IT'S NOTES

“Tell me and I forget, teach me and I may remember, involve me and I learn.” ― Benjamin Franklin.

About me

Search …
FREEBSD CIFS/SMB FILE SERVER
Posted on March 5, 2015 by phong
META

http://www.bmtsolutions.us/wiki/freebsd:cifs:server
Log in

This guide covers setting FreeBSD up as a CIFS/SMB File Server via Samba with ZFS storage. Entries RSS

Comments RSS
This guide covers FreeBSD 10 and Samba 4.1.7 for previous version see:
WordPress.org

Samba 3.6 Active Directory Fileserver on FreeBSD 9.2

Please refer to my FreeBSD Installation Guide if you need help installing FreeBSD. RECENT POSTS

rclone serve restic

Update FreeBSD How I back up my servers using restic

Offsite (cloud) backup solution ideas

You may wish to make sure FreeBSD and the ports collection are up to date. To do so, use the below commands.
However, please make sure you understand the risks if you are running these commands on an existing system with SATA HDD & SSD shown as
ports installed. removable

Proxmox storage tips/HDD pass

through
freebsd-update fetch
freebsd-update install

CATEGORIES
portsnap fetch update

Antivirus, Antispam

Big Data
Kerberos CCNA-CCNP

Coding
This only applies to an ADS Setup. As far as I know Kerberos has no function or use for a simple non-ADS Samba
setup. Database

Drawing
*NOTE:* I believe Samba 4.1 uses a built-in Kerberos implementation but I haven’t fully veri ed that. The krb5.conf
settings might not have any impact on Samba4 at all anymore.. E-Commerce

Firewall & IDS

As long as your FQDN is set correctly in rc.conf then Kerberos should be able to nd your domain controllers
Hack to learn
without needing anything con gured in the krb5.conf le. Or so, that has been my recent experience.
Linux CEH
However, here is an example krb5.conf le you could use. This is based off the krb5.conf man page. Linux Tips – How to

MacOS – Haskintos
krb5.conf
Mail , groupware

[libdefaults] MCSA-MCSE
default_realm = EXAMPLE.COM Monitor – Backup – HA

Project Management
[domain_realm]
.example.com = EXAMPLE.COM Trooble shooting & tunning

Uncategorized
[realms]
Virtual & Cloud
EXAMPLE.COM = {
kdc = kdc.example.com Web Tech
default_domain = example.com
Window tips
}

[logging]
kdc = FILE:/var/heimdal/kdc.log ARCHIVES
kdc = SYSLOG:INFO
January 2019
default = SYSLOG:INFO:USER
December 2018

November 2018

Install Samba October 2018

September 2018
This part is pretty easy.
August 2018

July 2018
cd /usr/ports/net/samba41 June 2018
make config
May 2018
make install clean
April 2018

March 2018
The options you select at the con guration page will depend on your environment and needs.
February 2018
ADS/LDAP – If you are not integrating into an Active Directory environment you can uncheck ADS and January 2018
LDAP
December 2017
CUPS – If you do not intend to share printers then you can uncheck CUPS.
November 2017

October 2017
+------------------------------ samba41-4.1.7 ---------------------------------+
September 2017
¦ +--------------------------------------------------------------------------+ ¦
¦ ¦ [x] ACL_SUPPORT File system ACL support ¦ ¦ August 2017
¦ ¦ [x] ADS Active Directory support ¦ ¦
July 2017
¦ ¦ [x] AIO_SUPPORT Asyncronous IO support ¦ ¦
¦ ¦ [ ] CUPS CUPS printing system support ¦ ¦ June 2017
¦ ¦ [ ] DEBUG With debug information in the binaries ¦ ¦ May 2017
¦ ¦ [ ] DEVELOPER With development support ¦ ¦
April 2017
¦ ¦ [ ] DNSUPDATE Dynamic DNS update(require ADS) ¦ ¦
¦ ¦ [ ] EXP_MODULES Experimental modules ¦ ¦ March 2017
¦ ¦ [ ] FAM_SUPPORT File Alteration Monitor support ¦ ¦ February 2017
¦ ¦ [x] LDAP LDAP support ¦ ¦
January 2017
¦ ¦ [x] MANPAGES Build and/or install manual pages ¦ ¦
¦ ¦ [ ] PAM_SMBPASS PAM authentication via passdb backends ¦ ¦ December 2016
¦ ¦ [x] PTHREADPOOL Pthread pool ¦ ¦
November 2016
¦ ¦ [ ] QUOTAS Disk quota support ¦ ¦
¦ ¦ [x] SYSLOG Syslog support ¦ ¦ October 2016
¦ ¦ [x] UTMP UTMP accounting support ¦ ¦ September 2016
¦ ¦----------------------------------- DNS ----------------------------------¦ ¦
August 2016
¦ ¦ (*) NSUPDATE Use internal DNS with NSUPDATE utility ¦ ¦
¦ ¦ ( ) BIND98 Use bind98 as a DNS server frontend ¦ ¦ July 2016
¦ ¦ ( ) BIND99 Use bind99 as a DNS server frontend ¦ ¦ June 2016
¦ ¦--------------------------------- ZEROCONF -------------------------------¦ ¦
¦ ¦ (*) AVAHI Zeroconf support via Avahi ¦ ¦
May 2016
¦ ¦ ( ) MDNSRESPONDER Zeroconf support via mDNSResponder ¦ ¦ April 2016
¦ +--------------------------------------------------------------------------+ ¦
March 2016
+------------------------------------------------------------------------------+
February 2016

January 2016

Con gure Samba December 2015

November 2015
My goal with the smb4.conf le is to keep it as absolutely simple as possible. So I omit anything where the default
October 2015
values from Samba work and only include lines that were needed to get this working in my environment. It’s always
recommended to review the samba documentation and other guides for settings that might apply to your September 2015
environment. Near the bottom of this guide there should be the complete output of testparm -v that you can also August 2015
reference.
July 2015

June 2015
Non-ADS Con g
May 2015
This section will cover con guration as a simple File Server with basic security for a home or very small of ce setup. April 2015

March 2015
ADS Con g
February 2015
This section covers con guration as a Member File Server within an Active Directory domain. January 2015

December 2014
Basic Settings
October 2014
/usr/local/etc/smb4.conf September 2014

August 2014
[global]
July 2014
workgroup = EXAMPLE
realm = EXAMPLE.COM June 2014
security = ADS May 2014

April 2014
[testshare]
path = / March 2014
read only = no February 2014

January 2014
No, really. That’s all you actually need. But read below for more options you may want. December 2013

November 2013
TDB Backend for idmap
October 2013
The TDB Backend is the default option when no backend is speci ed. September 2013

August 2013
However, you can specify it and provide a uid/gid mapping range if you want by adding the following to the global
section. The range setting tells Samba what range of ID’s to use for UID/GID mapping and you may adjust it as you July 2013
see t.
June 2013

October 2012
idmap config *:backend = tdb
idmap config *:range = 70001-80000

You can read more about the tdb backend with the below link.

https://www.samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html

RID Backend for idmap

You can use the RID idmap backend with Samba to calculate the UID/GID values based off the Active Directory
RID value. This protects your Samba installation from loosing the mappings due to a damaged tdb database and
allows all Samba installations to use the same UID/GID values. You can read more about the RID backend on
Samba’s website with the link below.

https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html

From what I understand. The SID is unique per Domain and the RID is only unique inside a given Domain. A users
or groups complete SID is composed of the domain SID with the user/group RID as the last four or more numbers.
RIDs are never re-used and so the “next RID” value will always grow to a larger and larger number over time. This
is an easy way to get static SID to Linux UID/GID mappings that are the same across all Samba servers.

You need to also con gure a “fall back” backend, such as TDB for anything that doesn’t have an RID value. Such as
some of the domain “BUILTIN” accounts and groups like “Everyone” or “Administrators”.

A UID/GID is built by taking the RID and adding the low range number. So, if a RID is 1250 and your rid mapping
is 500-100000 then the UID/GID would come out as 1750. You want to make sure your high range number is large
enough to accommodate any UID/GID that would be calculated in this fashion. For example, if your mapping was
500-1000 and the same RID of 1250 would calculate to a GID/RID of 1750 but since your high range number is
1000 it wouldn’t be able to do the mapping and it would be ignored in same fashion (I haven’t tested it – just what I
understand from the documentation)

The idmap range should be con gured the same for any given domain on ALL samba servers otherwise you won’t
have matching UID/GID values which is the whole point for doing it in the rst place.

Below is a hopefully safe example of using idmap_rid for a mid sized domain.

idmap config *:backend = tdb

idmap config *:range = 2000-5000

idmap config EXAMPLE: default = yes

idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: range = 6000-100000

Reference

http://svenvdhobby.blogspot.com/2012/10/part2-integrating-red-hat-enterprise.html
http://sadiquepp.blogspot.com/2008/02/authenticating-linux-to-ad-using.html

AD Backend for idmap

The AD backend is slightly similar to the RID backend in that it provides protection against lost/damanged TDB
database and keeps GID/UID mapping the same across all Samba installtions. It differs just in how it accomplishes
that. With the AD backend the samba idmapper will pull the UID/GID values directly out of the Active Directory
database. This means, a UID and GID value must be present in AD (via the RFC2307/SFU schema extensions) for
each user.

You can read more about the AD backend on Samba’s website with the link below.

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

If I get some more time I will try and document this more, however the above link describes it pretty well. The trick
here is getting the RFC2703 schema extensions added to a Windows Active Directory but there are several
examples on the web for most Windows server versions. Just google it.

Reference

Some related reading…

http://blog.banck.net/2014/02/preparing-windows-2012-r2-active.html

NTFS ACLs on ZFS

These are the settings I have been using successfully in my (Windows AD) environment to correctly store NTFS
permissions in a sensible way. I’m using 100% ZFS and not all of these settings will apply to UFS. As with most
Samba settings you can add these on a per-share basis but I normally add them to the [global] section.

read only = no
inherit permissions = No
inherit acls = No
inherit owner = No
force unknown acl user = No
store dos attributes = yes
map read only = no

vfs objects = zfsacl

nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

You also need to set two ZFS settings on any pools/datasets you intend to store ACLs on.

zfs set aclmode=passthrough dataset/pool

zfs set aclinherit=passthrough dataset/pool

“Previous Versions” on ZFS

You can take ZFS snapshots for a Samba share and have those snapshots show up under the “Previous Versions”
tab on a Windows computer. It’s an amazingly great rst-level backup method. You can automate the snapshots to
run on a regular interval or each time you connect to the samba share. Image you damange or accidently delete a le
and the “restore” process is to just right-click on a folder, select the previous versions tab and get the most recent
les.

The short and quick example to enable ZFS ACLs and Previous Version ShadowCopies is below.

[someshare]
path = /somepool
vfs objects = shadow_copy2, zfsacl
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: localtime = no
shadow: format = %Y-%m-%dT%H:%M:%S
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes

Then, create snapshots with

zfs snapshot somepool@`date -u +%Y-%m-%dT%H:%M:%S`

You can read more about the vfs_shadow_copy2 module here

http://www.samba.org/samba/docs/man/manpages/vfs_shadow_copy2.8.html
http://www.edplese.com/blog/2009/12/02/samba-shadow_copy2-enhancements/
http://www.edplese.com/samba-with-zfs.html
http://thegreyblog.blogspot.com/2010/05/accessing-zfs-snapshots-from-windows.html
https://forums.freebsd.org/viewtopic.php?&t=32282

notes

Some ideas for managing “rolling snapshots” that work with “Previous Versions”

https://github.com/zfsnap/zfsnap

snapshots can be given special properties when created, like..

zfs snapshot -o "zfsnap:ttl=1m" pool@date

With this you could set a TTL for a snapshot without putting it in the snapshot name itself. You could set all sorts
of properties. Also, custom properties on the dataset will get added to snapshots. So you could set “zfsnap:ttl=1m”
on the main dataset and all snapshots would inherit that property. This way the con guration of your rolling
snapshot systems could be stored fully inside the ZFS properties.

Also, these custom properties can be changed anytime. So you can change the TTL or even add more custom
properties to a snapshot.

Samba Auditing
Placeholder..

Short version: This logs all delete/move/writes

vfs objects = full_audit

full_audit:prefix = %u|%I
full_audit:success = chflags chmod chmod_acl chown mkdir rename rmdir unlink write pwr
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT

Samba has support for logging access, renames, deletes, etc.

http://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html
http://www.samba.org/samba/docs/man/manpages/vfs_audit.8.html
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html

nsswitch
Winbind needs to be added to the /etc/nsswitch.conf le. Here’s an example below.

/etc/nsswitch.conf

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
group: files winbind
#group: compat
#group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

All done. No restart of nsswitch should be needed.

Join ADS Domain

To see that everything looks okay. Try running the below command. It should (at this point) print out valid info on
your domain.

net ads info

To join this Samba server to the domain use the below command. Adjust the username if needed.

net ads join -U Administrator

You can follow up with the following command to make sure everything went okay.

net ads testjoin

Start Samba Server

At this point it probably makes sense to re up the samba server itself and try to connect to it.

First, we want to enable the server.

echo 'samba_server_enable="YES"' >> /etc/rc.conf

Now lets start the server.

service samba_server start

Advanced? Settings
Here is a handful of additional Samba settings you might want to use.

admin users

admin users = “@domain admins”

load printers

disable spoolss

domain master

local master

csc policy

interfaces

log le

netbios name

max log size

default yes

read only

Performance
Placeholder

AIO

Samba AIO needs the AIO module loaded. Here’s how to do that and con gure the system to load it on boot.

kldload aio
echo 'aio_load="YES"' >> /boot/loader.conf

https://blogs.oracle.com/timthomas/entry/making_samba_go_faster
http://lists.freebsd.org/pipermail/freebsd-stable/2011-February/061642.html

Notes
https://groups.google.com/forum/#!msg/mailing.freebsd.ports/uSc0gAojCnw/ggi0pBDesDcJ
Need to touch /usr/local/etc/lmhosts to x error in logs

Troubleshooting
getent passwd/group does not show domain users

Try asking getent for a speci c user. Try both with the domain and without. If you have changed the winbind domain
separator then you should adjust the below to match.

getent passwd DOMAIN\\username

getent passwd username

If the 1st line works and not the second then you might want to read about the setting *winbind use default domain
= yes

If both lines work but when typing getent passwd without a username domain users are not displayed then you may
want to read about the settings *winbind enum users = yes* and also *winbind enum groups = yes*

Unable to connect to CUPS server localhost:631 – Bad le descriptor

You may also see failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

To disable printers in Samba add the following to the global section.

load printers = No
printing = bsd
printcap name = /dev/null
disable spoolss = Yes

DNS update failed: NT_STATUS_INVALID_PARAMETER

If you get this.. It might be.. That the netbois name in smb4.conf should match your system hostname..

Kinit failed: KDC has no support for encryption type

I get this error still. If you nd an answer I’d love to know it. Please email me!

More…

https://wiki.archlinux.org/index.php/Samba/Troubleshooting

Reference
http://www.pclinuxos.com/forum/index.php?topic=122010.0
http://www.whitneytechnologies.com/?p=119
http://blog.ngel.ru/2013/04/installing-samba4-on-freebsd-80.html
http://www.blogjoch.nl/artikel/2014/01/21/samba4-member-server-onder-freebsd-92
https://wiki.samba.org/index.php/Samba/Domain_Member
https://forums.freebsd.org/viewtopic.php?t=36137
http://lists.freebsd.org/pipermail/freebsd-questions/2005-December/108000.html
https://glsan.com/community/samba4/zfs-share-setup/

https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_tdb.8.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_rid.8.html
https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Posted in Linux Tips - How to

Written by phong

View all author posts →

View Larger Map

Managing le/folder permissions and ownership How to integrate Active Directory with FreeBSD 10.0
using security/sssd?

Proudly powered by WordPress | Theme: Selma