obsigna mentioned, with the Mac server, we would just VNC in and use Server Admin and Workgroup Manager, both of which had really intuitive, nice GUIs. I'm just not seeing any good replacements for those in FreeBSD. If I can manage AD Users and Groups with Windows, that would be a great "replacement" and manage file permissions as normal in Windows. As for DHCP and DNS... If I can find a good way of setting up some similar addressing scheme without needing to edit config files (by command line or otherwise) whenever we add a new device to the network, then I could do without a tool for DHCP management (obviously).

Again, thank you all for your insight. Greatly appreciated. I also thanked you the "right" way with the thank buttons on all of your comments.
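The replies above describe adding a device by copying a few lines into the dhcpd reservations and the BIND zone file; the addressing scheme in this post (one subnet per device class) is exactly the kind of rule a small script can enforce. The following is an added example, not code posted by anyone in this thread: a POSIX sh script that appends a dhcpd host reservation and a BIND A record for a new device, refuses malformed MACs, duplicate names/MACs/addresses and octets outside the class's subnet, and bumps the SOA serial in the YYYYMMDDnn form used in the zone snippet above. The file paths, the `example.lan` zone, the device names and MACs in the sample data are all constructed; it also assumes that dhcpd.conf includes the reservations file and that the zone file ends with the `$ORIGIN` of the LAN domain, as the posted zone does.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: register a new device
# by appending a dhcpd host reservation and a BIND A record, then bumping the
# zone serial, with the checks that a quick hand edit tends to skip.
# Assumptions (all hypothetical): dhcpd.conf includes a separate reservations
# file, the zone file ends with the $ORIGIN of the LAN domain as in the zone
# snippet above, and the SOA serial follows the YYYYMMDDnn convention.

# Subnet each device class gets, per the addressing scheme described above.
subnet_for_class() {
    case "$1" in
        desktop) echo 192.168.1 ;;
        laptop)  echo 192.168.2 ;;
        printer) echo 192.168.4 ;;
        server)  echo 192.168.0 ;;
        *)       return 1 ;;
    esac
}

# A MAC address must be six colon-separated hex pairs (either case).
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# True if the hostname, MAC or fixed address is already reserved: a duplicate
# MAC or address silently breaks dhcpd for whichever device loses the race.
reservation_clash() { # file name mac ip
    grep -Eiq "host $2 \{|hardware ethernet $3;|fixed-address $4;" "$1"
}

# Next YYYYMMDDnn serial: same day increments nn, a new day restarts at 01.
# "1$nn - 100" avoids the shell reading "08" or "09" as a bad octal literal.
next_serial() { # current_serial today(YYYYMMDD)
    if [ "${1%??}" = "$2" ]; then
        nn=${1#"$2"}
        printf '%s%02d\n' "$2" $(( 1$nn - 100 + 1 ))
    else
        printf '%s01\n' "$2"
    fi
}

# Replace only the number on the "; serial" line, via a temp file so a failed
# write never leaves a half-written zone; prints the new serial.
bump_serial() { # zone_file today
    cur=$(awk '/; serial/ { print $1; exit }' "$1")
    new=$(next_serial "$cur" "$2")
    awk -v new="$new" '/; serial/ { sub(/[0-9]+/, new) } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    echo "$new"
}

# add_host reservations_file zone_file class name mac last_octet today
add_host() {
    subnet=$(subnet_for_class "$3") || { echo "unknown device class: $3" >&2; return 1; }
    valid_mac "$5" || { echo "malformed MAC address: $5" >&2; return 1; }
    case "$6" in *[!0-9]*|"") echo "last octet must be a number: $6" >&2; return 1 ;; esac
    [ "$6" -ge 1 ] && [ "$6" -le 254 ] || { echo "last octet out of range: $6" >&2; return 1; }
    ip="$subnet.$6"
    reservation_clash "$1" "$4" "$5" "$ip" && { echo "name, MAC or address already reserved" >&2; return 1; }
    # Same shape as the reservation snippet posted above.
    printf 'host %s {\n hardware ethernet %s;\n fixed-address %s;\n}\n' "$4" "$5" "$ip" >> "$1"
    printf '%-15s A   %s\n' "$4" "$ip" >> "$2"
    bump_serial "$2" "$7"
}

# Constructed sample files (made-up data in the same layout as the snippets
# above) so the script can be tried in a scratch directory.
make_sample_files() { # dir
    printf 'host apTower {\n hardware ethernet 00:22:B0:53:A5:39;\n fixed-address 192.168.1.103;\n}\n' \
        > "$1/reservations.conf"
    cat > "$1/lan.zone" <<'EOF'
$ORIGIN .
$TTL 38400
example.lan         IN SOA  ns.example.lan. admin.example.lan. (
                                2016113000 ; serial
                                10800      ; refresh
                                3600       ; retry
                                604800     ; expire
                                38400      ; minimum
                                )
                        NS   ns.example.lan.
$ORIGIN example.lan.
ns              A   192.168.0.2
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_files "$dir"
    add_host "$dir/reservations.conf" "$dir/lan.zone" desktop pc42 aa:bb:cc:dd:ee:ff 42 "$(date +%Y%m%d)"
    cat "$dir/reservations.conf" "$dir/lan.zone"
    rm -r "$dir"
}
demo
```

The script deliberately stops at editing the files: on a real box the next step is `dhcpd -t` and `named-checkzone` against the edited files and only then a service reload, so a typo never takes the network's DHCP or DNS down. Keeping the reservations in their own included file also means the main dhcpd.conf, with its pools and options, is never touched by the day-to-day additions.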
 
I thought I'd give AD a go with the latest Samba to see how well it works. net/samba44 & net/samba43 both fail to provision a domain because they don't think ZFS has ACL support. Searching around it appears you need to use the --use-ntvfs option, but this doesn't exist in these versions. net/samba42 seems to allow me to provision a domain but I haven't tried anything else yet.

Are you sure? We use samba 4.3.11 with ZFS and ACL support without any issues.
 
Are you sure? We use samba 4.3.11 with ZFS and ACL support without any issues.

Did you upgrade from an earlier version to 4.3?
I've just tried installing samba43 from ports, with EXP_MODULES enabled just in case that was required. (It installed 4.3.13)

If I try and provision using the standard command I get the following
Code:
# samba-tool domain provision --use-rfc2307 --interactive
[...]
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
The FreeBSD readme that it installs says the following:
Samba4 provisioning requires file system(s) with POSIX ACLs support. At
the moment that is UFS2 only. You have to add 'acls' option to the mount
flags to get things working.

It is known that ZFS-only installations don't work out of the box with
Samba4. In particular, s3fs service requires POSIX ACLs during provisioning.
It is possible to work around that requirement by specifying:

# samba-tool domain provision --interactive --use-xattrs=no --use-ntvfs

And removing later in 'smb4.conf' options like:

'server services', 'dcerpc endpoint servers', 'posix:eadb'

and adding 'vfs objects = zfsacl' as well. Still this isn't supported
and tested configuration, so use it at your own risk.

However if I try the ntvfs option:
Code:
# samba-tool domain provision --use-rfc2307 --interactive --use-ntvfs
Usage: samba-tool domain provision [options]

samba-tool domain provision: error: no such option: --use-ntvfs
 