How to Join an Active Directory Domain Under FreeBSD

This How-to applies to: FreeBSD 6.x, FreeBSD 5.x, Samba 3.x, Windows Server 2003, Windows SBS 2003

You can join a computer running FreeBSD to a Windows 2000/2003 Active Directory domain using the net/samba3 port built with Active Directory (Kerberos and LDAP) and winbind support. Both PAM (for authentication) and NSS (for directory information, i.e. user and group lookups) are supported. This how-to assumes that Windows Services for Unix (SFU) has already been installed and configured on a suitable domain controller, and that the SFU Unix attributes (UID, GID, home directory and login shell) have been specified for the domain users and groups that will log in to the FreeBSD host; accounts without these attributes will not be visible to NSS.

To install and configure the Active Directory client software:

  1. The Kerberos 5 client included with FreeBSD (Heimdal) automatically locates the domain controllers through the Kerberos service (SRV) records that Active Directory publishes in DNS, so no krb5.conf entries are required, provided that /etc/resolv.conf points at the domain's DNS servers.  Kerberos also rejects requests when the client's clock differs from the domain controller's by more than five minutes, so synchronize time with ntpd (or ntpdate) against a domain controller.  Confirm that Kerberos works before going further by running kinit Administrator@EXAMPLE.COM followed by klist.
  2. The binary package for net/samba3 is built without Active Directory support and without several other features used here.  Build and install net/samba3 from the ports tree with the following commands, which record the build options in portupgrade's pkgtools.conf so that later upgrades are built the same way (the search pattern tolerates the indentation of the MAKE_ARGS line):
    ed /usr/local/etc/pkgtools.conf
    /^ *MAKE_ARGS/
    a
    'net/samba3' => [
    'SAMBA_PRIVATE=/var/db/samba/private',
    'WITH_ADS=yes',
    'WITH_ACL_SUPPORT=yes',
    'WITH_FAM_SUPPORT=yes',
    'WITH_SYSLOG=yes',
    'WITH_QUOTAS=yes',
    'WITH_MSDFS=yes',
    'WITH_EXP_MODULES=yes',
    ],
    .
    wq
    portinstall --batch net/samba3
    rehash
  3. Set the name of the domain, the security model (security = ADS for Windows 2000/2003 Active Directory domains, as opposed to security = DOMAIN for Windows NT domains), the Unix user and group ID ranges, and the source of the Unix account attributes in the Samba configuration file /usr/local/etc/smb.conf. Samba locates the domain controllers through the same DNS service records that Kerberos uses. A few of the settings deserve comment: idmap backend = ad together with winbind nss info = sfu takes UIDs, GIDs, home directories and shells from the SFU attributes in Active Directory, so the idmap ranges must cover the values assigned there and should not overlap the UIDs and GIDs of local accounts; allow trusted domains = No limits logins to this domain; winbind enum users/groups = Yes makes every request for the full user or group list walk the whole domain, which is slow on large domains and can be set to No once testing is done; log level = 3 is verbose and can be lowered once the join works. Create the configuration file and verify its syntax with the following commands (substituting your own workgroup and realm for the ones shown below):
    ed
    a
    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    use kerberos keytab = Yes
    allow trusted domains = No
    idmap backend = ad
    idmap uid = 1000-100000
    idmap gid = 1000-100000
    log level = 3
    syslog only = Yes
    winbind cache time = 3600
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    winbind nss info = sfu
    winbind offline logon = Yes
    winbind refresh tickets = True
    winbind use default domain = Yes
    .
    w /usr/local/etc/smb.conf
    q
    testparm
  4. Join the computer to the domain with a command similar to the following, using an account that is allowed to create computer objects (e.g. Administrator) and optionally naming the container or OU in which the computer account should be created. The path shown is the default computer OU on Windows SBS 2003; on a plain Windows Server 2003 domain omit it or name the Computers container. Because use kerberos keytab = Yes is set, the join also stores the host's Kerberos keys in the system keytab (normally /etc/krb5.keytab); that file must stay readable by root only, and its contents can be listed with ktutil list:
    net ads join "MyBusiness/Computers/SBSComputers" -U Administrator
  5. Enable Samba and start it with the following commands:
    ed /etc/rc.conf
    a
    samba_enable="YES"
    .
    wq
    /usr/local/etc/rc.d/samba start
  6. Test the domain membership with commands similar to the following.  wbinfo -p confirms that winbindd is running and wbinfo -t checks the machine trust account that the join created; if either fails, fix that before testing user authentication or lookups:
    # test authentication
    ntlm_auth --username=testuser
    <enter account password when prompted>

    # test user lookup
    wbinfo -u

    # test group lookup
    wbinfo -g
  7. FreeBSD supports the name service switch (NSS) mechanism for specifying alternate directory information sources. Configure FreeBSD to use the winbind NSS module with the following commands. Listing files before winbind means that a local account in /etc/passwd always takes precedence over a domain account of the same name (root included), which is what you want when winbind use default domain = Yes lets domain users appear without a domain prefix:
    sed -i '' -e 's/group:.*/group: files winbind/' /etc/nsswitch.conf
    sed -i '' -e 's/passwd:.*/passwd: files winbind/' /etc/nsswitch.conf
  8. Test the winbind NSS module with the following commands:
    # test user lookup; equivalent to "getent passwd" on Linux
    pw show user -a

    # test group lookup; equivalent to "getent group" on Linux
    pw show group -a
  9. FreeBSD supports pluggable authentication modules (PAM). Configure FreeBSD to use the winbind PAM module for interactive logins (e.g. at the console or for the command su) with the following commands. The line numbers (23a, 14a, 9a) are those of the stock /etc/pam.d/system file and are applied from the bottom of the file upwards so that each insertion leaves the earlier numbers valid; compare them against the output of cat -n /etc/pam.d/system before running the commands. Each winbind entry must precede the required pam_unix.so entry of its section: a sufficient module that succeeds ends the stack with success, whereas once required pam_unix.so has failed for a domain user nothing later in the stack can rescue the login:
    ed /etc/pam.d/system
    23a
    password sufficient /usr/local/lib/pam_winbind.so try_first_pass
    .
    14a
    account sufficient /usr/local/lib/pam_winbind.so
    .
    9a
    auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
    .
    wq
    Some services do not use the system-wide PAM settings, so each such service file must be modified in the same way. (I copied the pam_krb5.so entries verbatim, changing only the pam module to pam_winbind.so.) For example, configure the SSH server to use the winbind PAM module with the following commands, again checking the line numbers against your own /etc/pam.d/sshd first. sshd only consults PAM when UsePAM is set to yes in sshd_config (the FreeBSD default):
    ed /etc/pam.d/sshd
    24a
    password sufficient /usr/local/lib/pam_winbind.so try_first_pass
    .
    15a
    account sufficient /usr/local/lib/pam_winbind.so
    .
    10a
    auth sufficient /usr/local/lib/pam_winbind.so try_first_pass
    .
    wq
    /etc/rc.d/sshd restart
  10. Be certain to test the PAM configuration before logging off the computer!  Keep the existing root session open, and from a second terminal log in over SSH as a domain user and run su to a domain account and to root; a mistake in /etc/pam.d can otherwise lock you out of the machine.
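The ed commands in step 9 depend on the exact line numbers of the stock FreeBSD pam.d files. The following script is an added example (not part of the original how-to) that does the same job by position instead: it inserts each pam_winbind line immediately before the first pam_unix.so line of the same facility, skips facilities that already reference the module, and verifies the resulting order. It assumes the module path /usr/local/lib/pam_winbind.so installed by net/samba3, and the pam.d file it operates on here is a constructed sample modelled on the stock /etc/pam.d/system, not copied from a real system. Note one deliberate difference from the how-to: the account line lands immediately before pam_unix.so, i.e. after pam_login_access.so, so login.access restrictions are still evaluated for domain users.

```shell
#!/bin/sh
# Added example, not part of the original how-to: insert the pam_winbind
# entries by position instead of by hard-coded ed line numbers, and verify
# the result.  Assumes the module path installed by net/samba3.

WINBIND=/usr/local/lib/pam_winbind.so

# add_winbind FILE MODULE
#   Print FILE with a "sufficient MODULE" line inserted immediately before
#   the first pam_unix.so line of each of the auth, account and password
#   facilities.  Facilities that already reference MODULE are left alone,
#   so running it twice is harmless.  Comment lines (#auth ...) are ignored
#   because their first field is not a bare facility name.
add_winbind() {
    awk -v mod="$2" '
        # pass 1 (NR == FNR): record facilities that already list the module
        NR == FNR {
            if ($1 ~ /^(auth|account|password)$/ && index($0, mod)) have[$1] = 1
            next
        }
        # pass 2: emit the winbind line just before pam_unix.so, once per facility
        $1 ~ /^(auth|account|password)$/ && $3 ~ /pam_unix\.so$/ && !have[$1] {
            print $1 "\t\tsufficient\t" mod ($1 == "account" ? "" : "\t\ttry_first_pass")
            have[$1] = 1
        }
        { print }
    ' "$1" "$1"
}

# check_winbind_order FILE MODULE
#   Exit 0 only if auth, account and password each list MODULE before their
#   pam_unix.so line.  A winbind entry placed after a required pam_unix.so
#   cannot rescue a domain user, because pam_unix has already failed the stack.
check_winbind_order() {
    awk -v mod="$2" '
        $1 ~ /^(auth|account|password)$/ {
            if ($3 ~ /pam_unix\.so$/ && !seen[$1]) bad = 1
            if (index($3, mod) && !seen[$1]) { seen[$1] = 1; n++ }
        }
        END { exit (bad || n < 3) }
    ' "$1"
}

# sample_pam
#   Constructed sample modelled on the stock FreeBSD /etc/pam.d/system
#   (not copied from a real system); used so the script can be run offline.
sample_pam() {
    cat <<'EOF'
# System-wide defaults (constructed sample)

# auth
auth        sufficient  pam_opie.so         no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so   no_warn allow_local
auth        sufficient  pam_krb5.so         no_warn try_first_pass
auth        required    pam_unix.so         no_warn try_first_pass nullok

# account
account     required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
session     required    pam_lastlog.so      no_fail

# password
password    sufficient  pam_krb5.so         no_warn try_first_pass
password    required    pam_unix.so         no_warn try_first_pass
EOF
}

# Usage on a real system (as root), keeping a backup of the original file:
#   cp -p /etc/pam.d/system /etc/pam.d/system.orig
#   add_winbind /etc/pam.d/system "$WINBIND" > /etc/pam.d/system.new \
#     && check_winbind_order /etc/pam.d/system.new "$WINBIND" \
#     && mv /etc/pam.d/system.new /etc/pam.d/system
```

The same two functions apply unchanged to /etc/pam.d/sshd or any other per-service file; run check_winbind_order on every file you touch, and keep the root session from step 10 open until a domain login has succeeded.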

Please refer to Daniel Harris's 2003 ONLamp.com article FreeBSD Access Control Lists for information on using ACLs with Samba.

by Matthew X. Economou last modified 2007-03-15 11:47