[HOW TO] Samba Active Directory Domain Controller

[daoyama]

In this how to, I use ODROID-C1(ARM version) but you can use any NAS4Free later 10.1.0.2.1665.

For ZFS only user, you need create UFS partition.
viewtopic.php?f=55&t=9126

Preparation:
Disable CIFS/SMB
Use static IP address for LAN interface
Enable NTP
Use unused hostname and unused domain name
Empty directory on UFS partition for AD DC data

20150613E.png

20150613F.png

20150613G.png

Note:
AD DC will create DNS records of the specified domain.
You must set IP addres of the AD DC server to all clients via DHCP or static IP.
sysvol on ZFS is not supported. You must use UFS for sysvol storing.
To clear cached buffer, routing table, arp table and more, reboot the server is recommended before creating Samba AD DC.


Configure Samba Active Directory Domain Controller:
You can create AD DC from Initialize page of Services|Samba AD.

Example setting:
Hostname: nas4free-oc1
DNS fowrder: 8.8.8.8
DNS domain: mydomain.local
NetBIOS domain: MYDOMAIN

20150613H.png

Set DNS forwarder to ISP's DNS server. Don't use local server/router.
If you don't know it, try to use Google Public DNS.
https://developers.google.com/speed/public-dns/

Set Path on your permanent device such as HDD.

Optinally, check "User shares" if you want use shares defined in Services|CIFS/SMB|Shares.

Note: You can change DNS forwarder and User shares after initializing anytime.

After few seconds(some time few minutes), you can see the result.

20150613I.png

If you don't specify password, the admin password is shown in the result.
If you don't want such complex password, you can reset the password by CLI after enabling.

# samba-tool user setpassword administrator

After initializing, DNS server of the N4F will be changed to 127.0.0.1 to use Samba AD DC's internal DNS.
To flush created AD DC data to the disk completely, you need reboot the server.

Enable AD DC:
After enabling, you can see many of samba process.
Now your AD DC is running, you can join the AD from Windows, other N4F and other OSs.
First time you have only adminitrator account.
You need create your account on AD DC.

20150613J.png

20150613K.png

Join Windows to AD DC:

If you use DHCP, set DNS server to N4F's static IP address.
Otherwise, you can set DNS server address manually.

20150613L.png

Change System Properties.

20150613M.png

Login with AC DC user.

20150613P.png

You can manage domain user by RSAT(Remote Server Administration Tools):

20150613Q.png

For more detail, see also:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
https://wiki.samba.org/index.php/Joinin ... o_a_Domain
https://wiki.samba.org/index.php/DNS_Co ... on_Windows
https://wiki.samba.org/index.php/Instal ... Management

[daoyama]

I will update this later.

[daoyama]

If you want create CIFS/SMB shares, you need enable non-default settings.
Here is important setting on it.
For shares on UFS:

20150613R.png

For shares on ZFS:

20150613S.png

Additionally, you need passthrough of ACL inherit and ACL mode on ZFS dataset.

20150613T.png

[zoon01]

Nice posting daoyama

This is something for the wiki too
anyone able to write it?
http://wiki.nas4free.org/doku.php?id=do ... &#services

[alexey123]

I use dnsmasq based DHCP server extension on my NAS. I meed define dnsforvarder as "localhost" or nas4free ip address (10.0.0.1) ?

[ChriZathens]

Nice posting daoyama

This is something for the wiki too
anyone able to write it?
http://wiki.nas4free.org/doku.php?id=do ... &#services

I have started writing it, but due to my inexperience with the wiki (and lack of time.. ), it might take a while.
If anyone is willing to help, most welcomed..

[noclaf]

Really thanks for that guide!

I have two question :

1) Can I (how?) create&use UFS partition on my USB stick where I have my embedded N4F?
2) Is that recommended?

Unfortunately I have only this USB stick&HW RAID which is encrypted and thus must be manually mounted. Therefore the only "place" where I can have UFS partition for SAMBA AD is the stick.

[antal]

I did all preparations:

"Preparation:
Disable CIFS/SMB
Use static IP address for LAN interface
Enable NTP
Use unused hostname and unused domain name
Empty directory on UFS partition for AD DC data"


so when I go to Services ->Samba AD and click "Initialize" button i get a blank window and nothig happens..

123.JPG

I have a UFS filepartition.


My conf.

What is wrong?

[tdrivas]

Why do you need a UFS partition?

[daoyama]

I use dnsmasq based DHCP server extension on my NAS. I meed define dnsforvarder as "localhost" or nas4free ip address (10.0.0.1) ?

You must use samba DNS to provide service record for domain server.
Probably you cannot install other DNS service with Samba AD DC in same machine.

Use 127.0.0.1 on Samba AD DC and specify DNS forwarder as your DNS server.

Also you must specify Samba AD DC IP address only as DNS server in DHCP.
You cannot use your DNS server for AD member clients.
(You can set DNS manually as fixed address on client side instead of DHCP)

[daoyama]

1) Can I (how?) create&use UFS partition on my USB stick where I have my embedded N4F?
2) Is that recommended?

If you install N4F by recommended method you have always #3 data partition on USB stick.
You can use it but I recommend that you use RAID volume for samba data.
Using without redundancy is high risk.

[daoyama]

so when I go to Services ->Samba AD and click "Initialize" button i get a blank window and nothig happens..

Do you reboot before Initialize?
Please post your initialize page (parameters).
If possible, try to use other web browser.

[daoyama]

Why do you need a UFS partition?

The samba setup will create default NTFS ACL(not permission) on initial sysvol.
ZFS cannot handle NTFS ACL by default.
At this time, I have no solution for it.

[alexey123]

You cannot use your DNS server for AD member clients.
(You can set DNS manually as fixed address on client side instead of DHCP)

Hmm, I'm noob in AD//
I have win8.1 Home. for me I cannot be AD-member, but I want to make Dnsmasq compatible with NAS4Free.
I see:
AD controller open sockets udp and tcp *:53 , also mdnsresponder open socket *:5353 - so I must define DNS port for dnsmasq to any another number.
Dns will not work, but DHCP server will work for netboot.
Part for dnsmasq startup script is:

Code: Select all

command="/usr/local/sbin/dnsmasq"
_sambaad=`/usr/local/bin/xml sel -t -v "count(//sambaad/enable)" /conf/config.xml`
if [ 0 -eq "${_sambaad}" ]; then
	dnsmasqport=""
else
	dnsmasqport="-p 5354"
fi
command_args="-x $pidfile -C $dnsmasq_conf ${dnsmasqport}"

Is this way correct?

Also I see very strangle issue.
If I disable AD controller, then enable it - I must reboot NAS4Free server for give to start AD controller. But Gui not prompt me make reboot.

[marcos]

I just can thank again all the developers and the rest of the crew involved in this project: it's pretty cool to have the chance of deploying a small AD environment with just one computer (the NAS) that's already always on.
In a production environment having just one DC can be useless, but in a home/testing/educational environment is quite useful.

I've got a few questions about this topic:

- Can I use the DC deployed with NAS4free with vmware sphere? I mean, can I use it as the domain controller for vcenter server (and the ESXi hosts, the virtual machines etc..)? I don't see why not, but I'm not sure.Has anybody tried it?
- nas4free 10.2.0.2 uses samba version 4.2.3, does this version of samba support SMB 3.02? (for windows 8.1 and server 2012r2 integration) I answer myself: yes, it does.
- Are there any indications about the space needed for the UFS data partition used by AD? In my setup I only got one ZFS pool (3x2tb disks in raidZ1) and a 8gb USB2.0 stick. I know in this case it's recommended to use a UFS data partition with redundancy in the zfs pool, but I'd rather using the 3rd partition in my usb stick. -> I answer myself: in an enviroment with 6 computers joined to the domain and 6 active users, I'm using about 60mb in a lz4 ZFS volume formated in UFS2 (following the guide at the beginning of this thread). Instead of 2gb I assigned 3gb, so I've got a lot of free unused space

I know some of these questions may be answered at the freebsd 10.2 documentation or forums, but I haven't found anything. (that's another topic, I think I may be helpful with the documentation/wiki, although my English is not very good)

I've been using NAS4free for nearly 3 years, mainly as a iSCSI target for vmware sphere storage and for samba shares among windows, linux, android phones and TVs, iOS, pcbsd...clients. I'm using at the moment SMB3 with the "old" CFIS/samba shares in NAS4free 10.2.0.2 and everything is working fine even with an "old" Panasonic Viera smartTV , that's why I'm trying to see the pros and cons before upgrading to samba 4 and an active directory environment with NAS4free as the only DC. I answer myself again: the only non-working device at the moment is the mentioned panasonic viera smart TV (it seems it has some restrictions in file names) the rest are working fine inside an AD enviroment, with all the benefits of being inside a domain.

I've got another questions, anyway:
- Can I manipulate file permissions on my shared folders from windows using the Computer Management tool? (loged as a domain admin in my nas4free domain controller)


I know it's always better to manipulate permissions using UNIX permissions (being a ZFS filesystem, a BSD box...) at least that's what I've read in the samba documentation, but I wonder if there is any issue if I manipulate them from here using windows tools
Thanks

[meirick]

Hello,

I follow your "How do", and the work weel.
I use ZFS for the file system

But i don't understand how manage the permission? What manage the permission the CiFS share, ZFS, AD, Unix?

Thank for your help.

[philm]

Hey all, I was wondering if anyone knew of a fix for the issue found in this posting:

viewtopic.php?f=98&t=10812&p=79031#p79031

I am getting the OP error when I initilize the samba AD. And talking to the samba mailing listing, they say that it is not possible to get the samba service working on ZFS file system. I did inform them that I created a UFS Zvol but they are insisting it is not possible but here we are.

Please, any help will be much appreciated

[riveradavid]

The link to how to create a UFS partition if ZFS only (shown early in the original post)does not seem to work.

I do not use a USB stick, but have XigmaNAS install on a 240gb SSD. Do I have to redo the installation and create the boot in UFS rather than ZFS?

I appreciate any help anyone can offer.

Thanks

[raulfg3]

you can create a UFS volume or partition.

UFS on ZFS : viewtopic.php?f=55&t=9126

UFS Partition:

[riveradavid]

you can create a UFS volume or partition.

UFS on ZFS : viewtopic.php?f=55&t=9126

UFS Partition:

Thank you very much. That worked.

[riveradavid]

Hi again,

I am getting an error during my Samba Initialize. The screen shots are shown in the attached PDF.

[rjwren79]

I am showing the same issue.

Initalizing...
Traceback (most recent call last):
File "/usr/local/bin/samba-tool", line 33, in <module>
from samba.netcmd.main import cmd_sambatool
File "/usr/local/lib/python3.6/site-packages/samba/init.py", line 28, in <module>
import ldb
ModuleNotFoundError: No module named 'ldb'

Someone help!

[raulfg3]

error on latest 12.1.0.4.7091:

viewtopic.php?f=78&t=14912&p=92735&hilit=ldb#p92747