FreeBSD: Setup Samba as an AD Domain Member

This post is a slight modification of the official wiki for setting up Samba as an AD Domain Member. The wiki mentioned is a great article, but as described it doesn’t work on FreeBSD. There are two extra changes that you have to make and these changes are described below.

In my lab, I built a Windows 2012R2 domain controller/DNS and a FreeBSD 10.1 VM running Samba 4.4.5.
My Windows domain is kdomain.local and the NETBIOS name is MYDOMAIN. They are on the same subnet and the IP of the BSD VM is in the DNS. Let’s verify the prerequisites before we install Samba. Make sure that everything checks out.

This is the full name of my BSD VM.

hostname
freebsd03.kdomain.local

This is what I have in resolv.conf. 192.168.1.19 is the IP of the Windows box.

cat /etc/resolv.conf
search kdomain.local
nameserver 192.168.1.19

This is the hostname and the IP of my BSD box.

cat /etc/rc.conf
hostname="freebsd03.kdomain.local"
ifconfig_em0="inet 192.168.1.18 netmask 255.255.255.0"

Make sure it resolves properly in DNS.

host -t A freebsd03.kdomain.local
freebsd03.kdomain.local has address 192.168.1.18

Check the date/time on both systems. They have to be the same. If the time is not the same, it’s fine, but they have to be in different time zones.

date
Fri Aug 26 19:26:24 EDT 2016

Another check using getent in case you have something in /etc/hosts.

getent hosts freebsd03
192.168.1.18      freebsd03.kdomain.local

If everything checks out, you can install samba.

pkg install samba44

This is where Samba expects the config file which doesn’t exist by default.

smbd -b | grep CONFIGFILE
   CONFIGFILE: /usr/local/etc/smb4.conf

The log dir is automatically created under /var/log/samba4. If you need to change the log dir or any other input parameters, look at /usr/local/etc/rc.d/samba_server file, but don’t change this file. Use the parameters there to change them in /etc/rc.conf.

Before you go further, you need to know what’s realm, NETBIOS and workgroup in Samba terms. They are kind of misleading as you can see below from the samba config file. On the domain controller, open up a command prompt and type:

set | find  "DOMAIN"
USERDNSDOMAIN=KDOMAIN.LOCAL
USERDOMAIN=MYDOMAIN
USERDOMAIN_ROAMINGPROFILE=MYDOMAIN

My domain is KDOMAIN.LOCAL and the NETBIOS domain name is MYDOMAIN. The hostname of my domain controller is DC03, but that’s irrelevant.
Now create the Samba config file which is /usr/local/etc/smb4.conf.

[global]
        netbios name = freebsd03
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb

As you can see the netbios name is not the netbios name of your domain controller, it’s the hostname of your BSD box. The realm is the domain name and the workgroup is the NETBIOS name of the domain controller. Yep, it is misleading, but it is what it is.

Previously, I mentioned that there are two changes that you have to make that are different than the original wiki. So, this is the first change. In the original wiki article, they suggest picking up one of the three idmap modules.

   # Just adding the following three lines is not enough!!
       #  - idmap config ad
       #  - idmap config rid
       #  - idmap_config_autorid

If you go ahead and implement any of them, you won’t be able to enumerate the domain users with getent. More info here. So, skip that and just do the config file as described above.

Now that you have your config in place, check for any errors. Just do testparm.

testparm
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        realm = KDOMAIN.LOCAL
        workgroup = MYDOMAIN
        security = ADS
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        idmap config *:range = 2000-9999
        idmap config * : backend = tdb

If everything is syntax OK, you can now join the BSD box to the domain.

net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYDOMAIN
Joined 'FREEBSD03' to dns domain 'kdomain.local'

If you go back to your domain controller and open the ADUC (Active Directory Users and Computers), you’ll see your BSD hostname there.

Add these two lines to /etc/rc.conf.

samba_server_enable="YES"
winbindd_enable="YES"

Now, you can start Samba with service samba_server start. It also starts winbind daemon.

service samba_server start
Performing sanity check on Samba configuration: OK
Starting nmbd.
Starting smbd.
Starting winbindd.

Do all the checks.

wbinfo -u
MYDOMAIN\administrator
MYDOMAIN\guest
MYDOMAIN\klimenta
MYDOMAIN\krbtgt

wbinfo -g
MYDOMAIN\winrmremotewmiusers__
MYDOMAIN\domain computers
...

Now, do getent passwd. You won’t receive any domain users.
This is the second change that doesn’t apply from the official wiki. You’ll have to modify /etc/nsswitch.conf, so it looks like this. You have to replace compat with files for group and passwd entries.

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis

Reboot, and do getent passwd and getent group at this point. If you get the domain users and group, you are all set.

If you use pf, make sure that these ports are opened.

At this point, you’ll have the OS fully configured as a domain member, but you still can’t log in to FreeBSD with a domain account. In order to do that, we’ll have to make some changes.

Make sure you have these lines in smb.conf, restart samba service if necessary.

template shell = /bin/sh
template homedir = /home/%D/%U

The template shell and homedir means that each domain user will use /bin/sh for a shell and each home directory is expected to be under /home/ + domain name + the user name, in my case /home/MYDOMAIN/klimenta. Next, we should create a home dir for one of the users. In my case:

mkdir -p /home/MYDOMAIN/klimenta
cd /home/MYDOMAIN
chown -R [email protected] klimenta

Finally, the following three files needs to be modified: /etc/pam.d/sshd, /etc/pam.d/system and /etc/ssh/sshd_config. Reboot after the modifications.

In /etc/ssh/sshd_config, make sure these two lines are uncommented and set to yes and no.

PasswordAuthentication yes
ChallengeResponseAuthentication no

In /etc/pam.d/sshd, make sure you add this line three times so it looks like this. The order is also important.

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         sufficient      /usr/local/lib/pam_winbind.so
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
password        sufficient      /usr/local/lib/pam_winbind.so
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

In /etc/pam.d/system, make sure you add this line three times so it looks like this. The order is also important.

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         sufficient      /usr/local/lib/pam_winbind.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail

# password
password        sufficient      /usr/local/lib/pam_winbind.so
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

At this point, after the reboot of course, you can log as a domain member.
What if we want to share our home directory or some other directory on the FreeBSD server? We have to add a config change in smb.conf file. I’ll explain how to share the home directory. If you want to share some other directory, make sure that the domain user has rights to that directory. In my case, I’ll have the domain user klimenta access the shared home directory for the domain user klimenta on the FreeBSD server. The permissions are already in place. Edit /usr/local/etc/smb4.conf file and add these lines at the end.

[share]
        comment = klimenta domain user share
        path =  /home/MYDOMAIN/klimenta
        valid users = [email protected]
        guest ok = no
        writable = yes
        browsable = yes

Restart samba service.

service samba_server start

Now, from a Windows workstation go to \\freebsd03 and you’ll see the directory.