Samba4 AD w/zfs domain provision (new install)

I have configured Samba4 (S4) as an Active Directory Domain controller.   To start the process we need to make sure we have a good build of S4 first.

QuickLinks

Provision
Add Users
Winbind

The quick and dirty way to test whether S4 built and linked properly is to run:

/usr/local/bin/samba-tool

If this binary spits out errors, you have build issues which need to be addressed before continuing. When everything is working, running it with no arguments prints the usage summary:


Usage: samba-tool <subcommand>

Main samba administration tool.
Options:  -h, --help       show this help message and exit
Version Options:    -V, --version  Display version number

Available subcommands:
  dbcheck     - Check local AD database for errors.
  delegation  - Delegation management.
  dns         - Domain Name Service (DNS) management.
  domain      - Domain management.
  drs         - Directory Replication Services (DRS) management.
  dsacl       - DS ACLs manipulation.
  fsmo        - Flexible Single Master Operations (FSMO) roles management.
  gpo         - Group Policy Object (GPO) management.
  group       - Group management.
  ldapcmp     - Compare two ldap databases.
  ntacl       - NT ACLs manipulation.
  processes   - List processes (to aid debugging on systems without setproctitle).
  rodc        - Read-Only Domain Controller (RODC) management.
  sites       - Sites management.
  spn         - Service Principal Name (SPN) management.
  testparm    - Syntax check the configuration file.
  time        - Retrieve the time on a server.
  user        - User management.
  vampire     - Join and synchronise a remote AD domain to the local server.
For more help on a specific subcommand, please type: samba-tool <subcommand> (-h|--help)


Provision the Domain

We need to create the directory /var/db/samba4 ourselves, as the port might not have created it, and then run the interactive provision. --use-rfc2307 adds the RFC2307 (NIS) attributes to the schema so Unix uid/gid values can be stored in AD; --use-ntvfs selects Samba's legacy NTVFS file server instead of the default s3fs, which is fine for a lab DC but is not recommended by the Samba project for production file serving:


/usr/local/bin/samba-tool domain provision --interactive --use-ntvfs  --use-rfc2307

Realm []: GLSAN.LOCAL
Domain []: GLSAN
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [8.8.8.8]:  4.4.4.4
Administrator password: GreatLakesSANROCKS!
Retype password: GreatLakesSANROCKS!
<The system will start to spit out a bunch of config info here, e.g.:>
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:2::be30:5bff:feda:5c84
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=glsan,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=glsan,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              gls-Michigan
NetBIOS Domain:        GLSAN
DNS Domain:            GLSAN.LOCAL
DOMAIN SID:            S-1-5-21-3685093879-240391083-2916678401


Congratulations, you are now ready to start adding users.
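Before adding users it is worth confirming that the provision actually produced a working DC. The script below is an added example, not part of the original page: it checks the generated smb.conf, the AD database, the SRV records clients use to find the DC, Kerberos, and an anonymous share listing. It assumes the values from the provision run above (realm GLSAN.LOCAL, hostname gls-Michigan, so the DC FQDN is taken to be gls-michigan.glsan.local), samba-tool at the FreeBSD port path, the generated krb5.conf copied to /etc/krb5.conf, and that the box's resolver points at the DC itself; override any of these through the environment.

```sh
#!/bin/sh
# Added example, not part of the original page: sanity checks to run right
# after the provision, before joining any clients. Assumed values (override via
# the environment): realm GLSAN.LOCAL, DC FQDN gls-michigan.glsan.local,
# samba-tool at the FreeBSD port path, /etc/krb5.conf installed from
# /var/db/samba4/private/krb5.conf, resolver pointing at this DC.
SAMBA_TOOL="${SAMBA_TOOL:-/usr/local/bin/samba-tool}"
REALM="${REALM:-GLSAN.LOCAL}"
DC_FQDN="${DC_FQDN:-gls-michigan.glsan.local}"

# Lowercase DNS domain for a realm, e.g. GLSAN.LOCAL -> glsan.local.
realm_to_dns_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# The SRV records clients use to locate LDAP and the KDC. If one is missing,
# joins and logons fail even though the DC itself is healthy.
srv_names() {
    d=$(realm_to_dns_domain "$1")
    printf '%s\n' "_ldap._tcp.$d" "_kerberos._udp.$d" "_kerberos._tcp.$d" \
        "_ldap._tcp.dc._msdcs.$d"
}

# Return 0 when a "host -t SRV <name>" answer ($1) names the expected DC ($2).
srv_answer_names_dc() {
    printf '%s\n' "$1" | grep -iq "has SRV record .* $2\.\$"
}

main() {
    set -e
    echo "== smb.conf written by the provision must parse"
    "$SAMBA_TOOL" testparm
    echo "== AD database consistency (expect 0 errors on a fresh provision)"
    "$SAMBA_TOOL" dbcheck
    echo "== DNS SRV records"
    for n in $(srv_names "$REALM"); do
        out=$(host -t SRV "$n") || out=""
        srv_answer_names_dc "$out" "$DC_FQDN" || { echo "MISSING or wrong target: $n"; exit 1; }
        echo "ok: $n"
    done
    echo "== Kerberos: get a TGT as Administrator (prompts for the password)"
    kinit "administrator@$REALM"
    klist
    echo "== anonymous share listing from the DC (netlogon and sysvol expected)"
    smbclient -L localhost -U%
}

# Run the live checks only where samba-tool exists, i.e. on the DC.
if [ -x "$SAMBA_TOOL" ]; then
    main
fi
```

If the SRV lookups fail but `samba-tool dns query` shows the records, the problem is the resolver: /etc/resolv.conf on the DC must name the DC itself (the SAMBA_INTERNAL backend serves the zone), not only the forwarder given during provisioning.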

First we need to raise some kernel resource limits; otherwise the logs fill with "<pid> samba4 exit signal 6" (SIGABRT) as Samba processes run into the default data and stack size limits. Add the following to /boot/loader.conf (these are boot-time tunables, so they take effect on the next reboot). Mind the suffix: the loader accepts a number with a single letter (K, M, G), so a value like "256MB" is rejected and the tunable silently stays at its default; use "256M".

kern.maxdsiz="2048M"
kern.dfldsiz="768M"
kern.maxssiz="256M"
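Because a badly formed tunable is ignored rather than reported, it is worth checking loader.conf before the reboot. The script below is an added example, not from the original page: it validates the size tunables above against the form the FreeBSD loader accepts (an integer with at most one suffix letter K, M, G or T) and flags anything else. The sample file contents are constructed for the demo and deliberately include a "256MB" value.

```sh
#!/bin/sh
# Added example, not from the original page: check loader.conf size tunables
# before rebooting. FreeBSD parses these values as an integer with at most one
# suffix letter (K, M, G or T); anything else is rejected and the tunable is
# silently left at its default. The sample below is constructed for the demo.

# Return 0 if one tunable value (surrounding quotes optional) is acceptable.
tunable_value_ok() {
    v=$1
    v=${v#\"}; v=${v%\"}                    # strip the quotes loader.conf uses
    case "$v" in
        '')                  return 1 ;;    # empty value
        *[!0-9]*[!0-9]*)     return 1 ;;    # two or more non-digit chars, e.g. "MB"
        [0-9])               return 0 ;;    # single digit
        [0-9]*[0-9])         return 0 ;;    # plain integer
        [0-9]*[kKmMgGtT])    return 0 ;;    # integer plus one suffix letter
        *)                   return 1 ;;    # suffix only, letter in front, etc.
    esac
}

# Read loader.conf-style lines on stdin and print each size tunable from the
# page whose value the loader would reject. Returns 1 if any were found.
check_loader_conf() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;             # blank lines and comments
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            kern.maxdsiz|kern.dfldsiz|kern.maxssiz)
                tunable_value_ok "$value" || { echo "BAD: $line"; bad=1; }
                ;;
        esac
    done
    return $bad
}

# Constructed sample: the third line carries the "MB" suffix the loader rejects.
SAMPLE='kern.maxdsiz="2048M"
kern.dfldsiz="768M"
kern.maxssiz="256MB"'

# Demo against the sample; on a real box use: check_loader_conf </boot/loader.conf
printf '%s\n' "$SAMPLE" | check_loader_conf \
    || echo "fix the flagged lines (e.g. 256MB -> 256M) before rebooting"
```

After the reboot, confirm the new limits took effect with `sysctl kern.maxdsiz kern.dfldsiz kern.maxssiz`; the values are reported in bytes.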

Adding Users

Listing all users in the domain with samba-tool is simple:

#samba-tool user list

Administrator
krbtgt
Guest

Add a user (samba-tool prompts for the initial password when none is given on the command line; --must-change-at-next-login forces a password change at the first logon):

#samba-tool user add <username> --must-change-at-next-login --surname=<lastName HERE> --given-name=<FirstName HERE>

Now verify your user account has been added; the new account should appear alongside the built-in ones:

#samba-tool user list
Administrator
krbtgt
Guest
<username>
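For more than a handful of accounts it is easier to script the step above. The following is an added example, not from the original page: it creates users from a small roster with samba-tool, gives each a random initial password that satisfies the default AD complexity policy and must be changed at first logon, and then confirms the account really is listed before printing the password. It assumes samba-tool at the FreeBSD port path; the roster is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: bulk-create domain users with
# samba-tool from a constructed roster. Assumes samba-tool at the FreeBSD
# port path (override via SAMBA_TOOL).
SAMBA_TOOL="${SAMBA_TOOL:-/usr/local/bin/samba-tool}"

# Roster format: username given-name surname (constructed data).
ROSTER='jdoe John Doe
asmith Alice Smith'

# sAMAccountName rules we enforce before calling samba-tool: 1-20 characters,
# letters, digits, dot, underscore or hyphen only (no spaces, no shell noise).
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# Random initial password: 16 random alphanumerics from /dev/urandom plus one
# character from each remaining class, so the default AD complexity policy
# (3 of 4 character classes, 7+ chars) always holds.
gen_password() {
    rnd=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)
    printf '%s' "${rnd}-Aa1"
}

# Create one user. The password is passed on the command line, so it is briefly
# visible in "ps" on the DC; acceptable for a must-change-at-next-login initial
# secret, but hand it to the user over a separate channel.
add_user() {
    name=$1 given=$2 sur=$3
    valid_username "$name" || { echo "invalid username: $name" >&2; return 1; }
    pw=$(gen_password)
    "$SAMBA_TOOL" user add "$name" "$pw" --must-change-at-next-login \
        --given-name="$given" --surname="$sur" || return 1
    # Verify the account really exists before handing out the password.
    "$SAMBA_TOOL" user list | grep -qx "$name" \
        || { echo "$name not listed after add" >&2; return 1; }
    echo "$name initial password: $pw"
}

# Only talk to the domain where samba-tool is installed, i.e. on the DC.
if [ -x "$SAMBA_TOOL" ]; then
    printf '%s\n' "$ROSTER" | while read -r u g s; do
        add_user "$u" "$g" "$s"
    done
fi
```

The username check matters more than it looks: samba-tool would happily accept names with spaces, which then need quoting everywhere from `id` to Group Policy filters.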

Winbind Setup

A critical step in setting up Samba4 on FreeBSD is to make sure our domain users are "seen" by the system, so we need to add winbind as a source in /etc/nsswitch.conf. This is easy because the Samba4 port builds winbind (the Samba-to-Unix name service bridge) for you (assuming you followed the Samba4 port). Here's my nsswitch.conf after I updated it; the lines I changed are annotated with arrows. Note that files stays ahead of winbind, so local accounts are always resolved first.

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/9.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#

group: compat --> removed this line and replaced it with the line below
group: files winbind
hosts: files ldap dns
networks: files
passwd: compat --> removed this line and replaced it with the line below
passwd: files winbind
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
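Editing nsswitch.conf is only half of the job; the NSS module also has to load and winbindd has to answer. The script below is an added example, not from the original page: it checks that passwd and group list winbind (with files ahead of it) and then resolves a domain account both directly through winbind and through libc, which is where a missing or mis-installed NSS module shows up. It assumes wbinfo at the FreeBSD port path and the NetBIOS domain GLSAN from the provision above; the nsswitch sample is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original page: confirm winbind is wired into NSS
# and resolving domain accounts. Assumed values (override via the environment):
# wbinfo at the FreeBSD port path, NetBIOS domain GLSAN from the provision.
WBINFO="${WBINFO:-/usr/local/bin/wbinfo}"
NB_DOMAIN="${NB_DOMAIN:-GLSAN}"

# Constructed nsswitch.conf sample mirroring the edits shown above.
SAMPLE_NSS='#
# constructed sample
group: files winbind
hosts: files ldap dns
passwd: files winbind
shells: files'

# Return 0 if nsswitch text $1 lists winbind as a source for database $2
# (passwd or group). Comment lines are ignored.
nss_db_uses_winbind() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -E "^[[:space:]]*$2:" | grep -qw winbind
}

# Return 0 if "files" is consulted before "winbind" for database $2, so local
# accounts (root, daemon users) cannot be shadowed by domain accounts.
nss_files_first() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eq "^[[:space:]]*$2:.*[[:space:]]files([[:space:]].*)?[[:space:]]winbind"
}

main() {
    conf=$(cat /etc/nsswitch.conf)
    for db in passwd group; do
        nss_db_uses_winbind "$conf" "$db" || { echo "$db: winbind missing from nsswitch.conf"; exit 1; }
        nss_files_first "$conf" "$db"    || { echo "$db: put files before winbind"; exit 1; }
    done
    "$WBINFO" -p || { echo "winbindd is not answering"; exit 1; }      # ping winbindd
    "$WBINFO" -t || { echo "trust secret check failed"; exit 1; }      # validate the DC's own machine secret
    "$WBINFO" -u | head -n 5                                           # domain users as winbind sees them
    # The same account through libc. Empty output here, with wbinfo working,
    # means the winbind NSS module is not being loaded despite nsswitch.conf.
    getent passwd "$NB_DOMAIN\\Administrator"
    id "$NB_DOMAIN\\Administrator"
}

# Run the live checks only where wbinfo exists, i.e. on the DC.
if [ -x "$WBINFO" ]; then
    main
fi
```

The lookups are done by name on purpose: a bare `getent passwd` does not enumerate domain accounts unless smb.conf sets `winbind enum users = yes`, so an empty listing there proves nothing.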