I have spent more than 15 hours trying to integrate FreeBSD servers and Microsoft Active Directory. Any successes have come from hours of googling and trying to patch together information from pages about several versions of FreeBSD and Samba to get a working system. These instructions represent my notes on the process and were tested on a FreeBSD 7.1 amd64 system with the Samba 3.0.34 port. I also tried the 3.2.8 and 3.3.2 ports but was unable to successfully integrate with an Active Directory domain.
Steps:
- Enter: cd /usr/ports/security/krb5 && make KRB5_HOME=/usr/local install clean
  - Don't change any config options.
- Enter: cd /usr/ports/net/samba3 && make KRB5_HOME=/usr/local install clean
  - Select LDAP, ADS, CUPS, WINBIND, ACL_SUPPORT, FAM_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, DNSUPDATE, EXP_MODULES and POPT. Deselect all other options.
- Enter: vi /etc/krb5.conf
  - Many sources say this step is optional. I think it's mandatory with Windows Server 2003 and 2008 servers.
  - Make it look similar to the /etc/krb5.conf listing below. Wherever you see DOMAIN.INT, replace it with your Active Directory domain, but absolutely maintain the upper and lower case as shown: Kerberos realm names are case sensitive, and the AD realm is the DNS domain name in upper case. For instance, if your AD domain controller is ad1.example.dom, you would substitute "example.dom" for all occurrences of "domain.int" and "EXAMPLE.DOM" for all occurrences of "DOMAIN.INT".
  - Also replace "server" in "server.domain.int" with the FQDN of your Active Directory domain controller. If you have more than one, add additional kdc and admin_server lines, one pair per controller, substituting each controller's hostname.
- Enter: kinit Administrator
  - You should see: kinit: NOTICE: ticket renewable lifetime is 1 week
  - If not, check your capitalization and the names of your kdc and admin_server entries.
- Enter: vi /usr/local/etc/smb.conf
  - While you may instead enter mv /usr/local/etc/smb.conf-dist /usr/local/etc/smb.conf && vi /usr/local/etc/smb.conf, I suggest creating a blank config file and adding the lines in the smb.conf listing below.
  - Replace the placeholders as follows: workgroup is the uppercase NetBIOS name of your domain, realm is your Active Directory domain in upper case (identical to default_realm in /etc/krb5.conf), password server is the FQDN of your Active Directory domain controller (if you have more than one, list them on the password server line separated by spaces), and wins server is the IP address of your WINS server if one is present on your network. Comment it out if you don't have a WINS server.
- Enter: net ads join -U Administrator
  - You should be prompted for the password of the Administrator account in your Active Directory domain.
  - You should then see the output shown below, where DOMAIN is the NetBIOS name of your Active Directory domain, FREEBSD is the hostname of your FreeBSD server, and DOMAIN.INT is the Active Directory domain you used when configuring /etc/krb5.conf.
- Enter: mkdir /home/DOMAIN
  - Where DOMAIN is the NetBIOS name of your Active Directory domain (the %D in template homedir). On FreeBSD /home is a symbolic link to /usr/home, so the directory is actually created under /usr/home.
- Enter: vi /etc/rc.conf
  - Add the lines in the rc.conf listing below to enable the various Samba daemons.
- Enter: /usr/local/etc/rc.d/samba start
  - Start the Samba daemons.
- Enter: vi /etc/nsswitch.conf
  - Make the existing lines match the nsswitch.conf listing below; the changes are the winbind entries on the group, passwd and shadow lines.
- Enter: cd /usr/ports/security/pam_mkhomedir && make install clean
  - This port will allow your system to automatically create user home directories when combined with the next step.
- Enter: vi /etc/pam.d/sshd
  - Make the existing lines match the /etc/pam.d/sshd listing below by adding the two lines that reference /usr/local/lib/pam_winbind.so and /usr/local/lib/pam_mkhomedir.so.
- Enter: /usr/local/etc/rc.d/samba start
/etc/krb5.conf (the DES-CBC-CRC and DES-CBC-MD5 enctypes are only there for older domain controllers; DES is weak and is disabled by default on Windows 7 / Server 2008 R2 and later, so drop them once your controllers no longer need them):

[logging]
default = SYSLOG:INFO:LOCAL7

[libdefaults]
clock_skew = 300
default_realm = DOMAIN.INT
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
ticket_lifetime = 24000

[realms]
DOMAIN.INT = {
kdc = server.domain.int:88
admin_server = server.domain.int:464
default_domain = domain.int
}

[domain_realm]
.domain.int = DOMAIN.INT
domain.int = DOMAIN.INT
/usr/local/etc/smb.conf (log level = 10 is a debugging setting that writes a great deal to /var/log/samba; lower it once the join works):

[global]
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
workgroup = DOMAIN
realm = DOMAIN.INT
server string = FreeBSD Server %v
security = ADS
allow trusted domains = no
password server = server.domain.int
restrict anonymous = 2
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = no
server signing = auto
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
dns proxy = no
wins server = 192.168.1.x
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/tcsh
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
winbind separator = +
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
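The guide's hardest-won lesson is the capitalisation rule: the realm must be upper case everywhere, DNS names lower case, and the realm in smb.conf must be identical to default_realm in /etc/krb5.conf. The following added example (mine, not part of the original guide or of Samba) parses the two template files above, reports any of those mismatches, and shows what the template homedir and winbind separator settings turn into for a constructed user "jdoe". The config strings are constructed copies of the listings with the placeholders left in place.

```python
"""Consistency checks for the /etc/krb5.conf and smb.conf pair used to join a
FreeBSD Samba 3 host to Active Directory.  Added example, not part of the
original guide: the two strings below are constructed copies of the guide's
templates, and the checks encode the capitalisation rules the guide insists on."""
import configparser
import posixpath

# Constructed copy of the guide's /etc/krb5.conf template (placeholders kept).
KRB5_CONF = """\
[logging]
default = SYSLOG:INFO:LOCAL7

[libdefaults]
clock_skew = 300
default_realm = DOMAIN.INT
ticket_lifetime = 24000

[realms]
DOMAIN.INT = {
kdc = server.domain.int:88
admin_server = server.domain.int:464
default_domain = domain.int
}

[domain_realm]
.domain.int = DOMAIN.INT
domain.int = DOMAIN.INT
"""

# Constructed subset of the guide's smb.conf [global] section.
SMB_CONF = """\
[global]
workgroup = DOMAIN
realm = DOMAIN.INT
security = ADS
password server = server.domain.int
template homedir = /home/%D/%U
winbind separator = +
winbind use default domain = yes
"""


def parse_krb5(text):
    """Minimal krb5.conf parser: [section] blocks of key = value, plus the
    'NAME = { ... }' sub-blocks used in [realms].  Values inside a sub-block are
    kept as lists so several kdc lines (one per controller) are preserved."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = conf[section].setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            conf[section][key] = value
    return conf


def parse_smb_global(text):
    """smb.conf is INI-like; interpolation is off so %D / %U survive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True)
    cp.read_string(text)
    return dict(cp["global"])


def check_configs(krb5_text, smb_text):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    krb5 = parse_krb5(krb5_text)
    smb = parse_smb_global(smb_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if not realm:
        return ["krb5.conf: no default_realm in [libdefaults]"]
    if realm != realm.upper():
        problems.append(f"krb5.conf: default_realm {realm!r} must be upper case")
    realm_block = krb5.get("realms", {}).get(realm)
    if realm_block is None:
        problems.append(f"krb5.conf: [realms] has no entry for {realm}")
    else:  # every kdc / admin_server must be a host inside the realm's DNS domain
        for entry in realm_block.get("kdc", []) + realm_block.get("admin_server", []):
            host = entry.split(":")[0]
            if not host.lower().endswith("." + realm.lower()):
                problems.append(f"krb5.conf: {host} is not inside {realm.lower()}")
    for dom, mapped in krb5.get("domain_realm", {}).items():
        if dom != dom.lower() or mapped != realm:
            problems.append(f"krb5.conf: [domain_realm] {dom} = {mapped} should map a "
                            f"lower-case domain to {realm}")
    if smb.get("realm") != realm:
        problems.append(f"smb.conf: realm {smb.get('realm')!r} != krb5 default_realm {realm!r}")
    wg = smb.get("workgroup", "")
    if not wg or wg != wg.upper():
        problems.append(f"smb.conf: workgroup {wg!r} must be the upper-case NetBIOS name")
    if smb.get("security", "").upper() != "ADS":
        problems.append("smb.conf: security must be ADS for a domain member")
    for ps in smb.get("password server", "").split():
        if not ps.lower().endswith("." + realm.lower()):
            problems.append(f"smb.conf: password server {ps} is not inside {realm.lower()}")
    return problems


def expand_home(template, domain, user):
    """Expand %D (NetBIOS domain) and %U (session user) as winbind does."""
    return template.replace("%D", domain).replace("%U", user)


def home_parent(template, domain, user):
    """The directory the guide's 'mkdir /home/DOMAIN' step creates by hand."""
    return posixpath.dirname(expand_home(template, domain, user))


def login_name(user, domain, separator, use_default_domain):
    """What the user types at the ssh prompt: with 'winbind use default domain
    = yes', members of the joined domain log in as plain 'user'."""
    return user if use_default_domain else f"{domain}{separator}{user}"


if __name__ == "__main__":
    print(check_configs(KRB5_CONF, SMB_CONF))  # [] when the two files agree
    smb = parse_smb_global(SMB_CONF)
    print(expand_home(smb["template homedir"], smb["workgroup"], "jdoe"))
    print(home_parent(smb["template homedir"], smb["workgroup"], "jdoe"))
```

Point it at your real files (open them and pass the text to check_configs) before running kinit; a lower-case realm anywhere shows up as several messages at once, which is exactly the failure the guide's "check your capitalization" step is warning about.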
Output of net ads join:

Using short domain name -- DOMAIN
Joined 'FREEBSD' to realm 'DOMAIN.INT'
/etc/rc.conf additions:

nmbd_enable="YES"
samba_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"
/etc/nsswitch.conf:

group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
shadow: winbind files
/etc/pam.d/sshd:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
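The position and control flag of the added pam_winbind line matter: marked sufficient and placed before pam_unix, it lets domain users stop at winbind while local accounts fall through to pam_unix. The following added example (mine, not part of the guide and not the real PAM library) walks the auth stack above with OpenPAM's rules for sufficient, requisite and required, using constructed module outcomes, and contrasts it with a hypothetical stack where winbind is mistakenly marked required.

```python
"""Toy evaluator for the OpenPAM control flags used in the /etc/pam.d/sshd
auth stack from the guide.  Added example, not part of the original guide:
it does not call PAM; the per-module outcomes in each scenario are constructed
so the stack's behaviour can be traced."""

# The auth stack from the guide, in order (module paths shortened).
AUTH_STACK = [
    ("sufficient", "pam_opie.so"),        # no_fake_prompts: fails for users without OPIE
    ("requisite",  "pam_opieaccess.so"),  # allow_local: passes when the user has no OPIE key
    ("sufficient", "pam_winbind.so"),     # the line the guide adds: AD users stop here
    ("required",   "pam_unix.so"),        # local accounts in /etc/master.passwd
]

# Hypothetical mistake for comparison: winbind marked required instead of sufficient.
WINBIND_REQUIRED_STACK = [
    ("required" if mod == "pam_winbind.so" else ctl, mod) for ctl, mod in AUTH_STACK
]


def run_stack(stack, results):
    """Walk a PAM chain with OpenPAM's rules for the three control flags:
      sufficient: success ends the chain with success unless a required module
                  already failed; failure is ignored and the chain continues
      requisite:  failure ends the chain immediately with failure
      required:   failure is remembered but the chain keeps running, so the
                  caller cannot tell which module rejected the login
    `results` maps module name -> bool (constructed outcome).  Returns
    (granted, trace) where trace lists the modules actually consulted."""
    failed_required = False
    trace = []
    for control, module in stack:
        ok = results.get(module, False)
        trace.append((module, ok))
        if control == "sufficient":
            if ok and not failed_required:
                return True, trace
        elif control == "requisite":
            if not ok:
                return False, trace
        elif control == "required":
            if not ok:
                failed_required = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not failed_required, trace


def ssh_login(stack, *, opie_ok=False, opieaccess_ok=True,
              winbind_ok=False, unix_ok=False):
    """Run one sshd login through `stack` with the given constructed outcomes."""
    results = {
        "pam_opie.so": opie_ok,
        "pam_opieaccess.so": opieaccess_ok,
        "pam_winbind.so": winbind_ok,
        "pam_unix.so": unix_ok,
    }
    return run_stack(stack, results)


def consulted(trace):
    """Names of the modules that were actually asked, in order."""
    return [module for module, _ in trace]


if __name__ == "__main__":
    # AD user with a correct domain password: winbind is sufficient, pam_unix never runs.
    print(ssh_login(AUTH_STACK, winbind_ok=True))
    # Local-only account: winbind fails quietly, pam_unix decides.
    print(ssh_login(AUTH_STACK, unix_ok=True))
    # Wrong password everywhere: every module is still consulted before the refusal.
    print(ssh_login(AUTH_STACK))
    # The same local account with the mistaken 'required' winbind line is locked out.
    print(ssh_login(WINBIND_REQUIRED_STACK, unix_ok=True))
```

The last scenario is the practical check: before relying on the new stack, log in once as a local (non-domain) account from a second session while root remains logged in, so a mistake in the auth section cannot lock you out of the box.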
Please comment if you would like to see any corrections made to this guide.
Suggested Reading Material: