Now that beta4 of Samba4 is out, I think it's time to test the upcoming version of the open source Samba server. With Samba4 you have the option to run it as a domain controller (DC), giving you centralized logins in your office. Samba3 already had some of these features, but with Samba4 you can deploy Group Policy Objects (GPOs) within your organization, so you can customize Windows clients the way you have done with Windows DCs for years. An LDAP server is also integrated, which is new as well, so you no longer have to set up an LDAP server by hand. There are new Python programs to help you administer the domain, and you can manage VPN access with RADIUS from RSAT.
In this article I will show you how to set up a Samba4 server on a FreeBSD 9 machine.
First of all you have to install a FreeBSD 9 OS. You will also need GCC and the compiler utilities, because you will be compiling the Samba4 sources, and it is recommended to have the ports tree installed, as it helps with installing some dependencies. You also need a filesystem with ACL support, because the Samba4 build checks for it. With FreeBSD 9 I don't think it is a good idea to hack the system into running the root filesystem on ZFS, so I usually run root on UFS2 with gmirror and make a separate zpool for the storage. So first make sure that you mount the filesystems with the ACL option: edit /etc/fstab and insert the option 'acls' into the options column. If you don't want to reboot, you can enable ACLs on the already mounted filesystem; note that the -u flag is required to update a mounted filesystem (a plain mount -o acls / on a mounted filesystem fails):
mount -u -o acls /
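The following preflight check is an added example (not part of the original post) that verifies the ACL requirement before you build: it parses FreeBSD's mount(8) output, enables ACLs in place with mount -u where they are missing, and reminds you to persist the option in /etc/fstab. The mount lines in the comments and the mount points checked at the bottom are assumptions matching the setup described above.

```shell
#!/bin/sh
# Added example: make sure the filesystems Samba will use are mounted with
# ACL support. Assumes FreeBSD mount(8) output such as
#   /dev/mirror/gm0s1a on / (ufs, local, acls, soft-updates)
#   tank/data on /data (zfs, local, nfsv4acls)
# UFS reports "acls" (POSIX.1e); a ZFS dataset reports "nfsv4acls".

# mount_has_acls MOUNT_LINE
# Returns 0 when the option list in parentheses contains an ACL option.
mount_has_acls() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
    case ",$(printf '%s' "$opts" | tr -d ' ')," in
        *,acls,*|*,nfsv4acls,*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# mount_line_for MOUNTPOINT MOUNT_OUTPUT
# Prints the mount(8) line describing MOUNTPOINT (third field), if any.
mount_line_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '$3 == mp { print; exit }'
}

# ensure_acls MOUNTPOINT
# Enables ACLs on a mounted filesystem that lacks them. "-u" updates an
# already mounted filesystem; without it mount fails with "Device busy".
ensure_acls() {
    mp=$1
    line=$(mount_line_for "$mp" "$(mount)")
    if [ -z "$line" ]; then
        echo "$mp: not a mount point" >&2
        return 2
    fi
    if mount_has_acls "$line"; then
        echo "$mp: ACLs already enabled"
        return 0
    fi
    echo "$mp: enabling ACLs (remember to add 'acls' to /etc/fstab as well)"
    mount -u -o acls "$mp"
}

# Only touch the live system when asked; the mount points are assumptions.
if [ "${RUN_ACL_CHECK:-0}" = 1 ]; then
    for mp in / /data; do
        ensure_acls "$mp"
    done
fi
```

Run it as root with RUN_ACL_CHECK=1 before starting the Samba build; the functions take the text to inspect as arguments, so you can also feed them saved mount output from another host.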
After these steps you can download the source from the official server:
After you have downloaded it, verify the file (the release signature) before unpacking it.
Now unpack the archive:
tar xvpzf samba-4.0.0beta4.tar.gz
Go into the extracted directory and run configure:
You can set the prefix or any other option you want, but I think the default location is fine.
If configure went through without errors, compile it:
If that was OK, install it:
If everything is OK, Samba is now installed under /usr/local/samba.
The next step is to run the provisioning, which creates the configuration files needed for the DC role (it also creates the LDAP schema and everything else that is necessary). Note that a password given on the command line is visible in ps output and ends up in your shell history, so change it afterwards or clear the history if that matters in your environment:
/usr/local/samba/sbin/provision --realm=fbsddom.local --domain=FBSDDOM --adminpass=VerySecurepassW0rd! --server-role=dc
It creates several files that you will need for the rest of the installation:
It also displays the details of the configuration:
Server Role: domain controller
NetBIOS Domain: FBSDDOM
DNS Domain: fbsddom.local
DOMAIN SID: S-1-5-21-292606287-3833067553-3225826363
You also get a configuration file for phpLDAPadmin. In my opinion it is better to use the RSAT tools, but it's your choice. Now it's time to configure the DNS server for our DC.
pkg_add -r bind98
This downloads and installs BIND 9.8, which is supported by Samba4 (if you want dynamic DNS updates you will need to build it from source after patching it).
The BIND configuration is simple.
You have to include the configuration that the Samba provisioning generated, so edit /etc/namedb/named.conf and insert this line:
As named runs in a chrooted environment, I've added some nullfs mounts to fstab (there are other methods of course). Only the Samba tree needs to be writable, and only if named writes the zone back (dynamic updates); the two library mounts can be mounted ro, which keeps the chrooted daemon from modifying them:
/usr/local/samba/ /var/named/usr/local/samba/ nullfs rw 0 0
/lib /var/named/lib nullfs rw 0 0
/usr/local/lib/ /var/named/usr/local/lib nullfs rw 0 0
You also have to edit the BIND config for the listening addresses. Then add named to rc.conf so the daemon starts at boot.
If there is any problem, check the log files. For the next step we install the krb5 package. I installed it from ports and checked the DNS_FOR_REALM option in its config.
It provides the client tools that help you debug Kerberos in Samba4 (Samba4 comes with an integrated Kerberos server).
You can start Samba with the samba binary (for debugging, use 'samba -i -M single', which keeps it in the foreground as a single process).
There is no startup script for Samba4 yet. You can check the Kerberos server with the kinit and klist commands. I've configured a dhcpd server to make the Windows client network configuration easier, with these options:
option domain-name-servers 172.16.1.1;
option domain-name "fbsddom.local";
option routers 172.16.1.1;
If the client can resolve the server through the DNS server (fbsddc.fbsddom.local in this case), you can try to join the domain. You will need the domain administrator password you set at provisioning. After you have entered everything, your client is joined to the domain.
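The Kerberos check with kinit/klist and the DNS resolution check above are the two things that must work before a client can join. The script below is an added example (not from the original post) that performs both on the DC itself: it asks BIND for the SRV records a Windows client queries during domain discovery and checks that each one names this host, then obtains a TGT for Administrator through the built-in KDC and confirms it landed in the credential cache. The realm, DC hostname and DC address are assumptions taken from the post's setup; the parsing functions take command output as arguments so they can be exercised without a live DC.

```shell
#!/bin/sh
# Added example: readiness checks for the new DC before joining clients.
# REALM, DC_HOST and DC_IP are assumptions matching the post's setup.
REALM=${REALM:-fbsddom.local}
DC_HOST=${DC_HOST:-fbsddc.fbsddom.local}
DC_IP=${DC_IP:-172.16.1.1}

# srv_points_at_dc "<dig +short SRV output>" DC_HOST
# dig +short prints "priority weight port target." per record; succeed when
# at least one target is the DC (a trailing dot on the target is tolerated).
srv_points_at_dc() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NF == 4 { t = $4; sub(/\.$/, "", t); if (t == host) found = 1 }
        END { exit !found }'
}

# srv_port "<dig +short SRV output>" DC_HOST
# Prints the port advertised for the DC (389 for LDAP, 88 for Kerberos).
srv_port() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NF == 4 { t = $4; sub(/\.$/, "", t); if (t == host) { print $3; exit } }'
}

# klist_has_tgt "<klist output>" REALM
# True when the credential cache holds a krbtgt for the realm (upper-case).
klist_has_tgt() {
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | grep -q "krbtgt/$realm@$realm"
}

# check_dns: the records a Windows client looks up to find a DC must resolve
# on the DC's own BIND and point at this host. _ldap._tcp.dc._msdcs is the
# one the domain join itself uses.
check_dns() {
    rc=0
    for rec in _ldap._tcp _ldap._tcp.dc._msdcs _kerberos._tcp _kerberos._udp _kpasswd._udp; do
        out=$(dig +short SRV "$rec.$REALM" "@$DC_IP")
        if srv_points_at_dc "$out" "$DC_HOST"; then
            echo "ok   $rec.$REALM -> $DC_HOST:$(srv_port "$out" "$DC_HOST")"
        else
            echo "FAIL $rec.$REALM (got: ${out:-nothing})"
            rc=1
        fi
    done
    return $rc
}

# check_kdc: get a TGT for Administrator. kinit prompts for the password
# on the terminal, so it never appears on the command line or in ps.
check_kdc() {
    realm=$(printf '%s' "$REALM" | tr '[:lower:]' '[:upper:]')
    kinit "administrator@$realm" || return 1
    klist_has_tgt "$(klist)" "$REALM"
}

# Only query the live DC when asked.
if [ "${RUN_DC_CHECKS:-0}" = 1 ]; then
    check_dns && check_kdc && echo "DC looks ready; clients can join"
fi
```

Run it on the DC with RUN_DC_CHECKS=1 after named and samba are up; a FAIL line for any SRV record means the named.conf include from the provisioning step is not active or BIND is not listening on the address the clients will use.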