moving to freebsd / jails / bhyve (part 3): domain controller
i want to centralize auth. since i use smb a lot, and everything i can think of supports active directory, it makes sense to just use an active directory domain controller. i was going to try freeipa, but it seems to target fedora / rhel rather than freebsd. so i will go with the tried and true: samba.
freebsd is strange inasmuch as it separates samba major versions into different packages. i don’t quite understand why it does this, but it does. i’m going to use pkg because i consider the ports tree a special case for when you need specific build options, and i haven’t run into that use case yet. it would also use resources to build, and i’m not too fond of “the gentoo way” of package installation.
EDIT: WARNING!!! do not use samba420 … use samba419 instead. samba420 has what seems to be a python bug that prevents provisioning. (2025-12-20) i guess i understand now why they separate it by versions 🤣
need to take a look at some things the jail might need in its config. allow.mount and allow.mount.fdescfs seem important to samba, so those need to be added.
dc {
enforce_statfs = 1;
devfs_ruleset = 0;
exec.clean;
exec.consolelog = /usr/local/bastille/logs/dc_console.log;
exec.start = '/bin/sh /etc/rc';
exec.stop = '/bin/sh /etc/rc.shutdown';
host.hostname = dc;
mount.devfs;
mount.fstab = /usr/local/bastille/jails/dc/fstab;
allow.mount;
allow.mount.fdescfs;
path = /usr/local/bastille/jails/dc/root;
securelevel = 2;
osrelease = 15.0-RELEASE-p1;
vnet;
vnet.interface = e0b_dc;
exec.prestart += "jib addm dc lagg0";
exec.prestart += "ifconfig e0a_dc description \"vnet0 host interface for Bastille jail dc\"";
exec.poststop += "ifconfig e0a_dc destroy";
}
root@dc:~ # pkg search samba
samba-nsupdate-9.16.5_1 nsupdate utility with the GSS-TSIG support
samba416-4.16.11_10 Free SMB/CIFS and AD/DC server and client for Unix
samba419-4.19.9_11 Free SMB/CIFS and AD/DC server and client for Unix
samba420-4.20.7_10 Free SMB/CIFS and AD/DC server and client for Unix
root@dc:~ # pkg install samba419
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
All repositories are up to date.
The following 82 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
...
samba419-4.19.9_11 [FreeBSD-ports]
...
Number of packages to be installed: 82
The process will require 533 MiB more space.
80 MiB to be downloaded.
Proceed with this action? [y/N]: y
after this is done there will be quite a few package notes. this part is kind of important:
How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
* Your configuration is: /usr/local/etc/smb4.conf
* All the relevant databases are under: /var/db/samba4
* All the logs are under: /var/log/samba4
* Provisioning script is: /usr/local/bin/samba-tool
For the working DNS updates you will need to either build dns/bind9*
with the enabled GSSAPI(GSSAPI_MIT5 is recommended) or install
dns/samba-nsupdate package, which is preconfigured with such a support.
You will need to specify location of the 'nsupdate' command in the
smb4.conf file:
nsupdate command = /usr/local/bin/samba-nsupdate -g
at this point i should probably move on to learning how to back up jails and come back to it, because i really don’t want to spend time backtracking into the unknown if i screw it up.
moving on. i came across this, which looks like it’s super fast to create the domain controller / domain. i refuse to believe it’s that easy, though, so luckily i have a backup to restore if i completely get lost in it.
root@dc:~ # samba-tool domain provision --use-rfc2307 --interactive
Realm: macer.life
Domain [macer]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.99.1]:
Administrator password:
Retype password:
...
samba should be set up, and it should have created a couple of files of importance. pay attention to the krb5.conf file it tells you about at the end; copy that to /etc/krb5.conf. it’s a pretty basic kerberos config. also, bastille yanks the host resolv.conf, so make sure it’s changed to the proper dns and domain:
search macer.life
nameserver 192.168.99.2
yes, it will use itself as its own dns and forward anything it isn’t authoritative for to 192.168.99.1. the other thing from the package notes when installing samba is to add the nsupdate command line to /usr/local/etc/smb4.conf so dns updates work:
# Global parameters
[global]
dns forwarder = 192.168.99.1
netbios name = DC
realm = MACER.LIFE
server role = active directory domain controller
workgroup = MACER
idmap_ldb:use rfc2307 = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
[sysvol]
path = /var/db/samba4/sysvol
read only = No
[netlogon]
path = /var/db/samba4/sysvol/macer.life/scripts
read only = No
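before trusting the new dc, it is worth running the checks the samba wiki lists after provisioning. the script below is an added example (not from this post and not samba's own code) that does those checks from inside the dc jail: it asks the dc directly for the _ldap._tcp and _kerberos._udp SRV records and confirms they point back at the dc, checks that /etc/krb5.conf names the realm and that a ticket for Administrator can be obtained, and checks that the netlogon and sysvol shares are listed. it assumes the values used above (realm MACER.LIFE, dc at 192.168.99.2) and that the dc's host name is dc.macer.life, which is an assumption; it uses host(1) and kinit/klist from freebsd base plus smbclient and samba-tool from the samba419 package.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: checks to
# run inside the dc jail after provisioning, following the verification steps
# on the Samba wiki. Assumes realm MACER.LIFE and DC address 192.168.99.2 from
# the post; the DC host name dc.macer.life is an assumption. Uses host(1) and
# kinit/klist from FreeBSD base, smbclient and samba-tool from samba419.
REALM="${REALM:-MACER.LIFE}"
DC_IP="${DC_IP:-192.168.99.2}"
ADMIN="${ADMIN:-administrator}"

# the DNS zone name is the realm in lower case: MACER.LIFE -> macer.life
zone_of() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# extract the target host from `host -t SRV` output, e.g.
#   _ldap._tcp.macer.life has SRV record 0 100 389 dc.macer.life.
# prints dc.macer.life (trailing dot removed); prints nothing if no record
srv_target() {
    awk '/ has SRV record / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# extract the address from `host -t A` output:
#   dc.macer.life has address 192.168.99.2
a_record() {
    awk '/ has address / { print $NF; exit }'
}

# 1. the DC must publish the LDAP and Kerberos SRV records for the realm, and
#    each target must resolve to the DC. Ask the DC directly rather than
#    whatever resolv.conf points at, so a wrong resolv.conf does not hide it.
check_srv() {
    zone=$(zone_of "$REALM")
    for rr in _ldap._tcp _kerberos._udp; do
        target=$(host -t SRV "$rr.$zone" "$DC_IP" | srv_target)
        if [ -z "$target" ]; then
            echo "FAIL: no SRV record for $rr.$zone on $DC_IP"; return 1
        fi
        addr=$(host -t A "$target" "$DC_IP" | a_record)
        if [ "$addr" != "$DC_IP" ]; then
            echo "FAIL: $rr.$zone -> $target -> '$addr', expected $DC_IP"; return 1
        fi
        echo "ok: $rr.$zone -> $target -> $addr"
    done
}

# 2. /etc/krb5.conf (the file copied from the provision output) must name the
#    realm, and a TGT for Administrator must be obtainable. kinit prompts for
#    the password; klist then shows the krbtgt ticket.
check_kerberos() {
    if ! grep -q "$REALM" /etc/krb5.conf; then
        echo "FAIL: /etc/krb5.conf does not mention $REALM"; return 1
    fi
    kinit "$ADMIN@$REALM" || { echo "FAIL: kinit for $ADMIN@$REALM"; return 1; }
    klist
}

# 3. the two shares the provision created (netlogon, sysvol) must be listed;
#    an anonymous listing (-U%) is enough for that. The domain level output
#    confirms the directory answers at all.
check_smb() {
    shares=$(smbclient -L localhost -U% 2>/dev/null) || { echo "FAIL: smbclient -L localhost"; return 1; }
    for s in netlogon sysvol; do
        echo "$shares" | grep -qi "$s" || { echo "FAIL: share $s not listed"; return 1; }
        echo "ok: share $s present"
    done
    samba-tool domain level show
}

# run all three when invoked as `sh dc-check.sh --run`
if [ "${1:-}" = "--run" ]; then
    check_srv && check_kerberos && check_smb && echo "all checks passed"
fi
```

the SRV check queries 192.168.99.2 explicitly, so it passes or fails on the dc's own dns regardless of what bastille left in resolv.conf; the wbinfo listing further down is the complementary check that winbind can see the directory.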
just a warning with the dns. i run a few services external to the network. the dc is now authoritative for macer.life, so it answers for every name under that zone itself and never forwards those lookups to 192.168.99.1; if a host is not in the samba dns, clients using the dc will get “not found” for it. so if you use your domain to run something on a vps (like i do), you will have to add an A record in the samba dns pointing at that ip.
now, if you have samba running in the jail, you should be able to see users and groups from it using wbinfo.
root@dc:~ # wbinfo -u
MACER\administrator
MACER\guest
MACER\krbtgt
root@dc:~ # wbinfo -g
MACER\cert publishers
MACER\ras and ias servers
MACER\allowed rodc password replication group
MACER\denied rodc password replication group
MACER\dnsadmins
MACER\enterprise read-only domain controllers
MACER\domain admins
MACER\domain users
MACER\domain guests
MACER\domain computers
MACER\domain controllers
MACER\schema admins
MACER\enterprise admins
MACER\group policy creator owners
MACER\read-only domain controllers
MACER\protected users
MACER\dnsupdateproxy
the problem with a domain is you need to add users, groups, and dns entries on it. i’m going to see if i can find something a bit simpler than samba-tool, because samba-tool is like going down a rabbit hole. if you run windows (not sure about 11) you can install RSAT, which i did for a long, long time. i want to come away from that, but i really do want the clicky/pointy stuff. i just have to look harder. ncurses would work too, but i’m not sure if something like that exists.
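until something friendlier turns up, the three chores above (users, groups, and the A record for an external host from the dns warning) can be scripted around samba-tool. the wrapper below is an added example, not from this post and not samba's own code: it validates the account name, dns label and ipv4 address before anything touches the directory, then calls the documented samba-tool subcommands. it assumes the zone macer.life and the samba-tool path from the package notes; the alice account, the smbusers group, the vps host name, the uid number and the 203.0.113.10 address in the --run section are placeholders. run it as root inside the dc jail.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project: a wrapper
# around samba-tool for adding users, groups and A records, with input checks
# first. Assumes zone macer.life and the samba-tool path from the package
# notes; alice, smbusers, vps, uid 10001 and 203.0.113.10 are placeholders.
SAMBA_TOOL="${SAMBA_TOOL:-/usr/local/bin/samba-tool}"
ZONE="${ZONE:-macer.life}"
DNS_SERVER="${DNS_SERVER:-localhost}"   # the DC itself; dns add/query go over RPC, hence -U
ADMIN="${ADMIN:-administrator}"

# sAMAccountName rules: 1-20 chars, none of " / \ [ ] : ; | = , + * ? < > or
# space, and no trailing period
valid_sam() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 20 ] || return 1
    case "$1" in *.) return 1 ;; esac
    printf '%s' "$1" | grep -q '[][/\:;|=,+*?<>" ]' && return 1
    return 0
}

# a single DNS label: 1-63 chars of [A-Za-z0-9-], no leading/trailing hyphen
valid_label() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 63 ] || return 1
    case "$1" in
        -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# dotted quad, four octets each in 0-255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# add_user <sam> <given-name> <surname> [uid-number]
# No password on the command line: samba-tool prompts for it, so it stays out
# of shell history and ps. --must-change-at-next-login makes it a one-shot
# initial password. The optional uidNumber / login shell are the rfc2307
# attributes that --use-rfc2307 at provisioning time exists for.
add_user() {
    valid_sam "$1" || { echo "refusing account name '$1'" >&2; return 1; }
    if [ -n "${4:-}" ]; then
        "$SAMBA_TOOL" user create "$1" --given-name "$2" --surname "$3" \
            --must-change-at-next-login --uid-number "$4" --login-shell /bin/sh
    else
        "$SAMBA_TOOL" user create "$1" --given-name "$2" --surname "$3" \
            --must-change-at-next-login
    fi
}

# add_group <name>; add_members <group> <member1,member2,...>
add_group()   { "$SAMBA_TOOL" group add "$1"; }
add_members() { "$SAMBA_TOOL" group addmembers "$1" "$2"; }

# add_a_record <label> <ipv4>: an A record under the zone for a host that
# lives outside the network, so clients using the DC can still resolve it
add_a_record() {
    valid_label "$1" || { echo "refusing DNS label '$1'" >&2; return 1; }
    valid_ipv4 "$2"  || { echo "refusing address '$2'" >&2; return 1; }
    "$SAMBA_TOOL" dns add "$DNS_SERVER" "$ZONE" "$1" A "$2" -U "$ADMIN"
}

# query_a <label>: read the record back from the DC
query_a() { "$SAMBA_TOOL" dns query "$DNS_SERVER" "$ZONE" "$1" A -U "$ADMIN"; }

# placeholder run: `sh dc-admin.sh --run`; each -U call prompts for the
# Administrator password, user create prompts for alice's password
if [ "${1:-}" = "--run" ]; then
    add_user alice Alice Example 10001 &&
    add_group smbusers &&
    add_members smbusers alice &&
    add_a_record vps 203.0.113.10 &&
    query_a vps
fi
```

the user and group subcommands work against the local directory database, so they need no -U when run as root on the dc; the dns subcommands talk to the dc over RPC and authenticate as Administrator, which is why they prompt.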
i’ll make that another post. for now i’m going to set up a ‘shell’ jail for testing purposes.