FreeBSD Users and Groups with Samba (Winbind) and Active Directory

One of the most popular posts on this blog is the how to: Active Directory With nss_ldap And pam_ldap On FreeBSD. That was almost a year and a half ago and things have changed a bit since then. One of the reasons I recommended using LDAP at the time was that Winbind (part of Samba) was troublesome (at least on FreeBSD) and there wasn’t an easy way to provide a consistent UID to SID mapping across systems. Since then Winbind seems to be quite stable on FreeBSD, and with the idmap_rid option you can easily keep the UID to SID mapping consistent across multiple systems. With the release of FreeBSD 6.0 this month I’m ready to update the steps needed to make FreeBSD use Active Directory (AD) users and groups, this time via Samba (Winbind) instead of LDAP.

I wrote these steps using FreeBSD 6.0 and Samba 3.0.20b (from the ports collection). The Active Directory system is running Windows 2003, though I don’t think that will make a difference; AD on Windows 2000 should also work just fine. All host names use the domain example.com, so be sure to change them to reflect your network setup.

  1. Step 0: Your Windows AD server and your FreeBSD system should both be running normally; if not, stop now and go fix them up first.
  2. Install Samba: We will be installing Samba 3.0.20b from /usr/ports/net/samba3. Add the following lines to your /etc/make.conf before installing the port:

    WITHOUT_CUPS=yes
    WITHOUT_ADS=yes
    WITH_SYSLOG=yes
    WITH_WINBIND=yes
    WITH_EXP_MODULES=yes
    WITH_PAM_SMBPASS=yes
    WITH_ACL_SUPPORT=yes

    This assumes that you aren’t interested in using CUPS for printing on this system. We also aren’t going to be using Kerberos for this, hence the WITHOUT_ADS=yes line. Enabling syslog is optional; I tend to prefer it. We must have Winbind, and the experimental modules enable the use of idmap_rid, which we also need. Although we will be using the Winbind PAM module, I like having the option of using smbpass as well. ACL support is not required, but I recommend including it.

    Run make install from /usr/ports/net/samba3 and only enable the following options: WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES, POPT. This might take a little while to build; in the meantime add the following lines to your /etc/rc.conf file:

    nmbd_enable="YES"
    smbd_enable="YES"
    winbindd_enable="YES"

    This will enable the three major components of Samba on your FreeBSD system.

  3. SMB.CONF: The configuration file for Samba is /usr/local/etc/smb.conf. Here’s a basic one to make this work:

    [global]
    workgroup = EXAMPLE
    server string = Samba Server
    security = DOMAIN
    allow trusted domains = No
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = domainserver.example.com
    ldap ssl = no
    idmap backend = idmap_rid:EXAMPLE=10000-20000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/tcsh
    winbind use default domain = Yes

    Most of this should be pretty straightforward; if you aren’t sure what an option means, the Samba documentation does a good job of covering them. Change the workgroup to the name of the Windows domain and the wins server to the name of your WINS server. Change the EXAMPLE domain in idmap backend to the name of your Windows domain. To make sure that I didn’t run into any UID conflicts I have Winbind use 10,000 through 20,000. This can be changed to meet your system’s needs; if you aren’t sure then leave them unchanged, they should be a safe bet. The same goes for the template shell option.

  4. Join The Domain: The process for joining a domain in Samba has changed a bit over the years, mostly due to the new net program. The process is still simple though, run:

    /usr/local/bin/net rpc join -S windomainserver.example.com -U administrator

    Replace windomainserver.example.com with the name of one of your Windows domain controllers. You’ll be prompted for the administrator password. This should just work. If it doesn’t, make sure that your FreeBSD system can resolve the IP address of your domain controller and try again.

  5. Start Samba and Winbind: At this point you can startup Samba and Winbind on your system with:

    /usr/local/etc/rc.d/samba.sh start

  6. Name Service Switch: To instruct FreeBSD to make use of Active Directory (via Winbind) as a source of user and group information we’ll need to make changes to the /etc/nsswitch.conf file:

    group: files winbind
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: files winbind
    passwd_compat: nis
    shells: files

    In case it isn’t obvious, the two lines that need to be changed in the stock /etc/nsswitch.conf are group and passwd.

  7. Home Directories: You may or may not need to have support for user home directories on your FreeBSD system, depending on what services you want to make available. In my case I want users to be able to ssh into the system, so they’ll need home directories. Rather than running adduser for every AD user we’ll use the mkhomedir PAM module to take care of this automatically. Run make install in /usr/ports/security/pam_mkhomedir to install it.

  8. Pluggable Authentication Modules: In order to authenticate users you’ll have to modify the corresponding PAM configuration file for that service. Sticking with the ssh example, we’ll be editing /etc/pam.d/sshd. In the auth section add the following as the second line:

    auth sufficient /usr/local/lib/pam_winbind.so

    That will instruct sshd to attempt user authentication via Winbind. In order to create home directories for users on demand add the following line to the session section of /etc/pam.d/sshd:

    session required /usr/local/lib/pam_mkhomedir.so

    The first time that an AD user attempts to log in their home directory will be created. Be sure to make these changes for each service that your system will be making available (IMAP, POP3, FTP, etc).

  9. Optional Reboot: Although not required for everything to work, I’d recommend a reboot. This will give all of the FreeBSD subsystems a chance to become aware of the Name Service Switch and PAM changes. Let me repeat, you do not need to reboot in order for ssh and friends to work after following these steps.
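As an added example (not part of the original post, and not Samba’s own code): a small POSIX sh script that reads the idmap range out of an smb.conf and works out the UID or GID that idmap_rid will hand to a given SID. idmap_rid is purely algorithmic, id = RID + the low end of the range (with Samba’s default base_rid of 0), which is why every host configured with the same range agrees on every mapping without a shared database. The script accepts the idmap backend syntax used in step 3 as well as the newer idmap config DOMAIN:range syntax that comes up in the comments, refuses RIDs that don’t fit in the range (winbind has no Unix id for those accounts), and checks that allow trusted domains is set to no, which idmap_rid requires. The smb.conf fragments and SIDs are constructed for the example; only the well-known RID 513 (Domain Users) is a real value.

```shell
#!/bin/sh
# Added example, not part of the original post: idmap_rid mapping calculator.
# idmap_rid gives an AD account a Unix id algorithmically,
#     uid (or gid) = RID + low end of the configured range
# (Samba's base_rid defaults to 0), so every host that uses the same range in
# smb.conf produces the same UID for the same SID without any shared database.
# The configs and SIDs below are constructed for the example.

# Print the value of KEY ($2) from the smb.conf text in $1 (first match).
smb_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print "low-high" for domain $2. Accepts the syntax used in this post
# (idmap backend = idmap_rid:DOMAIN=low-high, or rid:DOMAIN=low-high) and the
# newer per-domain form the comments end up needing
# (idmap config DOMAIN:range = low-high). Fails if neither is present.
idmap_range() {
    backend=$(smb_value "$1" "idmap backend")
    case $backend in
        idmap_rid:"$2"=*|rid:"$2"=*) printf '%s\n' "${backend#*=}"; return 0 ;;
    esac
    range=$(smb_value "$1" "idmap config $2:range")
    if [ -n "$range" ]; then printf '%s\n' "$range"; return 0; fi
    echo "no idmap_rid range configured for domain $2" >&2
    return 1
}

# Print the RID (last component) of a domain SID; reject anything else.
sid_rid() {
    case $1 in
        S-1-5-21-*-*-*-[0-9]*) printf '%s\n' "${1##*-}" ;;
        *) echo "not a domain account SID: $1" >&2; return 1 ;;
    esac
}

# Map SID $1 into the range [$2, $3]. Fails when the RID does not fit, which
# is exactly the case where winbind has no Unix id for the account.
sid_to_uid() {
    rid=$(sid_rid "$1") || return 1
    uid=$((rid + $2))
    if [ "$uid" -gt "$3" ]; then
        echo "RID $rid does not fit in $2-$3 (would be $uid)" >&2
        return 1
    fi
    printf '%s\n' "$uid"
}

# idmap_rid refuses to initialise with trusted domains enabled (winbind logs
# this at startup), so an smb.conf using it must say "allow trusted domains = no".
rid_prereqs_ok() {
    case $(smb_value "$1" "allow trusted domains") in
        [Nn][Oo]) return 0 ;;
        *) echo 'allow trusted domains must be "no" for idmap_rid' >&2; return 1 ;;
    esac
}

# Constructed smb.conf fragments: the post's syntax and the newer one.
SAMPLE_CONF='[global]
workgroup = EXAMPLE
security = DOMAIN
allow trusted domains = No
idmap backend = idmap_rid:EXAMPLE=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000'

NEW_STYLE_CONF='[global]
workgroup = EXAMPLE
allow trusted domains = no
idmap domains = EXAMPLE
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 10000-20000'

# Walk a few constructed SIDs through the post's 10000-20000 range: the
# well-known Domain Users RID 513 becomes gid 10513, an ordinary user with
# RID 1105 becomes uid 11105, and a RID above 10000 cannot be mapped at all.
demo() {
    range=$(idmap_range "$SAMPLE_CONF" EXAMPLE) || return 1
    rid_prereqs_ok "$SAMPLE_CONF" || return 1
    for sid in S-1-5-21-1111-2222-3333-513 S-1-5-21-1111-2222-3333-1105 \
               S-1-5-21-1111-2222-3333-30000; do
        if uid=$(sid_to_uid "$sid" "${range%-*}" "${range#*-}"); then
            echo "$sid -> $uid"
        fi
    done
}

demo
```

The last SID in the demo is the check worth keeping: a 10000-20000 range only covers RIDs up to 10000, so a domain that has issued more RIDs than that (RIDs are never reused) silently leaves newer accounts without a Unix id, and the fix is a wider range applied identically on every host.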

That’s it. At this point you should have a FreeBSD system that uses Active Directory users and groups and can authenticate those users via ssh. I prefer this method over the previous one that used LDAP. There are fewer components to install and configure, and you don’t have to make any changes to your Active Directory layout. In my case this was a completely drop-in solution, only requiring the ability to add a computer to the Windows domain.
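As an added example (not from the original post, and not a FreeBSD or Samba tool): a POSIX sh audit of the two files that steps 6 and 8 edit, /etc/nsswitch.conf and /etc/pam.d/sshd. It checks that passwd and group list winbind, that a session line loads pam_mkhomedir, and the ordering point a couple of commenters ran into: the auth sufficient pam_winbind.so line has to sit ahead of pam_unix, because a required pam_unix that fails first already decides the outcome. Run with two file paths it audits those files; with no arguments it audits the constructed samples below (the pam.d excerpt is an approximation of the stock FreeBSD 6 file, not a copy).

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two files this post
# edits for AD logins, so a lost "winbind" entry or a mis-ordered PAM line is
# noticed before users report that ssh has stopped working. Called with two
# paths (nsswitch.conf and pam.d/sshd) it audits them; with no arguments it
# audits the constructed samples below, so it runs on any machine.

# True if the nsswitch database $2 (passwd or group) in text $1 lists winbind.
nss_uses_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# True if the pam.d text $1 has "auth sufficient ... pam_winbind.so" and it
# comes before pam_unix: a "required" pam_unix that fails first decides the
# result, and a winbind line after it is never enough (the comments report
# exactly this symptom, fixed by reordering the entries).
pam_auth_order_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 ~ /pam_winbind\.so$/ { wb = NR; ctl = $2 }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && !unix_at { unix_at = NR }
        END { exit (wb && ctl == "sufficient" && (!unix_at || wb < unix_at)) ? 0 : 1 }'
}

# True if a session line loads pam_mkhomedir.so, so first logins get a home.
pam_mkhomedir_ok() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && $3 ~ /pam_mkhomedir\.so$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run every check on nsswitch text $1 and pam.d/sshd text $2; print each
# finding and return non-zero if any check fails.
audit_text() {
    rc=0
    for db in passwd group; do
        nss_uses_winbind "$1" "$db" || { echo "nsswitch.conf: '$db' does not list winbind"; rc=1; }
    done
    pam_auth_order_ok "$2" || { echo "pam.d/sshd: no 'auth sufficient pam_winbind.so' ahead of pam_unix"; rc=1; }
    pam_mkhomedir_ok "$2" || { echo "pam.d/sshd: no 'session ... pam_mkhomedir.so' line"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Constructed sample files, as they look after following the post.
NSSWITCH_SAMPLE='group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files'

PAM_SSHD_SAMPLE='# constructed excerpt of /etc/pam.d/sshd with the two lines from the post added
auth      sufficient  pam_opie.so          no_warn no_fake_prompts
auth      sufficient  /usr/local/lib/pam_winbind.so
auth      requisite   pam_opieaccess.so    no_warn allow_local
auth      required    pam_unix.so          no_warn try_first_pass
account   required    pam_login_access.so
account   required    pam_unix.so
session   required    pam_permit.so
session   required    /usr/local/lib/pam_mkhomedir.so'

# The same file with pam_winbind placed after pam_unix and no mkhomedir line:
# the misconfiguration the audit is meant to flag.
PAM_SSHD_WRONG_ORDER='auth      sufficient  pam_opie.so          no_warn no_fake_prompts
auth      required    pam_unix.so          no_warn try_first_pass
auth      sufficient  /usr/local/lib/pam_winbind.so
session   required    pam_permit.so'

if [ $# -eq 2 ]; then
    audit_text "$(cat "$1")" "$(cat "$2")"
else
    audit_text "$NSSWITCH_SAMPLE" "$PAM_SSHD_SAMPLE"
fi
```

On a configured host, sh audit.sh /etc/nsswitch.conf /etc/pam.d/sshd gives a non-zero exit on any finding, which makes it easy to run from a periodic job; the same three checks apply to whichever other pam.d files (IMAP, POP3, FTP) you edited in step 8.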

If you have any thoughts or pointers on how to refine this process please leave a comment or send me a note via my contact form.

33 Comments

  1. I followed these instructions, and now ls -l shows the correct userids from the w2k server, but pw usershow claims those don’t exist, and none of the domain passwords work.

    Any suggestions?

  2. Hi, I tried to implement this strategy(FreeBSD 6.1, samba-3.0.22) and am receiving the following messages:

    Jun 2 20:50:41 homews pam_winbind[928]: user `smurf’ denied access (incorrect password or invalid membership)
    Jun 2 20:50:41 homews sshd[926]: error: PAM: authentication error for illegal user smurf from pheromone.ircfriends.net

    Needless to say, I have been unable to get this to work. However, “wbinfo -a smurf%smurfpass” tells me it authenticates correctly with both plain text and with challenge/response.

    Any ideas where to go next?
    Thanks…Bill

  3. Bill,

    Did you just show a log saying that your login on SSH failed, and your Samba login failed, and really ask why ?

    – Chris

  4. I haven’t been able to get this to work on FreeBSD 6.1, with the samba-3.0.21b,1 port. Strangely, I get the following log entry from pam_winbind (where is a domain username), but then the logon fails!

    pam_winbind[24938]: user ” granted access

    Domain user logons fail locally, and over ssh, and in the same way. This is also true for su (unless it is run by root).

    I can see that the pam_sm_authenticate() function in pam_winbind.so is succeeding with PAM_SUCCESS, but the pam_authenticate() call above it later fails with PAM_AUTH_ERR. Does anyone more familiar with this know why that might happen?

    Thanks
    Thomas

  5. I’ve managed to get it working, by changing the order of the entries in /etc/pam.d files! :)

  6. I followed the instructions, and lo and behold, it works wonderfully. But I have one question, not too presumptuously I hope, for Joseph. Using your scheme, how would you add AD users to local groups? I’ve ready a couple of howtos but they seem to rely on LDAP. What tweaks would you suggest?

    Thanks.

  7. @michael- I’m assuming by local you mean FreeBSD groups in /etc/group. If so just add them to the correct group in /etc/group.

  8. Right, I assumed that to be the case… enumeration of said users is not so obvious. Do users have to login to the server before they can be added to /etc/group, or can you add them if you know their usernames in AD? Thanks for any insight.

  9. You only have to know their AD username. You can add them to /etc/group at any time. There is no requirement for them to have logged into that specific server.

  10. I was having trouble getting samba3 to compile under 6.1-RELEASE following your instructions. I kept getting an error about some LDAP declaration being undefined. I then did a make config to re-configure using all of the options you specified AND the LDAP option, followed by a make clean install and it installed.

  11. I tried following this site and this site http://web.irtnog.org/doc/how-to/freebsd-winbind to try and get AD authentication to work.

    I can “join” successfully and run wbinfo commands just fine. When I run getent passwd I see only the local users to the FreeBSD box. However when I run getent group I see both AD and local groups.

    When I try to do an ssh authentication into the freebsd box. The attempt reaches the domain controller but it logs it as a failed attempt because of invalid password. However if I do a ntlm_auth command on the same exact user, it passes.

    I know I’m missing something simple. Any ideas?

    This is a clean install of FBSD 6.2. All my ports are up to date.

  12. FreeBSD 6.2, Samba 3.0.24,1,
    Im using a combo of this tutorial and this one http://www.kurai.org/~gdunn/samba3-ad/fbsd_samba.html

    Getent works fine with group and passwd, net ads info works fine, joined the domain…. everything “looks fine” and then..

    Failed to create_builtin_users: Failed to create users over and over
    ssh login does not work
    local logins dont work
    I get an error about /bin/false being my shell but I know its bash and is stated correctly in the MSFU35 extended schema.

    I’m fairly sure something is wrong with user id mappings from Windows to Unix.

    I really want to be able to have AD users log in locally or remotely, have access to Windows fileshares whilst in Unix and have browseability whilst in Gnome/KDE or Windows or OSX.

    Is 3.0.24 the issue? Seems that *

  13. I have no clue what I did but it all works now????????????????

    I’m pretty beat.. will post my configs tomorrow.

  14. Hi Joseph

    Thanks for this howto. :)

    I followed it, and everything is working fine, but I have a suggestion: include the line below in smb.conf, because without it pam_mkhomedir can’t create the HOMEDIR.

    template homedir = /home/%U

    I’m using FBSD 6.2, pam_mkhomedir-0.1 and samba-3.0.24,1.

  15. Thanks for this – an excellent guide with helpful examples and, for the first time ever, I’ve got samba working!!!

    Now I just have to find a use for it :-)

  16. I’m trying to make this work with webmin, do you have any ideas?

  17. I followed this how to and I think I have it working…?

    Although I’m getting huge winbindd log files and the following pesky error message:

    winbindd version 3.0.21b started.
    Copyright The Samba Team 2000-2004
    [2007/04/19 16:34:30, 0] sam/idmap.c:idmap_init(137)
    idmap_init: idmap backend uses deprecated ‘idmap_’ prefix. Please replace ‘idmap_rid’ by ‘rid’ in /usr/local/etc/smb.conf
    [2007/04/19 16:34:30, 0] sam/idmap_rid.c:rid_idmap_init(357)
    rid_idmap_init: idmap_rid does not work with trusted domains
    rid_idmap_init: please set “allow trusted domains” to “no” when using idmap_rid
    [2007/04/19 16:34:30, 0] sam/idmap.c:idmap_init(146)
    idmap_init: failed to initialize remote backend!
    [2007/04/19 16:34:30, 1] nsswitch/winbindd.c:main(1011)
    Could not init idmap — netlogon proxy only

    I also get a lot of log entries that state:
    could not lookup domain user domainuser
    could not look up gid for group DomainGroup

    I’m sure that the error logs are trying to tell me something useful; however I’m just not getting it.

    Thanks in advance!
    jim

  18. Daniel: It works if you create /home/YOURDOMAIN first.

    Is it possible to restrict access to certain security groups in AD?

  19. jmi: Yes it is possible to restrict access to certain Active Directory groups

    smb.conf:
    workgroup = DOMAIN_NAME
    server string = Borro -> The FreeBSD Samba Test
    security = domain
    log file = /var/log/samba/log.%m
    max log size = 50
    wins server = your.domain.controller
    dns proxy = no
    winbind use default domain = YES
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
    idmap backend = rid:DOMAIN_NAME=10000-20000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    ldap ssl = no
    allow trusted domains = no

    share definition: (notice @access_borro -> this is the Active Directory group)
    [borro_share]
    path = /usr/local/borro_share
    browseable = yes
    public = no
    valid users = @access_borro
    writable = yes
    printable = no
    force group = wheel
    force user = jimd

  20. Jim, is there a way to restrict SSH login by groups as well?

  21. jmi,
    I can’t seem to get the ssh part to work correctly.
    I get always get:

    sshd[712]: error: PAM: authentication error for illegal user DOMAIN_NAMEjimd from borro.domain.name
    Apr 24 00:00:45 mars pam_winbind[748]: pam_parse: unknown option; no_warn
    Apr 24 00:00:47 mars pam_winbind[748]: request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD

    OR
    sshd[712]: error: PAM: authentication error for illegal user DOMAIN_NAME\jimd from borro.domain.name
    Apr 24 00:00:45 mars pam_winbind[748]: pam_parse: unknown option; no_warn
    Apr 24 00:00:47 mars pam_winbind[748]: request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD

    It seems as though it doesn’t recognize the separator; however, come to think of it, I don’t know that I set one. Or I could have totally jacked up the ssh conf, I’ll check it out.

    Weird that I can wbinfo -a jimd%password and get:

    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    ->jim

  22. Hello,

    Not newbie to Samba or FreeBSD, but I’m having a devil of time getting Samba to complile on 6.2! Chris or Daniel, any ideas that would greatly help!

  23. Ugh…just updated to latest samba (samba-3.0.25,1) and there are subtle issues with the config. I think it’s *supposed* to support the config given here, but it doesn’t work.

    I was getting all kinds of errors, but the one that tipped me off was found in /var/log/samba/log.winbindd-idmap:

    [2007/06/01 23:32:09, 1] nsswitch/idmap.c:idmap_init(343)
    Initializing idmap domains
    [2007/06/01 23:32:09, 1] nsswitch/idmap_rid.c:idmap_rid_initialize(69)
    ERROR: Invalid configuration, ID range missing
    [2007/06/01 23:32:09, 0] nsswitch/idmap.c:idmap_init(438)
    ERROR: Initialization failed for backend rid (domain default domain), deferred!
    [2007/06/01 23:32:09, 0] nsswitch/idmap.c:smb_register_idmap(129)
    Idmap module rid already registered!
    [2007/06/01 23:32:09, 0] lib/module.c:do_smb_load_module(69)
    Module ‘/usr/local/lib/samba/idmap/rid.so’ initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

    Now, there are lots of dead-ends to google for there. It turns out that there’s been a change recently in the way to configure idmaps, and even though man smb.conf seems to say the old config syntax is valid, I had to change to the new syntax:

    #
    # OLD WAY
    #
    #idmap backend = rid:DOMAIN_NAME=10000-20000

    #
    # NEW WAY
    #
    idmap domains = DOMAIN_NAME
    idmap config DOMAIN_NAME:backend = rid
    idmap config DOMAIN_NAME:range = 10000-20000

    Hopefully I’ve saved someone some time by posting this here.

  24. @Chris, it sure saved me some time, thanks!!!

  25. Thanks for that tip Chris! I’ve been trying to solve this winbind/rid problem for several days on RedHat ES 5.1 which comes with samba 3.0.25b. Thankfully googling the NT_STATUS_OBJECT_NAME_COLLISION error from winbindd-idmap.log led me to your post.

  26. Thanks Chris, I’ve been searching for ages trying to get to the bottom of these errors, there isn’t much info on the net

  27. Followed this tutorial and ran into a small problem, not with the tutorial, but with my environment. It seems that for ssh to work the user can’t be in more than 15 Active Directory groups. I was getting something like
    [sshd] initgroups(username, guid): Invalid argument. If you experience this issue get your AD group membership down to 15 and you should be just fine.

    Thanks for the wonderful tutorial!

  28. After editing the /etc/make.conf file I did make install but I am getting the message below

    Stop in /usr/ports/net/samba3.
    *** Error code 1

    Stop in /usr/ports/net/samba3.
    *** Error code 1

    Stop in /usr/ports/net/samba3.
    [root@freebsd61 /usr/ports/net/samba3]# pwd
    /usr/ports/net/samba3
    [root@freebsd61 /usr/por

    I am trying to install smbclient in freebsd6.1

  29. @suresh -

    Looks like there was an error in building samba3 at some point. I’d suggest tracking that down before trying to go any further.

  30. Hi

    Actually I am a tester, I don’t know anything about this. I am trying to do
    cifs mounting in FreeBSD but I am getting anything about that, please help me.

  31. Aberardo Castillo

    Thu 13 Nov 2008 at 6:41 pm

    Hi,

    I did apply this procedure and everything works fine. Thanks for your contribution to others.

    I have a case in my Lab. I have 2 AD in redundancy, and I would like to configure the server so it can authenticate the users with any of them (have redundancy as well on the authentication). is this possible? if yes, any clues or ideas to get it done?

    Regards,
    –Aberardo.

  32. Debian Lenny with Samba 3.2.5
    with “old” idmap syntax winbind generates errors about re-initialization of rid module:

    [2009/03/06 12:07:48, 0] winbindd/idmap.c:smb_register_idmap(142)
    Idmap module rid already registered!
    [2009/03/06 12:07:48, 0] lib/module.c:do_smb_load_module(69)
    Module ‘/usr/lib/samba/idmap/rid.so’ initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

    after changing it to “new” syntax errors have gone

    was:

    idmap backend = rid:DOMAIN=10000-20000
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    become:

    idmap domains = DOMAIN
    idmap config DOMAIN:backend = rid
    idmap config DOMAIN:range = 10000-20000

  33. @Chris: thanks man! You won’t believe how annoying it was to have ossec mailing me every second about that error.

    smbd Version 3.5.4-0.70.el5_6.1
    CentOS release 5.6 (Final)


© 2014 Joseph Scott
