Preface I have encountered great difficulty installing Samba4 on FreeBSD, and with a final release imminent I am documenting my install procedure along with a handful of relevant differences for FreedBSD. From what I can tell, Samba4's internal Kerberos server does not start and as a result Samba4 does not fully work on FreeBSD. Scroll to the end to get more information about the Kerberos problem. I am hoping that this guide will help solve the Kerberos issue so that FreeBSD users can utilise Samba4. System Configuration This is a fresh install of FreeBSD 9.0 with services: sshd; ntpd; and powerd enabled. This is my server setup: My server's IP is: 192.168.1.1 My server's name is: Vanity My domain is: SIN My realm is: sin.x My default user is: test When following this guide, remember to substitute for the appropriate values. The version of Samba4 installed: 4.1.0pre1-GIT-99efe84 Samba4 Installation Guide for FreeBSD 9.0 Basic housekeeping The first thing I'll do is update the Ports Collection: Code:# portsnap fetch # portsnap extract # portsnap update I need a text editor and I can't use vi, so I'm going to install nano: Code:# cd /usr/ports/editors/nano # make install clean I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano) Code:#rehash Until I discovered rehash, I had to reboot to use newly installed programmes. Enable ACL Samba4 requires that the filesystem be mounted with ACL. Let's configure fstab to mount the filesystem correctly on startup: Code:# nano /etc/fstab # Device Mountpoint FStype Options Dump Pass# /dev/da0p2 / ufs rw,acls 1 1 /dev/da0p3 none swap sw 0 0 With nano, Ctrl+O saves the file, and Ctrl+X closes the file. Let's mount the filesystem now: Code:# mount -o acls / Install Git To get the latest version of Samba4 we need to install git: Code:# pkg_add -r git # rehash Install Samba4 I'm going to download Samba to the home directory of the default user (test): Code: # cd /home/test # git clone git://git.samba.org/samba.git samba-master # cd samba-master # ./configure --enable-debug --enable-selftest # make 'build' finished successfully (11m59.678s) # make install 'install' finished successfully (3m12.695s) Provision Samba4 Provisioning Samba4 has changed recently and most documentation list the old way of doing it. Code:# /usr/local/samba/bin/samba-tool domain provision Realm [SIN.X]: SIN.X Domain [SIN]: SIN Server Role (dc, member, standalone) [dc]: dc DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 192.168.1.1 Administrator password: <password> Retype password: <password> Most of the values have been populated automatically from DHCP (my router). And this is the result I get: Code:Looking up IPv4 addresses Looking up IPv6 addresses More than one IPv6 address found. Using fe80:1::223:aeff:fe63:d846 Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=sin,DC=x Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=sin,DC=x Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: Vanity NetBIOS Domain: SIN DNS Domain: sin.x DOMAIN SID: S-1-5-21-3757277530-4222028134-2000681140 Testing Samba4 Existing documentation states that this is how you start Samba4: Code: #/usr/local/samba/sbin/samba But I think on FreeBSD it should be: samba start Now let's test: Code: # /usr/local/samba/bin/smbclient -L localhost -U% Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.1.0pre1-GIT-99efe84) Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84] Server Comment --------- ------- Workgroup Master --------- ------- And yes, that is how the output is formatted. Code: # /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls' Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84] . D 0 Mon Dec 3 22:22:47 2012 .. D 0 Mon Dec 3 22:22:55 2012 36535 blocks of size 4194304. 32702 blocks available Configuring DNS I am using â€“dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf. Code: # nano /etc/resolv.conf Code:# Generated by resolvconf search SIN.X domain sin.x nameserver 192.168.1.1 nameserver 192.168.1.254 I'm not sure if search is the same as domain? Note that the second nameserver is my router, I donâ€™t want to be unable to connect to the net while Iâ€™m setting everything up. I think this file will be overwritten by DHCP though (my router handles DHCP too). Testing DNS To test LDAP: Code:# host -t SRV _ldap._tcp.sin.x Host _ldap._tcp.sin.x not found: 3(NXDOMAIN) At first this didn't work, even after rebooting I got the same problem. I think that it is because Samba4 isn't starting automatically and must be started by: Code:# /usr/local/samba/sbin/samba start Trying again: Code:# host -t SRV _ldap._tcp.sin.x _ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x. Now testing Kerberos: Code:# host -t SRV _kerberos._udp.sin.x _kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x. And finally the this server: Code:# host -t A vanity.sin.x vanity.sin.x has address 192.168.1.1 Testing Kerberos Samba4 uses an internal implementation of Kerberos, do not start the Heimdal Kerberos that comes with FreeBSD, this is a different service. The HOWTO states to replace the existing krb.conf with the file located /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system. My guess was this: Code: # cp /usr/local/samba/share/setup/krb5.conf /etc/krb.conf # nano /etc/krb5.conf And edit the file as such: Code:[libdefaults] default_realm = SIN.X dns_lookup_realm = false dns_lookup_kdc = true Testing: Code: # kinit administrator@SIN.X administrator@SIN.X's Password: <password> kinit: krb5_get_init_creds: unable to reach any KDC in realm SIN.X It appears that Kerberos is failing to start, so I'm not sure of where to go from here? Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI. I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.