
Creating a FreeBSD-based file server with AD authorization

In this article I describe building a file server on FreeBSD 9.2 with Samba 3.6, authenticating users against a Windows 2003 domain.

When I first brought up a file server on FreeBSD, I ran into a lot of problems that took a long time to solve by digging through specialised sites and forums. So at each step here I describe the typical problems and their solutions. I think this article will help many people resolve some of those issues.


So let's start with the initial data:

I will not go into the details of installing the system: there is plenty of information about that on the Internet, and how to set up the system is for everyone to decide for themselves. In this case I did not rebuild the kernel and did not set up any RAID arrays; everything works fine as it is.

I will note only some nuances:



Moving on to installing Samba (my first mistake here was installing the Heimdal port, which, as it turned out, does not need to be installed at all):

 # cd /usr/ports/net/samba36
 # make install clean && rehash


Build it with these options:

 [X] LDAP         With LDAP support
 [X] ADS          With Active Directory support
 [X] WINBIND      With WinBIND support
 [X] ACL_SUPPORT  With ACL support
 [X] SYSLOG       With Syslog support
 [X] QUOTAS       With Disk quota support
 [X] POPT         With system-wide POPT library


The port will pull in all the necessary packages automatically as dependencies. During the installation of each additional package the system will often ask for build options. I left everything at the defaults, only turning off IPv6 support, since we don't need it.

Next, we fill in the configs listed at the end of the article. Note that letter case matters. If you use PuTTY, you can copy and paste directly from the configs I have attached.
smb.conf belongs in /usr/local/etc/. The rest of the configs go in /etc.
If for some reason a file does not exist, we create it with a simple command and fill it in right away:

 #ee /usr/local/etc/smb.conf 

Or, for example:

 #ee /etc/krb5.conf 

You can check the Samba config with the testparm utility, which points out incorrect entries. Again, what it reports as invalid is not always actually wrong; here you need to know the details.

Once the configs are filled in, we start the Samba service:

 # /usr/local/etc/rc.d/samba.sh start 

Or easier:

 #service samba start 

A healthy response looks like this:

 Starting SAMBA: removing stale tdbs :
 Starting nmbd.
 Starting smbd.
 Starting winbindd.

After any change to the Samba config, you must restart it:

 #service samba restart 

So the system is up, the software is compiled, and the configs are filled in. It's time to join the machine to the domain.
We obtain a Kerberos ticket:

 # kinit -p dl_admin
 dl_admin@DOMAIN.RU's Password:
 # klist
 Credentials cache: FILE:/tmp/krb5cc_0
         Principal: dl_admin@DOMAIN.RU

   Issued           Expires          Principal
 Oct 05 10:37:52  Oct 05 17:17:52  krbtgt/DOMAIN.RU@DOMAIN.RU

We join Samba, and with it the server itself, to Active Directory:

 # net ads join -U dl_admin
 dl_admin's password:
 Joined 'MSRV-FILE' to realm 'DOMAIN.RU'

Checking:

 # wbinfo -p
 Ping to winbindd succeeded on fd 4


 # wbinfo -t
 checking the trust secret via RPC calls succeeded


 # wbinfo -g     


 # wbinfo -u    


 # id dl_admin    


At this point we could in fact stop, but to avoid problems with writing to the shared directory I recommend making the domain administrator the owner of the share, with the domain users group as its group:

 # chown -R dl_admin:"Domain Users" /home/share
 # chmod -R 770 /home/share


Attachments:
krb5.conf
 [logging]
     default = FILE:/var/log/kerberos/krb5libs.log
     kdc = FILE:/var/log/kerberos/krb5kdc.log
     admin_server = FILE:/var/log/kerberos/kadmin.log

 [libdefaults]
     ticket_lifetime = 24000
     default_realm = DOMAIN.RU
     dns_lookup_realm = false
     dns_lookup_kdc = false
     kdc_req_checksum_type = 2
     checksum_type = 2
     ccache_type = 1
     forwardable = true
     proxiable = true
     clockskew = 300
     v4_instance_resolve = false
     v4_name_convert = {
         host = {
             rcmd = host
             ftp = ftp
         }
         plain = {
             something = something-else
         }
     }

 [realms]
     DOMAIN.RU = {
         kdc = tcp/10.1.1.10:88
         admin_server = tcp/10.1.1.10:749
         default_domain = DOMAIN.RU
     }

 [domain_realm]
     .domain.ru = DOMAIN.RU
     domain.ru = DOMAIN.RU

 [pam]
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false

 [login]
     krb4_convert = false
     krb4_get_tickets = false


nsswitch.conf
 group: files winbind
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: files winbind
 passwd_compat: nis
 #shells: files
 #services: compat
 #services_compat: nis
 #protocols: files
 #rpc: files


rc.conf
 hostname="msrv-file.domain.ru"
 keymap="ru.koi8-r.win.kbd"
 ifconfig_bge0="DHCP"
 sshd_enable="YES"
 moused_enable="YES"
 ntpd_enable="YES"
 powerd_enable="YES"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="NO"
 # -- sysinstall generated deltas -- # Sun Oct 5 10:31:10 2014
 mousechar_start="3"
 font8x8="cp866-8x8"
 font8x14="cp866-8x14"
 font8x16="cp866b-8x16"
 scrnmap="koi8-r2cp866"
 keymap="ru.koi8-r"
 #
 smbd_enable="YES"
 samba_enable="YES"
 nmbd_enable="YES"
 winbindd_enable="YES"
 # -- sysinstall generated deltas -- # Sun Oct 5 15:09:56 2014
 tcp_extensions="YES"


resolv.conf
 # Generated by resolvconf
 nameserver 10.1.1.10

smb.conf
 [global]
     dos charset = cp866
     unix charset = koi8-r
     display charset = koi8-r
     workgroup = DOMAIN
     realm = DOMAIN.RU
     netbios name = MSRV-FILE
     server string = File Server %v
     security = ADS
     auth methods = winbind
     map to guest = Bad User
     log file = /var/log/samba/log.%m
     max log size = 50
     client signing = Yes
     preferred master = No
     local master = No
     domain master = No
     dns proxy = No
     winbind use default domain = Yes
     inherit acls = Yes
     hosts allow = 10.1.1., 127.
     map acl inherit = Yes
     case sensitive = No
     nt acl support = Yes
     os level = 10
     socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
     load printers = No
     printing = bsd
     guest account = nobody
     guest ok = yes
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind nested groups = No
     winbind refresh tickets = Yes
     idmap config * : range = 600-20000
     idmap config * : backend = tdb
     interfaces = bge0

 [tmp]
     comment = Temporary file space
     path = /tmp
     read only = No
     create mask = 0666
     create mode = 666
     directory mode = 666
     directory mask = 0777
     guest ok = Yes

 [share]
     comment = Share Directory
     path = /home/share
     write list = "@DOMAIN.RU\Domain Admins", "@DOMAIN.RU\Domain Users"
     read only = No
     create mode = 660
     directory mode = 660
     create mask = 0660
     directory mask = 0770
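The attached smb.conf can be checked mechanically for settings that widen access before the share goes live. The following is an added example (not code from the article): a small Python auditor that parses a constructed, abbreviated copy of the article's [global], [tmp] and [share] sections and reports guest-writable shares, world-writable masks and the Bad User guest mapping; like Samba, it treats share-level options set in [global] as defaults for every share.

```python
import configparser
import io

# Constructed sample: an abbreviated copy of the article's own sections.
SAMPLE_SMB_CONF = """\
[global]
    map to guest = Bad User
    guest ok = yes
    hosts allow = 10.1.1., 127.
    idmap config * : range = 600-20000
[tmp]
    path = /tmp
    read only = No
    create mask = 0666
    directory mask = 0777
    guest ok = Yes
[share]
    path = /home/share
    write list = "@DOMAIN.RU\\Domain Admins", "@DOMAIN.RU\\Domain Users"
    read only = No
    create mask = 0660
    directory mask = 0770
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lowercased, values kept as written."""
    # Only '=' separates key and value: Samba keys such as 'idmap config * : range'
    # contain ':'; interpolation is off so '%v'/'%m' substitutions survive.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda opt: " ".join(opt.lower().split())
    cp.read_file(io.StringIO(text))
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def audit(conf):
    """Return (section, finding) pairs for settings that widen exposure."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("map to guest", "Never").lower() == "bad user":
        findings.append(("global", "map to guest = Bad User maps unknown usernames to the guest account"))
    if "hosts allow" not in glob:
        findings.append(("global", "no hosts allow: any client that can reach the server may connect"))
    for sec, opts in conf.items():
        if sec == "global":
            continue
        # Share options absent here fall back to the [global] value, as in Samba.
        guest = opts.get("guest ok", glob.get("guest ok", "No")).lower() == "yes"
        writable = opts.get("read only", glob.get("read only", "Yes")).lower() == "no"
        if guest and writable:
            findings.append((sec, "guest-writable share (guest ok = yes with read only = No)"))
        for key in ("create mask", "directory mask"):
            mask = opts.get(key, glob.get(key))
            if mask and int(mask, 8) & 0o002:
                findings.append((sec, f"{key} = {mask} permits world-writable entries"))
    return findings
```

Run against the sample it flags [tmp] three times and also [share], because the [global] "guest ok = yes" is inherited by every share that does not override it.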

Source: https://habr.com/ru/post/239813/
