josephscott

FreeBSD Users and Groups with Samba (Winbind) and Active Directory

One of the most popular posts on this blog is the how to: Active Directory With nss_ldap And pam_ldap On FreeBSD. That was almost a year and a half ago and things have changed a bit since then. One of the reasons I recommended using LDAP at the time was that Winbind (part of Samba) was troublesome (at least on FreeBSD) and that there wasn’t an easy way to provide a consistent UID to SID mapping across systems. Since then Winbind seems to be quite stable on FreeBSD, and with the idmap_rid option you can easily keep the UID to SID mapping consistent across multiple systems. With the release of FreeBSD 6.0 this month I’m ready to update the steps needed to make FreeBSD use Active Directory (AD) users and groups, this time via Samba (Winbind) instead of LDAP.

I wrote these steps using FreeBSD 6.0 and Samba 3.0.20b (from the ports collection). The Active Directory system is running Windows 2003, though I don’t think that will make a difference; AD on Windows 2000 should also work just fine. All host names use the domain example.com, so be sure to change them to reflect your network setup.

  1. Step 0: Your Windows AD server and your FreeBSD system should all be running normally, if not stop now and go fix them up first.
  2. Install Samba: We will be installing Samba 3.0.20b from /usr/ports/net/samba3. Add the following lines to your /etc/make.conf before installing the port:

    WITHOUT_CUPS=yes
    WITHOUT_ADS=yes
    WITH_SYSLOG=yes
    WITH_WINBIND=yes
    WITH_EXP_MODULES=yes
    WITH_PAM_SMBPASS=yes
    WITH_ACL_SUPPORT=yes

    This assumes that you aren’t interested in using CUPS for printing on this system. We also aren’t going to be using Kerberos for this, hence the WITHOUT_ADS=yes line. Enabling syslog is optional; I tend to prefer it. We must have Winbind, and the experimental modules enable the use of idmap_rid, which we also need. Although we will be using the Winbind PAM module, I like having the option of using smbpass as well. ACL support is not required, but I recommend including it.

    Run make install from /usr/ports/net/samba3 and only enable the following options: WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES, POPT. This might take a little while to build; in the meantime add the following lines to your /etc/rc.conf file:

    nmbd_enable="YES"
    smbd_enable="YES"
    winbindd_enable="YES"

    This will enable the three major components of Samba on your FreeBSD system.

  3. SMB.CONF: The configuration file for Samba is /usr/local/etc/smb.conf. Here’s a basic one to make this work:

    [global]
    workgroup = EXAMPLE
    server string = Samba Server
    security = DOMAIN
    allow trusted domains = No
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = domainserver.example.com
    ldap ssl = no
    idmap backend = idmap_rid:EXAMPLE=10000-20000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/tcsh
    winbind use default domain = Yes

    Most of this should be pretty straightforward; if you aren’t sure what an option means, the Samba documentation does a good job of covering them. Change the workgroup to the name of the Windows domain and the wins server to the name of your WINS server. Change the EXAMPLE domain in idmap backend to the name of your Windows domain. To make sure that I didn’t run into any UID conflicts I have Winbind use 10,000 through 20,000. This can be changed to meet your system’s needs; if you aren’t sure then leave them unchanged, they should be a safe bet. The same goes for the template shell option.

  4. Join The Domain: The process for joining a domain in Samba has changed a bit over the years, mostly due to the new net program. The process is still simple though, run:

    /usr/local/bin/net rpc join -S windomainserver.example.com -U administrator

    Replace windomainserver.example.com with the name of one of your Windows domain controllers. You’ll be prompted for the administrator password. This should just work. If it doesn’t, make sure that your FreeBSD system can resolve the IP address of your domain controller and try again.

  5. Start Samba and Winbind: At this point you can startup Samba and Winbind on your system with:

    /usr/local/etc/rc.d/samba.sh start

  6. Name Switch Service: To instruct FreeBSD to make use of Active Directory (via Winbind) as a source of user and group information we’ll need to make changes to the /etc/nsswitch.conf file:

    group: files winbind
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: files winbind
    passwd_compat: nis
    shells: files

    In case it isn’t obvious, the two lines that need to be changed in the stock /etc/nsswitch.conf are group and passwd.

  7. Home Directories: You may or may not need to have support for user home directories on your FreeBSD system, depending on what services you want to make available. In my case I want users to be able to ssh into the system, so they’ll need home directories. Rather than running adduser for every AD user we’ll use the mkhomedir PAM library to take care of this automatically. Run make install in /usr/ports/security/pam_mkhomedir to install it.

  8. Pluggable Authentication Modules: In order to authenticate users you’ll have to modify the corresponding PAM configuration file for that service. Sticking with the ssh example, we’ll be editing /etc/pam.d/sshd. In the auth section add the following as the second line:

    auth sufficient /usr/local/lib/pam_winbind.so

    That will instruct sshd to attempt user authentication via Winbind. In order to create home directories for users on demand add the following line to the session section of /etc/pam.d/sshd:

    session required /usr/local/lib/pam_mkhomedir.so

    The first time that an AD user attempts to log in, their home directory will be created. Be sure to make these changes for each service that your system will be making available (IMAP, POP3, FTP, etc).

  9. Optional Reboot: Although not required for everything to work, I’d recommend a reboot. This will give all of the FreeBSD subsystems a chance to become aware of the Name Switch Service and PAM changes. Let me repeat, you do not need to reboot in order for ssh and friends to work after following these steps.
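As an added example (not code from the post), here is a small Python check for the [global] idmap settings of an smb.conf like the one in step 3. It accepts both the `idmap backend = idmap_rid:DOMAIN=low-high` form used above and the per-domain `idmap config DOMAIN:backend` / `idmap config DOMAIN:range` form that later Samba 3.0.x releases require, flags a rid backend left with `allow trusted domains` enabled (idmap_rid cannot tell RIDs of different domains apart) and uid/gid ranges that disagree with the rid range, and rid_to_uid shows the arithmetic (low end of the range plus the RID) that makes the mapping identical on every host. The sample config is constructed.

```python
"""Lint the Winbind idmap settings of an smb.conf like the one in the post
and show the rid backend's SID-to-UID arithmetic.  Added example, not the post's code."""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
allow trusted domains = No
idmap backend = idmap_rid:EXAMPLE=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
"""  # constructed sample mirroring the post's [global] section

def parse_global(text):
    """Key/value pairs of [global]; keys lower-cased with whitespace collapsed."""
    opts, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def id_range(value):
    """'10000-20000' -> (10000, 20000); None if absent or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    return (int(m[1]), int(m[2])) if m else None

def lint(opts):
    """Problems found in the idmap setup (an empty list means it looks sane)."""
    problems = []
    m = re.fullmatch(r"(idmap_)?(\w+):(\w+)=(\d+-\d+)", opts.get("idmap backend", ""))
    if m:  # syntax used in the post (Samba 3.0.2x)
        if m[1]:
            problems.append("'idmap_' prefix on idmap backend is deprecated; use 'rid'")
        backend, rng = m[2], id_range(m[4])
    else:  # per-domain syntax: idmap config DOMAIN:backend / DOMAIN:range
        dom = next((k.split()[2][:-8] for k in opts
                    if k.startswith("idmap config ") and k.endswith(":backend")), None)
        backend = opts.get(f"idmap config {dom}:backend") if dom else None
        rng = id_range(opts.get(f"idmap config {dom}:range")) if dom else None
    if backend is None or rng is None:
        return problems + ["idmap backend or its ID range is missing"]
    if backend == "rid":
        if opts.get("allow trusted domains", "yes").lower() not in ("no", "false", "0"):
            problems.append("rid backend needs 'allow trusted domains = no'")
        for key in ("idmap uid", "idmap gid"):  # post sets both equal to the rid range
            if key in opts and id_range(opts[key]) != rng:
                problems.append(f"{key} does not match the rid range")
    return problems

def rid_to_uid(sid, low, high):
    """UID the rid backend derives from a SID, or None when the RID falls outside the range."""
    uid = low + int(sid.rsplit("-", 1)[1])  # rid backend: low end of range + RID, same on every host
    return uid if low <= uid <= high else None
```

A RID larger than the range width is unmappable, which is the symptom to expect when the 10000-20000 window is too small for the domain.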

That’s it. At this point you should have a FreeBSD system that uses Active Directory users and groups and can authenticate those users via ssh. I prefer this method over the previous one that used LDAP. There are fewer components to install and configure and you don’t have to make any changes to your Active Directory layout. In my case this was a completely drop-in solution, only requiring the ability to add a computer to the Windows domain.

If you have any thoughts or pointers on how to refine this process please leave a comment or send me a note via my contact form.

34 replies on “FreeBSD Users and Groups with Samba (Winbind) and Active Directory”

I followed these instructions, and now ls -l shows the correct userids from the w2k server, but pw usershow claims those don’t exist, and none of the domain passwords work.

Any suggestions?

Hi, I tried to implement this strategy (FreeBSD 6.1, samba-3.0.22) and am receiving the following messages:

Jun 2 20:50:41 homews pam_winbind[928]: user `smurf’ denied access (incorrect password or invalid membership)
Jun 2 20:50:41 homews sshd[926]: error: PAM: authentication error for illegal user smurf from pheromone.ircfriends.net

Needless to say, I have been unable to get this to work. However, “wbinfo -a smurf%smurfpass” tells me it authenticates correctly with both plain text and with challenge/response.

Any ideas where to go next?
Thanks…Bill

I haven’t been able to get this to work on FreeBSD 6.1, with the samba-3.0.21b,1 port. Strangely, I get the following log entry from pam_winbind (where is a domain username), but then the logon fails!

pam_winbind[24938]: user ” granted access

Domain user logons fail locally, and over ssh, and in the same way. This is also true for su (unless it is run by root).

I can see that the pam_sm_authenticate() function in pam_winbind.so is succeeding with PAM_SUCCESS, but the pam_authenticate() call above it later fails with PAM_AUTH_ERR. Does anyone more familiar with this know why that might happen?

Thanks
Thomas

I’ve managed to get it working, by changing the order of the entries in /etc/pam.d files! 🙂

I followed the instructions, and lo and behold, it works wonderfully. But I have one question, not too presumptuously I hope, for Joseph. Using your scheme, how would you add AD users to local groups? I’ve read a couple of howtos but they seem to rely on LDAP. What tweaks would you suggest?

Thanks.

Right, I assumed that to be the case… enumeration of said users is not so obvious. Do users have to login to the server before they can be added to /etc/group, or can you add them if you know their usernames in AD? Thanks for any insight.

You only have to know their AD username. You can add them to /etc/group at any time. There is no requirement for them to have logged into that specific server.

I was having trouble getting samba3 to compile under 6.1-RELEASE following your instructions. I kept getting an error about some LDAP declaration being undefined. I then did a make config to re-configure using all of the options you specified AND the LDAP option, followed by a make clean install and it installed.

I tried following this site and this site http://web.irtnog.org/doc/how-to/freebsd-winbind to try and get AD authentication to work.

I can “join” successfully and run wbinfo commands just fine. When I run getent passwd I see only the local users to the FreeBSD box. However when I run getent group I see both AD and local groups.

When I try to do an ssh authentication into the freebsd box. The attempt reaches the domain controller but it logs it as a failed attempt because of invalid password. However if I do a ntlm_auth command on the same exact user, it passes.

I know I’m missing something simple. Any ideas?

This is a clean install of FBSD 6.2. All my ports are up to date.

FreeBSD 6.2, Samba 3.0.24,1,
I’m using a combo of this tutorial and this one http://www.kurai.org/~gdunn/samba3-ad/fbsd_samba.html

Getent works fine with group and passwd, net ads info works fine, joined the domain…. everything “looks fine” and then..

Failed to create_builtin_users: Failed to create users over and over
ssh login does not work
local logins don’t work
I get an error about /bin/false being my shell but I know it’s bash and is stated correctly in the MSFU35 extended schema.

I’m fairly sure something is wrong with user id mappings from Windows to Unix.

I really want to be able to have AD users log in locally or remotely, have access to Windows fileshares whilst in Unix and have browseability whilst in Gnome/KDE or Windows or OSX.

Is 3.0.24 the issue? Seems that *

I have no clue what I did but it all works now????????????????

I’m pretty beat.. will post my configs tomorrow.

Hi Joseph

Thanks for this howto. 🙂

I followed it, and everything is working fine, but I have a suggestion: include the line below in smb.conf, because without it pam_mkhomedir can’t create the HOMEDIR.

template homedir = /home/%U

I’m using FBSD 6.2, pam_mkhomedir-0.1 and samba-3.0.24,1.

Thanks for this – an excellent guide with helpful examples and, for the first time ever, I’ve got samba working!!!

Now I just have to find a use for it 🙂

I followed this how to and I think I have it working…?

Although I’m getting huge winbindd log files and the following pesky error message:

winbindd version 3.0.21b started.
Copyright The Samba Team 2000-2004
[2007/04/19 16:34:30, 0] sam/idmap.c:idmap_init(137)
idmap_init: idmap backend uses deprecated ‘idmap_’ prefix. Please replace ‘idmap_rid’ by ‘rid’ in /usr/local/etc/smb.conf
[2007/04/19 16:34:30, 0] sam/idmap_rid.c:rid_idmap_init(357)
rid_idmap_init: idmap_rid does not work with trusted domains
rid_idmap_init: please set “allow trusted domains” to “no” when using idmap_rid
[2007/04/19 16:34:30, 0] sam/idmap.c:idmap_init(146)
idmap_init: failed to initialize remote backend!
[2007/04/19 16:34:30, 1] nsswitch/winbindd.c:main(1011)
Could not init idmap — netlogon proxy only

I also get a lot of log entries that state:
could not lookup domain user domainuser
could not look up gid for group DomainGroup

I’m sure that the error logs are trying to tell me something useful; however I’m just not getting it.

Thanks in advance!
jim

Daniel: It works if you create /home/YOURDOMAIN first.

Is it possible to restrict access to certain security groups in AD?

jmi: Yes it is possible to restrict access to certain Active Directory groups

smb.conf:
workgroup = DOMAIN_NAME
server string = Borro -> The FreeBSD Samba Test
security = domain
log file = /var/log/samba/log.%m
max log size = 50
wins server = your.domain.controller
dns proxy = no
winbind use default domain = YES
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
idmap backend = rid:DOMAIN_NAME=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /home/%D/%U
ldap ssl = no
allow trusted domains = no

share definition: (notice @access_borro -> this is the Active Directory group)
[borro_share]
path = /usr/local/borro_share
browseable = yes
public = no
valid users = @access_borro
writable = yes
printable = no
force group = wheel
force user = jimd

jmi,
I can’t seem to get the ssh part to work correctly.
I always get:

sshd[712]: error: PAM: authentication error for illegal user DOMAIN_NAMEjimd from borro.domain.name
Apr 24 00:00:45 mars pam_winbind[748]: pam_parse: unknown option; no_warn
Apr 24 00:00:47 mars pam_winbind[748]: request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD

OR
sshd[712]: error: PAM: authentication error for illegal user DOMAIN_NAMEjimd from borro.domain.name
Apr 24 00:00:45 mars pam_winbind[748]: pam_parse: unknown option; no_warn
Apr 24 00:00:47 mars pam_winbind[748]: request failed: Wrong Password, PAM error was 9, NT error was NT_STATUS_WRONG_PASSWORD

It seems as though it doesn’t recognize the separator; however, come to think of it, I don’t know that I set one. Or I could have totally jacked up the ssh conf, I’ll check it out.

Weird that I can wbinfo -a jimd%password and get:

plaintext password authentication succeeded
challenge/response password authentication succeeded

->jim

Hello,

Not a newbie to Samba or FreeBSD, but I’m having a devil of a time getting Samba to compile on 6.2! Chris or Daniel, any ideas would greatly help!

Ugh…just updated to latest samba (samba-3.0.25,1) and there are subtle issues with the config. I think it’s *supposed* to support the config given here, but it doesn’t work.

I was getting all kinds of errors, but the one that tipped me off was found in /var/log/samba/log.winbindd-idmap:

[2007/06/01 23:32:09, 1] nsswitch/idmap.c:idmap_init(343)
Initializing idmap domains
[2007/06/01 23:32:09, 1] nsswitch/idmap_rid.c:idmap_rid_initialize(69)
ERROR: Invalid configuration, ID range missing
[2007/06/01 23:32:09, 0] nsswitch/idmap.c:idmap_init(438)
ERROR: Initialization failed for backend rid (domain default domain), deferred!
[2007/06/01 23:32:09, 0] nsswitch/idmap.c:smb_register_idmap(129)
Idmap module rid already registered!
[2007/06/01 23:32:09, 0] lib/module.c:do_smb_load_module(69)
Module ‘/usr/local/lib/samba/idmap/rid.so’ initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

Now, there are lots of dead-ends to google for there. It turns out that there’s been a change recently in the way to configure idmaps, and even though man smb.conf seems to say the old config syntax is valid, I had to change to the new syntax:

#
# OLD WAY
#
#idmap backend = rid:DOMAIN_NAME=10000-20000

#
# NEW WAY
#
idmap domains = DOMAIN_NAME
idmap config DOMAIN_NAME:backend = rid
idmap config DOMAIN_NAME:range = 10000-20000

Hopefully I’ve saved someone some time by posting this here.

Thanks for that tip Chris! I’ve been trying to solve this winbind/rid problem for several days on RedHat ES 5.1 which comes with samba 3.0.25b. Thankfully googling the NT_STATUS_OBJECT_NAME_COLLISION error from winbindd-idmap.log led me to your post.

Thanks Chris, I’ve been searching for ages trying to get to the bottom of these errors, there isn’t much info on the net

Followed this tutorial and ran into a small problem, not with the tutorial, but with my environment. It seems that for ssh to work the user can’t be in more than 15 Active Directory groups. I was getting something like
[sshd] initgroups(username, guid): Invalid argument. If you experience this issue get your AD group membership down to 15 and you should be just fine.

Thanks for the wonderful tutorial!

After editing the /etc/make.conf file I did make install but I am getting the message below

Stop in /usr/ports/net/samba3.
*** Error code 1

Stop in /usr/ports/net/samba3.
*** Error code 1

Stop in /usr/ports/net/samba3.
[root@freebsd61 /usr/ports/net/samba3]# pwd
/usr/ports/net/samba3
[root@freebsd61 /usr/por

I am trying to install smbclient in freebsd6.1

Hi

Actually I am a tester, I don’t know anything about this. I am trying to do
CIFS mounting in FreeBSD but I am getting anything about that, please help me.

Hi,

I did apply this procedure and everything works fine. Thanks for your contribution to others.

I have a case in my Lab. I have 2 AD in redundancy, and I would like to configure the server so it can authenticate the users with any of them (have redundancy as well on the authentication). is this possible? if yes, any clues or ideas to get it done?

Regards,
–Aberardo.

Debian Lenny with Samba 3.2.5
with “old” idmap syntax winbind generates errors about re-initialization of rid module:

[2009/03/06 12:07:48, 0] winbindd/idmap.c:smb_register_idmap(142)
Idmap module rid already registered!
[2009/03/06 12:07:48, 0] lib/module.c:do_smb_load_module(69)
Module ‘/usr/lib/samba/idmap/rid.so’ initialization failed: NT_STATUS_OBJECT_NAME_COLLISION

After changing it to the “new” syntax the errors are gone.

was:

idmap backend = rid:DOMAIN=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000

become:

idmap domains = DOMAIN
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 10000-20000

@Chris: thanks man! You won’t believe how annoying it was to have ossec mailing me every second about that error.

smbd Version 3.5.4-0.70.el5_6.1
CentOS release 5.6 (Final)
