Samba 4.1.6 on FreeBSD 10.0


Active Member

Reaction score: 9
Messages: 130


I apologize in advance for this very long post!

I am having a devil of a time trying to get Samba 4.1.6 running on a FreeBSD 10.0 x64 machine using ZFS on all disks. I don't think that my issues are due to ZFS but I could be wrong! In this case, I want to join the FreeBSD system as a domain member of our AD.

The real issue here is that I am unable to enumerate AD users and groups when executing getent passwd. I'm able to enumerate users/groups using wbinfo -u and wbinfo -g. I'm trying to use winbindd to retrieve AD metadata. Configuration files as follows:

        workgroup = SHORTDOMAINNAME
        realm = EXAMPLE.COM
        server string = 
        server role = member server
        security = ADS
        kerberos method = system keytab
        log file = /var/log/samba4/log.%m
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        local master = No
        domain master = No
        template shell = /bin/bash
        winbind separator = -
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        idmap config SHORTDOMAINNAME:range = 1000-50000
        idmap config SHORTDOMAINNAME:schema_mode = rfc2307
        idmap config SHORTDOMAINNAME:backend = ad
        idmap config *:range = 50001-60000
        idmap config * : backend = tdb
        admin users = "@SHORTDOMAINNAME-domain admins"
        inherit permissions = Yes
        inherit acls = Yes
        use sendfile = Yes
        dos filemode = Yes

        comment = /zdata/home/install
        path = /zdata/home/install
        valid users = "@SHORTDOMAINNAME-domain admins"
        read only = No
        create mask = 0774
        directory mask = 0774
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4:chown = yes
        nfs4:acedup = merge
        nfs4:mode = special

        comment = /zdata/home/no-rsync
        path = /zdata/home/no-rsync
        valid users = "@SHORTDOMAINNAME-domain admins"
        read only = No
        create mask = 0774
        inherit owner = Yes
        map archive = No
        map readonly = no
        vfs objects = zfsacl
        nfs4:chown = yes
        nfs4:acedup = merge
        nfs4:mode = special

        comment = Public Stuff
        path = /home/public
        write list = "@SHORTDOMAINNAME-domain admins"
        read only = No
        create mask = 0774
        directory mask = 0774
        force directory mode = 0774
        guest ok = Yes
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
group: files winbind 
#group: compat
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind 
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
nameserver 192.168.XXX.3
nameserver 192.168.XXX.1
nameserver 192.168.XXX.7

#This is used if you have alternative KDC's in you realm (not windows)
#that you are mapping trust accounts to in the windows domain
#profile = /home/krb5kdc/kdc.conf

    default_realm        = EXAMPLE.COM
    forwardable          = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
#    default_etypes       = des-cbc-crc des-cbc-md5
#    default_etypes_des   = des-cbc-crc des-cbc-md5
    ticket_lifetime      = 24h
    default_keytab_name  = FILE:/etc/krb5.keytab
    dns_lookup_realm = false 
    dns_lookup_kdc = true

    default_realm = EXAMPLE.COM
    pam = {
        forwardable      = true
        krb4_convert     = false
        debug            = false
        ticket_lifetime  = 36000
        renew_lifetime   = 36000

        kdc              =
        kdc              =
        kdc              =
        admin_server     =
        kpasswd_server   =
        kpasswd_protocol = SET_CHANGE
        default_domain   =


         default = FILE:/var/log/krb5lib.log
             kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
root@backup:/usr/ports/net/samba41 # make showconfig
===> The following configuration options are available for samba41-4.1.6:
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory support
     AIO_SUPPORT=on: Asyncronous IO support
     CUPS=off: CUPS printing system support
     DEBUG=off: With debug information in the binaries
     DEVELOPER=off: With development support
     DNSUPDATE=on: Dynamic DNS update(require ADS)
     EXP_MODULES=off: Experimental modules
     FAM_SUPPORT=off: File Alteration Monitor support
     LDAP=on: LDAP support
     MANPAGES=on: Build and/or install manual pages
     PAM_SMBPASS=off: PAM authentication via passdb backends
     PTHREADPOOL=off: Pthread pool
     QUOTAS=off: Disk quota support
     SYSLOG=off: Syslog support
     UTMP=off: UTMP accounting support
====> Options available for the single DNS: you have to select exactly one of them
     NSUPDATE=on: Use internal DNS with NSUPDATE utility
     BIND98=off: Use bind98 as a DNS server frontend
     BIND99=off: Use bind99 as a DNS server frontend
====> Options available for the radio ZEROCONF: you can only select none or one of them
     AVAHI=on: Zeroconf support via Avahi
     MDNSRESPONDER=off: Zeroconf support via mDNSResponder
===> Use 'make config' to modify these settings
root@backup:/usr/ports/net/samba41 #
root@backup:/usr/ports # pkg version -v
autoconf-2.69                      =   up-to-date with port
autoconf-wrapper-20131203          =   up-to-date with port
avahi-app-0.6.31_1                 =   up-to-date with port
bash-4.3.11                        =   up-to-date with port
bigreqsproto-1.1.2                 =   up-to-date with port
binutils-2.24                      =   up-to-date with port
bison-2.7.1,1                      =   up-to-date with port
bonnie++-1.97_2                    =   up-to-date with port
bsdadminscripts-6.1.1_4            =   up-to-date with port
ca_root_nss-3.15.5                 =   up-to-date with port
cyrus-sasl-2.1.26_5                =   up-to-date with port
dbus-1.6.18_1                      =   up-to-date with port
dbus-glib-0.100.2                  =   up-to-date with port
dialog4ports-0.1.5_2               =   up-to-date with port
docbook-1.5                        =   up-to-date with port
docbook-sgml-4.5_1                 =   up-to-date with port
docbook-xml-5.0_2                  =   up-to-date with port
docbook-xsl-1.76.1_2               =   up-to-date with port
e2fsprogs-libuuid-1.42.9           =   up-to-date with port
expat-2.1.0                        =   up-to-date with port
gamin-0.1.10_7                     =   up-to-date with port
gcc-4.7.3                          =   up-to-date with port
gcc-ecj-4.5                        =   up-to-date with port
gdbm-1.11                          =   up-to-date with port
gettext-                   =   up-to-date with port
glib-2.36.3_2                      =   up-to-date with port
gmake-3.82_1                       =   up-to-date with port
gmp-5.1.3_1                        =   up-to-date with port
gnome_subr-1.0                     =   up-to-date with port
gnomehier-3.0                      =   up-to-date with port
gnutls-2.12.23_4                   =   up-to-date with port
gobject-introspection-1.36.0_2     =   up-to-date with port
help2man-1.43.3_1                  =   up-to-date with port
inputproto-2.3                     =   up-to-date with port
intltool-0.50.2                    =   up-to-date with port
iso8879-1986_3                     =   up-to-date with port
kbproto-1.0.6                      =   up-to-date with port
ldb-1.1.16                         =   up-to-date with port
libICE-1.0.8_1,1                   =   up-to-date with port
libSM-1.2.2_1,1                    =   up-to-date with port
libX11-1.6.2_1,1                   =   up-to-date with port
libXau-1.0.8_1                     =   up-to-date with port
libXdmcp-1.1.1_1                   =   up-to-date with port
libcheck-0.9.12                    =   up-to-date with port
libdaemon-0.14                     =   up-to-date with port
libevent-1.4.14b_3                 =   up-to-date with port
libffi-3.0.13_1                    =   up-to-date with port
libgcrypt-1.5.3_1                  =   up-to-date with port
libgpg-error-1.12                  =   up-to-date with port
libiconv-1.14_3                    =   up-to-date with port
libinotify-20120419_2              =   up-to-date with port
libpthread-stubs-0.3_4             =   up-to-date with port
libsunacl-1.0                      =   up-to-date with port
libtasn1-3.3                       =   up-to-date with port
libtool-2.4.2_2                    =   up-to-date with port
libxcb-1.10                        =   up-to-date with port
libxml2-2.8.0_4                    =   up-to-date with port
libxslt-1.1.28_2                   =   up-to-date with port
lzo2-2.06_2                        =   up-to-date with port
m4-1.4.17_1,1                      =   up-to-date with port
mpc-1.0.2                          =   up-to-date with port
mpfr-3.1.2_1                       =   up-to-date with port
nettle-2.7.1                       =   up-to-date with port
openldap-client-2.4.39             =   up-to-date with port
p11-kit-0.20.2                     =   up-to-date with port
p5-Locale-gettext-1.05_3           =   up-to-date with port
p5-Parse-Pidl-4.0.16               =   up-to-date with port
p5-Parse-Yapp-1.05                 =   up-to-date with port
p5-XML-Parser-2.41_1               =   up-to-date with port
p7zip-9.20.1_2                     =   up-to-date with port
pcre-8.34                          =   up-to-date with port
perl5-5.16.3_9                     =   up-to-date with port
pkg-1.2.7_2                        =   up-to-date with port
pkgconf-0.9.5                      =   up-to-date with port
popt-1.16                          =   up-to-date with port
portmaster-3.17.4                  =   up-to-date with port
python2-2_2                        =   up-to-date with port
python27-2.7.6_4                   =   up-to-date with port
rsync-3.1.0_3                      =   up-to-date with port
samba-nsupdate-9.8.6_1             =   up-to-date with port
samba41-4.1.6                      =   up-to-date with port
screen-4.0.3_14                    =   up-to-date with port
sdocbook-xml-1.1_1,2               =   up-to-date with port
smartmontools-6.2_2                =   up-to-date with port
talloc-2.1.0                       =   up-to-date with port
tdb-1.2.12,1                       =   up-to-date with port
tevent-0.9.21                      =   up-to-date with port
tmux-1.9.a_1                       =   up-to-date with port
vsftpd-ssl-3.0.2                   =   up-to-date with port
xcb-proto-1.10                     =   up-to-date with port
xcmiscproto-1.2.2                  =   up-to-date with port
xextproto-7.3.0                    =   up-to-date with port
xf86bigfontproto-1.2.0             =   up-to-date with port
xmlcatmgr-2.2                      =   up-to-date with port
xmlcharent-0.3_2                   =   up-to-date with port
xorg-macros-1.19.0                 =   up-to-date with port
xproto-7.0.25                      =   up-to-date with port
xtrans-1.3.4                       =   up-to-date with port
zfs-stats-1.2.2                    =   up-to-date with port
zip-3.0                            =   up-to-date with port
root@backup:/usr/ports #
When I attempt to join our AD by typing net ads join -U administrator and supplying a valid password, the join command just sits there without returning to a prompt. When I abort it after a few minutes and execute net ads info, I receive the following:

root@backup:/usr/ports # net ads info
LDAP server: 192.168.XXX.1
LDAP server name:
Bind Path: dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Wed, 23 Apr 2014 11:02:05 PDT
KDC server: 192.168.XXX.1
Server time offset: 0
root@backup:/usr/ports # net ads testjoin
Join is OK
root@backup:/usr/ports #
Now I want to enumerate:
root@backup:/usr/ports # wbinfo -p
Ping to winbindd succeeded
root@backup:/usr/ports #wbinfo -u
   < ... snipped ... >
root@backup:/usr/ports # wbinfo -g | sort
   < ... snipped ... >
root@backup:/usr/ports # getent passwd
root:<REDACTED>:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
   < ... snipped ... >
root@backup:/usr/ports #
No AD users....

I've noticed in the Samba Wiki site something about linking /lib/ to /lib/ so I copied /usr/lib/ to /lib/ and creating the symlink. Still no dice.

I also read the pkg-message as follows:

This port is *STILL* experimental, use it at your own risk.

How to start:

* Your configuration is: /usr/local/etc/smb4.conf

* All the relevant databases are under: /var/db/samba4

* All the logs are under: /var/log/samba4

* Provisioning script is: /usr/local/bin/samba-tool

You will need to specify location of the 'nsupdate' command in the
smb4.conf file:

      nsupdate command = /usr/local/bin/samba-nsupdate -g

For additional documentation check:

Bug reports should go to the:


      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
So I tried the samba-tools provisioning:
root@backup:/usr/local/etc # samba-tool domain provision
 Server Role (dc, member, standalone) [dc]: member
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.XXX.3]: 
Administrator password: 
Retype password: 
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=BACKUP
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           member server
Hostname:              backup
NetBIOS Domain:        BACKUP
DNS Domain:  
DOMAIN SID:            S-1-5-21-810959088-64420964-3790040152

root@backup:/usr/local/etc # less /var/db/samba4/private/krb5.conf
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
root@backup:/usr/local/etc #
Seems to have completed OK. I noted the comment about krb5.conf at /var/db/samba4/private/krb5.conf. Does this mean that Samba maintains its own krb5 configuration separately from FreeBSD's? I renamed that krb5.conf and symlinked /var/db/samba4/private/krb5.conf to /etc/krb5.conf. The wbinfo tool worked but still am unable to enumerate via getent passwd.

I'm able to get a Kerberos ticket just fine:
root@backup:/usr/local/etc # kinit
root@EXAMPLE.COM's Password: 
root@backup:/usr/ports/net/samba41/files # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: root@EXAMPLE.COM

  Issued                Expires               Principal
Apr 23 11:29:07 2014  Apr 23 21:29:07 2014  krbtgt/EXAMPLE.COM@EXAMPLE.COM
root@backup:/usr/local/etc #
Another potential issue. In version 3.6 of samba, our smb.conf had this:
        idmap config SHORTDOMAINNAME:range = 1000-50000
        idmap config SHORTDOMAINNAME:schema_mode = rfc2307
        idmap config SHORTDOMAINNAME:backend = ad
        idmap config *:range = 50001-60000
        idmap config * : backend = tdb
But all of the examples I've seen for smb4.conf use the following:
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000
I don't think I need to change the values to match the example. I've tried changing these to no avail.

I've spent almost two days trying to figure out this issue. Does anyone see what I might be doing wrong?

Should I consider throwing out winbindd and implementing some other technology such as sssd or nclsd? Does anyone have any success running Samba 4.1 on FreeBSD 10.0 using any of the following: winbindd, sssd, or nclsd? Or even LDAP? Does anyone have any success running Samba 4.1 on FreeBSD 9.2? I see that FreeNAS appears to use Samba 4.1 in their latest version which runs FreeBSD 9.2.

I've posted this on the Samba mailing list. However, no one was able to solve this issue. I believe that might be because there aren't many FreeBSD users on that list.

Any advice/suggestions would be greatly appreciated!



Aspiring Daemon

Reaction score: 47
Messages: 598

I had Samba3 running well under 9.2. I haven't yet gotten around to upgrading to Samba4.

There were quite a lot of changes in the config file syntax when going to Samba4, perhaps there is something there that you have missed. Or: I remember (faintly) having to set
group: compat
group_compat: files winbind
But I am very unsure if that still applied.


Active Member

Reaction score: 9
Messages: 130

see my /etc/nsswitch.conf above. It has what you suggested.

I'm now experimenting with openldap.


New Member

Reaction score: 3
Messages: 5

I am having the same problem. So, I'm wondering if any solution was found to this issue?

I am trying to install Samba as a member fileserver on a Windows 2008 domain. I am using a freshly installed FreeBSD 10 system with the latest updates. I only installed vim-lite and then the samba41 package from ports. I am able to join the domain and the wbinfo -u/-g commands work as expected. At this point, the only problem I have is that getent passwd/group commands are not showing the domain user/group accounts.

I've tried to read through the logs and I haven't found any consistent errors. I did once after first installing samba get a kinit error :

Kinit failed: KDC has no support for encryption type

However, after restarting samba a couple of times I haven't seen that error pop up again.

Any help would be greatly appreciated.


New Member

Reaction score: 3
Messages: 5

Always happens. As soon as I ask for help I find something the helps me solve the problem.

I decided to run winbind in the foreground in hopes that I would at least know if it was doing something when I ran getent passwd/ group.

So, I did. I got a BUNCH of lines like this..
Could not get unix ID for SID S-1-5-21-343818398-854245398-1801674531-4768
Could not get unix ID for SID S-1-5-21-343818398-854245398-1801674531-6223
Could not get unix ID for SID S-1-5-21-343818398-854245398-1801674531-2245
So, that at least gave me something to Google where I found that apparently with following line the rfc2307 part tells winbind to try and get the unix UID/GID numbers from the Active Directory server itself. Since this is a Windows AD environment these values don't exist and it can't get them. So it fails.
idmap config MYDOMAIN:schema_mode = rfc2307
If I just comment out the three idmap config MYDOMAIN ... lines then it seems to work okay. getent passwd/ group and id username commands work and I can access shares. I haven't tested this beyond that though. At this point I'm unclear what the "right" smb4.conf settings are.

I would be very happy to hear any comments or advise on the proper configuration.


Active Member

Reaction score: 9
Messages: 130

Hey @bwmarrin!

Following your example, I uncommented those three DOMAIN lines from my smb4.conf and now I'm able to execute getent passwd enumerating not only the Unix usernames but the AD usernames as well!

This is on a FreeBSD 9.2-RELEASE i386 machine in an AD 2008 domain.

Kudos! Now only if we knew what would be the *correct* way to configure smb4.conf!

Last edited by a moderator:


New Member

Reaction score: 3
Messages: 5

So! A bit of reading and I think I have a better understanding. I could be all wrong so please review the above links and the tdb link below as well. ... tdb.8.html

The behavior that I've always used with Samba 3.x in the past as been (apparently) the tdb idmap method. With the tdb method Samba creates a local database and it maps the Windows Active Directory SID's for users/groups to unix ID's and stores this inside its tdb database. With this method there are some disadvantages that the mapping will be different on each Samba server if you had multiple servers, of course. Also, if the tdb database was lost or corrupt and you had to recreate it then all the mapping would change and the permissions on all the files could (most likely would) get all mixed up and everything we need to be reset with the right user/group permissions. To use the tdb method with Samba 4.x then you only need the the following two lines:

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
This just says for * domains (which apparently means all domains not defined by another idmap configuration) to use the tdb backend and use the 70001-80000 range of ID's for UID/GID mapping. If you were just using the default backend in Samba 3.x then this is that and will work the same as what you've been doing.

So the per DOMAIN idmap lines are added to overcome the problems with the tdb mapping method. The RID and AD backends are two options that can be configured. With the RID backend it just does some math (read the link I posted for more info) to create the SID to unix ID mapping. This will cause all mappings to be the same across all Samba servers as long as you configure the range the same for a given domain on each server (as I understand). Then there's the AD backend which expects the UID/GID for each user to actually be stored in the Active Directory database. With this method all mappings are the same across all Samba servers and line up with what's in Active Directory. It's probably the best option, really, and I'm sure that's why it's displayed in the Samba HOWTO page for setting up a member server.

I'm still not exactly sure on how to make the AD backend work with Windows since I haven't tried it yet. But, from what I've reads so far to get the AD backend to work you have to have the rfc2307 schema extensions added to your Active Directory database. You can apparently do this on Windows 2003 and up? You should be able to just google rfc2307 and the version of Windows to learn more about it. Apparently on Windows 2008 R2 I need to enable "Identity Management for UNIX". I'm not sure if that adds the UID/GID's automagically-like or not. Also, the idmap range set (when using AD backend) needs to match the range present in the Active Directory UID/GID fields.

I'll try to enable the rfc2307 when I get a chance and report back here with what happens :) Meanwhile, I'm going to use the tdb backend on this new system even with it's a potential for problems. Once I migrate to the AD backend I'll want to do that on all my systems and I know that's going to be a bit of work because I'm sure all the mappings will be broken and permissions will need to be re-set up.


Aspiring Daemon

Reaction score: 141
Messages: 725

Hi @bwmarrin!

For what it's worth, rfc2307 is great with SAMBA, making sure that all users and groups get the same UID and GID everywhere. That opens up for *NIX clients to have home folders over NFSv4, e.g. But you need to enable it in Active Directory and set a UID and GID for every user and group, which might be difficult to sway in a larger organization, but totally worth in the long run. And as far as I understood it, with rfc2307, it's also possible to have "offline logon" active at the same time, something not possible with "ad" or "rid".

Last edited by a moderator:


New Member

Messages: 1

I had the same issue and I can confirm that removing the last three lines (given as example from samba's wiki page) fixed it (FreeBSD 10.3, Samba 4.4)

idmap config SHORTDOMAINNAME:range = 1000-50000
idmap config SHORTDOMAINNAME:schema_mode = rfc2307
idmap config SHORTDOMAINNAME:backend = ad


New Member

Reaction score: 1
Messages: 1

Hi everybody just a note. I incurred in this thread because I had similar issues (Samba 4.2.10-Debian) and after way too many tests I think that:
  1. it is not completely exact that removing the
    idmap config SHORTDOMAINNAME
    lines fixes the problem, that fix makes Samba show the users and the groups with the getent command but ...
  2. ... what it does not fix is that the UID and GID are mapped on the
    idmap config *
    range that is probably not what you wanted if you got into the trouble of configuring rfc2307 in the first place.
So, probably the best solution (if you really need rfc2307, otherwise I agree that simply removing the above lines could be an acceptable fix) is to correctly setup the so called Identity Management for Unix (this: and that: for a Windows AD) and then configure the Unix Attributes: first for the groups and then for the users.

Once you have done that, you should see that they domain groups and users have another id in the range 1000-50000 (following the above example) and getent shows those id, because it shows only the groups and users with the Unix Attributes set (and that is the reason why at the beginning it seems not be working: it is working but the groups and users lists are empty).