Samba4 dc in FreeBSD 10

igorino


#1
These days I made some installations of working Samba4 domains with everything working: ACLs, DNS registrations, GPOs, etc. Here is how I could successfully implement Samba4 repeatedly.

The example server has these details:
  • OS: FreeBSD 10.0-RELEASE
  • Arch: i386 or amd64
  • Hostname: samba4
  • Domain: domain.com.br
  • Fixed IP: 172.17.0.1
  • Local DNS
  • Local DHCP
  • LAN 172.17.0.0/16
  • Internet router 172.17.0.254
  • WAN 200.201.202.0/24
  • External DNS: 200.201.220.1, 200.205.180.2

In a fresh install, update your ports tree: # portsnap fetch extract update.

In the /etc/fstab file, insert the acls option for the filesystem where Samba will be installed.
Code:
# vi /etc/fstab
...
/dev/ada0p2     /               ufs     rw,acls 1       1
...
Apply the new option: # mount -o acls /.

I will not use the -DBATCH option; instead I'll use configure and configure-recursive in the configurations here. Someone may select additional packages for their environment, and with -DBATCH, I think, it would not be very didactic. Anyway, be advised that the options defined here are somewhat minimal.

# cd /usr/ports/security/openssl
# make config-recursive
Set default options.
# make && make install clean && rehash

# cd /usr/ports/net/isc-dhcp43-server
# make config-recursive
Set default options.
# make && make install clean && rehash

# cd /usr/ports/dns/py-dns
# make config-recursive
Set default options.
# make && make install clean && rehash

Insert --with-dlopen=yes into CONFIGURE_ARGS in the dns/bind98 port Makefile, but do not compile it yet.
Code:
# vi /usr/ports/dns/bind98/Makefile
...
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
                --with-dlopen=yes \
                --disable-symtable \
...
# cd /usr/ports/net/samba41
# make config-recursive

In net/samba41 configuration select the following options: ACL_SUPPORT, ADS, AIO_SUPPORT, CUPS, DEBUG, DNSUPDATE, FAM_SUPPORT, LDAP, PAM_SMBPASS, PTHREADPOOL, QUOTAS, SYSLOG, UTMP, BIND98, AVAHI. Set default options in the remaining packages.

Again # make config-recursive.

In the dns/bind98 configuration select the following options: IDN, IPV6, LARGE_FILE, RPZRRL_PATCH, SSL, THREADS, DLZ_FILESYSTEM, DLZ_STUB, GSSAPI_HEIMDAL. Set default options in the remaining packages.

# make && make install clean && rehash

Edit /usr/local/etc/dhcpd.conf.

# cp /usr/local/etc/dhcpd.conf /usr/local/etc/dhcpd.conf.orig

Replace the contents of /usr/local/etc/dhcpd.conf with these lines. This dhcpd is just a "support" example; you can easily replace it with any other external dhcpd:
Code:
# vi /usr/local/etc/dhcpd.conf
server-name "samba4.domain.com.br";
option domain-name "domain.com.br";
option domain-name-servers 172.17.0.1;
ignore client-updates;
default-lease-time 432000;
max-lease-time 604800;

authoritative;

zone DOMAIN.COM.BR. {
  primary localhost;
}
zone 17.172.in-addr.arpa. {
  primary localhost;
}
subnet 172.17.0.0 netmask 255.255.0.0 {
  range 172.17.100.2 172.17.220.255;
  option routers 172.17.0.254;
  option broadcast-address 172.17.255.255;
  option domain-name-servers 172.17.0.1;
  option domain-name "domain.com.br";
}
# some fixed address
host nas4free {
  hardware ethernet 00:0a:0b:12:34:56;
  fixed-address 172.17.0.21;
}
Edit /usr/local/etc/namedb/named.conf.

# cp /usr/local/etc/namedb/named.conf /usr/local/etc/namedb/named.conf.orig

Replace the contents of /usr/local/etc/namedb/named.conf with these lines:
Code:
# vi /usr/local/etc/namedb/named.conf
acl local-domain { 172.17.0.0/16; };
acl interfaces { 172.17.0.1; 127.0.0.1; };
options {
	directory       "/usr/local/etc/namedb/working/";
        notify          no;
        recursion       yes;
        minimal-responses yes;
        provide-ixfr    yes;
        request-ixfr    yes;
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        listen-on       { interfaces; };
};
//external dns that you trust
acl slaves { 200.201.220.1; 200.205.180.2; };

//notice that the "internal" view does not have zones, dlz will properly populate it with his own fashion.
view "internal" {
        match-clients { local-domain; };
        allow-update { localhost; local-domain; };
        allow-query { localhost; local-domain; };
        include "/var/db/samba4/private/named.conf";
};
//some external view if you wish
view "external"
{
        allow-query { !local-domain; any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
        zone "domain.com.br" {
                notify yes;
                type master;
                file "/usr/local/etc/namedb/working/external/db.domain.com.br";
                allow-transfer { slaves; };
        };
        zone "0-254.202.201.200.in-addr.arpa" {
                notify yes;
                type master;
                file "/usr/local/etc/namedb/working/external/db.200.201.202.0-254";
                allow-transfer { slaves; };
        };
};
Create the directory holding the external view files: # mkdir /usr/local/etc/namedb/working/external.

The /usr/local/etc/namedb/working/external/db.domain.com.br file:
Code:
$TTL    3600
$ORIGIN domain.com.br.
@       IN      SOA     samba4.domain.com.br. root.domain.com.br. (
                        2014082004
                        1h
                        1h
                        2w
                        1h )

        IN      NS      samba4.domain.com.br.
        IN      A       200.201.202.61

web     IN      A       200.201.202.55
The /usr/local/etc/namedb/working/external/db.200.201.202.0-254 file:
Code:
$TTL    300
$ORIGIN 0-254.202.201.200.in-addr.arpa.
@       IN      SOA     samba4.domain.com.br. root.domain.com.br. (
                        2014082003
                        1200
                        120
                        2419200
                        86400 )

        IN      NS      samba4.domain.com.br.

55      IN      PTR     web.domain.com.br.
Give the proper permissions to those files.
# chown -R bind:bind /usr/local/etc/namedb/working/external
# chmod -R 755 /usr/local/etc/namedb/working/external

Insert the proper hostnames into the /etc/hosts file.
Code:
# vi /etc/hosts
...
127.0.0.1               localhost localhost.localdomain
172.17.0.1              samba4  samba4.domain.com.br
...
Insert the following entries into the /etc/resolv.conf file, and make sure you are using a fixed address on your interface.
Code:
# vi /etc/resolv.conf
search domain.com.br
domain samba4.domain.com.br
nameserver 172.17.0.1
Reboot the system.

Set up the domain.
Code:
# samba-tool domain provision --use-rfc2307 --interactive
Realm [DOMAIN.COM.BR]: DOMAIN.COM.BR
Domain [DOMAIN]: DOMAIN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: pa$$w0rd
Retype password: pa$$w0rd
...
If you ever need to start the provision over, delete the contents of the /var/db/samba4/private/ directory and the /usr/local/etc/smb4.conf file.

After the provisioning process ends, symlink some of the generated files to the location where Kerberos expects them.
# ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/.
# ln -s /var/db/samba4/private/dns.keytab /usr/local/etc/krb5.keytab

Define the daemons that will start with the server.
Code:
# echo 'dhcpd_enable="YES"' >> /etc/rc.conf
# echo 'cupsd_enable="YES"' >> /etc/rc.conf
# echo 'named_enable="YES"' >> /etc/rc.conf
# echo 'named_chrootdir=""' >> /etc/rc.conf
# echo 'samba_server_enable="YES"' >> /etc/rc.conf
# echo 'winbindd_enable="YES"' >> /etc/rc.conf
Start some daemons (samba_server will start winbindd).
Code:
# /usr/local/etc/rc.d/dhcpd start
# /usr/local/etc/rc.d/cupsd start
# /usr/local/etc/rc.d/named start
# /usr/local/etc/rc.d/samba_server start
Now proceed to some testing.

named:
Code:
# host -t SRV _ldap._tcp.domain.com.br.
_ldap._tcp.domain.com.br has SRV record 0 100 389 samba4.domain.com.br.
# host -t SRV _kerberos._udp.domain.com.br
_kerberos._udp.domain.com.br has SRV record 0 100 88 samba4.domain.com.br.
Kerberos:
Code:
# kinit administrator@DOMAIN.COM.BR
administrator@DOMAIN.COM.BR's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOMAIN.COM.BR
  Issued                Expires               Principal
Aug 27 14:50:58 2014  Aug 28 00:50:58 2014  krbtgt/DOMAIN.COM.BR@DOMAIN.COM.BR
Samba:
Code:
# smbclient -L localhost -U%
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11)
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
# smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]
smb: \>
If everything went okay, try to join a Windows machine to the domain DOMAIN with the administrator account and its respective password; at the same time, watch for events on the Samba server.

Afterwards install the RSAT for Windows 7 or adminpak and supporttools for Windows XP to manage the domain, GPO's etc.

If anybody could give me some input (output is the right word?) that will be awesome.
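
The named.conf in the first post relies on the external view overriding the global `recursion yes` with `recursion no`. As an added example (not part of the original post), this shell/awk check reports the effective recursion setting per view and marks any view that has no match-clients statement but still recurses; the function names, the REVIEW label and the trimmed sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a named.conf on stdin and
# prints one line per view. Handles // comments only (assumption).
audit_views() {
  awk '
    { sub(/\/\/.*/, "") }                       # drop // comments
    depth == 0 && $1 == "options" { ctx = "options" }
    depth == 0 && $1 == "view" {
      ctx = "view"; name = $2; gsub(/[";{]/, "", name)
      order[++n] = name; mc[name] = "no"; rec[name] = ""
    }
    depth == 0 && $1 ~ /^[a-z]/ && $1 != "options" && $1 != "view" { ctx = "other" }
    depth == 1 && $1 == "recursion" {           # statement directly in a block
      v = $2; sub(/;.*/, "", v)
      if (ctx == "options") grec = v
      if (ctx == "view") rec[name] = v
    }
    depth == 1 && ctx == "view" && $1 == "match-clients" { mc[name] = "yes" }
    { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}") }
    END {
      if (grec == "") grec = "yes"              # BIND default when unset
      for (i = 1; i <= n; i++) {
        v = order[i]; eff = (rec[v] != "") ? rec[v] : grec
        verdict = (mc[v] == "no" && eff == "yes") ? "REVIEW" : "OK"
        if (verdict != "OK") bad = 1
        printf "%s match-clients=%s recursion=%s %s\n", v, mc[v], eff, verdict
      }
      exit bad
    }'
}

# Constructed sample: the named.conf from the post, trimmed to the
# statements the audit looks at.
sample_conf() {
  cat <<'EOF'
acl local-domain { 172.17.0.0/16; };
options {
        recursion       yes;
};
view "internal" {
        match-clients { local-domain; };
        include "/var/db/samba4/private/named.conf";
};
//some external view if you wish
view "external"
{
        allow-query { !local-domain; any; };
        recursion no;
        zone "domain.com.br" {
                type master;
                allow-transfer { slaves; };
        };
};
EOF
}

sample_conf | audit_views                        # as posted: both views OK
sample_conf | sed '/recursion no;/d' | audit_views || echo "flagged: external view would recurse"
```

On the server itself the same check is `audit_views < /usr/local/etc/namedb/named.conf`.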
 
igorino

#3
If Samba, Bind and Kerberos have their files mutually accessible, I believe yes. Remember that, in this setup, Bind isn't jailed (as recommended by the Samba wiki, so that daemon has access to Samba files).

Another aspect to verify is proper name resolution in the new environment, if they have another IP.
 

malco_2001


#4
It will work perfectly if VIMAGE support is enabled in the kernel, and for the jail. Otherwise the nbt service will need to be disabled in smb4.conf.
 

dasti


#5
Hi!

Great tutorial!

I'm trying to get Samba 4.3.3 working with FreeBSD 10.2 with internal DNS. For now, joining a workstation to the domain won't create any entries in Samba DNS.
- Do you have any idea of where it could come from?
- Is using the internal DNS (as recommended in the wiki) a bad idea?
- Is using FreeBSD for Samba a bad idea?

Thanks,
dasti
 
malco_2001

#6
It depends. Samba internal DNS is much easier, and allows management with the Windows DNS console using MMC. The clients must be set to use the DC for DNS, and sometimes ipconfig /registerdns has to be run from the Windows clients. In general it usually just worked for me when I tried it.

Are you planning to run a single domain controller using FreeBSD? Or are you planning to have more than one domain controller? It's pretty easy to maintain a single DC but if you want to have more it has to be very carefully planned out, or you will be sorry. If you just want to run a single DC you might try FreeNAS. It has the domain controller role built in with everything you need pre-configured. I would highly recommend it for single server setups. I've deployed quite a few of them, and later migrated them to FreeNAS when DC support was integrated.
 
dasti

#7
> Are you planning to run a single domain controller using FreeBSD? Or are you planning to have more than one domain controller?

I plan to run several single domain controllers in small branch offices (10-20 users). Even if I'm not a specialist yet, it seems obvious that there is an administrative overhead to this method compared to a real multi-site Windows Active Directory... But license costs have the upper hand...

According to the feedback I got from #samba, SAMBA_INTERNAL seems to be very young and not production ready; that's not what I interpreted from the wiki...

> I would highly recommend it for single server setups. I've deployed quite a few of them, and later migrated them to FreeNAS when DC support was integrated

That's very interesting feedback, I'll try that!

Here are more newbie questions:
1/ In your tutorial, why do you change the compile options of dns/bind99, then install net/samba4, then install dns/bind99? Is there a special reason for that, or can it be: install net/samba4, then change the compile options and install dns/bind99?

2/ Now that dns/bind910 9.10 is available, in your experience, should I use this version?
 

kpa


#8
As far as I know all versions of BIND are now either EoL or deprecated (or at least not recommended for new installs), the replacement for it is dns/bundy.
 

malco_2001


#9
I would urge you not to try samba as a full blown replacement in a multi-site environment yet. I was referring to a single location, and single server. You may get yourself into a very bad predicament if you do not know what you are doing. Others before me have tried, and failed over a period of 1 year. I have tried, and failed over a period of several months. I was eventually hired at a place to clean up a mess, and migrate a samba 4 active directory to Windows Server.

Here is the biggest reason I won't do this myself yet:

https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

That workaround, and even the unison workaround is absolute garbage. The truth is DFS-R replication is badly needed. Centralized id mapping is highly important in addition to that. If you do this it will surely haunt you without centralized id mapping using idmap_ad. That itself is a feat to accomplish, and maintain as it stands. You will also likely end up with certain users at certain locations not being able to access files on a constant basis. In addition to that domain trusts are only partially supported so you will likely run into lots of issues even trying to set up separate forests, and configuring them to talk to each other. In short it's not really an easy process to figure out. I have learned a ton in the process, and I believe I could successfully go back, and make it all work using a true DFS-R replacement if I had to start over. I would have to literally write a novel just to explain it all to you. I am considering doing that as well as writing roles for PCBSD's TrueOS that would simplify the process for all someday.

I am just not there yet myself, and I am pretty good at what I do. I had to construct static dns zone files for active directory by hand just to fix a broken samba to windows server dns replication to complete a migration. I had to spend a lot of time in ADSIedit as well rebuilding objects when a bad samba replication destroyed a server's copy of the directory. It was literally a disaster but I was able to pull off the migration as opposed to starting over.

I had better luck with samba internal dns, and using a bind server in addition as a conditional forwarder. Samba's internal dns did not support conditional forwarding, nor did it support reverse lookups the last time I tried. With bind there are some limitations such as when a domain specified in the conditional forwarder goes down bind has to be restarted as does samba. At least that was from my experience.

I don't want to discourage you but I do want to warn you to please research ahead of time, and be aware of what the limitations are. You will need to be at a higher proficiency than I am with samba to pull this off. You will want to deeply read through the mailing lists, and wiki. Ask lots of questions over there, and get all of the information you need ahead of time. Most importantly don't get yourself fired trying this just to save a few bucks! :)
 

dasti


#11
Advice well received. There are several sites, but also several ADs without any relations/replication; users don't go from site to site.
 