This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member. The wiki mentioned is a great article, but as described it doesn’t work on FreeBSD. There are two extra changes that you have to make and these changes are described below.
In my lab, I built a Windows 2012R2 domain controller/DNS and a FreeBSD 10.1 VM running Samba 4.4.5.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. They are on the same subnet and the IP of the BSD VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.
This is the full name of my BSD VM.
This is what I have in resolv.conf. 192.168.1.19 is the IP of the Windows box.
```
cat /etc/resolv.conf
search kdomain.local
nameserver 192.168.1.19
```
This is the hostname and the IP of my BSD box.
```
cat /etc/rc.conf
hostname="freebsd03.kdomain.local"
ifconfig_em0="inet 192.168.1.18 netmask 255.255.255.0"
```
Make sure it resolves properly in DNS.
```
host -t A freebsd03.kdomain.local
freebsd03.kdomain.local has address 192.168.1.18
```
Check the date/time on both systems. They have to be the same. A differing displayed time is fine only if the two systems are in different time zones, so that the underlying clocks still agree; the Kerberos authentication used by the domain join fails when the clocks drift too far apart.
```
date
Fri Aug 26 19:26:24 EDT 2016
```
Another check using getent in case you have something in /etc/hosts.
```
getent hosts freebsd03
192.168.1.18 freebsd03.kdomain.local
```
If everything checks out, you can install Samba.

```
pkg install samba44
```
This is where Samba expects the config file, which doesn't exist by default.

```
smbd -b | grep CONFIGFILE
   CONFIGFILE: /usr/local/etc/smb4.conf
```
The log dir is created automatically under /var/log/samba4. If you need to change the log dir or any other startup parameter, look at the /usr/local/etc/rc.d/samba_server file, but don't edit that file. Use the parameter names it defines and set them in /etc/rc.conf.
Before you go further, you need to know what realm, NETBIOS name and workgroup mean in Samba terms. The names are somewhat misleading, as you can see from the Samba config file below. On the domain controller, open a command prompt and type:

```
set | find "DOMAIN"
USERDNSDOMAIN=KDOMAIN.LOCAL
USERDOMAIN=MYDOMAIN
USERDOMAIN_ROAMINGPROFILE=MYDOMAIN
```
My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Now create the Samba config file, /usr/local/etc/smb4.conf:

```
[global]
    netbios name = freebsd03
    realm = KDOMAIN.LOCAL
    workgroup = MYDOMAIN
    security = ADS
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
```
As you can see, the netbios name is not the NETBIOS name of your domain controller; it's the hostname of your BSD box. The realm is the DNS domain name and the workgroup is the NETBIOS domain name. Yep, it is misleading, but it is what it is.
Previously, I mentioned that there are two changes you have to make that differ from the original wiki. This is the first one. The original wiki article suggests picking one of three idmap modules:

```
# Just adding the following three lines is not enough!!
# - idmap config ad
# - idmap config rid
# - idmap config autorid
```
If you go ahead and implement any of them, you won't be able to enumerate the domain users with getent. More info here. So, skip that and just use the config file as described above.

Now that you have your config in place, check it for errors. Just run testparm.

```
testparm
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    realm = KDOMAIN.LOCAL
    workgroup = MYDOMAIN
    security = ADS
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    idmap config *:range = 2000-9999
    idmap config * : backend = tdb
```
If the syntax checks out, you can now join the BSD box to the domain.

```
net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'FREEBSD03' to dns domain 'kdomain.local'
```
If you go back to your domain controller and open the ADUC (Active Directory Users and Computers), you’ll see your BSD hostname there.
Add these two lines to /etc/rc.conf.
Now you can start Samba with service samba_server start. It also starts the winbind daemon.

```
service samba_server start
Performing sanity check on Samba configuration: OK
Starting nmbd.
Starting smbd.
Starting winbindd.
```
Do all the checks.
```
wbinfo -u
MYDOMAIN\administrator
MYDOMAIN\guest
MYDOMAIN\klimenta
MYDOMAIN\krbtgt
```

```
wbinfo -g
MYDOMAIN\winrmremotewmiusers__
MYDOMAIN\domain computers
...
```
Now, do getent passwd. You won’t receive any domain users.
This is the second change from the official wiki. You'll have to modify /etc/nsswitch.conf so it looks like this: replace compat with files for the group and passwd entries and add winbind after it.

```
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
```

Reboot, then run getent passwd and getent group. If you get the domain users and groups, you are all set.
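To catch both FreeBSD-specific pitfalls before rebooting, here is a small checker for smb4.conf and nsswitch.conf. It is an added example, not the wiki's or Samba's own tooling; the rule set is exactly the recipe above (security = ADS, upper-case realm, netbios name = this host's short name, tdb backend with a range for the `*` domain, no ad/rid/autorid backend, and `files winbind` rather than `compat` for passwd and group), and the sample configs are constructed.

```python
"""Lint smb4.conf and nsswitch.conf for the two FreeBSD pitfalls above.
Added example, not Samba's or the wiki's tooling; samples are constructed."""
import re

def parse_smb_global(text):
    """Map normalised key -> value for [global]. Samba ignores case and whitespace
    in parameter names, so 'idmap config * : backend' -> 'idmapconfig*:backend'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def lint_smb_conf(text, hostname, dns_domain):
    """Return findings; an empty list means the config follows the recipe."""
    p, out = parse_smb_global(text), []
    if p.get("security", "").upper() != "ADS":
        out.append("security must be ADS for a domain member")
    if p.get("realm") != dns_domain.upper():
        out.append("realm must be the DNS domain in upper case")
    if p.get("netbiosname", "").lower() != hostname.split(".")[0].lower():
        out.append("netbios name must be this host's short name, not the DC's")
    if p.get("idmapconfig*:backend") != "tdb" or "idmapconfig*:range" not in p:
        out.append("default idmap domain '*' needs backend = tdb and a range")
    for key, val in p.items():            # first change: no ad/rid/autorid
        m = re.match(r"idmapconfig([^:]+):backend$", key)
        if m and m.group(1) != "*" and val.lower() in ("ad", "rid", "autorid"):
            out.append(f"idmap backend '{val}' for {m.group(1)} breaks getent here")
    return out

def lint_nsswitch(text):
    """Second change: passwd and group must read 'files winbind', not compat."""
    out = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", text, re.M)
        sources = m.group(1).split() if m else []
        if "compat" in sources or "winbind" not in sources:
            out.append(f"{db}: should be 'files winbind', found '{' '.join(sources)}'")
    return out

# Constructed samples: the recipe's smb4.conf and FreeBSD's stock compat nsswitch.
GOOD_SMB = ("[global]\nnetbios name = freebsd03\nrealm = KDOMAIN.LOCAL\n"
            "workgroup = MYDOMAIN\nsecurity = ADS\n"
            "idmap config *:range = 2000-9999\nidmap config * : backend = tdb\n")
STOCK_NSS = "group: compat\nhosts: files dns\npasswd: compat\n"
```

Run `lint_smb_conf(open("/usr/local/etc/smb4.conf").read(), hostname, dns_domain)` and `lint_nsswitch(open("/etc/nsswitch.conf").read())` on the real files; an empty list from both means you are ready to reboot.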
If you use pf, make sure that these ports are opened.