# Samba AD on FreeBSD



## 6502 (May 6, 2019)

Hello. I know my question is more for Samba forum and for that reason post it in Off-Topic. I need Samba file server for small network with Windows 7/10 clients. Current HP server is working with Windows Server 2003 which is domain controller. The clients are only 6-7 PCs but it is easier to use Active Directory for centralized domain users, control of file shares and disk quotas. The hardware will be replaced with HP DL360e Gen8 and the planned OS is FreeBSD (the plan is to run web/mail server on the same hardware). Configuration of Samba with AD is not easy like AD on Windows Server and I am not sure whether a better choice is to use Samba without AD. The main reason to add AD is to allow user password change from Windows UI (press Ctrl-Alt-Del and choose "change password"). The alternative is to instruct the users how to use PuTTY console and run `passwd`. I read something strange (for me) in Samba Wiki - "Samba team does not recommend using a DC as a file server for the following reasons...". For 15+ years I have used Windows Server (OS) as domain controller and file server and I think it is normal solution to work on the same system. The arguments listed in Samba Wiki do not sound convincing - future upgrades of OS and Samba can be made in the same time and shared user files can be stored on separate partition and kept unchanged. The question is what you think about this separation between AD and file server or the idea for Samba with AD? Maybe the assumption is for Samba on Linux (e.g. Ubuntu with its regular and unstable updates). Some years ago I have discovered a site with ready for use VM disk images for many OS-es (Linux mainly) but don't remember the name of site. It will be good if I can find pre-installed VM image with FreeBSD + Samba AD to do some experiments and decide what to do with my installation. Unfortunately most examples in Internet for Samba installation and configuration are for older versions or very sketchy.


----------



## zirias@ (May 6, 2019)

I think the ACL issue might be more relevant than update considerations.

Personally, I solved it with jails using vnet. One jail runs Samba as a DC, the other as a domain member providing the file shares.

I remember running into problems with ZFS acls and the sysvol of the DC. I finally got it working without creating a UFS image just to host the sysvol (like recommended in several places), but I don't remember the details .. maybe it works much better now with newer versions of the samba port.


----------



## tommiie (May 6, 2019)

That might be worth writing down in a tutorial.


----------



## _max_ (Apr 3, 2021)

Zirias said:


> I think the ACL issue might be more relevant than update considerations.
> 
> Personally, I solved it with jails using vnet. One jail runs Samba as a DC, the other as a domain member providing the file shares.
> 
> I remember running into problems with ZFS acls and the sysvol of the DC. I finally got it working without creating a UFS image just to host the sysvol (like recommended in several places), but I don't remember the details .. maybe it works much better now with newer versions of the samba port.


Sorry for warming up an old thread. But me, and I guess some others, would be interested in your zfs settings and the smb4.conf of your samba ad dc jail.


----------



## zirias@ (Apr 3, 2021)

This is very long ago and I honestly don't remember. The only thing I have left in /usr/local/etc/smb4.conf that _isn't_ standard domain controller setup is `vfs objects = zfsacl` in `[netlogon]` ad `[sysvol]`, and I'm unsure this would still be required. Newer samba versions played fine since with my existing domain, and I don't want to test re-provisioning it from scratch…


----------

