
Creating a file server based on FreeBSD with authorization in AD
In this article I describe building a file server on FreeBSD 9.2 (Samba 3.6) that authenticates users against a Windows 2003 Active Directory domain.
When I first set up a file server on FreeBSD, I ran into many problems whose solutions took a long time to find on topical sites and forums. So at each stage I describe the typical problems and their solutions. I think this article will help many readers resolve some of these issues.

So, let's start with the initial data:
- Domain name: domain.ru;
- Host name: msrv-file.domain.ru;
- Host IP: 10.1.1.6;
- PDC name (also the DNS / AD / DHCP / NTP server): msrv-dc1.domain.ru;
- PDC IP: 10.1.1.10;
- Installation image: FreeBSD 9.2-i386-bootonly;
- Internet access is required;
- Printing is not needed.
I will not go into the details of installing the system. There is plenty of information on that on the Internet, and how to install the system is for everyone to decide for himself. In my case I did not rebuild the kernel and did not set up RAID arrays. Everything works just fine.
I will note only a few nuances:
- 1. During the OS installation, when configuring the network interface, I deliberately chose DHCP, with an IP reservation for the server's MAC address made on the DHCP server. The interface's MAC address can be found with the dmesg utility.
- 2. For correct name resolution I created a record for the file server on the DNS server, and on the file server itself I added the following lines to the /etc/hosts file:
10.1.1.10 msrv-dc1.domain.ru
10.1.1.6 msrv-file.domain.ru
- 3. After installation, ALWAYS check the time against the PDC (assuming, of course, that it is also the NTP server). If the clocks differ by more than 5 minutes, the file server will drop out of the domain.
Check with the command:
# ntpdate 10.1.1.10
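To make the time check in step 3 scriptable rather than done by eye, here is an added example (my own code, not part of the original article) that extracts the offset from an `ntpdate -q` report line, assumed to have the usual `server …, stratum …, offset …, delay …` shape, and compares it with the 300-second clockskew set in the krb5.conf attached below. The two report lines in the script are constructed samples, not captures from the article's PDC.

```sh
#!/bin/sh
# Added example, not from the original article: check the clock offset that
# `ntpdate -q <PDC>` reports against the Kerberos tolerance. The limit 300 s
# matches clockskew = 300 in the attached krb5.conf (5 minutes); beyond it
# Kerberos requests fail with a clock-skew error, which is why the article
# says the file server drops out of the domain.
MAX_SKEW=300

# offset_from_ntpdate LINE -> prints the "offset" value from a report line such as
#   server 10.1.1.10, stratum 2, offset -0.002345, delay 0.02567
offset_from_ntpdate() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "offset") { sub(/,$/, "", $(i + 1)); print $(i + 1); exit }
    }'
}

# skew_ok OFFSET_SECONDS -> exit 0 if |offset| <= MAX_SKEW, 1 otherwise
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# clock_ok_for_kerberos NTPDATE_LINE -> exit 0 if the server can keep its
# domain membership, 1 if the offset is missing or too large
clock_ok_for_kerberos() {
    off=$(offset_from_ntpdate "$1")
    [ -n "$off" ] || return 1
    skew_ok "$off"
}

# Constructed sample reports (not real captures from the article's PDC)
GOOD="server 10.1.1.10, stratum 2, offset -0.002345, delay 0.02567"
BAD="server 10.1.1.10, stratum 2, offset 412.771, delay 0.02567"

# In production feed the live report instead, e.g.
#   clock_ok_for_kerberos "$(ntpdate -q 10.1.1.10 | head -n 1)"
for line in "$GOOD" "$BAD"; do
    if clock_ok_for_kerberos "$line"; then
        echo "OK: $line"
    else
        echo "SKEW TOO LARGE, run ntpdate 10.1.1.10: $line"
    fi
done
```

The check is deliberately separate from the correction: a cron job can call clock_ok_for_kerberos and alert, while ntpd (enabled in the attached rc.conf) keeps the clock in step under normal conditions.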
Now we move on to installing Samba (here my first mistake was installing the Heimdal port, which, as it turned out, did not need to be installed at all):
# cd /usr/ports/net/samba36
# make install clean && rehash
Build it with the following options selected:
[X] LDAP With LDAP support
[X] ADS With Active Directory support
[X] WINBIND With WinBIND support
[X] ACL_SUPPORT With ACL support
[X] SYSLOG With Syslog support
[X] QUOTAS With Disk quota support
[X] POPT With system-wide POPT library
The installer pulls in all the required packages automatically according to the dependencies. While each additional package is installed, the system will frequently ask about its build options. I left everything at the defaults and only turned off IPv6 support, because we do not need it.
Next, fill in the configs given at the end of the article. Note that letter case must be preserved exactly. If you use PuTTY, you can copy and paste directly from the configs I have attached.
smb.conf belongs in /usr/local/etc/. The other configs go in /etc.
If for some reason a file does not exist, create it with a simple command and then fill it in:
#ee /usr/local/etc/smb.conf
Or, for example:
#ee /etc/krb5.conf
You can check the Samba config with the testparm utility, which points out invalid entries. Again, its complaints are not always unambiguous; here you need to know the subtleties.
Once the configs are filled in, start the Samba service:
# /usr/local/etc/rc.d/samba.sh start
Or, more simply:
#service samba start
A good response looks like this:
Starting SAMBA: removing stale tdbs :
Starting nmbd.
Starting smbd.
Starting winbindd.
After any change to the Samba config, you must restart it:
#service samba restart
So, the system is installed, the software compiled, the configs filled in. It's time to join the machine to the domain.
Obtain a Kerberos ticket:
# kinit -p dl_admin // where dl_admin is the domain administrator
dl_admin@DOMAIN.RU's Password: // the system asks for the domain administrator's password
# klist // check the obtained ticket
Credentials cache: FILE:/tmp/krb5cc_0 // the response should look roughly like this
Principal: dl_admin@DOMAIN.RU
Issued Expires Principal
Oct 05 10:37:52 Oct 05 17:17:52 krbtgt/DOMAIN.RU@DOMAIN.RU
Join Samba, and with it the server itself, to Active Directory:
# net ads join -U dl_admin
dl_admin's password:
Joined 'MSRV-FILE' to realm 'DOMAIN.RU'
Check:
# wbinfo -p
Ping to winbindd succeeded on fd 4
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
returns the list of user groups
# wbinfo -u
returns the list of users
# id dl_admin
returns the user's identifier
At this point we could stop, but to avoid problems with writing to the shared directory, I recommend making a domain administrator the owner of the shared directory and the domain users group its group:
# chown -R dl_admin:"Domain Users" /home/share
# chmod -R 770 /home/share
Attachments:
krb5.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.RU
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true
clockskew = 300
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[realms]
DOMAIN.RU = {
kdc = tcp/10.1.1.10:88
admin_server = tcp/10.1.1.10:749
default_domain = DOMAIN.RU
}
[domain_realm]
.domain.ru = DOMAIN.RU
domain.ru = DOMAIN.RU
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[login]
krb4_convert = false
krb4_get_tickets = false
nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files
rc.conf
hostname="msrv-file.domain.ru"
keymap="ru.koi8-r.win.kbd"
ifconfig_bge0="DHCP"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
# -- sysinstall generated deltas -- # Sun Oct 5 10:31:10 2014
mousechar_start="3"
font8x8="cp866-8x8"
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
scrnmap="koi8-r2cp866"
keymap="ru.koi8-r"
# smbd_enable="YES"
samba_enable="YES"
nmbd_enable="YES"
winbindd_enable="YES"
# -- sysinstall generated deltas -- # Sun Oct 5 15:09:56 2014
tcp_extensions="YES"
resolv.conf
# Generated by resolvconf
nameserver 10.1.1.10
smb.conf
[global]
dos charset = cp866
unix charset = koi8-r
display charset = koi8-r
workgroup = DOMAIN
realm = DOMAIN.RU
netbios name = MSRV-FILE
server string = File Server %v
security = ADS
auth methods = winbind
map to guest = Bad User
log file = /var/log/samba/log.%m
max log size = 50
client signing = Yes
preferred master = No
local master = No
domain master = No
dns proxy = No
winbind use default domain = Yes
inherit acls = Yes
hosts allow = 10.1.1., 127.
map acl inherit = Yes
case sensitive = No
nt acl support = Yes
os level = 10
socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
load printers = No
printing = bsd
guest account = nobody
guest ok = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
winbind refresh tickets = Yes
idmap config * : range = 600-20000
idmap config * : backend = tdb
interfaces = bge0
[tmp]
comment = Temporary file space
path = /tmp
read only = No
create mask = 0666
create mode = 666
directory mode = 666
directory mask = 0777
guest ok = Yes
[share]
comment = Share Directory
path = /home/share
write list = "@DOMAIN.RU\Domain Admins", "@DOMAIN.RU\Domain Users"
read only = No
create mode = 660
directory mode = 660
create mask = 0660
directory mask = 0770
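Since testparm only validates syntax, the following added example (my own code, not from the article) audits the intent of the smb.conf attached above: it checks that security = ADS and a realm are set, that the realm matches default_realm in the attached krb5.conf (the two must agree exactly, which is why the article stresses letter case), and it flags settings in the article's [global] section that widen access: `guest ok = yes`, which is inherited by every share that does not override it; `map to guest = Bad User`, which turns failed logons into guest sessions; and the absence of `server signing = mandatory`. The two smb.conf samples and the krb5.conf fragment embedded in the script are constructed for the example; the first mirrors the article's choices, the second corrects them.

```sh
#!/bin/sh
# Added example, not from the original article: an smb.conf audit that goes
# beyond testparm's syntax check, flags access-widening settings on an AD
# member file server and cross-checks the realm against krb5.conf.
# All sample configs below are constructed for this example.

# smb_get FILE SECTION KEY -> prints the value, or nothing if unset.
# Section and key names are compared case-insensitively with whitespace
# removed, the way Samba normalises them. Works for simple krb5.conf keys
# too ([libdefaults] default_realm), since both files are INI-style.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        BEGIN { gsub(/[ \t]/, "", want_key) }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(sec) == tolower(want_sec) && tolower(key) == tolower(want_key)) {
                print val; exit
            }
        }' "$1"
}

# smb_sections FILE -> section names, one per line (names without spaces assumed)
smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); print s }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_smb_conf SMB_CONF [KRB5_CONF] -> prints one FINDING line per problem;
# exit status 0 means clean, 1 means something needs attention.
audit_smb_conf() {
    f="$1"; krb="$2"; n=0
    [ "$(lc "$(smb_get "$f" global security)")" = "ads" ] ||
        { echo "FINDING: security is not ADS, domain accounts will not be used"; n=$((n+1)); }
    realm="$(smb_get "$f" global realm)"
    [ -n "$realm" ] ||
        { echo "FINDING: realm is unset, the Kerberos join cannot work"; n=$((n+1)); }
    if [ -n "$krb" ] && [ "$realm" != "$(smb_get "$krb" libdefaults default_realm)" ]; then
        echo "FINDING: smb.conf realm '$realm' differs from krb5.conf default_realm"; n=$((n+1))
    fi
    case "$(lc "$(smb_get "$f" global 'map to guest')")" in
        "bad user"|"bad password")
            echo "FINDING: map to guest turns failed logons into guest sessions"; n=$((n+1)) ;;
    esac
    [ -n "$(smb_get "$f" global 'hosts allow')" ] ||
        { echo "FINDING: no hosts allow, any network may connect"; n=$((n+1)); }
    [ "$(lc "$(smb_get "$f" global 'server signing')")" = "mandatory" ] ||
        { echo "FINDING: server signing is not mandatory, clients may use unsigned SMB"; n=$((n+1)); }
    # guest ok set in [global] is inherited by every share that does not override it
    for s in $(smb_sections "$f"); do
        [ "$(lc "$s")" = global ] && continue
        g="$(smb_get "$f" "$s" 'guest ok')"
        [ -n "$g" ] || g="$(smb_get "$f" global 'guest ok')"
        case "$(lc "$g")" in
            yes|true|1) echo "FINDING: share [$s] allows guest access"; n=$((n+1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Constructed samples: weak_conf mirrors the article's [global]/[tmp]/[share]
# choices, hardened_conf corrects the risky ones, krb5_sample gives the realm.
weak_conf() { cat <<'EOF'
[global]
realm = DOMAIN.RU
security = ADS
map to guest = Bad User
hosts allow = 10.1.1., 127.
guest ok = yes
client signing = Yes
[tmp]
path = /tmp
guest ok = Yes
[share]
path = /home/share
read only = No
EOF
}
hardened_conf() { cat <<'EOF'
[global]
realm = DOMAIN.RU
security = ADS
map to guest = Never
hosts allow = 10.1.1., 127.
guest ok = no
client signing = mandatory
server signing = mandatory
[share]
path = /home/share
read only = No
EOF
}
krb5_sample() { printf '[libdefaults]\ndefault_realm = DOMAIN.RU\n'; }

T=$(mktemp -t smbaudit.XXXXXX); K=$(mktemp -t krb5audit.XXXXXX)
krb5_sample >"$K"
echo "== article-style smb.conf =="; weak_conf >"$T"
audit_smb_conf "$T" "$K" || echo "-> fix these before exposing the shares"
echo "== hardened smb.conf =="; hardened_conf >"$T"
audit_smb_conf "$T" "$K" && echo "-> no findings"
rm -f "$T" "$K"
```

Against the real files the call is audit_smb_conf /usr/local/etc/smb.conf /etc/krb5.conf. The parser is deliberately minimal: it ignores include directives and attributes keys inside the braces of the krb5.conf [realms] block to that section, which is enough for the keys queried here. The [tmp] share is worth a second look in any case: world-writable /tmp exported with guest access gives every host in hosts allow a drop box on the server.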