Home
Download

Open Source

Projects
Patches

System Integration

Notes
SRPMs

This document describes how to configure a computer running FreeBSD to serve as an Active Directory domain controller.

Base UNIX Domain Controller

First, setup the server:

  1. Install FreeBSD and configure networking. Be sure to set the server's hostname such as with hostname="dc.example.com" in /etc/rc.conf
  2. Configure the Samba 4 port by entering /usr/ports/net/samba43/ and running make config. (The version 4.4 of the Samba port is presently broken.)
  3. For a minimal install, select neither mDNSresponder nor avahi while configuring the build.
  4. Build and install Samba 4 by running make install clean.
  5. Activate filesystem ACLs in /etc/fstab, e.g., /dev/ada0p2 / ufs rw,acls 1 1.
  6. Configure Samba by running samba-tool domain provision --use-rfc2307 --interactive.
  7. Use samba-tool user add to add users to Samba's authentication database.
  8. Activate Samba by adding samba_server_enable="YES" to /etc/rc.conf.

Next, add a Windows client to the domain:

  1. Set the Windows host's DNS resolver to point to the Samba server's IP address.
  2. Right click on the computer icon; select properties; select change settings near the text computer name; and press the button to change the computer's domain.
  3. Select the domain radio button and type in Samba 4's full domain.
  4. Click ok and provide the administrative password for the Samba 4 domain.
  5. Restart the client computer.

As an aside, Red Hat-derived Linux distributions such as RHEL, CentOS, and Fedora make it difficult to configure Samba 4 as an Active Directory domain controller. This is primarily because these distributions use MIT Kerberos, while many of the Active Directory-related features in Samba 4 require Heimdal Kerberos. Information about the coming solution to this problem can be found on the Internet, including as documented by the Samba project.

Adding Host Records to Samba's DNS implementation

Each domain host will likely require a DNS record in Samba's DNS service. You can use the following command to add an A record to the domain controller at dc.example.com for the host which is named host.example.com and bears the IP address 10.0.0.64: samba-tool dns add dc.example.com example.com host A 10.0.0.64.

Remote Management from a Windows Computer

Windows provides facilities for remotely managing domain-connected computers. In order to activate one such facility on a user computer, run the following on that user computer:

Enable-PSremoting

Once the user computer is set to accept remote-management requests, you can run the following command as the domain administrator from an administrative computer to test remote management (replace TARGET with the computer you intent to manage):

Invoke-Command -Computer TARGET -ScriptBlock { "C:\Program files" |  Get-ChildItem }

Smart-Card Authentication

Certificate Production

Establish a Certificate Authority

Smart-card-based authentication requires a number of certificates: CA "root-of-trust" certificate, a certificate for the domain controller, and certificates for each user.

  1. Create a basic CA directory structure from within the root of where you intend to store your certificates and other materials: mkdir certs crl private newcerts.
  2. Create a blank file named index.txt.
  3. Create files named serial and crlnumber containing 00.
  4. Add the following to /etc/openssl.cnf:
    CRLURL      = [URL of CRL server, e.g., https://crl.example.com/example.com.crl]
    BASEDIR     = [Base of certificate store; where signed certificates go]
    COUNTRY     = [Two-letter country code]
    STATE       = [State of province (not abbreviated)]
    LOCALITY    = [City, town, etc.]
    ORG         = [Name of organization]
    OU          = [Organizational unit]
    DOMAIN      = [Domain, e.g., example.com]
    EMAIL       = [Email address]@$DOMAIN
    DC          = [Hostname of domain controller]
    
    # Using "ADSI Edit" on Windows:
    #   1. Connect to domain controller
    #   2. Default naming context
    #   3. DC=...
    #   4. OU=Domain Controllers
    #   5. Right click on CN=... and select Properties
    #   6. View objectGUID in hexadecimal
    DCGUID      = [Domain controller's GUID in HEX, eg, FEEDDEADBEEF...]
    
    # Using "ADSI Edit" on Windows:
    #   1. Connect to domain controller
    #   2. Default naming context
    #   3. DC=...
    #   4. CN=Users
    #   5. Right click on CN=... and select Properties
    #   6. View usePrincipalName
    UPN         = [UPN of user]
    
    oid_section = new_oids
    
    [ new_oids ]
    scardLogin = 1.3.6.1.4.1.311.20.2.2
    msUPN      = 1.3.6.1.4.1.311.20.2.3
    msKDC      = 1.3.6.1.5.2.3.5
    msADGUID   = 1.3.6.1.4.1.311.25.1
    
    [ ca ]
    default_ca  = CA_default                  # The default ca section
    
    [ CA_default ]
    dir              = $BASEDIR               # Where everything is kept
    certs            = $dir/certs             # Where the issued certs are kept
    crl_dir          = $dir/crl               # Where the issued crl are kept
    database         = $dir/index.txt         # database index file.
    unique_subject   = yes                    # Set to 'no' to allow creation of
    new_certs_dir    = $dir/newcerts          # default place for new certs.
    certificate      = $dir/cacert.pem        # The CA certificate
    serial           = $dir/serial            # The current serial number
    crlnumber        = $dir/crlnumber         # the current crl number
    crl              = $dir/ca-crl.pem        # The current CRL
    private_key      = $dir/private/cakey.pem # The private key
    RANDFILE         = $dir/private/.rand     # private random number file
    # x509_extensions =               # Extensions to add to certificate
    name_opt         = ca_default             # Subject Name options
    cert_opt         = ca_default             # Certificate field options
    crl_extensions   = crl_ext
    default_days     = 730                    # how long to certify for
    default_crl_days = 30                     # how long before next CRL
    default_md       = sha256                 # use public key default MD
    preserve         = no                     # keep passed DN ordering
    policy           = policy_match
    
    [ policy_match ]
    countryName            = match
    stateOrProvinceName    = match
    organizationName       = match
    organizationalUnitName = optional
    commonName             = supplied
    emailAddress           = optional
    
    [ policy_anything ]
    countryName            = match
    stateOrProvinceName    = match
    localityName           = match
    organizationName       = match
    organizationalUnitName = match
    commonName             = supplied
    emailAddress           = supplied
    
    [ req ]
    default_bits           = 4096
    default_keyfile        = privkey.pem
    distinguished_name     = req_distinguished_name
    x509_extensions        = v3_ca            # The extensions to add to the self signed cert
    string_mask            = utf8only
    attributes             = req_attributes
    
    [ req_attributes ]
    challengePassword     = A challenge password
    challengePassword_min = 4
    challengePassword_max = 20
    unstructuredName      = An optional company name
    
    [ req_distinguished_name ]
    countryName                    = Country Name (2 letter code)
    countryName_default            = $COUNTRY
    countryName_min                = 2
    countryName_max                = 2
    stateOrProvinceName            = State or Province Name (full name)
    stateOrProvinceName_default    = $STATE
    localityName                   = Locality Name (eg, city)
    localityName_default           = $LOCALITY
    organizationName               = Organization Name (eg, company)
    organizationName_default       = $ORG
    organizationalUnitName         = Organizational Unit Name (eg, section)
    organizationalUnitName_default = $OU
    emailAddress                   = Email Address
    emailAddress_default           = $EMAIL
    emailAddress_max               = 64
    commonName                     = Common Name (eg, YOUR name)
    commonName_default             = hostname.$DOMAIN
    commonName_max                 = 64
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints       = CA:true
    keyUsage               = cRLSign, keyCertSign
    crlDistributionPoints  = URI:$CRLURL
    nsCertType             = sslCA, emailCA
    subjectAltName         = email:copy
    issuerAltName          = issuer:copy
    
    [ crl_ext ]
    issuerAltName          = issuer:copy
    authorityKeyIdentifier = keyid:always
    
    # Extensions for domain-controller certificates:
    
    [ usr_cert_mskdc ]
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end-user certificate as a CA.
    basicConstraints       = CA:FALSE
    crlDistributionPoints  = URI:$CRLURL
    nsCertType             = server
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
    nsComment              = "Domain Controller Certificate"
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName         = @dc_subjalt
    issuerAltName          = issuer:copy
    nsCaRevocationUrl      = $CRLURL
    extendedKeyUsage       = clientAuth,serverAuth,msKDC
    
    [dc_subjalt]
    DNS                    = $DC
    otherName              = msADGUID;FORMAT:HEX,OCTETSTRING:$DCGUID
    
    # Extensions for smart-card user certificates:
    
    [ usr_cert_scarduser ]
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end-user certificate as a CA.
    basicConstraints       = CA:FALSE
    crlDistributionPoints  = URI:$CRLURL
    nsCertType             = client, email
    keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
    nsComment              = Smart Card Login Certificate
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    subjectAltName         = email:copy,otherName:msUPN;UTF8:$UPN
    issuerAltName          = issuer:copy
    nsCaRevocationUrl      = $CRLURL
    extendedKeyUsage       = clientAuth,scardLogin
    

Generate a CA Root Certificate

  1. Properly define the variables at the top of openssl.cnf.
  2. See notes on the use of certificates. You will want to use the -config openssl.cnf option to use the above configuration.

Generate a Certificate for Samba

  1. Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_mskdc and ensure the line is not commented out.
  2. Generate the certificate using openssl req -new -newkey rsa:4096 -keyout private/dc-key.pem -out dc-req.pem -config openssl.cnf -nodes.
  3. Sign the Samba certificate using the CA certificate openssl ca -config openssl.cnf -in dc-req.pem -out dc-cert.pem.

Generate a Smart-Card User Certificate

  1. Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_scarduser and ensure the line is not commented out.
  2. Generate the certificate using openssl req -new -newkey rsa:2048 -keyout private/user-key.pem -out user-req.pem -config openssl.cnf -nodes. Note that you might have limited key types/sizes to choose from, depending on the type of smartcard you plan to use.
  3. Sign the user certificate using the CA certificate openssl ca -config openssl.cnf -in user-req.pem -out user-cert.pem.
  4. Install the certificate and private key onto a smartcard.

Certificate-Revocation-List Server

  1. Configure, build, and install the apache24 port.
  2. Generate and install a certificate and private key for Apache at /usr/local/etc/apache24/.
  3. Configure Apache, including the following in /usr/local/etc/apache24/httpd.conf:
    1. LoadModule ssl_module modules/mod_ssl.so
    2. ServerName crl.example.com:443
    3. Listen 443
    4. SSLEngine on
    5. SSLCertificateFile /usr/local/etc/apache24/crl.example.com.pem
    6. SSLCertificateKeyFile /usr/local/etc/apache24/crl.example.com.key
  4. Generate the CRL with openssl ca -config openssl.cnf -gencrl -out example.com.crl and install the result in Apache's document directory.

Configure Samba to support certificate-based login

  1. Copy the necessary certificates and the CRL onto the Samba host (see the next step for what Samba will require).
  2. Generate Diffie-Hellman parameters: openssl dhparam 4096 -out dc-dhparams.pem.
  3. Add to smb4.conf:
    tls enabled       = yes
    tls certfile      = /usr/local/samba/private/tls/dc-cert.pem
    tls keyfile       = /usr/local/samba/private/tls/secure/dc-privkey.pem
    tls cafile        = /usr/local/samba/private/tls/cacert.pem
    tls crlfile       = /usr/local/samba/private/tls/ca.crl
    tls dhparams file = /usr/local/samba/private/tls/dc-dhparams.pem
    

Configure Windows to support certificate-based login

  1. Convert your PEM-format CA certificate to DER: openssl x509 -in cacert.pem -out cacert.cer -outform DER.
  2. Convert your user certificate to DER: openssl x509 -in Administrator-cert.pem -out Administrator-cert.cer -outform DER.
Email: www@flyn.org — ✉ 6110 Campfire Court; Columbia, Maryland 21045; USA