Active directory fileserver

This idea came to mind when I needed a temporary fileserver in an existing Windows networking landscape but didn't have the option to install Windows Server.
The procedure outlined here is based on FreeBSD, but I don't see why it wouldn't work with Linux either.
Preps

Before starting, a couple of things should be noted:
in this example, the values used are:
Install a FreeBSD system as usual, with an extra user that is a member of wheel.
No kernel source is needed, but the ports have to be installed and updated!
Package install
package install
#pkg install perl
#cd /usr/ports/net/samba
#make install clean
-- select: LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, DNSUPDATE and POPT
Server configuration
rc.conf
#nano /etc/rc.conf

-- enter the lines below

ifconfig_em0="172.20.1.3/16"
hostname="fileserver1.domain.local"
defaultrouter="172.20.254.254"

sshd_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="172.20.1.1"   # sync time with dc's, NOT public
dumpdev="NO"
samba_enable="YES"
winbindd_enable="YES" # required, has to be set to yes separately
resolv.conf
#nano /etc/resolv.conf

search domain.local
nameserver 172.20.1.1
nameserver 172.20.1.2
sysctl.conf
#nano /etc/sysctl.conf

kern.maxfiles=16384
kern.maxfilesperproc=16384
hosts
#nano /etc/hosts
-- add these lines to this file:
127.0.0.1 localhost.domain.local localhost
172.20.1.3 fileserver1.domain.local fileserver1

To set the correct timezone, a symlink to a valid timezone file has to be made at /etc/localtime.
These files can be found in /usr/share/zoneinfo. Here we use /usr/share/zoneinfo/Europe/Amsterdam.
timezone
#ln -s /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
#ntpdate -4b 172.20.1.1
Kerberos 5 configuration

Windows uses Kerberos 5 for its logins etc., so we have to set things up right for using it:
krb5.conf
#nano /etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
[domain_realm]
.domain.local = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
        kdc = dc1.domain.local
}
[logging]
default = SYSLOG:INFO:LOCAL7

Once this file is made, we can test whether we can log in using the administrator account and verify that Kerberos is working:
Testing kerberos
#kinit administrator
administrator@DOMAIN.LOCAL's Password: adminpass

#klist
Credentials cache: FILE:/tmp/krb5cc_1001
	Principal: administrator@DOMAIN.LOCAL
  Issued           Expires          Principal
Feb 12 09:57:57  Feb 12 19:57:57  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

As seen with klist, the principal is the administrator account and we have a valid login.
Samba configuration

First, let's make some storage folders. Which filesystem they live on doesn't matter here. ZFS would be nice to have!
Storage
#mkdir -p /datastore/dfs
#mkdir -p /datastore/homes
#mkdir -p /datastore/backups
#mkdir -p /datastore/filestore

And then we make a Samba config file (the port reads it from /usr/local/etc/smb.conf):
smb.conf
#nano /usr/local/etc/smb.conf

[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    preferred master = No
    server string = fileserver1
    security = ADS
    encrypt passwords = yes
#   log level = 3
#   log file = /var/log/samba/%m
    max log size = 50
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template primary group = "Domain Users"
    load printers = No
    disable spoolss = Yes
#   local master = No
    admin users = "@DOMAIN+Domain Admins"
    host msdfs = Yes

[dfs]
    path = /datastore/dfs
    msdfs root = Yes

[homes]
    comment = Home directories
    valid users = %S
    read only = No
    writeable = Yes
    browsable = No
    path = /datastore/homes/%S

[backups$]
    comment = Backups systeembeheer
    valid users = @DOMAIN+Administrators
    writable = Yes
    browseable = Yes
    path = /datastore/backups

[filestore]
    comment = All the files for users
    valid users = %S
    read only = No
    writeable = Yes
    browsable = Yes
    path = /datastore/filestore
-- save the file and start Samba:
#service samba start
-- or use old style:
#/usr/local/etc/rc.d/samba start
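Before starting Samba it pays to run a quick sanity check on the access-related settings. The script below is an added example, not code from this page or from the Samba project: it parses an smb.conf-style file with awk and warns when `security` is not ADS, when `encrypt passwords` is off, when any share has `guest ok = yes`, and when a writable share carries no `valid users` restriction (the [dfs] root above is read-only, so it passes). The embedded config is a constructed sample: a trimmed copy of the settings above plus a deliberately misconfigured [public] share so the check has something to find. Samba's own `testparm` validates syntax; this check only looks at who may reach the shares.

```shell
#!/bin/sh
# Constructed sample smb.conf for the demo; the real file is /usr/local/etc/smb.conf.
SAMPLE_SMB_CONF='[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    security = ADS
    encrypt passwords = yes
    disable spoolss = Yes
    host msdfs = Yes

[dfs]
    path = /datastore/dfs
    msdfs root = Yes

[homes]
    valid users = %S
    read only = No

[backups$]
    valid users = @DOMAIN+Administrators
    writable = Yes
    path = /datastore/backups

[public]
    path = /datastore/public
    guest ok = Yes
    writeable = Yes'

# audit_smb_conf: read an smb.conf on stdin, print one WARN line per finding.
# Returns 1 when there is at least one finding, 0 when the file looks clean.
audit_smb_conf() {
    findings=$(awk '
    function flush() {
        if (section == "" || section == "global") return
        if (guest == "yes")
            printf "WARN share [%s]: guest ok = yes\n", section
        if (writable == "yes" && validusers == "")
            printf "WARN share [%s]: writable without valid users\n", section
    }
    /^[ \t]*\[/ {                      # new section header
        flush()
        section = $0
        sub(/^[ \t]*\[/, "", section)
        sub(/\].*$/, "", section)
        guest = "no"; writable = "no"; validusers = ""
        next
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    index($0, "=") > 0 {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        gsub(/^[ \t]+|[ \t]+$/, "", val); lval = tolower(val)
        if (section == "global") {
            if (key == "security" && lval != "ads")
                printf "WARN global: security = %s (expected ADS for a domain member)\n", val
            if (key == "encrypt passwords" && lval != "yes")
                printf "WARN global: encrypt passwords = %s\n", val
        } else {
            if (key == "guest ok" && lval == "yes") guest = "yes"
            if ((key == "writable" || key == "writeable") && lval == "yes") writable = "yes"
            if (key == "read only" && lval == "no") writable = "yes"
            if (key == "valid users" && val != "") validusers = val
        }
    }
    END { flush() }')
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# sample_finding_count: run the audit over the constructed sample, print the number of findings.
sample_finding_count() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf | grep -c WARN
}

# Demo run on the sample; a non-zero status means findings were printed.
printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf || echo "smb.conf needs attention"
```

On the server itself, run `audit_smb_conf < /usr/local/etc/smb.conf` after every change and before `service samba start`.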

Once Samba is up and running with no errors, we join this server to the Active Directory:
active directory join
#net ads join -U administrator
Enter administrator's password: adminpass
Using short domain name -- DOMAIN
Joined 'fileserver1' to realm 'domain.local'

#net ads info
LDAP server: 172.20.1.1
LDAP server name: dc1.domain.local
REALM: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: xxxxxxxxxx
KDC server: 172.20.1.1
server time offset: 0

If you receive the above, it means our server is joined to the Active Directory!
To verify this, log in on either DC of the domain and go to the 'Computers' folder in the root of AD. It should contain the fileserver1 object.
From there, you can move it wherever you like according to your AD setup.

To verify that this server can 'see' the groups and users in the domain:
winbind test
#wbinfo -u
-- lists all the users found in the domain. If not, something is wrong.

#wbinfo -g
-- lists all the groups found in the domain. If not, something is wrong.
If something is wrong, check your logfiles; they will probably tell you why it can't find any groups or users.

Once all is working, it's time to tell the system how to use these users and groups by configuring nsswitch:
nsswitch.conf
#nano /etc/nsswitch.conf

group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
shadow: files winbind
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files winbind
Note: we are still using the local group and passwd files too! This way, whenever something is wrong with AD we can still log in to the system using the local usernames and passwords, including root!
You can check if things are ok using:
getent test
#getent passwd
-- lists the contents of /etc/passwd
-- lists all the users from AD, starting at uid 10000 and gid 10006

#getent group
-- lists the contents of /etc/group
-- lists the groups from AD, starting at gid 10006
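Besides eyeballing the `getent` output, it is worth checking it mechanically: every account that winbind adds must land inside the idmap range from smb.conf (10000-20000 here), and no uid may be shared between a local account and a domain account, because a collision would give the domain user the file rights of the local one. The function below is an added example, not part of the original page: it compares the local passwd file with the merged `getent passwd` output. The sample data is constructed and contains two deliberately wrong entries ("bob" reuses local uid 1001, "carol" sits outside the range).

```shell
#!/bin/sh
# Constructed sample data: the local /etc/passwd and the merged "getent passwd"
# output that winbind produces on top of it (not real server output).
SAMPLE_LOCAL_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
jdoe:*:1001:1001:Local admin:/home/jdoe:/bin/sh'
SAMPLE_GETENT_PASSWD="$SAMPLE_LOCAL_PASSWD
administrator:*:10000:10006:Administrator:/home/DOMAIN/administrator:/bin/bash
alice:*:10001:10006:Alice:/home/DOMAIN/alice:/bin/bash
bob:*:1001:10006:Bob:/home/DOMAIN/bob:/bin/bash
carol:*:25000:10006:Carol:/home/DOMAIN/carol:/bin/bash"

# check_idmap <local_passwd_file> <getent_output_file> <lo> <hi>
# Prints a WARN line for every entry that is not in the local file but whose
# id lies outside lo-hi, and for every id that two different names share.
# Only fields 1 (name) and 3 (id) are used, so it works for group files too.
check_idmap() {
    awk -F: -v lo="$3" -v hi="$4" '
    NR == FNR { loc[$1] = 1; next }          # first file: local accounts
    {
        if (!($1 in loc) && ($3 + 0 < lo + 0 || $3 + 0 > hi + 0))
            printf "WARN %s: winbind uid %s is outside the idmap range %s-%s\n", $1, $3, lo, hi
        if (($3 in owner) && owner[$3] != $1)
            printf "WARN %s: uid %s is already used by %s\n", $1, $3, owner[$3]
        else
            owner[$3] = $1
    }' "$1" "$2"
}

# check_sample_idmap: run the check on the constructed sample, print the number of findings.
check_sample_idmap() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOCAL_PASSWD" > "$tmp/local"
    printf '%s\n' "$SAMPLE_GETENT_PASSWD" > "$tmp/getent"
    check_idmap "$tmp/local" "$tmp/getent" 10000 20000 | grep -c WARN
    rm -rf "$tmp"
}

# Demo run on the sample data.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOCAL_PASSWD" > "$tmp/local"
printf '%s\n' "$SAMPLE_GETENT_PASSWD" > "$tmp/getent"
check_idmap "$tmp/local" "$tmp/getent" 10000 20000
rm -rf "$tmp"
```

On the real server: `getent passwd > /tmp/getent.out; check_idmap /etc/passwd /tmp/getent.out 10000 20000`, and the same with `getent group` against /etc/group.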
File system permissions

In general, on FreeBSD you assign permissions and ownership using chown and chmod. This doesn't change, but the usernames and groups are written a little differently:
ownership
#chown -R "administrator":"Domain admins" /datastore/backups
The use of chmod is the same as usual on a FreeBSD system.
Distributed filesystem

In Windows, there is a thing called the DFS service, meaning a distributed filesystem. We can imitate this by creating special symlinks in a folder. We made /datastore/dfs before and set it in the Samba configuration as a DFS root.
The first thing to do is to make sure that the shared folders which are targeted are available on the server(s). Then add DFS symlinks like so:
DFS symlinks
#cd /datastore/dfs
#ln -s 'msdfs:fileserver1:\backups' backups
#ln -s 'msdfs:DC1:\shared$' shared
#ln -s 'msdfs:fileserver1:\filestore,msdfs:fileserver2:\filestore1' filestore
As you can see on the last line, it is possible to reference two shares on two different servers. These folders have to be kept in sync, and the clients will be load-balanced over these two shares.
Syncing is beyond the scope of this document; there are several ways to accomplish this.
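A DFS root built from symlinks is easy to get wrong silently: a typo in the `msdfs:server:\share` target just makes the referral fail, and a multi-target link that is no longer kept in sync serves different files depending on which server the client picks. The script below is an added example, not code from this page or from Samba: it reads each link in a DFS root with `readlink`, splits the comma-separated referral list, prints one `link server share` line per target, warns about targets that do not follow the msdfs form, and points out links with more than one target. The sample root is constructed in a temporary directory with the three links from above.

```shell
#!/bin/sh
# dfs_targets <symlink>: print "link server share" for every referral target of
# one msdfs link. Samba stores a DFS link as a symlink whose target is a
# comma-separated list of msdfs:SERVER:\share entries.
dfs_targets() {
    lnk=$1
    target=$(readlink "$lnk") || return 1
    printf '%s\n' "$target" | tr ',' '\n' | while IFS= read -r entry; do
        case $entry in
            msdfs:*:\\*) ;;
            *) printf 'WARN %s: malformed msdfs target "%s"\n' "$(basename "$lnk")" "$entry"; continue ;;
        esac
        rest=${entry#msdfs:}
        server=${rest%%:*}
        share=${rest#*:}
        share=${share#\\}          # drop the leading backslash of \share
        printf '%s %s %s\n' "$(basename "$lnk")" "$server" "$share"
    done
}

# audit_dfs_root <dir>: list every referral under a DFS root and flag links
# with more than one target, which are the ones that must be kept in sync.
audit_dfs_root() {
    root=$1
    for link in "$root"/*; do
        [ -L "$link" ] || continue
        n=$(dfs_targets "$link" | grep -c -v '^WARN' || true)
        dfs_targets "$link"
        [ "$n" -gt 1 ] && printf 'NOTE %s: %s targets, keep them in sync\n' "$(basename "$link")" "$n"
    done
    return 0
}

# build_sample_root: constructed DFS root in a temp dir with the links from above
# (example data, not the server's real /datastore/dfs). Prints the directory path.
build_sample_root() {
    dir=$(mktemp -d)
    ln -s 'msdfs:fileserver1:\backups' "$dir/backups"
    ln -s 'msdfs:DC1:\shared$' "$dir/shared"
    ln -s 'msdfs:fileserver1:\filestore,msdfs:fileserver2:\filestore1' "$dir/filestore"
    printf '%s\n' "$dir"
}

# Demo run on the constructed root.
root=$(build_sample_root)
audit_dfs_root "$root"
rm -rf "$root"
```

On the server, `audit_dfs_root /datastore/dfs` gives the list of referrals to compare against the shares that actually exist on each target host.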