To simplify home network management, I recently decommissioned my beefy domain controller/file server/Hyper-V host, moving mass file storage to the cloud. I thought I could live without Active Directory, but with 5 PCs and a couple of Windows tablets, I want it back, so my plan is to host a tiny VM instance in Hyper-V on 4 of my desktop PCs, creating something like peer-to-peer AD (hopefully with little overhead).
The following references were incredibly helpful, but neither was perfect for getting up and running quickly, hence this gist.
- Samba AD DC HOWTO
- samba4 dc in FreeBSD 10
- Download FreeBSD
- Install (easy on Hyper-V). Hyper-V integration services are now built in for FreeBSD.
- Update your ports:
- # portsnap fetch extract update
- Prepare filesystem by adding acls option to /etc/fstab:
- /dev/ada0p2 / ufs rw,acls 1 1
- Apply: # mount -o acls /
- Install samba41:
- # pkg install samba41
- Results in something like the following:
===============================================================================
Message for samba41-4.1.14:
===============================================================================
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool
%%NSUPDATE%%You will need to specify location of the 'nsupdate' command in the
%%NSUPDATE%%smb4.conf file:
%%NSUPDATE%%
%%NSUPDATE%% nsupdate command = /usr/local/bin/samba-nsupdate -g
%%NSUPDATE%%
For additional documentation check: http://wiki.samba.org/index.php/Samba4
Bug reports should go to the: https://bugzilla.samba.org/
===============================================================================
- Note the nsupdate comment. We need to install samba-nsupdate:
- # pkg install samba-nsupdate
- Make use of the tool:
- # samba-tool domain provision --use-rfc2307 --interactive
- This is fairly straightforward, but reference the [Samba AD DC HOWTO](https://wiki.samba.org/index.php/Samba4/HOWTO#Provisioning_The_Samba_Active_Directory) if you get stuck.
- Once complete, we receive the following message:
- A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
- Copy or link to /usr/local/etc/krb5.conf:
- # ln -s /var/db/samba4/private/krb5.conf /usr/local/etc/.
- We now have an smb4.conf, which needs to know about our nsupdate path:
- # vi /usr/local/etc/smb4.conf
[global]
...
nsupdate command = /usr/local/bin/samba-nsupdate -g
- # echo 'samba_server_enable="YES"' >> /etc/rc.conf
- # /usr/local/etc/rc.d/samba_server start
- Update /etc/resolv.conf with the domain name and the AD DC IP(s), so the DC resolves its own domain through Samba's DNS:
- # vi /etc/resolv.conf
domain samdom.example.com
nameserver 192.168.1.1
To verify the new DC, work through the Testing Your Samba Domain Controller section of the Samba AD DC HOWTO.
To join another FreeBSD DC to the existing domain, follow the previous steps up to (but not including) the domain provisioning step (samba-tool domain provision), then (source: Join a domain as a DC):
- Verify that the local hostname isn't resolved to 127.0.0.1 in /etc/hosts (the DC name must only appear on the line with its real address, otherwise it registers the loopback address in DNS):
127.0.0.1 localhost.localdomain localhost
10.99.0.2 DC2.samdom.example.com DC2
- Configure /etc/resolv.conf
search samdom.example.com
nameserver 192.168.1.1
- Create an /etc/krb5.conf file and add the following:
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
default_realm = SAMDOM.EXAMPLE.COM
- Verify:
- # kinit administrator
- Make use of the tool:
- # samba-tool domain join samdom.example.com DC -Uadministrator --realm=samdom.example.com
- This is fairly straightforward, but reference the [Samba AD DC HOWTO](https://wiki.samba.org/index.php/Join_a_domain_as_a_DC#Join_the_existing_domain_as_a_Domain_Controller) if you get stuck.
- We now have an smb4.conf, which needs to know about our nsupdate path and that we want RFC 2307 ID mapping:
- # vi /usr/local/etc/smb4.conf
[global]
...
idmap_ldb:use rfc2307 = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
- # echo 'samba_server_enable="YES"' >> /etc/rc.conf
- # /usr/local/etc/rc.d/samba_server start
- Check that replication with the existing DC(s) works in both directions:
- # samba-tool drs showrepl
- Optionally, relax the domain password policy for a home lab (this disables complexity checks, password history, and minimum/maximum password age):
- # samba-tool domain passwordsettings set --complexity=off
- # samba-tool domain passwordsettings set --history-length=0
- # samba-tool domain passwordsettings set --min-pwd-age=0
- # samba-tool domain passwordsettings set --max-pwd-age=0
The second DC has replication problems after walking through this for the second time: https://forums.freebsd.org/threads/56530/
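The steps above (for both the first DC and the joined DC) touch four files whose mistakes are easy to miss: the acls option in /etc/fstab, the DC's own name on the 127.0.0.1 line of /etc/hosts, the nsupdate command in smb4.conf, and the domain/nameserver entries in resolv.conf. The following POSIX sh script is an added example, not part of the gist or of the Samba project; it checks each of those files and ships with constructed sample files (good and bad variants of each) so the checks can be exercised without touching a live system. It assumes the FreeBSD paths used in the steps (/etc/fstab, /etc/hosts, /usr/local/etc/smb4.conf, /etc/resolv.conf) and the hostname/domain names from the examples (DC2, samdom.example.com).

```shell
#!/bin/sh
# Post-setup sanity checks for a FreeBSD Samba AD DC (added example, not
# from the original gist). Every check takes the file to inspect as a
# parameter, so it runs against the live system or against sample files.

# fstab: the root filesystem needs the "acls" mount option, otherwise Samba
# cannot store NT ACLs as extended attributes (sysvol will be broken).
check_fstab_acls() {    # $1 = fstab path, $2 = mount point, e.g. "/"
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { seen = 1; if (("," $4 ",") ~ /,acls,/) ok = 1 }
        END { exit (seen && ok) ? 0 : 1 }
    ' "$1"
}

# hosts: the DC name must not be on the 127.0.0.1 line and must be mapped to
# its real address; otherwise the DC registers loopback in DNS and the other
# DCs cannot reach it for replication.
check_hosts_entry() {   # $1 = hosts path, $2 = this DC's hostname (short or FQDN)
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(h)) {
                  if ($1 == "127.0.0.1") bad = 1; else real = 1 } }
        END { exit (real && !bad) ? 0 : 1 }
    ' "$1"
}

# smb4.conf: the pkg message asks for an explicit "nsupdate command" pointing
# at samba-nsupdate; without it the DC cannot update its own DNS records.
check_nsupdate_path() { # $1 = smb4.conf path
    grep -Eiq '^[[:space:]]*nsupdate[[:space:]]+command[[:space:]]*=[[:space:]]*/usr/local/bin/samba-nsupdate' "$1"
}

# resolv.conf: the AD domain must be the domain/search entry and an IPv4
# nameserver (this DC or another DC) must be listed.
check_resolv_conf() {   # $1 = resolv.conf path, $2 = AD DNS domain
    dom=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eiq "^(domain|search)[[:space:]]+$dom([[:space:]]|\$)" "$1" &&
        grep -Eq '^nameserver[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# Runs all four checks against the live system paths, prints one line per
# check and returns the number of failed checks (0 = all good).
check_dc() {            # $1 = this DC's hostname, $2 = AD DNS domain
    failed=0
    run() { if "$@"; then echo "ok    $1"; else echo "FAIL  $1"; failed=$((failed + 1)); fi; }
    run check_fstab_acls    /etc/fstab /
    run check_hosts_entry   /etc/hosts "$1"
    run check_nsupdate_path /usr/local/etc/smb4.conf
    run check_resolv_conf   /etc/resolv.conf "$2"
    return "$failed"
}

# Constructed sample files (not copied from any real host) reproducing the
# good and bad configurations the steps above describe.
write_samples() {       # $1 = directory to write into
    printf '/dev/ada0p2\t/\tufs\trw,acls\t1\t1\n' > "$1/fstab.ok"
    printf '/dev/ada0p2\t/\tufs\trw\t1\t1\n'      > "$1/fstab.bad"
    printf '127.0.0.1 localhost.localdomain localhost\n10.99.0.2 DC2.samdom.example.com DC2\n' > "$1/hosts.ok"
    printf '127.0.0.1 localhost.localdomain localhost DC2.samdom.example.com DC2\n10.99.0.2 DC2.samdom.example.com DC2\n' > "$1/hosts.bad"
    printf '[global]\n\tnsupdate command = /usr/local/bin/samba-nsupdate -g\n' > "$1/smb4.conf.ok"
    printf '[global]\n\tworkgroup = SAMDOM\n' > "$1/smb4.conf.bad"
    printf 'search samdom.example.com\nnameserver 192.168.1.1\n' > "$1/resolv.ok"
    printf 'nameserver 192.168.1.254\n' > "$1/resolv.bad"
}

# Runs every check against the samples; returns 0 only if each good sample
# passes and each bad sample fails, i.e. the checks actually discriminate.
selftest() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    rc=0
    check_fstab_acls "$d/fstab.ok" /                       || rc=1
    check_fstab_acls "$d/fstab.bad" /                      && rc=1
    check_hosts_entry "$d/hosts.ok" DC2                    || rc=1
    check_hosts_entry "$d/hosts.bad" DC2                   && rc=1
    check_nsupdate_path "$d/smb4.conf.ok"                  || rc=1
    check_nsupdate_path "$d/smb4.conf.bad"                 && rc=1
    check_resolv_conf "$d/resolv.ok" samdom.example.com    || rc=1
    check_resolv_conf "$d/resolv.bad" samdom.example.com   && rc=1
    rm -rf "$d"
    return "$rc"
}
```

Run selftest first to confirm the checks behave on the samples, then check_dc DC2 samdom.example.com (substituting your own DC name and domain) on each DC before running samba-tool drs showrepl; a failing hosts or resolv.conf check is the usual reason replication refuses to start.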