Samba4 AD/DC

FreeBSD 9.1 + Samba 4 (Bind99, SAMBA_INTERNAL) + Bind99 (updated from DHCP) + DHCP


Manuals consulted:

Network parameters:
ifconfig_em0="inet  netmask"
ifconfig_em1="inet  netmask"

SATA disk partitioning:
ada0        931GB  GPT
    ada0p1  512kB  freebsd-boot
    ada0p2   16GB  freebsd-ufs  /     exrootfs
    ada0p3   32GB  freebsd-swap none  exswap
    ada0p4   64GB  freebsd-ufs  /var  exvarfs
    ada0p5   16GB  freebsd-ufs  /tmp  extmpfs
    ada0p6  803GB  freebsd-ufs  /usr  exusrfs

Passwords on FreeBSD:
root / 123

Download the ports tree ("fetch") and extract it ("extract"); this is run only the first time
# portsnap fetch extract

From then on, to keep the ports tree up to date, always run
# portsnap fetch update

This last command can be added to cron so the ports tree is updated daily; in /etc/crontab add a line like this
00 06 * * * root /usr/sbin/portsnap fetch update >/dev/null 2>&1

# cat /etc/fstab
# Device    Mountpoint    FStype    Options    Dump    Pass#
/dev/ada0p2    /        ufs    rw    1    1
/dev/ada0p3    none        swap    sw    0    0
/dev/ada0p4    /var        ufs    rw    2    2
/dev/ada0p5    /tmp        ufs    rw    2    2
/dev/ada0p6    /usr        ufs    rw    2    2

After adding the acls mount option to the UFS file systems:
# cat /etc/fstab
# Device    Mountpoint    FStype    Options    Dump    Pass#
/dev/ada0p2    /        ufs    rw,acls    1    1
/dev/ada0p3    none        swap    sw    0    0
/dev/ada0p4    /var        ufs    rw,acls    2    2
/dev/ada0p5    /tmp        ufs    rw,acls    2    2
/dev/ada0p6    /usr        ufs    rw,acls    2    2

# reboot

Configure the Bind99 port options
# cd /usr/ports/dns/bind99
# make config

Options for bind99

[ ] FIXED_RRSET     Enable fixed rrset ordering
[ ] IDN             International Domain Names
[*] IPV6            IPv6 protocol
[ ] LARGE_FILE      64-bit file support
[*] LINKS           Create conf file symlinks in /usr/local
[*] REPLACE_BASE    Replace base BIND with this version  <- MARK THIS OPTION!
[ ] RPZRRL_PATCH    RPZ improvements + RRL patch (experimental)
[ ] RPZ_NSDNAME     Enable RPZ NSDNAME policy records
[ ] RPZ_NSIP        Enable RPZ NSIP trigger rules
[ ] SIGCHASE        dig/host/nslookup will do DNSSEC validation
[*] SSL             Build with OpenSSL (Required for DNSSEC)
[*] THREADS         Threading support
[*] XML             Support for xml statistics output
[ ] DLZ_POSTGRESQL  G(DLZ): DLZ Postgres driver
[ ] DLZ_MYSQL       G(DLZ): DLZ MySQL driver (no threading)
[ ] DLZ_BDB         G(DLZ): DLZ BDB driver
[ ] DLZ_LDAP        G(DLZ): DLZ LDAP driver
[ ] DLZ_FILESYSTEM  G(DLZ): DLZ filesystem driver
[ ] DLZ_STUB        G(DLZ): DLZ stub driver

< OK >

Install Samba4
# cd /usr/ports/net/samba4
# make config

Options for samba4 4.0.3
[*] ACL_SUPPORT  File system ACL support
[*] ADS          Active Directory support
[*] AIO_SUPPORT  Asyncronous IO support
[ ] AVAHI        Zeroconf via Avahi  <- DISABLE THIS OPTION!
[*] CUPS         CUPS printing system
[*] DEBUG        With debug information in the binaries
[ ] DEVELOPER    With development support
[*] DNSUPDATE    Dynamic DNS update(require ADS)
[ ] EXP_MODULES  Experimental modules
[*] FAM_SUPPORT  File Alteration Monitor support
[*] LDAP         LDAP support
[ ] MANPAGES     Build and/or install manual pages
[*] PAM_SMBPASS  PAM authentication via passdb backends
[*] PTHREADPOOL  Pthread pool
[*] QUOTAS       Disk quota support
[*] SWAT         SWAT WebGUI
[*] SYSLOG       Syslog support
[*] UTMP         UTMP accounting support
[*] WINBIND      WinBIND support
[ ] NSUPDATE     S(DNS): Use internal DNS with NSUPDATE utility  <- DISABLE THIS OPTION!
[ ] BIND98       S(DNS): Use bind98 as a DNS server frontend
[*] BIND99       S(DNS): Use bind99 as a DNS server frontend  <- MARK THIS OPTION!

< OK >

# make config-recursive
(I leave all the other ports at their defaults)

# make install clean

The Samba4 port with the [*] BIND99 option will install bind99, which is why we
configured the bind99 options ([*] REPLACE_BASE) first.

# rndc-confgen -a -c /etc/namedb/rndc.conf -k rndc-key -b 256
wrote key file "/etc/namedb/rndc.conf"

# cat /etc/namedb/rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

# edit /etc/namedb/named.conf

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        listen-on       {;; };
        forwarders {
        };
};

//zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };  <- COMMENT OUT THIS LINE!

controls {
        inet allow { localhost; } keys { rndc-key; };
};

// Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

zone "example.com" {
        type master;
        allow-update { key "rndc-key"; };
        allow-transfer { localhost;; };
        file "/etc/namedb/dynamic/example.com";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        allow-update { key "rndc-key"; };
        allow-transfer { localhost;; };
        file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
};

# edit /etc/namedb/dynamic/example.com

$TTL 3600 ; 1 hour default TTL
example.com.                IN          SOA         samdom.example.com.         admin.example.com.          (
                                            2013021701          ; Serial
                                            10800               ; Refresh (3 hours)
                                            3600                ; Retry (1 hour)
                                            604800              ; Expire (1 week)
                                            300         ; Negative Response TTL (5 minutes)
; DNS Servers
                            IN          NS          samdom.example.com.                 
; MX Records                                                                
                            ;IN         MX          10 mx.example.com.                  
                            ;IN         MX          20 mail.example.com.                
                            IN          A                          
; Machine Names                                                             
localhost                   IN          A                            
samdom                      IN          A                          
kerberos                    IN          A                          
ldap                        IN          A                          
; Aliases                                                                   
;_kerberos._udp              IN          SRV         01 00 88 kerberos.example.com.  
;_kerberos._tcp              IN          SRV         01 00 88 kerberos.example.com.
;_kpasswd._udp               IN          SRV         01 00 464 kerberos.example.com.
;_kerberos-adm._tcp          IN          SRV         01 00 749 kerberos.example.com.
;_kerberos                   IN          TXT         EXAMPLE.COM
;_ldap._tcp                  IN          SRV         01 00 389 ldap.example.com.
;_ldap._udp                  IN          SRV         01 00 88 ldap.example.com.

Although the _kerberos and _ldap entries are correct, Samba uses its own records while querying Bind, so leaving them active causes problems.

# edit /etc/namedb/dynamic/1.168.192.in-addr.arpa

$TTL 3600 ; 1 hour default TTL
1.168.192.in-addr.arpa. IN          SOA         samdom.example.com.         admin.example.com.          (
                                            2013021701          ; Serial
                                            10800               ; Refresh (3 hours)
                                            3600                ; Retry (1 hour)
                                            604800              ; Expire (1 week)
                                            300                 ; Negative Response TTL (5 minutes)
; DNS Servers                                                               
                            IN          NS          samdom.example.com.                 
; Machine IPs                                                               
1                           IN          PTR         samdom.example.com.                 
1                           IN          PTR         kerberos.example.com.

# edit /etc/rc.conf

# Bind

# /etc/rc.d/named start

# edit /etc/resolv.conf

search example.com

# nslookup samdom

Name:   samdom.example.com

# nslookup kerberos

Name:   kerberos.example.com

Install isc-dhcp42-server
# cd /usr/ports/net/isc-dhcp42-server

# make config

Options for isc-dhcp42-server 4.2.4_2

[ ] BIND_SYMBOLS  Enable BIND internal symbol table
[*] IPV6          IPv6 protocol
[ ] LDAP          LDAP support
[*] LDAP_SSL      Support LDAP over SSL/TLS
[ ] PARANOIA      Enable support for chroot

<  OK  >

# make config-recursive
# make install clean

# rm /usr/local/etc/dhcpd.conf
# edit /usr/local/etc/dhcpd.conf

# dhcpd.conf
# Sample configuration file for ISC dhcpd PRIMARY

option domain-name "example.com";
option domain-name-servers;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-updates on;
ddns-update-style interim;
ddns-domainname "example.com";
allow client-updates;

# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

zone example.com. {
        key rndc-key;
}

zone 1.168.192.in-addr.arpa. {
        key rndc-key;
}

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

option netbios-name-servers;
option netbios-node-type 8;
option time-offset     -18000;     # Bogota GMT -5.0 Hours => -5x60x60 = -18000 Seconds
option ntp-servers;
option time-servers;

# Dynamic hosts
subnet netmask {
  option routers;
  option broadcast-address;
}

# ifconfig em1 inet netmask up

# edit /etc/rc.conf

ifconfig_em1=" inet netmask"

# DHCP Server

# /usr/local/etc/rc.d/isc-dhcpd start

Install cups-base
# cd /usr/ports/print/cups-base

# make config
I leave everything at the defaults

# make config-recursive
I leave everything at the defaults

# make install clean

# edit /etc/rc.conf


# /usr/local/etc/rc.d/cupsd start

Edit the file and add the "options" section
# edit /etc/namedb/rndc.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "zvuOE1XeVBUXZa12LTUDEAgZaH3cVFZp+GiObzuAB5c=";
};

options {
     default-key    rndc-key;
};

# rndc status
version: 9.9.2-P1
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 99
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
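The rndc-key secret generated above is copied by hand into rndc.conf, named.conf and dhcpd.conf, and named accepts both control commands and dynamic zone updates from whatever presents it, so the three copies must agree and the files must stay unreadable to other local users. The checker below is an added example, not code from the original page: it parses key blocks from constructed sample configs (the secrets in it are placeholders built from fixed bytes, not the page's key), compares the copies, reports the key length, and flags a key file whose mode lets group/other read it.

```python
import base64
import binascii
import re
import stat

# Constructed placeholder secrets (fixed bytes, base64-encoded), not real keys:
# KEY_256 mirrors "rndc-confgen -b 256" (32 bytes), KEY_128 the default 128-bit key.
KEY_256 = base64.b64encode(b"A" * 32).decode()
KEY_128 = base64.b64encode(b"B" * 16).decode()

def key_block(secret, name="rndc-key", algorithm="hmac-md5"):
    """Render a key {...}; block in the syntax shared by rndc.conf, named.conf and dhcpd.conf."""
    return 'key "%s" {\n        algorithm %s;\n        secret "%s";\n};\n' % (name, algorithm, secret)

# Constructed sample configs; dhcpd.conf deliberately carries a shorter, different secret.
RNDC_CONF = key_block(KEY_256) + "options {\n        default-key rndc-key;\n};\n"
NAMED_CONF = ("controls {\n        inet allow { localhost; } keys { rndc-key; };\n};\n" + key_block(KEY_256)
              + 'zone "example.com" {\n        type master;\n        allow-update { key "rndc-key"; };\n};\n')
DHCPD_CONF = "ddns-updates on;\n" + key_block(KEY_128) + "zone example.com. {\n        key rndc-key;\n}\n"

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*secret\s+"([^"]*)"\s*;', re.S)

def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key {...} block in a config text."""
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_RE.finditer(text)}

def key_bits(secret):
    """Length of the decoded secret in bits, or None when it is not valid base64."""
    try:
        return len(base64.b64decode(secret, validate=True)) * 8
    except (binascii.Error, ValueError):
        return None

def check_shared_key(configs, name="rndc-key", min_bits=128):
    """Compare the key `name` across {filename: text}; returns findings (empty list = consistent)."""
    findings, seen = [], {}
    for fname, text in configs.items():
        entry = parse_keys(text).get(name)
        if entry is None:
            findings.append("%s: key %s not found" % (fname, name))
            continue
        seen[fname] = entry
        bits = key_bits(entry[1])
        if bits is None:
            findings.append("%s: secret is not valid base64" % fname)
        elif bits < min_bits:
            findings.append("%s: secret is only %d bits (want >= %d)" % (fname, bits, min_bits))
    if len({secret for _, secret in seen.values()}) > 1:
        findings.append("secret for %s differs between %s" % (name, ", ".join(sorted(seen))))
    return findings

def mode_findings(path, st_mode):
    """Flag a key file whose mode lets group/other read or write it (expect 0600); pass os.stat(path).st_mode."""
    findings = []
    if st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("%s: readable by group/other (mode %04o)" % (path, stat.S_IMODE(st_mode)))
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s: writable by group/other" % path)
    return findings

if __name__ == "__main__":
    samples = {"rndc.conf": RNDC_CONF, "named.conf": NAMED_CONF, "dhcpd.conf": DHCPD_CONF}
    for finding in check_shared_key(samples) or ["all copies of rndc-key agree"]:
        print(finding)
```

On the real box, feed it the text of /etc/namedb/rndc.conf, /etc/namedb/named.conf and /usr/local/etc/dhcpd.conf and the st_mode of each file; BIND 9.9 also accepts hmac-sha256 keys if you move away from hmac-md5, in which case all three copies must change together.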

# /usr/local/bin/samba-tool domain provision
 Server Role (dc, member, standalone) [dc]: dc
 DNS forwarder IP address (write 'none' to disable forwarding) []:
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:               active directory domain controller
Hostname:                  samdom
NetBIOS Domain:            EXAMPLE
DNS Domain:                example.com
DOMAIN SID:                S-1-5-21-3981277467-4260322419-4091201666

# cp /var/db/samba4/private/krb5.conf /etc/
# cat /etc/krb5.conf

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

# edit /etc/rc.conf


# edit /etc/ntp.conf

server 0.pool.ntp.org prefer
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /var/db/ntp.drift

# /etc/rc.d/ntpd start
Starting ntpd.

# edit /etc/rc.conf

# Samba4

# testparm /usr/local/etc/smb4.conf
Load smb config files from /usr/local/etc/smb4.conf
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Press enter to see a dump of your service definitions

[global]
        workgroup = EXAMPLE
        realm = example.com
        server role = active directory domain controller
        passdb backend = samba_dsdb
        dns forwarder =
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        idmap config * : backend = tdb
        create mask = 0777
        directory mask = 0777
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4, acl_xattr

[netlogon]
        path = /var/db/samba4/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

To fix the warning
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)

# edit /boot/loader.conf

# Samba

# /usr/local/sbin/samba4 -i -M single -d 4 &

# killall samba4

# /usr/local/etc/rc.d/samba4 start

# kinit administrator@EXAMPLE.COM
administrator@example.com's Password: miclave123

# klist
Credentials cache: FILE:/tmp/krb5cc_0
            Principal: administrator@EXAMPLE.COM

  Issued               Expires              Principal
Feb 24 02:13:50  Feb 24 12:13:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM

# net rpc join -S samdom -Uadministrator
Enter administrator's password: miclave123
Joined domain EXAMPLE.

# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]

    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service (Samba 4.0.3)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------

# /usr/local/bin/smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password: miclave123
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.0.3]
  .                                       D            0  Sun Feb 24 02:01:16 2013
  ..                                      D            0  Sun Feb 24 02:01:23 2013

            63332 blocks of size 65536. 54255 blocks available

# samba-tool dns query example.com @ ALL
Password for [administrator@EXAMPLE.COM]:
  Name=, Records=4, Children=0
        SOA: serial=1, refresh=900, retry=600, expire=86400, ns=samdom.example.com., email=hostmaster.example.com. (flags=600000f0, serial=1, ttl=3600)
        NS: samdom.example.com. (flags=600000f0, serial=1, ttl=900)
        A: (flags=600000f0, serial=1, ttl=900)
        A: (flags=600000f0, serial=110, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=DomainDnsZones, Records=0, Children=2
  Name=ForestDnsZones, Records=0, Children=2
  Name=samdom, Records=2, Children=0
        A: (flags=f0, serial=1, ttl=900)
        A: (flags=f0, serial=110, ttl=900)
# wbinfo -u

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers

# host -t SRV _ldap._tcp.example.com
_ldap._tcp.example.com has SRV record 0 100 389 samdom.example.com.

# host -t A ldap.example.com
ldap.example.com has address

# host -t SRV _kerberos._tcp.example.com
_kerberos._tcp.example.com has SRV record 1 0 88 kerberos.example.com.

# host -t SRV _kerberos._udp.example.com
_kerberos._udp.example.com has SRV record 1 0 88 kerberos.example.com.

# host -t SRV _kpasswd._udp.example.com
_kpasswd._udp.example.com has SRV record 1 0 464 kerberos.example.com.

# host -t SRV _kerberos-adm._tcp.example.com
_kerberos-adm._tcp.example.com has SRV record 1 0 749 kerberos.example.com.
If the lines for _kerberos and _ldap are disabled, these queries do not resolve.

# host -t A samdom.example.com
samdom.example.com has address

Create a user
# samba-tool user add miguel
New Password: miclave123
Retype Password: miclave123
User 'miguel' created successfully

Verify the created user
# wbinfo --name-to-sid miguel
S-1-5-21-1013221894-234835428-3392388920-1103 SID_USER (1)

# reboot

Share printers
# edit /usr/local/etc/smb4.conf

[printers]
            comment = All Printers
            path = /var/spool/samba
            browseable = No
            guest ok = Yes
            printable = Yes
            use client driver = Yes
            default devmode = Yes
            ;show add printer wizard = no # So the Add Printer wizard is not shown

So that Windows clients can query the server that serves the printers for
drivers, we must create the directory.
# mkdir -p /var/db/samba4/printer-drivers/{COLOR,IA64,W32ALPHA,W32MIPS,W32PPC,W32X86,WIN40,x64}
# edit /usr/local/etc/smb4.conf

[print$]
            comment = Printer Drivers
            path = /var/db/samba4/printer-drivers
            browseable = yes
            guest ok = no
            read only = yes
            write list = root

Share folders and block some dangerous extensions
# mkdir /home/tmp
# edit /usr/local/etc/smb4.conf

[tmp]
            comment = Temporary file space
            path = /home/tmp
            valid users = %U
            public = no
            writable = no
            browseable = yes
            printable = no
# The following lines cause problems if I use ACLs; leave them disabled!
#           create mask = 0777
#           directory mask = 0777
#           force create mode = 0777
#           force directory mode = 0777
#           force user = nobody
#           force group = nobody
            write list = %U
            # Block some files by extension
            veto files = /*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/
            delete veto files = yes
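The veto files line above hides every matching name from clients and refuses access to it; the last pattern, *.{*}, also covers folder names carrying a CLSID suffix, which Explorer would render as a shell object instead of a folder. The following is an added example, not code from the page or from Samba, that reproduces Samba's veto matching rules for exactly that list over a constructed listing and shows why delete veto files = yes matters.

```python
import re

# The veto list from this page's [tmp] share: entries are separated by '/',
# '*' and '?' are the only wildcards, everything else (including '{' and '}') is literal.
VETO_FILES = "/*.reg/*.com/*.scr/*.cmd/*.exe/*.pif/*.bat/*.{*}/"

# Constructed directory listing to run the rules over (no real files involved).
SAMPLE_LISTING = [
    "report.docx",       # ordinary document, stays visible
    "setup.EXE",         # vetoed: matches *.exe case-insensitively
    "archive.exe.zip",   # not vetoed: *.exe must match the whole name
    "run.bat",           # vetoed
    "Tools.{645FF040-5081-101B-9F08-00AA002F954E}",  # vetoed by *.{*}: CLSID-suffixed folder name
    "notes.txt",
]

def parse_veto_list(value):
    """Split a 'veto files' value into its patterns, dropping the empty entries from the outer '/'."""
    return [p for p in value.split("/") if p]

def veto_regex(pattern):
    """Translate one veto pattern to an anchored regex: '*' -> any run, '?' -> one char, rest literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(r"\A" + body + r"\Z", re.S)

def is_vetoed(name, veto_value=VETO_FILES, case_sensitive=False):
    """True if `name` matches any pattern; Samba matches case-insensitively for the
    usual share settings, which is what Windows clients expect."""
    patterns = parse_veto_list(veto_value)
    if not case_sensitive:
        name, patterns = name.lower(), [p.lower() for p in patterns]
    return any(veto_regex(p).match(name) for p in patterns)

def visible_names(listing, veto_value=VETO_FILES):
    """What a client sees in a directory listing: vetoed names are hidden and inaccessible."""
    return [n for n in listing if not is_vetoed(n, veto_value)]

def rmdir_outcome(entries, veto_value=VETO_FILES, delete_veto_files=False):
    """Outcome of a client removing a directory. With 'delete veto files = no' a directory
    holding only vetoed names looks empty yet cannot be removed; 'yes' (this page's
    setting) deletes the vetoed files along with it."""
    if visible_names(entries, veto_value):
        return "not empty"
    if entries and not delete_veto_files:
        return "not empty"
    return "deleted"

if __name__ == "__main__":
    print("visible:", visible_names(SAMPLE_LISTING))
    print("hidden: ", [n for n in SAMPLE_LISTING if is_vetoed(n)])
    print("rmdir, only setup.EXE inside, delete veto files = no :", rmdir_outcome(["setup.EXE"]))
    print("rmdir, only setup.EXE inside, delete veto files = yes:", rmdir_outcome(["setup.EXE"], delete_veto_files=True))
```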

Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

1 Install Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

2 Start / Control Panel / Programs / Turn Windows features on or off

  (a small window opens)
3        - Role Administration Tools
          - AD DS and AD LDS Tools
            - AD DS Tools
              * Active Directory Administrative Center
              * AD DS Snap-ins and Command-line Tools

4 OK

5 Win + R

To manage the domain with the dsa.msc command you have to be logged in as the administrator user (administrator / miclave123) in order to see the data.

Better to use: # rndc-confgen > /root/dhcp_updater.key


key "rndc-key" {
       algorithm hmac-md5;
       secret "+VsrLah1EEr+HKRTGRJyWA==";
};

controls {
       inet port 953
               allow {; } keys { "rndc-key"; };
};


# Take this from the /etc/namedb/rndc.conf file
key "rndc-key" {
       algorithm hmac-md5;
       secret "+VsrLah1EEr+HKRTGRJyWA==";
};

A very important note in case you want to edit the DNS files manually: http://forums.freebsd.org/showthread.php?t=33849

"Note about editing dynamic zones manually

If you have to edit the zone files of dynamic zones manually while the DNS server is running, you’ll have to freeze the zones with # rndc freeze <myzone> before editing and unfreeze them with # rndc thaw <myzone> after editing. This is because named(8) has internal state information and external journal files attached to dynamic zones that have to be kept in sync with the zone files."


  1. Angel, you choose Samba-internal DNS when you do the domain provision, so why do you install Bind99?

    1. Hi Frank,
      I'm not sure, but Samba has an internal DNS that forwards to the system DNS. If you like, try different configurations; I wrote this tutorial based on others that used the same configuration (Samba internal DNS + Bind).