Raspberry Pi running Active Directory, using Samba on FreeBSD.

Building an Active Directory Server with Samba

All of the Changes

Here is a list of all the files that were changed and added during the course of this project. I used the touch command to create a new empty file, /root/TIMESTAMP, after installing FreeBSD and before starting the additions and modifications. The find command (with its -newer test) can then list every file modified or created after that point.

Changes in /etc

/etc/fstab

The only changes were to add the acls option to the root file system, and to comment out the line defining /tmp as a 30 MB RAM-based file system. The second change was needed in order to have enough space to manage packages.

/dev/mmcsd0s1   /boot/msdos     msdosfs rw,noatime      0 0
/dev/mmcsd0s2a  /               ufs rw,noatime,acls             1 1
## commenting this out, as 30 MB is not large enough for "pkg update".
## leaving /tmp on root file system.
## md           /tmp            mfs rw,noatime,-s30m       0 0
md              /var/log        mfs rw,noatime,-s15m       0 0
md              /var/tmp        mfs rw,noatime,-s5m        0 0 

/etc/hosts

I added lines mapping each of the interface IP addresses to the hostname. It should be able to pick this up from Samba, but I've read that something may only read the file.

[... unchanged lines not shown ...]
10.1.1.135                      dc.corp.example.com dc.example.com dc
fc00::ba27:ebff:fe41:b9ae       dc.corp.example.com dc.example.com dc
[... unchanged lines not shown ...] 

/etc/krb5.conf

This is a newly created symbolic link pointing to the simple Kerberos configuration file /var/db/samba4/private/krb5.conf. That file contained the following after the domain provision:

[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true 

I later changed it to contain this:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = EXAMPLE.ORG
 rdns = false
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.ORG = {
  kdc = freebsd.example.org
 }
 EXAMPLE = {
  kdc = freebsd.example.org
 }

[domain_realm]
 example.org = EXAMPLE.ORG
 .example.org = EXAMPLE.ORG

/etc/samba.smb.conf

[global]
	security = ads
	realm = EXAMPLE.ORG
	workgroup = EXAMPLE
	passdb backend = tdbsam
	kerberos method = secrets and keytab
	template shell = /bin/bash
	winbind offline logon = true
	winbind use default domain = Yes
	winbind enum users = Yes
	winbind enum groups = Yes
	idmap config * : backend = rid
	idmap config * : range = 10000-20000

/etc/localtime

This was changed by tzsetup.

/etc/rc.conf

Changed and added lines are marked: each ##ORIGINAL comment shows the line it replaced, and the ## Added: comment introduces the new lines.

##ORIGINAL hostname="raspberry-pi"
hostname="freebsd"
##ORIGINAL ifconfig_ue0="DHCP"
ifconfig_ue0="inet 10.1.1.235/24"
defaultrouter="router"
ipv6_prefix_ue0="fc00:0:0:0"
ipv6_defaultrouter="router"
sshd_enable="YES"

## Added:
named_enable="YES"
samba_server_enable="YES"
samba_flags="-l /var/log"
smbd_flags="-l /var/log"
nmbd_flags="-l /var/log"

# Nice if you have a network, else annoying.
##ORIGINAL #ntpd_enable="YES"
##ORIGINAL ntpd_sync_on_start="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"

#devd is necessary for proper DHCP operation;
# don't disable unless you know how to run DHCP manually.
#devd_enable="NO"

# Turn off a lot of standard stuff
# for more free memory.
cron_enable="NO"
##ORIGINAL syslogd_enable="NO"
syslogd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# On first boot, enlarge the root filesystem to fill the SD card
growfs_enable="YES"

/etc/syslog.conf

As described earlier, I commented out all the lines directing output to files and added a line sending all output to a log collector.

# egrep -v '^#|^$' /etc/syslog.conf
include			/etc/syslog.d
include			/usr/local/etc/syslog.d
*.*			@10.1.1.100 

/etc/nsswitch.conf

I changed these lines:

[... lines deleted ...]
passwd:     files winbind
shadow:     files winbind
group:      files winbind
[... lines deleted ...]
hosts:      files dns myhostname
[... lines deleted ...]

/etc/pam.d/*

See the PAM file changes here.

/etc/sysconfig/authconfig

I changed these lines:

[... lines deleted ...]
USEWINBIND=yes
USEWINBINDAUTH=yes

Changes in /usr/local

These changes are limited to /usr/local/etc. Those within /usr/local/etc/namedb come from setting up the DNS slave server.

# find /usr/local/etc/ -newer /root/TIMESTAMP \! -type d | sort
/usr/local/etc/namedb/named.conf
/usr/local/etc/namedb/slave/named.10.in-addr.arpa
/usr/local/etc/namedb/slave/named.169.192.in-addr.arpa
/usr/local/etc/namedb/slave/named.ip6.fc00
/usr/local/etc/namedb/slave/named.example.com
/usr/local/etc/smb4.conf 

The Samba configuration file /usr/local/etc/smb4.conf was created by the domain provisioning step. As described earlier, I manually added the log file line to the file.

# Global parameters
[global]
	workgroup = CORP
	realm = CORP.EXAMPLE.COM
	netbios name = FREEBSD
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	idmap_ldb:use rfc2307 = yes
	log file = /var/log/samba.log.%m

[netlogon]
	path = /var/db/samba4/sysvol/corp.example.com/scripts
	read only = No

[sysvol]
	path = /var/db/samba4/sysvol
	read only = No 

Changes in /var

The directory /var/db/samba4 was empty after installing the Samba package. Now it has a hierarchy of directories and files, plus sockets while running. The lock files in msg.lock/ and the directory msg.sock/ and its contents only exist while the server is running.

# tree -apF /var/db/samba4
/var/db/samba4/
|-- [-rw-------]  account_policy.tdb
|-- [-rw-r--r--]  brlock.tdb
|-- [-rw-------]  dbwrap_watchers.tdb
|-- [-rw-r--r--]  gencache.tdb
|-- [-rw-r--r--]  gencache_notrans.tdb
|-- [-rw-r--r--]  leases.tdb
|-- [-rw-r--r--]  locking.tdb
|-- [drwxr-xr-x]  msg.lock/
|   |-- [-rw-r--r--]  2102
|   |-- [-rw-r--r--]  2114
|   |-- [-rw-r--r--]  2115
|   |-- [-rw-r--r--]  2116
|   |-- [-rw-r--r--]  2117
|   |-- [-rw-r--r--]  2118
|   |-- [-rw-r--r--]  2119
|   |-- [-rw-r--r--]  2120
|   |-- [-rw-r--r--]  2121
|   |-- [-rw-r--r--]  2122
|   |-- [-rw-r--r--]  2123
|   |-- [-rw-r--r--]  2124
|   |-- [-rw-r--r--]  2125
|   |-- [-rw-r--r--]  2126
|   `-- [-rw-r--r--]  2128
|-- [-rw-r-----]  names.tdb
|-- [-rw-------]  netsamlogon_cache.tdb
|-- [-rw-r--r--]  printer_list.tdb
|-- [drwxr-xr-x]  printing/
|-- [drwx------]  private/
|   |-- [drwxrwx---]  dns/
|   |   |-- [-rw-rw----]  sam.ldb
|   |   `-- [drwxrwx---]  sam.ldb.d/
|   |       |-- [-rw-rw----]  CN=CONFIGURATION,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |       |-- [-rw-rw----]  CN=SCHEMA,CN=CONFIGURATION,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |       |-- [-rw-rw----]  DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |       |-- [-rw-rw----]  DC=DOMAINDNSZONES,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |       |-- [-rw-rw----]  DC=FORESTDNSZONES,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |       `-- [-rw-rw----]  metadata.tdb
|   |-- [-rw-r-----]  dns.keytab
|   |-- [-rw-r--r--]  dns_update_list
|   |-- [-rw-------]  hklm.ldb
|   |-- [-rw-------]  idmap.ldb
|   |-- [-rw-r--r--]  krb5.conf
|   |-- [drwxr-x---]  ldap_priv/
|   |   `-- [srwxrwxrwx]  ldapi=
|   |-- [srwxrwxrwx]  ldapi=
|   |-- [drwx------]  msg.sock/
|   |   |-- [srwxrwxrwx]  1373=
|   |   |-- [srwxrwxrwx]  1382=
|   |   |-- [srwxrwxrwx]  1390=
|   |   |-- [srwxrwxrwx]  1392=
|   |   |-- [srwxrwxrwx]  2050=
|   |   |-- [srwxrwxrwx]  2102=
|   |   |-- [srwxrwxrwx]  2114=
|   |   |-- [srwxrwxrwx]  2115=
|   |   |-- [srwxrwxrwx]  2116=
|   |   |-- [srwxrwxrwx]  2117=
|   |   |-- [srwxrwxrwx]  2118=
|   |   |-- [srwxrwxrwx]  2119=
|   |   |-- [srwxrwxrwx]  2120=
|   |   |-- [srwxrwxrwx]  2121=
|   |   |-- [srwxrwxrwx]  2122=
|   |   |-- [srwxrwxrwx]  2123=
|   |   |-- [srwxrwxrwx]  2124=
|   |   |-- [srwxrwxrwx]  2125=
|   |   |-- [srwxrwxrwx]  2126=
|   |   `-- [srwxrwxrwx]  2128=
|   |-- [-rw-r--r--]  named.conf
|   |-- [-r--r--r--]  named.conf.update
|   |-- [-rw-r--r--]  named.txt
|   |-- [-rw-------]  netlogon_creds_cli.tdb
|   |-- [-rw-------]  privilege.ldb
|   |-- [-rw-------]  randseed.tdb
|   |-- [-rw-------]  sam.ldb
|   |-- [drwxr-x---]  sam.ldb.d/
|   |   |-- [-rw-------]  CN=CONFIGURATION,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |   |-- [-rw-------]  CN=SCHEMA,CN=CONFIGURATION,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |   |-- [-rw-------]  DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |   |-- [-rw-rw----]  DC=DOMAINDNSZONES,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |   |-- [-rw-rw----]  DC=FORESTDNSZONES,DC=CORP,DC=EXAMPLE,DC=COM.ldb
|   |   `-- [-rw-rw----]  metadata.tdb
|   |-- [-rw-------]  schannel_store.tdb
|   |-- [-rw-------]  secrets.keytab
|   |-- [-rw-------]  secrets.ldb
|   |-- [-rw-------]  secrets.tdb
|   |-- [-rw-------]  share.ldb
|   |-- [drwxr-xr-x]  smbd.tmp/
|   |-- [-rw-r--r--]  spn_update_list
|   `-- [drwx------]  tls/
|       |-- [-rw-r--r--]  ca.pem
|       |-- [-rw-r--r--]  cert.pem
|       `-- [-rw-------]  key.pem
|-- [-rw-------]  registry.tdb
|-- [-rw-r--r--]  serverid.tdb
|-- [-rw-------]  share_info.tdb
|-- [-rw-------]  smbXsrv_open_global.tdb
|-- [-rw-------]  smbXsrv_session_global.tdb
|-- [-rw-------]  smbXsrv_tcon_global.tdb
|-- [-rw-------]  smbXsrv_version_global.tdb
|-- [drwxrwx---]  sysvol/
|   `-- [drwxrwx---]  corp.example.com/
|       |-- [drwxrwx---]  Policies/
|       |   |-- [drwxrwx---]  {31B2F340-016D-11D2-945F-00C04FB984F9}/
|       |   |   |-- [-rwxrwx---]  GPT.INI*
|       |   |   |-- [drwxrwx---]  MACHINE/
|       |   |   `-- [drwxrwx---]  USER/
|       |   `-- [drwxrwx---]  {6AC1786C-016F-11D2-945F-00C04FB984F9}/
|       |       |-- [-rwxrwx---]  GPT.INI*
|       |       |-- [drwxrwx---]  MACHINE/
|       |       `-- [drwxrwx---]  USER/
|       `-- [drwxrwx---]  scripts/
|-- [-rw-------]  winbindd_cache.tdb
`-- [drwxr-x---]  winbindd_privileged/
    `-- [srwxrwxrwx]  pipe=

21 directories, 92 files 

The files *.tdb and *.ldb are TDB database version 6 files.
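As an added example (not code from the original page or from the Samba project), the following Python script shows how that identification is made and turns it into a quick check a defender would want to run against a domain controller's database directory: it reads the TDB header of every regular file under a directory, reports the format version, and flags the secret-bearing databases whose permissions are looser than the 0600 shown in the listing above. The header layout it relies on (a 32-byte magic field holding "TDB file\n", followed by a little-endian 32-bit version word equal to 0x26011967 + 6) is the one defined in Samba's tdb library, which is why file(1) reports these as "TDB database version 6". The miniature directory tree the script builds is constructed for the demonstration, and the set of file names treated as sensitive is my own selection from the listing, not a list the page or Samba defines.

```python
import os
import struct
import tempfile

# TDB header layout (Samba's tdb library): 32-byte magic_food field holding
# "TDB file\n", then a little-endian uint32 version.  TDB_VERSION is
# 0x26011967 + 6, which file(1) prints as "TDB database version 6".
TDB_MAGIC = b"TDB file\n"
TDB_VERSION_BASE = 0x26011967
HEADER_LEN = 36

# Databases holding domain secrets (machine account password, Kerberos keys,
# the SAM itself).  Selection is my own, taken from the listing above; the
# provisioned tree shows them as mode 0600, and this check expects that.
SENSITIVE = {"secrets.tdb", "secrets.ldb", "secrets.keytab", "sam.ldb",
             "schannel_store.tdb", "idmap.ldb", "privilege.ldb"}


def tdb_version(path):
    """Return the TDB format version of *path*, or None if it is not a TDB file."""
    with open(path, "rb") as fh:
        header = fh.read(HEADER_LEN)
    if len(header) < HEADER_LEN or not header[:32].startswith(TDB_MAGIC):
        return None
    (version,) = struct.unpack("<I", header[32:36])
    if version < TDB_VERSION_BASE:
        return None
    return version - TDB_VERSION_BASE


def audit_samba_dir(root):
    """Walk *root* and return (tdb_files, loose_files).

    tdb_files maps relative path -> TDB version for every file with a TDB header.
    loose_files lists sensitive databases that are readable by group or other.
    """
    tdb_files = {}
    loose = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets such as ldapi= and msg.sock/*
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ver = tdb_version(full)
            if ver is not None:
                tdb_files[rel] = ver
            mode = os.stat(full).st_mode & 0o777
            if name in SENSITIVE and mode & 0o077:
                loose.append((rel, oct(mode)))
    return tdb_files, sorted(loose)


def make_tdb_header(version=6):
    """Build the 36-byte header of an otherwise empty TDB file (constructed data)."""
    return TDB_MAGIC.ljust(32, b"\0") + struct.pack("<I", TDB_VERSION_BASE + version)


def build_sample_tree():
    """Create a constructed miniature of /var/db/samba4 and return its path."""
    root = tempfile.mkdtemp(prefix="samba4-")
    os.makedirs(os.path.join(root, "private"), mode=0o700)
    samples = {
        "gencache.tdb": (make_tdb_header(), 0o644),      # world-readable, not secret
        "private/secrets.tdb": (make_tdb_header(), 0o600),
        "private/sam.ldb": (make_tdb_header(), 0o640),   # deliberately too open
        "private/krb5.conf": (b"[libdefaults]\n", 0o644),  # plain text, not a TDB
    }
    for rel, (content, mode) in samples.items():
        full = os.path.join(root, rel)
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Point audit_samba_dir at /var/db/samba4 on a real server; the sample
    # tree below exists only so the script runs stand-alone.
    tree = build_sample_tree()
    found, loose = audit_samba_dir(tree)
    for rel, ver in sorted(found.items()):
        print(f"{rel}: TDB database version {ver}")
    for rel, mode in loose:
        print(f"WARNING: {rel} is mode {mode}; expected 0600")
```

On the real directory the permission check is the part worth scheduling: every file under private/ that the tree listing shows as 0600 carries material that lets a holder impersonate the domain controller or read every account's password hashes, so a change in those modes is worth an alert even when the file contents are unchanged.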