Active directory fileserver
This idea came to mind when I needed a temporary fileserver using the existing Windows networking landscape but didn't have the option to install Windows Server.
The procedure that is outlined here is based on FreeBSD, but I don't see why it wouldn't work with Linux either.
Preps
Before starting, a couple of things should be noted:
in this example, the values used are:
Install a FreeBSD system as usual, with an extra user that is a member of wheel.
No kernel source is needed, but the ports tree has to be installed and updated!
Package install
#pkg install perl
#cd /usr/ports/net/samba
#make install clean
Server configuration
#nano /etc/rc.conf
-- enter the lines below

samba_enable="YES"
ntpdate_hosts=""   # sync time with the DCs, NOT with public servers
winbindd_enable="YES" # winbindd is not started by samba_enable; it must be enabled separately
#nano /etc/resolv.conf

search domain.local
#nano /etc/sysctl.conf

#nano /etc/hosts
-- add the line to this file: localhost.domain.local localhost fileserver1.domain.local fileserver1

To set the correct timezone, make /etc/localtime a symlink to a valid timezone file.
These files can be found in /usr/share/zoneinfo. Here we use /usr/share/zoneinfo/Europe/Amsterdam:
#ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
#ntpdate -4b
Kerberos 5 configuration
Windows uses Kerberos 5 for its logins and the like, so we have to set it up correctly:
#nano /etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.LOCAL
[realms]
        DOMAIN.LOCAL = {
                kdc = dc1.domain.local
        }
[logging]
        default = SYSLOG:INFO:LOCAL7

Once this file is in place, we test whether we can log in with the administrator account, to verify that Kerberos works:
Testing kerberos
#kinit administrator
administrator@DOMAIN.LOCAL's Password: adminpass

#klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: administrator@DOMAIN.LOCAL
  Issued           Expires          Principal
Feb 12 09:57:57  Feb 12 19:57:57  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
As seen with klist, the principal is the administrator account and we have a valid login.
Samba configuration
First, let's make some storage folders. Which filesystem they live on doesn't matter here; ZFS would be nice to have!
#mkdir -p /datastore/dfs
#mkdir -p /datastore/homes
#mkdir -p /datastore/backups
#mkdir -p /datastore/filestore

And then we create the Samba config file:
#nano /usr/local/etc/smb.conf

[global]
  workgroup = DOMAIN
  realm = DOMAIN.LOCAL
  preferred master = No
  server string = fileserver1
  security = ADS
  encrypt passwords = yes
# log level = 3
# log file = /var/log/samba/%m
  max log size = 50
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  winbind nested groups = Yes
  winbind separator = +
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template shell = /bin/bash
  template primary group = "Domain Users"
  load printers = No
  disable spoolss = Yes
# local master = No
  admin users = "@DOMAIN+Domain Admins"
  host msdfs = Yes

[dfs]
  path = /datastore/dfs
  msdfs root = Yes

[homes]
  comment = Home directories
  valid users = %S
  read only = No
  writeable = Yes
  browsable = No
  path = /datastore/homes/%S

[backups]
  comment = Backups systeembeheer
  valid users = @DOMAIN+Administrators
  writable = Yes
  browseable = Yes
  path = /datastore/backups

[filestore]
  comment = All the files for users
  valid users = %S
  read only = No
  writeable = Yes
  browsable = Yes
  path = /datastore/filestore
-- store the file and start samba:
#service samba start
-- or use old style:
#/usr/local/etc/rc.d/samba start

Once samba is up and running with no errors, we add this server to the active directory:
active directory join
#net ads join -U administrator
Enter administrator's password: adminpass
Using short domain name -- DOMAIN
Joined 'fileserver1' to realm 'domain.local'

#net ads info
LDAP server:
LDAP server name: dc1.domain.local
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: xxxxxxxxxx
KDC server:
server time offset: 0
If you receive the above, our server is joined to the Active Directory!
To verify this, log in on either DC of the domain and open the 'Computers' folder in the root of AD. It should contain the fileserver1 object.
From there, you can move it wherever you like according to your AD setup.

To verify that this server can 'see' the groups and users in the domain:
Winbind test
#wbinfo -u
-- lists all the users found in the domain. If it doesn't, something is wrong.

#wbinfo -g
-- lists all the groups found in the domain. If it doesn't, something is wrong.
If something is wrong, check your logfiles; they will probably tell you why it can't find any groups or users.

Once all is working, it's time to tell the system how to use these users and groups by configuring nsswitch:
#nano /etc/nsswitch.conf

group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
shadow: files winbind
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files winbind
Note: we are still using the local group and passwd files as well! This way, whenever something is wrong with AD, we can still log in to the system with the local usernames and passwords, including root!
You can check that things are OK using:
#getent passwd
-- lists the contents of /etc/passwd
-- followed by all the users of AD, starting at uid 10000 and gid 10006

#getent group
-- lists the contents of /etc/group
-- followed by the groups in AD, starting at gid 10006
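The getent output above is also the place to catch idmap problems: an AD account mapped outside the idmap range, or a local account whose uid falls inside it, can make two different identities share a uid. The script below is an added example, not from the original page; it takes a copy of /etc/passwd and saved getent output as text and reports both conditions. The sample accounts in it are constructed, and the range is the idmap uid = 10000-20000 configured above.

```shell
#!/bin/sh
# Added example, not part of the original page: after nsswitch hands
# winbind's accounts to the system, verify that every account known only
# through winbind sits inside the idmap range from smb.conf
# (idmap uid = 10000-20000) and that no local /etc/passwd account has a
# uid in that range. Inputs are passed as text, so the check works on
# saved `getent passwd` output and a copy of /etc/passwd.

IDMAP_LOW=10000
IDMAP_HIGH=20000

# check_idmap LOCAL_PASSWD GETENT_PASSWD
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_idmap() {
    local_passwd=$1
    getent_passwd=$2
    status=0
    while IFS=: read -r name pw uid gid rest; do
        if [ -z "$name" ]; then continue; fi
        if printf '%s\n' "$local_passwd" | grep -q "^$name:"; then
            # Listed in /etc/passwd: a local account. Its uid must stay
            # out of the winbind range or an AD user could share it.
            if [ "$uid" -ge "$IDMAP_LOW" ] && [ "$uid" -le "$IDMAP_HIGH" ]; then
                echo "local account $name has uid $uid inside idmap range"
                status=1
            fi
        elif [ "$uid" -lt "$IDMAP_LOW" ] || [ "$uid" -gt "$IDMAP_HIGH" ]; then
            # Known only via winbind, yet mapped outside the configured range.
            echo "winbind account $name has uid $uid outside idmap range"
            status=1
        fi
    done <<EOF
$getent_passwd
EOF
    return $status
}

# Constructed sample data, not captured from a real system.
LOCAL_SAMPLE='root:*:0:0:Charlie &:/root:/bin/sh
admin:*:1001:1001:Local admin:/home/admin:/bin/sh
svc:*:10050:10050:Local service:/nonexistent:/usr/sbin/nologin'
GETENT_SAMPLE="$LOCAL_SAMPLE
administrator:*:10000:10006:Administrator:/home/administrator:/bin/bash
jdoe:*:10001:10006:John Doe:/home/jdoe:/bin/bash
stale:*:30000:10006:Stale mapping:/home/stale:/bin/bash"

check_idmap "$LOCAL_SAMPLE" "$GETENT_SAMPLE" || echo "idmap check failed, see findings above"
```

On the fileserver itself, call check_idmap with "$(cat /etc/passwd)" and "$(getent passwd)" instead of the samples.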
File system permissions
In general, on FreeBSD you assign permissions and ownership with chown and chmod. That doesn't change, but the usernames and groups are written a little differently:
#chown -R "administrator":"Domain admins" /datastore/backups
The use of chmod is the same as usual on a FreeBSD system.
Distributed filesystem
In Windows there is a thing called the DFS service, meaning a distributed filesystem. We can imitate this by creating special symlinks in a folder. We made /datastore/dfs before and set it as the DFS root in the samba configuration.
First, make sure that the shared folders being targeted are available on the server(s). Then add DFS symlinks like so:
DFS symlinks
#cd /datastore/dfs
#ln -s 'msdfs:fileserver1:\backups' backups
#ln -s 'msdfs:DC1:\shared$' shared
#ln -s 'msdfs:fileserver1:\filestore,msdfs:fileserver2:\filestore1' filestore
As you can see on the last line, it is possible to reference two shares on two different servers. These folders have to be kept in sync, and clients will be load-balanced over the two shares.
Keeping them in sync is beyond the scope of this document; there are several ways to accomplish it.
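Because anything in the DFS root that is not a well-formed msdfs symlink is simply served as an ordinary directory entry, it helps to create the referrals through a small wrapper that checks the target format and shows what each referral points at. The script below is an added example, not from the original page; the dfs_target_ok, add_dfs_link, list_dfs_links and demo_dfs functions are my own, and DFS_ROOT defaults to the /datastore/dfs directory used above.

```shell
#!/bin/sh
# Added example, not part of the original page: create msdfs symlinks in
# the DFS root with a format check, so only well-formed referrals (one or
# more comma-separated msdfs:SERVER:\SHARE targets) end up there, and list
# what each referral points at. DFS_ROOT defaults to this page's
# /datastore/dfs; override it to try the functions elsewhere.

DFS_ROOT=${DFS_ROOT:-/datastore/dfs}

# dfs_target_ok TARGET: every comma-separated element must look like
# msdfs:SERVER:\SHARE (share names may end in $ for hidden shares).
dfs_target_ok() {
    ! printf '%s\n' "$1" | tr ',' '\n' \
        | grep -Evq '^msdfs:[A-Za-z0-9._-]+:\\[A-Za-z0-9._$-]+$'
}

# add_dfs_link NAME TARGET: add referral NAME -> TARGET under DFS_ROOT,
# rejecting malformed targets and refusing to replace existing entries.
add_dfs_link() {
    name=$1
    target=$2
    case $name in
        ''|*/*|.|..) echo "refusing link name '$name'" >&2; return 1 ;;
    esac
    if ! dfs_target_ok "$target"; then
        echo "refusing target '$target': not an msdfs referral" >&2
        return 1
    fi
    if [ -e "$DFS_ROOT/$name" ] || [ -L "$DFS_ROOT/$name" ]; then
        echo "refusing to replace existing entry '$name'" >&2
        return 1
    fi
    ln -s "$target" "$DFS_ROOT/$name"
}

# list_dfs_links: print NAME<TAB>TARGET for every referral in DFS_ROOT.
list_dfs_links() {
    for link in "$DFS_ROOT"/*; do
        [ -L "$link" ] || continue
        printf '%s\t%s\n' "${link##*/}" "$(readlink "$link")"
    done
}

# demo_dfs: the three referrals from this page.
demo_dfs() {
    add_dfs_link backups 'msdfs:fileserver1:\backups' &&
    add_dfs_link shared 'msdfs:DC1:\shared$' &&
    add_dfs_link filestore 'msdfs:fileserver1:\filestore,msdfs:fileserver2:\filestore1'
}
```

Run demo_dfs on the fileserver once /datastore/dfs exists, then list_dfs_links to review the referrals and the servers they hand clients to.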