Purpose:

I have used SAMBA as an authentication method in other applications and to provide file and print services to a Windows network. When I read that SAMBA4 could be used as a domain controller, I was intrigued. I originally set out to see if it could be done and found that it actually would set up as a domain controller. I was then determined to find other applications. The first was to use a SAMBA server as a Read Only Domain Controller. Originally this was a bit more difficult as I felt I had to break the service to make it act in Read-Only mode. As the server does not require extra services and required minimal resources, I felt that it would be more secure. I was in a situation where a customer did not want to add a Microsoft Server to their network; however, wanted to have the security offered by a central server. We installed a FreeBSD server with SAMBA4 and had them up and running. The customer manages the services from a Windows desktop, with the exception of DHCP which is managed through WEBMIN.

If you have not already set up a server and need some assistance, you may want to look at our document entitled FreeBSD from the menu on the left.

The following is a quick check list for setting up SAMBA 4 as an Active Directory Server;

1. Prepare for Active Directory
2. Install Samba
3. Configure Samba
4. Manage Samba from Microsoft Management Console
5. Install and Configure DHCP
6. Install and Configure Webmin
7. Manage Samba from Webmin
8. Manage Samba from Secure Shell

Preparing for Active Directory:

There are some things that need to be done to the server before it will be able to be used as a domain controller.

• We will need to get the latest ports.
  The command to install or update the ports is:

  portsnap fetch extract

• Update the system and package information
  

  freebsd-update fetch install
  pkg update -f
  pkg upgrade

• Finally, change the file system to allow for Access Control List permissions.
  Be careful eith the configuration as an error will force you to log on insingle user mode to fix the error. When you have completed, you can apply the chages without rebooting.

  sed -i '' "s/rw/rw,acls,noatime/g" /etc/fstab
  mount -o acls /

Loading SAMBA:

This is the command to load it from ports. The config-recursive option allows you to configure all the dependencies before build. You will notice that we run the configuration at least twice during the build to allow the sub-dependencies to be configured. I attempt to deselect any man page, help documents and similar as I will use the Internet as a reference.

cd /usr/ports/net/samba42
make config-recursive
make config-recursive&& make install clean

These are the options that I select for the SAMBA installation:

• ACL_SUPPORT
• ADS
• AD_DC
• AIO_SUPPORT
• DEBUG
• DNSUPDATE
• EXP_MODULES
• FAM
• LDAP
• PTHREADPOOL
• QUOTAS
• SYSLOG
• UTMP
• NSUPDATE
• MDNSRESPONDER

I have attempted to load SAMBA through the pkg system; however, I do not think it has everything required for active directory. To install samba42 using the pkg system the command would be: pkg install samba42

Configuring SAMBA:

Now that SAMBA is loaded it should be configured to run for your network. Remember that the two major things that allow for Active Directory authentication is time and naming. We need to configure both of these starting with the name server. Using a text editor make certain that the first nameserver directive in /etc/resolv.conf is the ip address of the local machine. You should have at least one other dns server. Now examine the /etc/rc.conf file, there should be an entry for ntpd_enable="YES", if not add it. If you need to make adjustment to the external time servers or restrict access to time, you can edit the /etc/ntp.conf file.

In order for SAMBA to start at start up, you will need to add the directive to the rc.conf file:

echo 'samba_server_enable="YES"'>>/etc/rc.conf

Now we can build the configuration and set the SAMBA server as a domain controller. You will use the samba-tool utility to configure and make changes to the system. I am assuming the IP address of the server I am configuring will be 192.168.0.2 and I am using the domain EXAMPLE.COM. The first command that we will pass to samba-tool will be to configure the server. For the first server in a domain the command would be:

samba-tool domain provision --use-rfc2307 --host-ip=192.168.0.2 --interactive

For all other servers being added to a domain you will use the command:

samba-tool domain join example.com DC -Uadministrator --realm=example.com

Both commands will allow you to enter additional information such as the type of server and the password. Most of the answers will be defaulted and correct, answer according to your needs.

Manage Samba from Microsoft Management Console:

Windows has a remote toolkit that can be run on computers with Windows 7 Professional or better. To manage active directory, you will use these tools the same as if the server was a Windows 2008 R2. The Users and Computer mmc snap in (dsa.msc) will allow you to manage users, groups and computers. The Domain Name Service mmc snap in (dns.msc) allows configuration of domain names. The Flexible Single Master Operation (FSMO) roles can be changed using the same snap ins that are used to change the roles in Windows environment.

I have not tried to utilize this system in an organization like in the tests; however, I have not found a method to set set DNS Scavenging and Aging from the mmc.

Loading and Configuring DHCP:

Not all of the servers will need to host DHCP and there is some question as if the Domain Controller should. I am of the opinion that the DNS server will work better if DHCP is run from a DC.

To install DHCP you can run the command:

pkg install isc-dhcp43-server

To get the service to start you need to enable it in rc.conf:

echo 'dhcpd_enable="YES"'>>/etc/rc.conf

You may want additional configurations, see documentation.

To configure the server you will need to edit the /usr/local/etc/dhcpd.conf file. The file is well documented.

The DHCP server will not be managable through the Windows MMC snap in. We will load Webmin to manage the DHCP server as well as the SAMBA service.

Loading and Configuring Webmin:

While most all parts of active directory can be managed with the Microsoft Management Console, DHCP can not. Further, it is possible that the tools will not be loaded on a computer and can not be loaded on home edition. Webmin is a web based management program that has been around for some time. It can be used to manage both active directory and DHCP.

To install Webmin you can run the command:

pkg install webmin

You will need to run the Webmin setup script before the initial start, I normally use the default settings, using a secure password:

/usr/local/lib/webmin/setup.sh

To have the program start automatically you will need to enable it in rc.conf:

echo 'webmin_enable="YES"'>>/etc/rc.conf

You will want to start the WEBMIN service service webmin start. Webmin may be looking for the configuration file under smb.conf while Samba 4 uses smb4.conf. The some versions of Webmin may not find your SAMBA installation, look in the section "UN-USED MODULES". To make either function correctly open the module configuration and change the smb configuration file.

Managing with Webmin:

Webmin can be used to manage file shares, users and groups. There is no distinction between a user account and computer account, so you will see the computer names mixed in with users. The computer names all start with a $ sign. The module will allow you to join the domain, if it is not a controller. With time the Webmin module may provide more Domain management. I still prefer the MMC snap-ins for managing.

Managing with Secure Shell:

You can manage many aspects of the Directory Service using the samba-tool command. The two examples are the ones that I use by default. Version 4.1 defaulted to domain and forest functional level of 2003. You can raise the functional level of both by using the command:

samba-tool domain level raise --domain-level=2008_R2
samba-tool domain level raise --forest-level=2008_R2

Version 4.2 defaults to level 2008_R2 and 2012 is not available so you will not need to raise the level. By default SAMBA requires complex passwords. Some of the organizations that I work for do not require nor want complex passwords. You can control the password complexity, history, minimum length and age with the command:

samba-tool domain passwordsettings set --complexity=off --history-length=0 --min-pwd-length=2 --min-pwd-age=0 --max-pwd-age=0

We are looking into PERL scripts that can be run on either Windows or FreeBSD to assist in the management of the SAMBA domain controller. As we develop and test the scripts we will post them.