How to make nas4free's samba actually work with AD
Posted: 29 Jun 2014 07:17
Here is the process I've had to resort to in order to get nas4free's samba implementation to actually work with an AD structure.
1: In the GUI, put in a basic AD configuration for the CIFS service. DO NOT ENTER AN ACTUAL DOMAIN ADMINISTRATOR PASSWORD HERE! Just put in a bunch of bogus stuff. The point is to simply get the service set to auto-start.
2: Log in to the command line, and use /etc/rc.d/samba stop to halt the service.
3: Edit /etc/rc.d/samba such that the GUI no longer updates the smb.conf file:
(at the end of the file)
# Create required config file
#samba_mkconf_cmd
4: Use the following config as a template for /var/etc/smb.conf. DO NOT UNCOMMENT THE COMMENTED LINES. They are there to point out what NOT to do.
Code:
[global]
## Core Definitions
netbios name = nas4free
workgroup = DOMAIN
server string = nas4free
security = ads
#server role = member server
#server min protocol = NT1
max protocol = SMB2
dns proxy = no
local master = no
domain master = no
preferred master = no
time server = no
os level = 0
###################### Logging ######################
log level = 1
#####################################################
syslog only = no
syslog = 3
log file = /var/log/samba/%h-%m.log
max log size = 10000
## Kerberos/AD authentication
#kerberos method = dedicated keytab
#use kerberos keytab = yes
#dedicated keytab file = /var/etc/krb5.keytab
#dedicated keytab file = /var/etc/private/nas4free.keytab
realm = domain.net
#password server = dc1.domain.net dc2.domain.net
allow trusted domains = no
#winbind refresh ticket = yes
#client use spnego = no
#client use spenego principal = no
send spnego principal = no
## Local Password SAM
encrypt passwords = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
passdb backend = tdbsam
obey pam restrictions = no
## Winbind ID Maps
idmap config * : backend = tdb
idmap config * : range = 10000-39999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-39999
## Winbind Enumeration
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind normalize names = yes
#winbind separator = +
winbind cache time = 7200
winbind nested groups = yes
## Connection Security
server signing = mandatory
client signing = mandatory
ntlm auth = No
lanman auth = No
client ntlmv2 auth = yes
server schannel = yes
client schannel = yes
## Charsets
unix charset = UTF-8
display charset = LOCALE
dos charset = CP437
## Guest Access
guest account = nobody
map to guest = Never
## Performance
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
getwd cache = yes
socket options = TCP_NODELAY SO_SNDBUF=131072 SO_RCVBUF=131072
aio read size = 16384
aio write size = 16384
## Printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## User Settings
template homedir = /home
template shell = /bin/sh
## Interface Binding
bind interfaces only = yes
# NOTE: "eth0" is a Linux interface name; nas4free runs on FreeBSD, so put your real NIC here
# (for example em0 or re0, as shown by ifconfig), or smbd will not listen on the LAN.
interfaces = eth0
## File Handling
dos filemode = no
create mask = 2770
directory mask = 2770
## Operating System
cache directory = /var/tmp/.winbindd
pid directory = /var/run
#panic action = /usr/local/libexec/samba/samba-backtrace
directory name cache size = 0
#obey pam restrictions = yes
[smb]
## Core Share Definitions
comment = Primary SMB Volume
path = /mnt/ppool/windows/smb/
writeable = yes
printable = no
guest ok = no
vfs objects = shadow_copy2 zfsacl recycle
## Special File Handling
hide dot files = no
veto files = /.snap/.sujournal/.zfs
## Inheritance
inherit acls = no
inherit owner = no
inherit permissions = yes
## Recycler
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
## Shadow Snapshots
shadow:format = auto-%Y%m%d-%H%M%S
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:localtime = yes
## Property Mappings
acl map full control = yes
map readonly = no
map archive = no
map system = no
map hidden = no
map acl inherit = no
## ZFS
zfsacl:acesort = dontcare
5: Use /etc/rc.d/samba start to start the service. You will see something like:
Code:
nas4free: etc # /etc/rc.d/samba start
Removing stale Samba tdb files: ...... done
Could not connect to server herpaderp.domain.net
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Updating passdb.
Starting nmbd.
Starting smbd.
Starting winbindd.
This is expected.
6: Use "net ads join -U youradminaccount@yourdomain.net" at the command line to join your domain. This creates the domain computer account and updates /var/etc/krb5.keytab with the appropriate ticket from your domain controller.
7: You will see the login failure messages each time samba is restarted. That's because you're refusing to allow nas4free to store your domain admin credentials IN PLAIN TEXT in the config.xml file. So, each time samba starts, it needlessly tries to re-join the domain, but fails because it doesn't have admin credentials.
There are several things to note about this process:
You will need to create and manage your shares manually in smb.conf. No great loss, as far as I'm concerned.
The kerberos config is rebuilt each time samba starts, forcing nas4free to accept deprecated encryption algorithms like rc4 and 3des. Moral of the story: if you're still using Windows 2000 for your Domain Controllers, you're in luck. But anyone planning to try nas4free in an environment where security actually matters should stay away until this crap is fixed.
The smb.conf variables accepted by the samba implementation are nothing like what the documentation (from samba) states. Especially regarding logging. I left a bunch of commented lines in the sample config to point out the items that should be completely avoided, or are not supported in the implementation.
The good news? FreeNAS's implementation is even more screwed up than nas4free's!!!
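Added example (editor's addition, not part of the original post and not nas4free or Samba project code): a POSIX shell lint that reads the [global] section of an smb.conf the way smbd does (comment lines dropped, parameter names matched ignoring case and whitespace, last definition wins, global parameters inside a share section ignored) and reports which of the template's "Connection Security" and "Guest Access" lines are missing or weakened, plus a post-join check to run on the NAS itself. Assumptions: the two sample configs are constructed for the demo and are not nas4free GUI output; the parameters checked are exactly the ones in the template above; ad_join_check expects Samba's testparm, net and wbinfo on PATH and is not run by the demo.

```shell
#!/bin/sh
# Added example: lint an smb.conf for the AD-member hardening lines the post's
# template relies on, and (optionally, on the NAS itself) verify the machine-
# account join without any stored domain-admin password.
# Not nas4free or Samba project code; the sample configs below are constructed.

# smb_get <smb.conf> <parameter>: print the [global] value, lowercased.
# Mirrors smbd's parsing rules: '#'/';' lines are comments, parameter names
# compare case- and whitespace-insensitively, the last definition wins, and a
# global parameter written inside a share section is ignored.
smb_get() {
  _want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
  awk -v want="$_want" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    inglobal && index($0, "=") {
      i = index($0, "=")
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/[ \t]/, "", k); k = tolower(k)
      gsub(/^[ \t]+|[ \t]+$/, "", v); v = tolower(v)
      if (k == want) val = v
    }
    END { print val }' "$1"
}

# smb_lint <smb.conf>: one FINDING line per hardening parameter that is unset
# or weaker than the post's template. Defaults differ between Samba versions,
# so "unset" is deliberately reported rather than trusted.
smb_lint() {
  while IFS='|' read -r param expect; do
    got=$(smb_get "$1" "$param")
    case "$got" in true|1|on) got=yes ;; false|0|off) got=no ;; esac
    [ "$got" = "$expect" ] || echo "FINDING: '$param' is '${got:-unset}', want '$expect'"
  done <<'EOF'
security|ads
ntlm auth|no
lanman auth|no
client ntlmv2 auth|yes
server signing|mandatory
client signing|mandatory
server schannel|yes
client schannel|yes
map to guest|never
EOF
}

# smb_lint_count <smb.conf>: number of findings, as a bare integer.
smb_lint_count() { smb_lint "$1" | wc -l | tr -d ' '; }

# ad_join_check: run on the NAS after 'net ads join'. Needs Samba's testparm,
# net and wbinfo on PATH (assumption); not executed by the demo below. None of
# these steps need a domain-admin password: they use the machine account the
# join created.
ad_join_check() {
  testparm -s >/dev/null || return 1   # smb.conf must parse first
  net ads testjoin || return 1         # machine account still valid at a DC
  wbinfo -t || return 1                # winbindd can use the machine trust secret
  net ads keytab list                  # principals the join wrote to the keytab
}

# --- constructed demo input (not nas4free GUI output) -----------------------
SMB_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$SMB_DEMO_DIR"' EXIT

# A permissive member-server config: NTLM/LM allowed, signing negotiable,
# unknown users mapped to guest. The 'ntlm auth' under [smb] is in the wrong
# section and is ignored, exactly as smbd would ignore it.
cat > "$SMB_DEMO_DIR/weak.conf" <<'EOF'
[global]
  workgroup = DOMAIN
  realm = DOMAIN.NET
  security = ads
  ntlm auth = yes
  lanman auth = yes
  server signing = auto
  client signing = auto
  map to guest = Bad User
[smb]
  path = /mnt/ppool/windows/smb/
  ntlm auth = no
EOF

# The security-relevant lines from the post's template, verbatim.
cat > "$SMB_DEMO_DIR/hardened.conf" <<'EOF'
[global]
  workgroup = DOMAIN
  realm = domain.net
  security = ads
  server signing = mandatory
  client signing = mandatory
  ntlm auth = No
  lanman auth = No
  client ntlmv2 auth = yes
  server schannel = yes
  client schannel = yes
  map to guest = Never
EOF

for f in weak.conf hardened.conf; do
  printf '%s: %s finding(s)\n' "$f" "$(smb_lint_count "$SMB_DEMO_DIR/$f")"
  smb_lint "$SMB_DEMO_DIR/$f"
done
```

Run as-is to see the weak sample produce eight findings and the hardened one none; on the NAS, `smb_lint /var/etc/smb.conf` checks the live file and `ad_join_check` confirms the join survived a samba restart despite the NT_STATUS_LOGON_FAILURE noise, since `net ads testjoin` and `wbinfo -t` authenticate with the machine account rather than the admin credentials the GUI wanted to keep.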