Integrating FreeBSD into Active Directory – Part 1

This article explains how to add a FreeBSD server to an existing Active Directory domain.  For this example, I am using FreeBSD 10.2 and Samba 4.2.

Assumptions:
IP Subnet: 192.168.0.0/24
Domain: EXAMPLE.LOCAL
Domain Controller 1: DC1.EXAMPLE.LOCAL
Domain Controller 2: DC2.EXAMPLE.LOCAL

Install Samba

Type in the following:

cd /usr/ports/net/samba42 && make install clean

Ensure that you enable ADS, Winbind, ACL_SUPPORT, AIO_SUPPORT, SYSLOG, QUOTAS, DNSUPDATE.  Do not enable CUPS unless you are planning on using the print services.  Most of the other defaults should be fine.

When you are done with that, you will need to create /usr/local/etc/smb4.conf and update it to the following (case sensitive!!!):

[global]
	workgroup = EXAMPLE
	server string = Samba Server Version %v
	security = ads
	realm = EXAMPLE.LOCAL
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
	use sendfile = true

	# The default (*) domain uses tdb; the AD domain uses rid so UIDs are
	# derived deterministically from the SID. The domain name in the rid
	# entries must match the workgroup above, and the two ranges must not overlap.
	idmap config * : backend = tdb
	idmap config * : range = 100000-299999
	idmap config EXAMPLE : backend = rid
	idmap config EXAMPLE : range = 10000-99999
	winbind separator = +
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	restrict anonymous = 2
	log file = /var/log/samba4/log.%m
	max log size = 50

	template homedir = /home/%D/%U
	template shell = /usr/local/bin/bash

Time Sync using NTP

Kerberos authentication against Active Directory is very time sensitive (tickets are rejected beyond a small clock skew, 5 minutes by default), so it is important that you sync your server’s time to your domain controllers, or you will run into authentication failures later.

  1. First you need to edit /etc/ntp.conf and make the following changes (the server lines are near the top of the file):
    server DC1.EXAMPLE.LOCAL iburst
    server DC2.EXAMPLE.LOCAL iburst
    #server 0.freebsd.pool.ntp.org iburst
    #server 1.freebsd.pool.ntp.org iburst
    #server 2.freebsd.pool.ntp.org iburst
    #server 3.freebsd.pool.ntp.org iburst
  2. Next you’ll need to ensure that your startup is correct (the order does matter, as ntpdate must run prior to ntpd):
    echo "ntpdate_enable=YES" >> /etc/rc.conf
    echo "ntpd_enable=YES" >> /etc/rc.conf
    service ntpd stop
    service ntpdate onestart
    service ntpd start

Prepare Kerberos

The next step is to prepare Kerberos.  You will need to do the following:

  1. Edit /etc/sysctl.conf and add the following:
    kern.maxfiles=25600
    kern.maxfilesperproc=16384
    net.inet.tcp.sendspace=65536
    net.inet.tcp.recvspace=65536
  2. Create /etc/krb5.conf and add the following (case sensitive!!!):
    [libdefaults]
    	default_realm = EXAMPLE.LOCAL
    	dns_lookup_realm = true
    	dns_lookup_kdc = true
    	ticket_lifetime = 24h
    	renew_lifetime = 7d
    	forwardable = yes
  3. Edit /etc/nsswitch.conf and modify your group and passwd values:
    group: files winbind
    passwd: files winbind
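Before joining, it is worth checking that the three files above agree with each other: the rid idmap entries must be keyed by the workgroup name, the realm must be upper case and identical in smb4.conf and krb5.conf, the idmap ranges must not overlap, and nsswitch.conf must list winbind. The following script is an added example, not part of the original post; the sample files it writes are constructed to mirror the article's configs, and the function names (cfg_val, check_ad_config, write_samples) are my own.

```shell
#!/bin/sh
# Pre-join sanity check for the three files this article edits (smb4.conf,
# krb5.conf, nsswitch.conf). Added example, not from the original post.
# Prints every finding; returns 0 only when all checks pass.
# Trimmed value of "key = value" from an smb.conf/krb5.conf-style file.
cfg_val() {
    awk -F'=' -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

check_ad_config() {
    smb="$1"; krb="$2"; nss="$3"; fail=0
    wg=$(cfg_val "$smb" workgroup); realm=$(cfg_val "$smb" realm)

    # security = ads needs a realm, and Kerberos realm names are case sensitive.
    [ "$(cfg_val "$smb" security)" = ads ] || { echo "smb: security must be ads"; fail=1; }
    [ "$realm" = "$(printf %s "$realm" | tr a-z A-Z)" ] || { echo "smb: realm must be upper case"; fail=1; }
    [ "$(cfg_val "$krb" default_realm)" = "$realm" ] || { echo "krb5: default_realm != $realm"; fail=1; }

    # The rid backend is keyed by the NetBIOS workgroup name; any other name means
    # every domain user silently gets a tdb-allocated UID from the "*" range instead.
    rid_dom=$(awk -F'=' '$1 ~ /idmap config .* : backend/ && $2 ~ /rid/ { split($1, a, " "); print a[3]; exit }' "$smb")
    [ "$rid_dom" = "$wg" ] || { echo "smb: idmap rid domain '$rid_dom' != workgroup '$wg'"; fail=1; }

    # The "*" default range and the domain range must not overlap, or UIDs collide.
    def=$(cfg_val "$smb" "idmap config * : range"); dom=$(cfg_val "$smb" "idmap config $wg : range")
    if [ -z "$dom" ]; then
        echo "smb: no idmap range for $wg"; fail=1
    elif [ "${dom#*-}" -ge "${def%-*}" ] && [ "${dom%-*}" -le "${def#*-}" ]; then
        echo "smb: idmap ranges $def and $dom overlap"; fail=1
    fi

    # Without winbind in nsswitch, getent never sees domain accounts.
    for db in passwd group; do
        grep -Eq "^$db:.*winbind" "$nss" || { echo "nsswitch: $db lacks winbind"; fail=1; }
    done
    return $fail
}

# Constructed sample files mirroring the article's configs; $2 is the domain name
# used for the rid idmap entries (EXAMPLE is correct, TEST reproduces a mismatch).
write_samples() {
    mkdir -p "$1"
    printf '[global]\n\tworkgroup = EXAMPLE\n\tsecurity = ads\n\trealm = EXAMPLE.LOCAL\n\tidmap config * : backend = tdb\n\tidmap config * : range = 100000-299999\n\tidmap config %s : backend = rid\n\tidmap config %s : range = 10000-99999\n' "$2" "$2" > "$1/smb4.conf"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.LOCAL\n' > "$1/krb5.conf"
    printf 'group: files winbind\npasswd: files winbind\n' > "$1/nsswitch.conf"
}

tmp=$(mktemp -d); write_samples "$tmp" TEST
check_ad_config "$tmp/smb4.conf" "$tmp/krb5.conf" "$tmp/nsswitch.conf" || echo "fix smb4.conf before running net ads join"
```

On a real host, call check_ad_config /usr/local/etc/smb4.conf /etc/krb5.conf /etc/nsswitch.conf and only proceed to net ads join once it prints nothing and returns 0.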

Install mDNS

I noticed that Samba tends to fill up my message log complaining it can’t find mdnsd, so the simple solution was to install nss_mdns:

cd /usr/ports/dns/nss_mdns/ && make install clean
echo "mdnsd_enable=YES" >> /etc/rc.conf
service mdnsd start

Join the Domain

The next steps are to join the domain and test the services.

  1. Join the domain:
    net ads join -U administrator
    net ads testjoin
    # Should report "Join is OK"
  2. Start the SAMBA service:
    echo "samba_server_enable=YES" >> /etc/rc.conf
    service samba_server start
  3. Next, test Kerberos and Winbind (kinit should return without error, klist should show a ticket for the EXAMPLE.LOCAL realm, and the wbinfo and getent commands should list domain users and groups):
    kinit administrator
    klist
    wbinfo -u
    wbinfo -g
    getent passwd
    getent group

If that all works, you are finished! To make this meaningful, the next article will show you how to login remotely using SSH / PAM.
