How-to: Install Samba

Michael Edenfield kutulu at
Fri May 14 13:59:46 PDT 2004

* David W. Chapman Jr. <dwcjr at> [040513 16:35]:
> On Thu, May 13, 2004 at 05:36:23PM +0200, Eric Masson wrote:
> > >>>>> "David" == David W Chapman, <David> writes:
> > 
> > Hello,
> > 
> >  David> I would recomment 3.0.4 which is in /usr/ports/net/samba-devel
> >  David> though.
> > 
> > Sorry to jump in this thread, but has anyone succeeded in joining a
> > stock port installed samba to an Active Directory domain ?
> > 
> I haven't personally.  According to the samba developers, it will 
> join AD in 2000 Native mode, but not 2k3 native mode.

I have, (2k) but it's not a quick process.  The major problem appears to 
be that Heimdal Kerberos, what's in -CURRENT, just doesn't work with
Samba's implementation of Active Directory.  I was able to get a
Kerberos ticket from the ADC but Samba refused to use the tickets or
join the domain.  Once I installed MIT Kerberos from ports, things went 
really smoothly.  I've actually seen other messages stating the exact
opposite (removing MIT and installing Heimdal worked) but that wasn't my
experience.  Clearly there's still some loose ends to tie up there :)

Here's what I did:

1) If you are running -CURRENT, rebuild world w/out Kerberos. 

2) If you are running -CURRENT, move the following files out of the way.
(I kept a backup of them, but this is probably not neccessary.
Rebuilding world with Kerberos enabled will replace them).
  * From /usr/bin:  kadmin, kdestroy, kinit, klist, kpasswd,
                    krb5-config, ksu
  * From /usr/lib: libcom_err*, libkadm5*, libkrb5*
  * From /usr/include: com_err.h, gssapi.h, krb5.h

3) Install /usr/ports/security/krb5

4) If you don't have openldap installed, install /usr/ports/openldap22-client
(I used v2.1 with no problems, so if you have that already its fine.)

5) Install /usr/ports/net/samba-devel with KRB5_HOME=/usr/local

6) Set up the /usr/local/etc/krb5.conf file.  You will need a minumum



    default_domain =

In all of my cases, my machines DNS hostname and ADC domain name were
identical, eg machine kutulu in domain kutulu.localnet had a dns name of
kutulu.kutulu.localnet.  I'm not sure how to deal with them being
different so I never tried :)

Also, you can add the following to the [libdefaults] section to speed
things up a tad:

dns_lookup_kdc = false
dns_lookup_realm = false

7) In your /usr/local/etc/smb.conf, add the following lines:

workgroup = YOUR
security = ADS

Specifically, your workgroup should be the "short name" of the domain as
you set it up on the controllers.  If not, samba will complain.

8) Log into the Active Directory controller:

$ kinit adminuser
adminuser at YOUR.ADS.DOMAIN's password:
$ klist

This will prompt for your administrative user's password, then display
the ticket you received from the controller.  This user should be
someone with 'add computer to domain' permissions.  

9) Join the domain:

$ net ads join
Using short domain name -- YOUR
Joined 'YOUR-PC' to realm 'YOUR.ADS.DOMAIN'

I have *not* gone as far as to set up winbind yet, but once this is done
you should be able to do things like:

net user
net group

And get replies.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-ports mailing list