These days I made some installations of working Samba4 domains with everything working: ACLs, DNS registrations, GPOs, etc. Here is how I could successfully implement Samba4 repeatedly.
The example server has these details:
- OS: FreeBSD 10.0-RELEASE
- Arch: i386 or amd64
- Hostname: samba4
- Domain: domain.com.br
- Fixed IP: 172.17.0.1
- Local DNS
- Local DHCP
- LAN 172.17.0.0/16
- Internet router 172.17.0.254
- WAN 200.201.202.0/24
- External DNS: 200.201.220.1, 200.205.180.2
In a fresh install, update your ports tree:
# portsnap fetch extract update
In the /etc/fstab file, insert the acls option for the filesystem where Samba will be installed.
Code:
# vi /etc/fstab
...
/dev/ada0p2    /    ufs    rw,acls    1    1
...
Apply the new option:
# mount -o acls /
I will not use the -DBATCH option; instead I'll use config and config-recursive in the configurations here. Someone may select additional packages for their environment, and with -DBATCH, I think, it will be very little didactic; anyway, be advised that the options defined here are, somewhat, minimal.
# cd /usr/ports/security/openssl
# make config-recursive
Set default options.
# make && make install clean && rehash
# cd /usr/ports/net/isc-dhcp43-server
# make config-recursive
Set default options.
# make && make install clean && rehash
# cd /usr/ports/dns/py-dns
# make config-recursive
Set default options.
# make && make install clean && rehash
Insert --with-dlopen=yes into CONFIGURE_ARGS in the dns/bind98 port's Makefile, but do not compile it yet.
Code:
# vi /usr/ports/dns/bind98/Makefile
...
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
        --with-dlopen=yes \
        --disable-symtable \
...
# cd /usr/ports/net/samba41
# make config-recursive
In the net/samba41 configuration, select the following options: ACL_SUPPORT, ADS, AIO_SUPPORT, CUPS, DEBUG, DNSUPDATE, FAM_SUPPORT, LDAP, PAM_SMBPASS, PTHREADPOOL, QUOTAS, SYSLOG, UTMP, BIND98, AVAHI. Set default options in the remaining packages.
Again:
# make config-recursive
In the dns/bind98 configuration, select the following options: IDN, IPV6, LARGE_FILE, RPZRRL_PATCH, SSL, THREADS, DLZ_FILESYSTEM, DLZ_STUB, GSSAPI_HEIMDAL. Set default options in the remaining packages.
# make && make install clean && rehash
Edit /usr/local/etc/dhcpd.conf.
# cp /usr/local/etc/dhcpd.conf /usr/local/etc/dhcpd.conf.orig
Replace the contents of /usr/local/etc/dhcpd.conf with these lines. This dhcpd is just a "support" example; you can easily replace it with any other external dhcpd:
Code:
# vi /usr/local/etc/dhcpd.conf
server-name "samba4.domain.com.br";
option domain-name "domain.com.br";
option domain-name-servers 172.17.0.1;
ignore client-updates;
default-lease-time 432000;
max-lease-time 604800;
authoritative;

zone DOMAIN.COM.BR. {
    primary localhost;
}
zone 17.172.in-addr.arpa. {
    primary localhost;
}

subnet 172.17.0.0 netmask 255.255.0.0 {
    range 172.17.100.2 172.17.220.255;
    option routers 172.17.0.254;
    option broadcast-address 172.17.255.255;
    option domain-name-servers 172.17.0.1;
    option domain-name "domain.com.br";
}

# some fixed address
host nas4free {
    hardware ethernet 00:0a:0b:12:34:56;
    fixed-address 172.17.0.21;
}
Edit /usr/local/etc/namedb/named.conf.
# cp /usr/local/etc/namedb/named.conf /usr/local/etc/namedb/named.conf.orig
Replace the contents of /usr/local/etc/namedb/named.conf with these lines:
Code:
# vi /usr/local/etc/namedb/named.conf
acl local-domain { 172.17.0.0/16; };
acl interfaces { 172.17.0.1; 127.0.0.1; };

options {
    directory "/usr/local/etc/namedb/working/";
    notify no;
    recursion yes;
    minimal-responses yes;
    provide-ixfr yes;
    request-ixfr yes;
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
    listen-on { interfaces; };
};

// external DNS servers that you trust
acl slaves { 200.201.220.1; 200.205.180.2; };

// notice that the "internal" view has no zones of its own; DLZ populates it in its own fashion
view "internal" {
    match-clients { local-domain; };
    allow-update { localhost; local-domain; };
    allow-query { localhost; local-domain; };
    include "/var/db/samba4/private/named.conf";
};

// an external view, if you wish
view "external" {
    allow-query { !local-domain; any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    zone "domain.com.br" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/working/external/db.domain.com.br";
        allow-transfer { slaves; };
    };
    zone "0-254.202.201.200.in-addr.arpa" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/working/external/db.200.201.202.0-254";
        allow-transfer { slaves; };
    };
};
Create the directory holding the external view files:
# mkdir /usr/local/etc/namedb/working/external
The /usr/local/etc/namedb/working/external/db.domain.com.br file:
Code:
$TTL 3600
$ORIGIN domain.com.br.
@       IN SOA  samba4.domain.com.br. root.domain.com.br. (
                2014082004      ; serial
                1h              ; refresh
                1h              ; retry
                2w              ; expire
                1h )            ; minimum
        IN NS   samba4.domain.com.br.
        IN A    200.201.202.61
web     IN A    200.201.202.55
The /usr/local/etc/namedb/working/external/db.200.201.202.0-254 file:
Code:
$TTL 300
$ORIGIN 0-254.202.201.200.in-addr.arpa.
@       IN SOA  samba4.domain.com.br. root.domain.com.br. (
                2014082003      ; serial
                1200            ; refresh
                120             ; retry
                2419200         ; expire
                86400 )         ; minimum
        IN NS   samba4.domain.com.br.
55      IN PTR  web.domain.com.br.
Give the proper permissions to those files.
# chown -R bind:bind /usr/local/etc/namedb/working/external
# chmod -R 755 /usr/local/etc/namedb/working/external
Insert the proper hostnames into the /etc/hosts file.
Code:
# vi /etc/hosts
...
127.0.0.1       localhost localhost.localdomain
172.17.0.1      samba4 samba4.domain.com.br
...
Insert the following entries into the /etc/resolv.conf file; make sure you are using a fixed address on your interface.
Code:
# vi /etc/resolv.conf
search domain.com.br
domain samba4.domain.com.br
nameserver 172.17.0.1
Reboot the system.
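As an added example (not from the original post), a small sh preflight that checks the prerequisites configured above before you provision: the acls mount option, the /etc/hosts mapping, the first nameserver, and the --with-dlopen change in the bind98 Makefile. Each check takes its input as text so it can be tried against sample data; the name and address it expects (samba4, 172.17.0.1) are the post's values and are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the steps above.
# Each check takes its input as text so it can run against sample data offline;
# the values samba4 / 172.17.0.1 are the post's and are assumptions for your site.

# Is mount point "$2" mounted with the acls option? "$1" is the output of mount(8).
fs_has_acls() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == "on" && $3 == mp && $0 ~ /[(, ]acls[,)]/ { ok = 1 } END { exit !ok }'
}

# Does /etc/hosts text "$1" map IP "$2" to both the short name "$3" and the FQDN "$4"?
hosts_has_fqdn() {
    printf '%s\n' "$1" | awk -v ip="$2" -v short="$3" -v fqdn="$4" \
        '$1 == ip { for (i = 2; i <= NF; i++) { if ($i == short) s = 1; if ($i == fqdn) f = 1 } }
         END { exit !(s && f) }'
}

# Is IP "$2" the first nameserver in resolv.conf text "$1"? The DC should resolve
# through its own BIND, which is where the DLZ-served AD zones live.
resolv_first_ns_is() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# Does the bind98 Makefile text "$1" carry --with-dlopen=yes (needed for the DLZ module)?
makefile_has_dlopen() {
    printf '%s\n' "$1" | grep -q -- '--with-dlopen=yes'
}

# Run every check against the live system; prints each failure and returns non-zero.
preflight() {
    rc=0
    fs_has_acls "$(mount)" / || { echo "FAIL: / is not mounted with acls"; rc=1; }
    hosts_has_fqdn "$(cat /etc/hosts)" 172.17.0.1 samba4 samba4.domain.com.br \
        || { echo "FAIL: /etc/hosts lacks 172.17.0.1 samba4 samba4.domain.com.br"; rc=1; }
    resolv_first_ns_is "$(cat /etc/resolv.conf)" 172.17.0.1 \
        || { echo "FAIL: first nameserver in /etc/resolv.conf is not 172.17.0.1"; rc=1; }
    makefile_has_dlopen "$(cat /usr/ports/dns/bind98/Makefile 2>/dev/null)" \
        || { echo "FAIL: bind98 Makefile lacks --with-dlopen=yes"; rc=1; }
    return $rc
}
```

Source the file and call preflight as root; a clean run prints nothing and returns 0.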
Set up the domain.
Code:
# samba-tool domain provision --use-rfc2307 --interactive
Realm [DOMAIN.COM.BR]: DOMAIN.COM.BR
Domain [DOMAIN]: DOMAIN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password: pa$$w0rd
Retype password: pa$$w0rd
...
If you ever need to start the provisioning over, delete the contents of the /var/db/samba4/private/ directory and the /usr/local/etc/smb4.conf file.
After provisioning finishes, symlink some of the generated files to the location where Kerberos expects them.
# ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/.
# ln -s /var/db/samba4/private/dns.keytab /usr/local/etc/krb5.keytab
Define the daemons that will start with the server.
Code:
# echo 'dhcpd_enable="YES"' >> /etc/rc.conf
# echo 'cupsd_enable="YES"' >> /etc/rc.conf
# echo 'named_enable="YES"' >> /etc/rc.conf
# echo 'named_chrootdir=""' >> /etc/rc.conf
# echo 'samba_server_enable="YES"' >> /etc/rc.conf
# echo 'winbindd_enable="YES"' >> /etc/rc.conf
Start some daemons (samba_server will start winbindd).
Code:
# /usr/local/etc/rc.d/dhcpd start
# /usr/local/etc/rc.d/cupsd start
# /usr/local/etc/rc.d/named start
# /usr/local/etc/rc.d/samba_server start
Now proceed to some testing.
named:
Code:
# host -t SRV _ldap._tcp.domain.com.br.
_ldap._tcp.domain.com.br has SRV record 0 100 389 samba4.domain.com.br.
# host -t SRV _kerberos._udp.domain.com.br
_kerberos._udp.domain.com.br has SRV record 0 100 88 samba4.domain.com.br.
Kerberos:
Code:
# kinit administrator@DOMAIN.COM.BR
administrator@DOMAIN.COM.BR's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOMAIN.COM.BR

  Issued                Expires               Principal
Aug 27 14:50:58 2014  Aug 28 00:50:58 2014  krbtgt/DOMAIN.COM.BR@DOMAIN.COM.BR
Samba:
Code:
# smbclient -L localhost -U%
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11)
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
# smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 4.1.11]
smb: \>
If everything went okay, try to join a Windows machine to the domain DOMAIN with the administrator account and its password, while watching for events on the Samba server.
Afterwards, install RSAT for Windows 7, or adminpak and supporttools for Windows XP, to manage the domain, GPOs, etc.
If anybody could give me some input (is output the right word?), that would be awesome.