Preface
I have encountered great difficulty installing Samba4 on FreeBSD, and with a final release imminent I am documenting my install procedure along with a handful of relevant differences for FreeBSD. From what I can tell, Samba4's internal Kerberos server does not start and as a result Samba4 does not fully work on FreeBSD.
Scroll to the end to get more information about the Kerberos problem. I am hoping that this guide will help solve the Kerberos issue so that FreeBSD users can utilise Samba4.
System Configuration
This is a fresh install of FreeBSD 9.0 with services: sshd; ntpd; and powerd enabled.
This is my server setup:
My server's IP is: 192.168.1.1
My server's name is: Vanity
My domain is: SIN
My realm is: sin.x
My default user is: test
When following this guide, remember to substitute for the appropriate values.
The version of Samba4 installed: 4.1.0pre1-GIT-99efe84
Basic housekeeping
The first thing I'll do is update the Ports Collection:
I need a text editor and I can't use vi, so I'm going to install nano:
I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano)
Until I discovered rehash, I had to reboot to use newly installed programmes.
Enable ACL
Samba4 requires that the filesystem be mounted with ACL. Let's configure fstab to mount the filesystem correctly on startup:
With nano, Ctrl+O saves the file, and Ctrl+X closes the file.
Let's mount the filesystem now:
Install Git
To get the latest version of Samba4 we need to install git:
Install Samba4
I'm going to download Samba to the home directory of the default user (test):
Provision Samba4
Provisioning Samba4 has changed recently and most documentation lists the old way of doing it.
Most of the values have been populated automatically from DHCP (my router). And this is the result I get:
Testing Samba4
Existing documentation states that this is how you start Samba4:
But I think on FreeBSD it should be: samba start
Now let's test:
And yes, that is how the output is formatted.
Configuring DNS
I am using --dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf.
I'm not sure if search is the same as domain? Note that the second nameserver is my router, I don’t want to be unable to connect to the net while I’m setting everything up. I think this file will be overwritten by DHCP though (my router handles DHCP too).
Testing DNS
To test LDAP:
At first this didn't work, even after rebooting I got the same problem. I think that it is because Samba4 isn't starting automatically and must be started by:
Trying again:
Now testing Kerberos:
And finally this server:
Testing Kerberos
Samba4 uses an internal implementation of Kerberos. Do not start the Heimdal Kerberos that comes with FreeBSD; this is a different service.
The HOWTO states to replace the existing krb.conf with the file located /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system.
My guess was this:
And edit the file as such:
Testing:
It appears that Kerberos is failing to start, so I'm not sure of where to go from here?
Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI. I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.
Samba4 Installation Guide for FreeBSD 9.0
Basic housekeeping
The first thing I'll do is update the Ports Collection:
Code:
# portsnap fetch
# portsnap extract
# portsnap update
I need a text editor and I can't use vi, so I'm going to install nano:
Code:
# cd /usr/ports/editors/nano
# make install clean
I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano)
Until I discovered rehash, I had to reboot to use newly installed programmes.
Code:
# rehash
Enable ACL
Samba4 requires that the filesystem be mounted with ACL. Let's configure fstab to mount the filesystem correctly on startup:
Code:
# nano /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/da0p2 / ufs rw,acls 1 1
/dev/da0p3 none swap sw 0 0
With nano, Ctrl+O saves the file, and Ctrl+X closes the file.
Let's mount the filesystem now:
Code:
# mount -o acls /
Install Git
To get the latest version of Samba4 we need to install git:
Code:
# pkg_add -r git
# rehash
Install Samba4
I'm going to download Samba to the home directory of the default user (test):
Code:
# cd /home/test
# git clone git://git.samba.org/samba.git samba-master
# cd samba-master
# ./configure --enable-debug --enable-selftest
# make
'build' finished successfully (11m59.678s)
# make install
'install' finished successfully (3m12.695s)
Provision Samba4
Provisioning Samba4 has changed recently and most documentation lists the old way of doing it.
Code:
# /usr/local/samba/bin/samba-tool domain provision
Realm [SIN.X]: SIN.X
Domain [SIN]: SIN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 192.168.1.1
Administrator password: <password>
Retype password: <password>
Most of the values have been populated automatically from DHCP (my router). And this is the result I get:
Code:
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:1::223:aeff:fe63:d846
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sin,DC=x
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sin,DC=x
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: Vanity
NetBIOS Domain: SIN
DNS Domain: sin.x
DOMAIN SID: S-1-5-21-3757277530-4222028134-2000681140
Testing Samba4
Existing documentation states that this is how you start Samba4:
Code:
# /usr/local/samba/sbin/samba
But I think on FreeBSD it should be: samba start
Now let's test:
Code:
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.0pre1-GIT-99efe84)
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
Server Comment
--------- -------
Workgroup Master
--------- -------
And yes, that is how the output is formatted.
Code:
# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls'
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
. D 0 Mon Dec 3 22:22:47 2012
.. D 0 Mon Dec 3 22:22:55 2012
36535 blocks of size 4194304. 32702 blocks available
Configuring DNS
I am using --dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf.
Code:
# nano /etc/resolv.conf
Code:
# Generated by resolvconf
search SIN.X
domain sin.x
nameserver 192.168.1.1
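nameserver 192.168.1.254
I'm not sure if search is the same as domain? Note that the second nameserver is my router, I don’t want to be unable to connect to the net while I’m setting everything up. I think this file will be overwritten by DHCP though (my router handles DHCP too).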
Testing DNS
To test LDAP:
Code:
# host -t SRV _ldap._tcp.sin.x
Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)
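At first this didn't work, even after rebooting I got the same problem. I think that it is because Samba4 isn't starting automatically and must be started by:
Code: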
# /usr/local/samba/sbin/samba start
Trying again:
Code:
# host -t SRV _ldap._tcp.sin.x
_ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x.
Now testing Kerberos:
Code:
# host -t SRV _kerberos._udp.sin.x
_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.
And finally this server:
Code:
# host -t A vanity.sin.x
vanity.sin.x has address 192.168.1.1
Testing Kerberos
Samba4 uses an internal implementation of Kerberos. Do not start the Heimdal Kerberos that comes with FreeBSD; this is a different service.
The HOWTO states to replace the existing krb.conf with the file located /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system.
My guess was this:
Code:
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb.conf
# nano /etc/krb5.conf
And edit the file as such:
Code:
[libdefaults]
default_realm = SIN.X
dns_lookup_realm = false
dns_lookup_kdc = true
Testing:
Code:
# kinit administrator@SIN.X
administrator@SIN.X's Password: <password>
kinit: krb5_get_init_creds: unable to reach any KDC in realm SIN.X
It appears that Kerberos is failing to start, so I'm not sure of where to go from here?
Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI. I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.
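The manual checks this guide walks through (ACL mount option, resolver order, krb5.conf realm, Kerberos SRV record), gathered into one /bin/sh script as an added example that is not part of the original post. The function names are hypothetical, and the sample inputs are constructed from the values and output shown above.

```sh
# Added example, not from the original post. Function names are hypothetical.

# Succeed if the fstab text in $1 mounts / with the "acls" option.
root_has_acls() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" {
        n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "acls") ok = 1
    } END { exit !ok }'
}

# Succeed if the first "nameserver" in the resolv.conf text ($1) is the DC's IP ($2).
first_nameserver_is() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# Print default_realm from the krb5.conf text in $1.
krb5_default_realm() {
    printf '%s\n' "$1" |
        awk -F'[ \t]*=[ \t]*' '$1 ~ /^[ \t]*default_realm$/ { print $2; exit }'
}

# Print "target port" from `host -t SRV` output ($1); fail if no record (NXDOMAIN).
srv_target() {
    printf '%s\n' "$1" | awk '/ has SRV record / {
        sub(/\.$/, "", $8); print $8, $7; found = 1; exit
    } END { exit !found }'
}

# Args: fstab, resolv.conf, krb5.conf, realm, DC IP, SRV output. Returns failure count.
preflight() {
    fails=0
    root_has_acls "$1" || { echo "FAIL: / lacks acls"; fails=$((fails + 1)); }
    first_nameserver_is "$2" "$5" || { echo "FAIL: resolver"; fails=$((fails + 1)); }
    [ "$(krb5_default_realm "$3")" = "$4" ] || { echo "FAIL: realm"; fails=$((fails + 1)); }
    srv_target "$6" >/dev/null || { echo "FAIL: no SRV record"; fails=$((fails + 1)); }
    return "$fails"
}

# Sample inputs constructed from the values shown in the post.
FSTAB='/dev/da0p2 / ufs rw,acls 1 1'
RESOLV='domain sin.x
nameserver 192.168.1.1
nameserver 192.168.1.254'
KRB5='[libdefaults]
default_realm = SIN.X'
SRV='_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.'
if preflight "$FSTAB" "$RESOLV" "$KRB5" SIN.X 192.168.1.1 "$SRV"; then
    echo "all checks pass; KDC advertised at $(srv_target "$SRV")"
fi
```

On the server itself, pass `"$(cat /etc/fstab)"`, `"$(cat /etc/resolv.conf)"`, `"$(cat /etc/krb5.conf)"` and `"$(host -t SRV _kerberos._udp.sin.x)"` in place of the samples. These checks cover configuration and DNS only; they say nothing about whether the KDC is actually answering on the advertised port.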