This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member. The wiki mentioned is a great article, but as described it doesn’t work on FreeBSD. There are two extra changes that you have to make and these changes are described below.

In my lab, I built a Windows 2012R2 domain controller/DNS and a FreeBSD 10.1 VM running Samba 4.4.5.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. They are on the same subnet and the IP of the BSD VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.

This is the full name of my BSD VM.


This is what I have in resolv.conf. is the IP of the Windows box.

cat /etc/resolv.conf
search kdomain.local

This is the hostname and the IP of my BSD box.

cat /etc/rc.conf
ifconfig_em0="inet netmask"

Make sure it resolves properly in DNS.

host -t A freebsd03.kdomain.local
freebsd03.kdomain.local has address

Check the date/time on both systems; they have to match, because Kerberos authentication fails when the clocks disagree. A difference in the displayed time is only acceptable if it comes from the two systems being in different time zones.

Fri Aug 26 19:26:24 EDT 2016

Another check using getent in case you have something in /etc/hosts.

getent hosts freebsd03      freebsd03.kdomain.local

If everything checks out, you can install Samba.

pkg install samba44

This is where Samba expects its config file; it doesn't exist by default.

smbd -b | grep CONFIGFILE
   CONFIGFILE: /usr/local/etc/smb4.conf

The log dir is automatically created under /var/log/samba4. If you need to change the log dir or any other startup parameters, look at the /usr/local/etc/rc.d/samba_server script, but don't edit that file. Set the variables it reads in /etc/rc.conf instead.

Before you go further, you need to know what realm, NETBIOS name and workgroup mean in Samba terms. The names are somewhat misleading, as you can see below from the Samba config file. On the domain controller, open a command prompt and type:

set | find "DOMAIN"

My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Now create the Samba config file which is /usr/local/etc/smb4.conf.

[global]
        netbios name = freebsd03
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb

As you can see, the netbios name is not the NETBIOS name of your domain controller; it's the hostname of your BSD box. The realm is the (upper-case) DNS domain name and the workgroup is the NETBIOS domain name. Yep, it is misleading, but it is what it is.

Earlier I mentioned that there are two changes you have to make that differ from the original wiki. This is the first one. The original wiki article suggests picking one of three idmap backends:

# Just adding one of the following three lines is not enough!
#   - idmap config ad
#   - idmap config rid
#   - idmap config autorid

If you implement any of them, you won't be able to enumerate the domain users with getent. More info here. So skip that and use the config file exactly as described above.

Now that you have your config in place, check for any errors. Just do testparm.

Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.

Press enter to see a dump of your service definitions

# Global parameters
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb

If the syntax checks out, you can now join the BSD box to the domain.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'FREEBSD03' to dns domain 'kdomain.local'

If you go back to your domain controller and open the ADUC (Active Directory Users and Computers), you’ll see your BSD hostname there.


Add these two lines to /etc/rc.conf.


Now you can start Samba with service samba_server start. This also starts the winbind daemon.

service samba_server start
Performing sanity check on Samba configuration: OK
Starting nmbd.
Starting smbd.
Starting winbindd.

Do all the checks.

wbinfo -u
wbinfo -g
MYDOMAIN\domain computers

Now run getent passwd. You won't get any domain users.
This is the second change that the official wiki doesn't cover. Modify /etc/nsswitch.conf so it looks like this: replace compat with files for the group and passwd entries.

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis

Reboot, then run getent passwd and getent group. If the domain users and groups show up, you are all set.
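As an added example (not part of the original post), this shell script checks an smb4.conf against the minimal config shown earlier, flags the ad/rid/autorid idmap backends the wiki suggests, and checks that nsswitch.conf lists files winbind rather than compat for passwd and group. The sample files it writes are constructed here, and normalise, check_smbconf and check_nsswitch are my own helper names.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an smb4.conf and an
# nsswitch.conf carry the settings this walkthrough depends on. Sample files
# are constructed below; pass real paths to check a live system.

# Drop comments/blank lines and squeeze spaces around ':' and '=' so that
# "idmap config * : backend = tdb" and "idmap config *:backend=tdb" compare equal.
normalise() {
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*:[[:space:]]*/:/g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# check_smbconf FILE: print each problem; return 0 only when none are found
check_smbconf() {
    cfg=$(normalise "$1"); rc=0
    for want in 'security=ADS' 'realm=' 'workgroup=' 'winbind nss info=rfc2307' \
                'idmap config \*:backend=tdb' 'idmap config \*:range='; do
        printf '%s\n' "$cfg" | grep -qi "^$want" || { echo "missing: $want"; rc=1; }
    done
    realm=$(printf '%s\n' "$cfg" | grep -i '^realm=' | head -n1 | cut -d= -f2)
    [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ] \
        && { echo "realm must be upper case: $realm"; rc=1; }
    # ad/rid/autorid are the backends the post says break getent on this setup
    printf '%s\n' "$cfg" | grep -qiE '^idmap config .*:backend=(ad|rid|autorid)$' \
        && { echo "ad/rid/autorid idmap backend configured"; rc=1; }
    return $rc
}

# check_nsswitch FILE: passwd and group must list winbind and no longer use compat
check_nsswitch() {
    rc=0
    for db in passwd group; do
        line=$(sed 's/#.*//' "$1" | grep "^$db:" | head -n1)
        case "$line" in
            *compat*)  echo "$db: still uses compat"; rc=1 ;;
            *winbind*) ;;
            *)         echo "$db: winbind not listed"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs mirroring the post's working configuration
T=${TMPDIR:-/tmp}/smbcheck.$$; mkdir -p "$T"
printf '[global]\n  realm = KDOMAIN.LOCAL\n  workgroup = MYDOMAIN\n  security = ADS\n  winbind nss info = rfc2307\n  idmap config *:range = 2000-9999\n  idmap config * : backend = tdb\n' > "$T/smb4.good"
sed 's/realm = KDOMAIN.LOCAL/realm = kdomain.local/' "$T/smb4.good" > "$T/smb4.bad"
printf 'group: files winbind\npasswd: files winbind\nhosts: files dns\n' > "$T/nss.good"
printf 'group: compat\npasswd: compat\n' > "$T/nss.bad"
```

Run it as `sh smbcheck.sh` and then call `check_smbconf /usr/local/etc/smb4.conf` and `check_nsswitch /etc/nsswitch.conf` against the live files; a non-zero exit means at least one of the checks printed a problem.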

If you use pf, make sure that these ports are opened.

