Integrating FreeBSD 7.x Into Windows Server 2003/2008 Active Directory As A Domain Member Server

September 19, 2008

I have spent more than 15 hours trying to integrate FreeBSD servers and Microsoft Active Directory. Any successes have come from hours of googling and trying to patch together information from pages about several versions of FreeBSD and Samba to get a working system. These instructions represent my notes on the process and were tested on a FreeBSD 7.1 amd64 system with the Samba 3.0.34 port. I also tried the 3.2.8 and 3.3.2 ports but was unable to successfully integrate with an Active Directory domain.

Steps:

  1. Enter: cd /usr/ports/security/krb5 && make KRB5_HOME=/usr/local install clean
    • Don’t change any config options.
  2. Enter: cd /usr/ports/net/samba3 && make KRB5_HOME=/usr/local install clean
    • Select LDAP, ADS, CUPS, WINBIND, ACL_SUPPORT, FAM_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, DNSUPDATE, EXP_MODULES & POPT. Deselect all other options.
  3. Enter: vi /etc/krb5.conf
    • Many sources say this step is optional. I think it’s mandatory with Windows Server 2003 & 2008 servers.
    • Make it look similar to the block below. Wherever you see DOMAIN.INT, replace it with your Active Directory domain, but keep the upper and lower case exactly as shown: the realm name is upper case, the DNS domain name is lower case. For instance, if your AD domain controller is ad1.example.dom, you would substitute “example.dom” for every occurrence of “domain.int” and “EXAMPLE.DOM” for every occurrence of “DOMAIN.INT”.
    • Also replace server in “server.domain.int” with the FQDN of your Active Directory domain controller. If you have more than one, add a kdc line and an admin_server line for each controller, substituting that controller’s hostname.

    [logging]
    default = SYSLOG:INFO:LOCAL7

    [libdefaults]
    clock_skew = 300
    default_realm = DOMAIN.INT
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    ticket_lifetime = 24000

    [realms]
    DOMAIN.INT = {
    kdc = server.domain.int:88
    admin_server = server.domain.int:464
    default_domain = domain.int
    }

    [domain_realm]
    .domain.int = DOMAIN.INT
    domain.int = DOMAIN.INT

  4. Enter: kinit Administrator
    • You should see: kinit: NOTICE: ticket renewable lifetime is 1 week
    • If not, check your capitalization and the names of your kdc and admin_server entries.
  5. While you may enter: mv /usr/local/etc/smb.conf-dist /usr/local/etc/smb.conf && vi /usr/local/etc/smb.conf, I suggest entering vi /usr/local/etc/smb.conf to create a blank config file and adding the following lines.
    • Replace DOMAIN, DOMAIN.INT and server.domain.int as follows: set workgroup to the upper-case NetBIOS name of your domain, realm to your Active Directory domain (upper case, exactly as in krb5.conf), password server to the FQDN of your Active Directory domain controller (if you have more than one, list them on the password server line separated by spaces), and wins server to the IP address of your WINS server if there is one on your network. Comment the wins server line out if you don’t have a WINS server.

    [global]
    dos charset = ASCII
    unix charset = UTF8
    display charset = UTF8
    workgroup = DOMAIN
    realm = DOMAIN.INT
    server string = FreeBSD Server %v
    security = ADS
    allow trusted domains = no
    password server = server.domain.int
    restrict anonymous = 2
    client NTLMv2 auth = yes
    client lanman auth = no
    client plaintext auth = no
    client use spnego = no
    server signing = auto
    log level = 10
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    local master = no
    domain master = no
    dns proxy = no
    wins server = 192.168.1.x
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%D/%U
    template shell = /bin/tcsh
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
    winbind separator = +
    winbind cache time = 3600
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes

  6. Enter: net ads join -U Administrator
    • You should be prompted for the password of the Administrator account in your Active Directory domain.
    • You should then see the following, where DOMAIN is the NetBIOS name of your Active Directory domain, FREEBSD is the hostname of your FreeBSD server, and DOMAIN.INT is the Active Directory domain you used when configuring /etc/krb5.conf:

    Using short domain name -- DOMAIN
    Joined 'FREEBSD' to realm 'DOMAIN.INT'

  7. Enter: mkdir /home/DOMAIN
    • Where DOMAIN is the NetBIOS name of your Active Directory domain. This is the directory the template homedir setting above points at; on FreeBSD, /home is a symbolic link to /usr/home, so the directory is actually created there.
  8. Enter: vi /etc/rc.conf
    • Add the following lines to enable the various Samba servers:

    nmbd_enable="YES"
    samba_enable="YES"
    smbd_enable="YES"
    winbindd_enable="YES"

  9. Enter: /usr/local/etc/rc.d/samba start
    • Start the Samba daemons.
  10. Enter: vi /etc/nsswitch.conf
    • Make the existing lines match the following; the changes are the winbind entries on the group, passwd and shadow lines:

    group: winbind files
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: winbind files
    passwd_compat: nis
    shells: files
    services: compat
    services_compat: nis
    protocols: files
    rpc: files
    shadow: winbind files

  11. Enter: cd /usr/ports/security/pam_mkhomedir && make install clean
    • This port lets the system create user home directories automatically when combined with the next step.
  12. Enter: vi /etc/pam.d/sshd
    • Make the existing lines match the following; the added lines are the pam_winbind.so auth line and the pam_mkhomedir.so session line:

    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
    #
    # PAM configuration for the "sshd" service

    # auth
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    auth sufficient /usr/local/lib/pam_winbind.so
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    auth required pam_unix.so no_warn try_first_pass

    # account
    account required pam_nologin.so
    #account required pam_krb5.so
    account required pam_login_access.so
    account required pam_unix.so

    # session
    #session optional pam_ssh.so
    session required /usr/local/lib/pam_mkhomedir.so
    session required pam_permit.so

    # password
    #password sufficient pam_krb5.so no_warn try_first_pass
    password required pam_unix.so no_warn try_first_pass

  13. Enter: /usr/local/etc/rc.d/samba start

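As an added example that is not part of the original guide, the POSIX sh script below generates /etc/krb5.conf from one realm and a list of domain controllers following the capitalization rule of step 3 (realm upper case, DNS domain lower case), and checks an existing file for the case mistakes that make the kinit in step 4 fail. EXAMPLE.DOM and ad1.example.dom are constructed placeholders, and the guide’s DES/RC4 enctype lines are deliberately left out, since DES is disabled on current domain controllers and RC4 is deprecated.

```shell
#!/bin/sh
# Added example, not from the original guide: build /etc/krb5.conf from a
# realm plus domain controllers, applying the guide's case rule, and verify
# an existing file against that rule. Names such as EXAMPLE.DOM and
# ad1.example.dom are constructed placeholders. The guide's DES/RC4 enctype
# lines are omitted on purpose (DES is disabled on current DCs, RC4 deprecated).
set -eu

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# gen_krb5_conf REALM DC1 [DC2 ...]: prints [libdefaults], [realms] and
# [domain_realm]; one kdc/admin_server pair per controller, as step 3 says.
gen_krb5_conf() {
    realm=$(to_upper "$1"); shift          # realm is always upper case
    domain=$(to_lower "$realm")            # DNS domain is always lower case
    printf '[libdefaults]\n\tdefault_realm = %s\n\tclock_skew = 300\n\n' "$realm"
    printf '[realms]\n\t%s = {\n' "$realm"
    for dc in "$@"; do
        dc=$(to_lower "$dc")
        printf '\t\tkdc = %s:88\n\t\tadmin_server = %s:464\n' "$dc" "$dc"
    done
    printf '\t\tdefault_domain = %s\n\t}\n\n' "$domain"
    printf '[domain_realm]\n\t.%s = %s\n\t%s = %s\n' "$domain" "$realm" "$domain" "$realm"
}

# check_krb5_case FILE: returns 0 when default_realm and every [domain_realm]
# value are upper case and default_domain and every [domain_realm] key are
# lower case; otherwise prints the offending lines and returns 1.
check_krb5_case() {
    awk '
        /^[ \t]*default_realm[ \t]*=/  { if ($NF != toupper($NF)) { print "realm not upper case: " $0; bad = 1 } }
        /^[ \t]*default_domain[ \t]*=/ { if ($NF != tolower($NF)) { print "domain not lower case: " $0; bad = 1 } }
        /^\[domain_realm\]/            { sect = 1; next }
        /^\[/                          { sect = 0 }
        sect && /=/ { if ($1 != tolower($1) || $NF != toupper($NF)) { print "domain_realm case mismatch: " $0; bad = 1 } }
        END { exit bad + 0 }
    ' "$1"
}

# Usage: sh krb5gen.sh example.dom ad1.example.dom ad2.example.dom > /etc/krb5.conf
if [ $# -gt 0 ]; then
    gen_krb5_conf "$@"
fi
```

Run check_krb5_case against a hand-edited /etc/krb5.conf before trying kinit; a non-zero exit points at the exact line whose case is wrong.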
Please comment if you would like to see any corrections made to this guide.
