FreeBSD CIFS - SMB File Server - It's Notes
FREEBSD CIFS/SMB FILE SERVER
Posted on March 5, 2015 by phong
http://www.bmtsolutions.us/wiki/freebsd:cifs:server
This guide covers setting FreeBSD up as a CIFS/SMB File Server via Samba with ZFS storage.
This guide covers FreeBSD 10 and Samba 4.1.7; for previous versions see:
Please refer to my FreeBSD Installation Guide if you need help installing FreeBSD.
portsnap fetch update
Kerberos
This only applies to an ADS setup. As far as I know Kerberos has no function or use for a simple non-ADS Samba setup.
*NOTE:* I believe Samba 4.1 uses a built-in Kerberos implementation but I haven't fully verified that. The krb5.conf settings might not have any impact on Samba4 at all anymore.
krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
[domain_realm]
.example.com = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
default_domain = example.com
}
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
This part is pretty easy.
cd /usr/ports/net/samba41
make config
make install clean
The options you select at the configuration page will depend on your environment and needs.
ADS/LDAP – If you are not integrating into an Active Directory environment you can uncheck ADS and LDAP.
CUPS – If you do not intend to share printers then you can uncheck CUPS.
+------------------------------ samba41-4.1.7 ---------------------------------+
| +--------------------------------------------------------------------------+ |
| | [x] ACL_SUPPORT   File system ACL support                                | |
| | [x] ADS           Active Directory support                               | |
| | [x] AIO_SUPPORT   Asyncronous IO support                                 | |
| | [ ] CUPS          CUPS printing system support                           | |
| | [ ] DEBUG         With debug information in the binaries                 | |
| | [ ] DEVELOPER     With development support                               | |
| | [ ] DNSUPDATE     Dynamic DNS update(require ADS)                        | |
| | [ ] EXP_MODULES   Experimental modules                                   | |
| | [ ] FAM_SUPPORT   File Alteration Monitor support                        | |
| | [x] LDAP          LDAP support                                           | |
| | [x] MANPAGES      Build and/or install manual pages                      | |
| | [ ] PAM_SMBPASS   PAM authentication via passdb backends                 | |
| | [x] PTHREADPOOL   Pthread pool                                           | |
| | [ ] QUOTAS        Disk quota support                                     | |
| | [x] SYSLOG        Syslog support                                         | |
| | [x] UTMP          UTMP accounting support                                | |
| |----------------------------------- DNS ----------------------------------| |
| | (*) NSUPDATE      Use internal DNS with NSUPDATE utility                 | |
| | ( ) BIND98        Use bind98 as a DNS server frontend                    | |
| | ( ) BIND99        Use bind99 as a DNS server frontend                    | |
| |--------------------------------- ZEROCONF -------------------------------| |
| | (*) AVAHI         Zeroconf support via Avahi                             | |
| | ( ) MDNSRESPONDER Zeroconf support via mDNSResponder                     | |
| +--------------------------------------------------------------------------+ |
+------------------------------------------------------------------------------+
My goal with the smb4.conf file is to keep it as absolutely simple as possible. So I omit anything where the default values from Samba work and only include lines that were needed to get this working in my environment. It's always recommended to review the Samba documentation and other guides for settings that might apply to your environment. Near the bottom of this guide there should be the complete output of testparm -v that you can also reference.
Non-ADS Config
This section will cover configuration as a simple File Server with basic security for a home or very small office setup.
ADS Config
This section covers configuration as a Member File Server within an Active Directory domain.
Basic Settings
/usr/local/etc/smb4.conf
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
[testshare]
path = /
read only = no
No, really. That's all you actually need. But read below for more options you may want.
TDB Backend for idmap
The TDB Backend is the default option when no backend is specified.
However, you can specify it and provide a uid/gid mapping range if you want by adding the following to the global section. The range setting tells Samba what range of IDs to use for UID/GID mapping and you may adjust it as you see fit.
idmap config *:backend = tdb
idmap config *:range = 70001-80000
You can read more about the tdb backend with the below link.
https://www.samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html
You can use the RID idmap backend with Samba to calculate the UID/GID values based off the Active Directory RID value. This protects your Samba installation from losing the mappings due to a damaged tdb database and allows all Samba installations to use the same UID/GID values. You can read more about the RID backend on Samba's website with the link below.
https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
From what I understand, the SID is unique per domain and the RID is only unique inside a given domain. A user's or group's complete SID is composed of the domain SID with the user/group RID as the last four or more digits. RIDs are never re-used and so the "next RID" value will always grow to a larger and larger number over time. This is an easy way to get static SID to Linux UID/GID mappings that are the same across all Samba servers.
You also need to configure a "fall back" backend, such as TDB, for anything that doesn't have an RID value, such as some of the domain "BUILTIN" accounts and groups like "Everyone" or "Administrators".
A UID/GID is built by taking the RID and adding the low range number. So, if a RID is 1250 and your rid mapping is 500-100000 then the UID/GID would come out as 1750. You want to make sure your high range number is large enough to accommodate any UID/GID that would be calculated in this fashion. For example, if your mapping was 500-1000, the same RID of 1250 would still calculate to a UID/GID of 1750, but since your high range number is 1000 it wouldn't be able to do the mapping and the mapping would be ignored (I haven't tested it – just what I understand from the documentation).
The idmap range should be configured the same for any given domain on ALL Samba servers, otherwise you won't have matching UID/GID values, which is the whole point of doing it in the first place.
Below is a hopefully safe example of using idmap_rid for a mid sized domain.
Reference
http://svenvdhobby.blogspot.com/2012/10/part2-integrating-red-hat-enterprise.html
http://sadiquepp.blogspot.com/2008/02/authenticating-linux-to-ad-using.html
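The idmap_rid arithmetic explained above (RID plus the low range number, bounded by the high range number), as an added shell example that is not part of the original guide: it reads the range lines from a constructed smb4.conf fragment and reports when a RID would land outside the configured range. The domain names EXAMPLE and TOOSMALL and their ranges are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): reproduces the idmap_rid
# arithmetic described above so a configured range can be checked before it
# is rolled out to every server. The smb4.conf fragment below is constructed;
# the domain names EXAMPLE and TOOSMALL and their ranges are assumptions.

SMB_CONF_SAMPLE='
[global]
  idmap config * : backend = tdb
  idmap config * : range = 70001-80000
  idmap config EXAMPLE : backend = rid
  idmap config EXAMPLE : range = 500-100000
  idmap config TOOSMALL : backend = rid
  idmap config TOOSMALL : range = 500-1000
'

# idmap_range DOMAIN -> prints "LOW HIGH" taken from that domain's range line.
idmap_range() {
    dom=$(printf '%s' "$1" | sed 's/[*.]/\\&/g')   # make DOMAIN literal in the regex
    printf '%s\n' "$SMB_CONF_SAMPLE" |
        sed -n "s/^[[:space:]]*idmap config $dom[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p"
}

# rid_to_id DOMAIN SID [BASE_RID] -> the UID/GID idmap_rid assigns:
#     ID = RID - BASE_RID + LOW        (base rid defaults to 0)
# Returns 1 when the result lands outside LOW-HIGH, the case the guide warns
# about, and 2 when no range is configured for DOMAIN.
rid_to_id() {
    domain=$1 sid=$2 base_rid=${3:-0}
    rid=${sid##*-}                              # the RID is the last SID component
    set -- $(idmap_range "$domain")
    [ -n "$1" ] && [ -n "$2" ] || { echo "no idmap range for $domain" >&2; return 2; }
    low=$1 high=$2
    id=$((rid - base_rid + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "RID $rid -> $id is outside $low-$high for $domain; Samba would not map it" >&2
        return 1
    fi
    echo "$id"
}

# The guide's own numbers: RID 1250 with range 500-100000 gives 1750.
rid_to_id EXAMPLE S-1-5-21-1111-2222-3333-1250
```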
The AD backend is slightly similar to the RID backend in that it provides protection against a lost/damaged TDB database and keeps GID/UID mapping the same across all Samba installations. It differs just in how it accomplishes that. With the AD backend the Samba idmapper will pull the UID/GID values directly out of the Active Directory database. This means a UID and GID value must be present in AD (via the RFC2307/SFU schema extensions) for each user.
You can read more about the AD backend on Samba's website with the link below.
https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
If I get some more time I will try and document this more, however the above link describes it pretty well. The trick here is getting the RFC2307 schema extensions added to a Windows Active Directory but there are several examples on the web for most Windows server versions. Just google it.
Reference
http://blog.banck.net/2014/02/preparing-windows-2012-r2-active.html
read only = no
inherit permissions = No
inherit acls = No
inherit owner = No
force unknown acl user = No
store dos attributes = yes
map read only = no
You also need to set two ZFS settings on any pools/datasets you intend to store ACLs on.
You can take ZFS snapshots for a Samba share and have those snapshots show up under the "Previous Versions" tab on a Windows computer. It's an amazingly great first-level backup method. You can automate the snapshots to run on a regular interval or each time you connect to the Samba share. Imagine you damage or accidentally delete a file and the "restore" process is to just right-click on a folder, select the Previous Versions tab and get the most recent files.
The short and quick example to enable ZFS ACLs and Previous Version ShadowCopies is below.
[someshare]
path = /somepool
vfs objects = shadow_copy2, zfsacl
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: localtime = no
shadow: format = %Y-%m-%dT%H:%M:%S
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
http://www.samba.org/samba/docs/man/manpages/vfs_shadow_copy2.8.html
http://www.edplese.com/blog/2009/12/02/samba-shadow_copy2-enhancements/
http://www.edplese.com/samba-with-zfs.html
http://thegreyblog.blogspot.com/2010/05/accessing-zfs-snapshots-from-windows.html
https://forums.freebsd.org/viewtopic.php?&t=32282
notes
Some ideas for managing “rolling snapshots” that work with “Previous Versions”
https://github.com/zfsnap/zfsnap
With this you could set a TTL for a snapshot without putting it in the snapshot name itself. You could set all sorts of properties. Also, custom properties on the dataset will get added to snapshots. So you could set "zfsnap:ttl=1m" on the main dataset and all snapshots would inherit that property. This way the configuration of your rolling snapshot system could be stored fully inside the ZFS properties.
Also, these custom properties can be changed anytime. So you can change the TTL or even add more custom
properties to a snapshot.
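Rolling snapshots that "Previous Versions" will list, as an added shell example that is not part of the original guide or of zfsnap: names follow the shadow: format above in UTC (to match shadow: localtime = no), and pruning compares names instead of parsing dates. The snapshot list is constructed; the dataset name somepool and the ZFS variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: rolling ZFS snapshots for the
# shadow_copy2 share above. Names use the configured
# "shadow: format = %Y-%m-%dT%H:%M:%S" in UTC ("shadow: localtime = no"), so
# Windows "Previous Versions" lists them; snapshots older than a cutoff are
# destroyed. Dataset "somepool" is assumed; ZFS may point at a dry-run stub.

ZFS=${ZFS:-zfs}

# Constructed sample of what "zfs list -H -t snapshot -o name" might print.
SAMPLE_SNAPSHOTS='somepool@2015-03-01T00:00:00
somepool@2015-03-04T23:59:59
somepool@2015-03-05T00:00:00
somepool@manual-backup'

# shadow_name -> the current UTC time in the shadow_copy2 name format.
shadow_name() { date -u +%Y-%m-%dT%H:%M:%S; }

# is_shadow_name NAME -> true when NAME matches the configured format.
is_shadow_name() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# digits NAME -> the 14 digits of a shadow name. Fixed-width UTC names mean
# a plain numeric comparison orders snapshots chronologically.
digits() { printf '%s' "$1" | tr -d 'T:-'; }

# expired_snapshots CUTOFF  (reads "dataset@name" lines on stdin)
# Prints snapshots older than CUTOFF. Names in any other format (manual
# snapshots) are skipped so they are never destroyed by mistake.
expired_snapshots() {
    while IFS= read -r snap; do
        name=${snap#*@}
        is_shadow_name "$name" || continue
        [ "$(digits "$name")" -lt "$(digits "$1")" ] && printf '%s\n' "$snap"
    done
}

# Real operations: take a snapshot now, then prune DATASET below CUTOFF.
# On FreeBSD a 30-day cutoff is:  date -u -v-30d +%Y-%m-%dT%H:%M:%S
take_snapshot() { "$ZFS" snapshot "$1@$(shadow_name)"; }
prune_snapshots() {
    "$ZFS" list -H -t snapshot -o name -r "$1" | expired_snapshots "$2" |
        while IFS= read -r snap; do "$ZFS" destroy "$snap"; done
}
```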
Samba Auditing
Placeholder..
http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html
http://www.samba.org/samba/docs/man/manpages/vfs_audit.8.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html
nsswitch
Winbind needs to be added to the /etc/nsswitch.conf file. Here's an example below.
/etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files winbind
#group: compat
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
To join this Samba server to the domain use the below command. Adjust the username if needed.
You can follow up with the following command to make sure everything went okay.
Advanced? Settings
Here is a handful of additional Samba settings you might want to use.
admin users
load printers
disable spoolss
domain master
local master
csc policy
interfaces
log file
netbios name
default yes
read only
Performance
Placeholder
AIO
Samba AIO needs the AIO module loaded. Here's how to do that and configure the system to load it on boot.
kldload aio
echo 'aio_load="YES"' >> /boot/loader.conf
https://blogs.oracle.com/timthomas/entry/making_samba_go_faster
http://lists.freebsd.org/pipermail/freebsd-stable/2011-February/061642.html
Notes
https://groups.google.com/forum/#!msg/mailing.freebsd.ports/uSc0gAojCnw/ggi0pBDesDcJ
Need to touch /usr/local/etc/lmhosts to fix an error in the logs.
Troubleshooting
getent passwd/group does not show domain users
Try asking getent for a specific user. Try both with the domain and without. If you have changed the winbind domain separator then you should adjust the below to match.
If the 1st line works and not the second then you might want to read about the setting *winbind use default domain = yes*.
If both lines work but when typing getent passwd without a username domain users are not displayed then you may want to read about the settings *winbind enum users = yes* and also *winbind enum groups = yes*.
load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes
If you get this.. It might be.. That the netbios name in smb4.conf should match your system hostname..
I get this error still. If you nd an answer I’d love to know it. Please email me!
More…
https://wiki.archlinux.org/index.php/Samba/Troubleshooting
Reference
http://www.pclinuxos.com/forum/index.php?topic=122010.0
http://www.whitneytechnologies.com/?p=119
http://blog.ngel.ru/2013/04/installing-samba4-on-freebsd-80.html
http://www.blogjoch.nl/artikel/2014/01/21/samba4-member-server-onder-freebsd-92
https://wiki.samba.org/index.php/Samba/Domain_Member
https://forums.freebsd.org/viewtopic.php?t=36137
http://lists.freebsd.org/pipermail/freebsd-questions/2005-December/108000.html
https://glsan.com/community/samba4/zfs-share-setup/
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html