Creating a file server based on FreeBSD with authorization in AD

In this article, I will describe the creation of a file server with FreeBSD 9.2 (Samba-3.6) installed with authorization in the Windows 2003 domain.

When I first raised the file server to FreeBSD, I came across many problems, the solution of which had to be searched for a long time on thematic sites and forums . Therefore, here at each stage typical problems and their solutions will be described. I think this article will help many to resolve some issues.


So, let's start with the initial data:

  • Domain Name:;
  • Host Name:;
  • Host IP:;
  • PDC name (aka DNS / AD / DHCP / NTP):;
  • IP PDC:;
  • Blank with FreeBSD 9.2-i386-bootonly;
  • Internet access is required;
  • Printing is not needed.

I will not delve into the intricacies of installing the system. On this occasion, tons of information on the Internet and how to install the system, let everyone decide for himself. In this case, I did not rebuild the kernel and did not raise the RAID arrays. Everything is working just fine.

I note only a few nuances:

  • 1. During the OS installation, when setting up the network interface, I consciously chose DHCP, for which IP reservation was made on the DHCP server by MAC. You can find out the MAC address of the interface using the dmesg utility.
  • 2. For the correct resolution, I made a match in the DNS server to the file server, and also on the file server itself, added the following lines to the / etc / hosts file:
  • 3. After installation, ALWAYS check the time with PDC (of course, provided that it is NTP). If the time difference is more than 5 minutes, the file server will lose the domain.
    Check the team:


We turn to installing Samba (here, my first mistake was installing the Heimdal port, which, as it turned out, was not necessary to install at all):

#cd /usr/ports/net/samba36
#make install clean && rehash

Set with the parameters:

[X] LDAP With LDAP support
[X] ADS With Active Directory support
[X] WINBIND With WinBIND support
[X] ACL_SUPPORT With ACL support
[X] SYSLOG With Syslog support
[X] QUOTAS With Disk quota support
[X] POPT With system-wide POPT library

The installer will pull up all necessary packages automatically according to the dependencies. During the installation of each additional package, the system will often ask about the installation options. I left everything by default, I just turned off IPv6 protocol support, because we do not need him.

Next, we hammer the configs located at the end of the article. I note that the observance of the case of letters is required. If you use Putty, then you can copy-paste directly from the configs I have enclosed.
smb.conf should be in / usr / local / etc /. Other configs - in / etc.
If there is no file for some misunderstanding, then create it with a simple command and then hammer in:

#ee /usr/local/etc/smb.conf

Or, for example:

#ee /etc/krb5.conf

You can check the samba config with the testparm utility, which will indicate invalid entries. Again, invalid entries are not always the same. Here you need to know the subtleties.

After the configs are clogged, run the samba service:

# /usr/local/etc/rc.d/ start

Or easier:

#service samba start

A good answer would be:

Starting SAMBA: removing stale tdbs :
Starting nmbd.
Starting smbd.
Starting winbindd.

After any change in the samba config, you must definitely restart it.

#service samba restart

So, the system stands, the software is compiled, the configs are clogged. It's time to enter the machine into the domain.
We get a ticket:

# kinit -p dl_admin // где dl_admin - администратор домена
dl_admin@DOMAIN.RU's Password: // система попросит пароль админа домена
# klist // проверяем полученный билет
Credentials cache: FILE:/tmp/krb5cc_0 // ответ должен быть примерно таким
Principal: dl_admin@DOMAIN.RU
Issued Expires Principal
Oct 05 10:37:52 Oct 05 17:17:52 krbtgt/DOMAIN.RU@DOMAIN.RU

We introduce samba, and accordingly the server itself in Active Directory:

# net ads join -U dl_admin
dl_admin's password:
Joined 'MSRV-FILE' to realm 'DOMAIN.RU'

We check:

# wbinfo -p
Ping to winbindd succeeded on fd 4

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -g
возвращает список групп пользователей

# wbinfo -u
возвращает список пользователей

# id dl_admin
возвращает идентификатор пользователя

This, in fact, can be finished, but so that there are no problems with writing to the shared directory, I recommend that you assign a domain administrator as the owner for the shared directory with an indication of the user group:

# chown -R dl_admin:"Domain Users" /home/share
# chmod -R 770 /home/share

        default = FILE:/var/log/kerberos/krb5libs.log
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        ticket_lifetime = 24000
        default_realm = DOMAIN.RU
        dns_lookup_realm = false
        dns_lookup_kdc = false
        kdc_req_checksum_type = 2
        checksum_type = 2
        ccache_type = 1
        forwardable = true
        proxiable = true
        clockskew = 300
         v4_instance_resolve = false
         v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                plain = {
                        something = something-else
        DOMAIN.RU = {
                kdc = tcp/
                admin_server = tcp/
                default_domain = DOMAIN.RU
[domain_realm] = DOMAIN.RU = DOMAIN.RU
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        krb4_convert = false
        krb4_get_tickets = false

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
# -- sysinstall generated deltas -- # Sun Oct  5 10:31:10 2014
# smbd_enable="YES"
# -- sysinstall generated deltas -- # Sun Oct  5 15:09:56 2014

# Generated by resolvconf

        dos charset = cp866
        unix charset = koi8-r
        display charset = koi8-r
        workgroup = DOMAIN
        realm = DOMAIN.RU
        netbios name = MSRV-FILE
        server string = File Server %v
        security = ADS
        auth methods = winbind
        map to guest = Bad User
        log file = /var/log/samba/log.%m
        max log size = 50
        client signing = Yes
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        winbind use default domain = Yes
        inherit acls = Yes
        hosts allow = 10.1.1., 127.
        map acl inherit = Yes
        case sensitive = No
        nt acl support = Yes
        os level = 10
        socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
        load printers = No
        printing = bsd
        guest account = nobody
        guest ok = yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = No
        winbind refresh tickets = Yes
        idmap config * : range = 600-20000
        idmap config * : backend = tdb
        interfaces = bge0
        comment = Temporary file space
        path = /tmp
        read only = No
        create mask = 0666
        create mode = 666
        directory mode = 666
        directory mask = 0777
        guest ok = Yes
        comment = Share Directory
        path = /home/share
        write list = "@DOMAIN.RU\Domain Admins", "@DOMAIN.RU\Domain Users"
        read only = No
        create mode = 660
        directory mode = 660
        create mask = 0660
        directory mask = 0770

Also popular now: