    Integrating FreeBSD 7.x Into Windows Server 2003/2008 Active Directory As A Domain Member Server

    I have spent more than 15 hours trying to integrate FreeBSD servers and Microsoft Active Directory. Any successes have come from hours of googling and trying to patch together information from pages about several versions of FreeBSD and Samba to get a working system. These instructions represent my notes on the process and were tested on a FreeBSD 7.1 amd64 system with the Samba 3.0.34 port. I also tried the 3.2.8 and 3.3.2 ports but was unable to successfully integrate with an Active Directory domain.

    Steps:

    1. Enter: cd /usr/ports/security/krb5 && make KRB5_HOME=/usr/local install clean
      • Don’t change any config options
    2. Enter: cd /usr/ports/net/samba3 && make KRB5_HOME=/usr/local install clean
      • Select LDAP, ADS, CUPS, WINBIND, ACL_SUPPORT, FAM_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, DNSUPDATE, EXP_MODULES & POPT. Deselect all other options.
    3. Enter: vi /etc/krb5.conf
      • Many sources say this step is optional. I think it’s mandatory with Windows Server 2003 & 2008 servers.
      • Make it look similar to the file below. Wherever you see DOMAIN.INT, substitute your Active Directory domain, but keep the upper and lower case exactly as specified below. For instance, if your AD domain controller is ad1.example.dom, you would substitute "example.dom" for all occurrences of "domain.int", preserving the capitalization shown below (EXAMPLE.DOM where the file has DOMAIN.INT).
      • Also replace server in "server.domain.int" with the FQDN of your Active Directory domain controller. If you have more than one, add an additional kdc and admin_server line for each controller, substituting that controller's hostname.
    4. [logging]
      default = SYSLOG:INFO:LOCAL7

      [libdefaults]
      clock_skew = 300
      default_realm = DOMAIN.INT
      default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
      default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
      preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
      ticket_lifetime = 24000

      [realms]
      DOMAIN.INT = {
      kdc = server.domain.int:88
      admin_server = server.domain.int:464
      default_domain = domain.int
      }

      [domain_realm]
      .domain.int = DOMAIN.INT
      domain.int = DOMAIN.INT

    5. Enter: kinit Administrator
      • You should see: kinit: NOTICE: ticket renewable lifetime is 1 week
      • If not, check your capitalization and the names of your kdc and admin_server entries.
    6. While you may enter: mv /usr/local/etc/smb.conf-dist /usr/local/etc/smb.conf && vi /usr/local/etc/smb.conf, I suggest entering vi /usr/local/etc/smb.conf to create a blank config file and adding the following lines.
      • Replace workgroup (DOMAIN) with the uppercase NetBIOS name of your domain, realm (DOMAIN.INT) with your Active Directory domain in uppercase, and password server (server.domain.int) with the FQDN of your Active Directory domain controller; if you have more than one controller, list them on the password server line separated by spaces. Set wins server to the IP address of your WINS server if there is one on your network, and comment the line out if you don't have a WINS server.
    7. [global]
      dos charset = ASCII
      unix charset = UTF8
      display charset = UTF8
      workgroup = DOMAIN
      realm = DOMAIN.INT
      server string = FreeBSD Server %v
      security = ADS
      allow trusted domains = no
      password server = server.domain.int
      restrict anonymous = 2
      client NTLMv2 auth = yes
      client lanman auth = no
      client plaintext auth = no
      client use spnego = no
      server signing = auto
      log level = 10
      log file = /var/log/samba/log.%m
      max log size = 50
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      preferred master = no
      local master = no
      domain master = no
      dns proxy = no
      wins server = 192.168.1.x
      ldap ssl = no
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      template homedir = /home/%D/%U
      template shell = /bin/tcsh
      add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
      winbind separator = +
      winbind cache time = 3600
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = yes
      winbind refresh tickets = yes
      winbind offline logon = yes

    8. Enter: net ads join -U Administrator
      • You should be prompted for the password to the Administrator account in your Active Directory domain.
      • You should then see the following, where DOMAIN is the NetBIOS name of your Active Directory domain, FREEBSD is the hostname of your FreeBSD server, and DOMAIN.INT is the Active Directory domain you used when configuring /etc/krb5.conf:
    9. Using short domain name -- DOMAIN
      Joined 'FREEBSD' to realm 'DOMAIN.INT'

    10. Enter: mkdir /home/DOMAIN
      • Where DOMAIN is the NetBIOS name of your Active Directory domain, matching the %D in the template homedir line above. On FreeBSD, /home is a symbolic link to /usr/home, so the directory may be created under either path.
    11. Enter: vi /etc/rc.conf
      • Add the following lines to enable the various samba servers:
    12. nmbd_enable="YES"
      samba_enable="YES"
      smbd_enable="YES"
      winbindd_enable="YES"

    13. Enter: /usr/local/etc/rc.d/samba start
      • Start the Samba daemons.
    14. Enter: vi /etc/nsswitch.conf
      • Make the existing lines match the following. The changed lines (highlighted in the original post) are the group, passwd and shadow entries, which list winbind ahead of files:
    15. group: winbind files
      group_compat: nis
      hosts: files dns
      networks: files
      passwd: winbind files
      passwd_compat: nis
      shells: files
      services: compat
      services_compat: nis
      protocols: files
      rpc: files
      shadow: winbind files

    16. Enter: cd /usr/ports/security/pam_mkhomedir && make install clean
      • This port will allow your system to automatically create user directories when combined with the next step.
    17. Enter: vi /etc/pam.d/sshd
      • Make the existing lines match the following. The added lines (highlighted in the original post) are the auth sufficient /usr/local/lib/pam_winbind.so line and the session required /usr/local/lib/pam_mkhomedir.so line:
    18. #
      # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
      #
      # PAM configuration for the "sshd" service

      # auth
      auth sufficient pam_opie.so no_warn no_fake_prompts
      auth requisite pam_opieaccess.so no_warn allow_local
      auth sufficient /usr/local/lib/pam_winbind.so
      #auth sufficient pam_krb5.so no_warn try_first_pass
      #auth sufficient pam_ssh.so no_warn try_first_pass
      auth required pam_unix.so no_warn try_first_pass

      # account
      account required pam_nologin.so
      #account required pam_krb5.so
      account required pam_login_access.so
      account required pam_unix.so

      # session
      #session optional pam_ssh.so
      session required /usr/local/lib/pam_mkhomedir.so
      session required pam_permit.so

      # password
      #password sufficient pam_krb5.so no_warn try_first_pass
      password required pam_unix.so no_warn try_first_pass

    19. Enter: /usr/local/etc/rc.d/samba start
    20. Enter: /usr/local/etc/rc.d/samba start
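    The following script is an added example and is not part of the original guide. It checks the files edited in steps 3 through 18 for the mistakes the guide warns about (realm capitalization in /etc/krb5.conf, security = ADS and the realm in smb.conf, winbind in nsswitch.conf, straight quotes in rc.conf) and, when run with --live, follows up with net ads testjoin, wbinfo -t, wbinfo -u and getent passwd to confirm that the join and winbind lookups work. It assumes the file paths used in the guide; the sample configuration files it writes to a temporary directory are constructed for the offline run.

```sh
#!/bin/sh
# Added example, not part of the original guide: static checks for the files
# the guide edits, plus the live checks to run after "net ads join". The sample
# configs are constructed here in a temporary directory so the static checks
# can be exercised on any host; the live checks only run with "--live".

# Kerberos realm rule from the guide: the realm is the AD domain in UPPER CASE,
# DNS-style names stay lower case. Returns 0 if FILE's default_realm is REALM
# and [domain_realm] maps the lower-case ".domain" form to it.
check_krb5_realm() {
    file=$1 realm=$2
    upper=$(printf '%s' "$realm" | tr 'a-z' 'A-Z')
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    [ "$realm" = "$upper" ] || return 1
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$upper[[:space:]]*$" "$file" || return 1
    grep -Eq "^[[:space:]]*\.$lower[[:space:]]*=[[:space:]]*$upper[[:space:]]*$" "$file"
}

# Print the first value of KEY from a Samba-style "key = value" FILE.
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Returns 0 if KEY in FILE is exactly WANT.
check_smb_param() {
    [ "$(smb_param "$1" "$2")" = "$3" ]
}

# nsswitch.conf: the DB line (passwd, group, shadow) must list winbind.
check_nsswitch_winbind() {
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1"
}

# rc.conf: VAR must be enabled with straight ASCII quotes; typographic quotes
# copied from a web page are a syntax error when sh sources rc.conf at boot.
check_rc_enabled() {
    grep -Eq "^[[:space:]]*$2=\"YES\"[[:space:]]*$" "$1"
}

# Run one check, print its result, and count failures in $fails.
run_check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# Static checks for KRB5CONF SMBCONF NSSWITCH RCCONF, with REALM the
# upper-case AD domain. Returns the number of failed checks.
report() {
    fails=0
    run_check "krb5.conf: realm $5 upper-case and mapped" check_krb5_realm "$1" "$5"
    run_check "smb.conf: security = ADS" check_smb_param "$2" security ADS
    run_check "smb.conf: realm = $5" check_smb_param "$2" realm "$5"
    run_check "nsswitch.conf: passwd uses winbind" check_nsswitch_winbind "$3" passwd
    run_check "nsswitch.conf: group uses winbind" check_nsswitch_winbind "$3" group
    run_check "rc.conf: winbindd_enable" check_rc_enabled "$4" winbindd_enable
    return $fails
}

# Live checks (Samba 3.0 commands): testjoin confirms the machine account,
# wbinfo -t the trust secret, wbinfo -u and getent that winbindd and
# nsswitch resolve domain users.
live_checks() {
    net ads testjoin && wbinfo -t && wbinfo -u | head -n 5 && getent passwd | head -n 5
}

# Constructed sample files mirroring the guide's DOMAIN.INT layout.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '[libdefaults]\n default_realm = DOMAIN.INT\n[domain_realm]\n .domain.int = DOMAIN.INT\n domain.int = DOMAIN.INT\n' > "$dir/krb5.conf"
    printf '[global]\n workgroup = DOMAIN\n realm = DOMAIN.INT\n security = ADS\n password server = server.domain.int\n' > "$dir/smb.conf"
    printf 'group: winbind files\ngroup_compat: nis\npasswd: winbind files\nhosts: files dns\n' > "$dir/nsswitch.conf"
    printf 'samba_enable="YES"\nwinbindd_enable="YES"\n' > "$dir/rc.conf"
    # the same line as it arrives from a web page, with U+201D quotes (octal escapes)
    printf 'winbindd_enable=\342\200\235YES\342\200\235\n' > "$dir/rc.conf.bad"
    printf '%s' "$dir"
}

SAMPLE_DIR=$(make_samples)
if [ "${1:-}" = "--live" ]; then
    report /etc/krb5.conf /usr/local/etc/smb.conf /etc/nsswitch.conf /etc/rc.conf "$(smb_param /usr/local/etc/smb.conf realm)" && live_checks
else
    report "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/smb.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/rc.conf" DOMAIN.INT
fi
```

    Without arguments the script only exercises the checks against the constructed samples (and leaves the temporary directory behind for inspection); on the joined server, run it as root with --live after step 18, since net ads testjoin and wbinfo -t need the machine account secret that net ads join stored.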

    Please comment if you would like to see any corrections made to this guide.
