Building a FreeBSD File Server

Introduction

Recently at my job, I was given the task of building a file server tailored to the company's requirements. Needless to say, any configuration of this kind depends on what the infrastructure needs. Drawing on my own experience and numerous materials on the web, I settled on the combination FreeBSD + Samba + Active Directory (AD) as the most appropriate. It fits this environment well and slots naturally into the existing network, because FreeBSD + Samba + AD gives admins a broad range of access-control options: domain users and groups can be used directly in filesystem ACLs and share permissions. Nothing is perfect, however: this configuration is not the best choice if data protection is your priority, since on its own it reaches neither the reliability nor the fault tolerance you would need without additional measures such as redundant storage and backups.

Now that this is settled, let's move on. This article describes the process of building a test environment, concentrating primarily on the details of the configuration. As the author, I must say I am in no way suggesting that this is the only way! The configuration is presented in its initial state, with the minimum needed to get the job done, and for one specific situation only. Treat it as a useful strategy for solving similar tasks. Let's get started!

So, where do we begin?

As you can guess from the previous remarks, building such a server does not take much, since FreeBSD is not resource-hungry at all. To keep the hardware footprint small, I created it as a VM on an ESXi 6.5 host. A 1 TB WD Black (Western Digital) hard drive served perfectly as the datastore; it holds both of the VM's virtual disks (one for the OS, one for storage). These are the VM's parameters:

  • 2 x Intel(R) Xeon(R) CPU E5-2660 @ 2.20GHz;
  • 1 x 4 GB RAM;
  • 1 x 16 GB HDD;
  • 1 x 900 GB HDD;
  • 1 x SCSI controller (Type: LSI Logic SAS);
  • 1 x CD/DVD drive;
  • 1 x 1 Gb/s LAN (Type: E1000E).

As these parameters suggest, the 16 GB disk is for the OS itself and the 900 GB disk is for storage. This split is deliberate: it lets you move the VM to another datastore or, conversely, attach the storage disk to another VM should the need arise. Attach both disks to the SCSI controller (Type: LSI Logic SAS). Resiliency is provided by the ESXi host, which is part of a cluster under VMware vSphere 6.5.

To test access to the network share, let's create two client VMs with the following parameters:

  • 1 x Intel(R) Xeon(R) CPU E5-2660 @ 2.20GHz;
  • 1 x 4 GB RAM;
  • 1 x 30 GB HDD;
  • 1 x SCSI controller (Type: LSI Logic SAS);
  • 1 x 1 Gb/s LAN (Type: E1000E).

Next, the test environment. Proceed with the following steps in this order:

  1. Connect the HDD to the ESXi host, create a datastore on it, and create a VM on that datastore;
  2. Install FreeBSD on the VM;
  3. Install and configure the necessary services and utilities;
  4. Create the network share;
  5. Join the server to the enterprise domain;
  6. Check the connection and work with the share from more than one VM under different credentials.

Create a VM on the ESXi host (VMware's documentation covers this). Once it is done, download the FreeBSD installation image from freebsd.org, copy it to the ESXi datastore, and attach the file to the newly created VM as a Datastore ISO File for the CD/DVD drive. Further installation and configuration require this VM to have an internet connection.

Installation time!

There is plenty of material on installing FreeBSD, so there is no point in dwelling on it; let's narrow it down to a few crucial moments. Boot the VM from the ISO and proceed with the installation.

First, a piece of advice on where to start: when choosing optional system components, stick to the minimum (lib32, ports, src). You can add the rest later if needed.

Disk partitioning is the tricky part. Let the installer partition the 16 GB OS disk automatically, so that it picks the most appropriate layout itself, and partition the 900 GB disk manually as a single UFS partition; it will appear later as /dev/da1p1.

Next comes the network configuration. A file server must be reachable at a stable address, so assign it a static IP address.

Decline the IPv6 configuration, then enter the DNS server addresses. Point them at the domain controllers: Kerberos and Samba locate the domain through DNS.

In general, these are the details to look out for; the FreeBSD Handbook covers the rest. Now we can move on to configuring the server itself.

However, first, let’s install and configure some additional components that’ll make it easy to create and administer this server.

Begin by updating the ports tree manually: run portsnap fetch extract on first use and portsnap fetch update for subsequent updates.

Install Midnight Commander (mc). You can install mc from ports without trouble if you follow these commands in order:

  • whereis mc (find the location of the port);
  • cd /usr/ports/misc/mc (move to that directory);
  • make config (configure the build options; keep the defaults);
  • make install clean (start the build and installation and watch its progress; in the pop-up option dialogs for dependencies keep the defaults except for IPv6 support);
  • rehash (rebuild the shell's command hash table so the new binary is found; this is a csh/tcsh builtin, and tcsh is root's default shell on FreeBSD);
  • mc (run the file manager).

Set up remote access to the server via SSH. Open /etc/ssh/sshd_config (use mc) and review PermitRootLogin. If you want root to log in directly over SSH, remove the # that comments the line out and set it to yes; but since the workflow below logs in as a regular administrative user and escalates with su, it is safer to leave it at the default, no. In the same file you can change the standard SSH port for security reasons (uncomment the Port 22 line and set a free port prepared in advance), although I didn't do that. Save the file, validate it with sshd -t, and restart the service: service sshd restart. Now create a separate administrative account instead of working as root: use the adduser utility (see adduser(8)), fill in the fields, and create a user named adminfs, making it a member of the wheel group, since on FreeBSD only wheel members may su to root. You can also do this during OS installation by adding a user in the setup wizard. For later convenience, create an account with the same username in AD and add it to the domain admins group; it will be used to obtain a Kerberos ticket and to join the server to the domain. The AD password does not need to match the local one, and sharing a password between the two accounts is best avoided.

From here on you will manage and configure the server over SSH with the PuTTY client. Connect remotely and log in as the new user (adminfs). Then switch to root with su -l (you'll need the root password) and carry out all further configuration as root (repeat this after every reboot).
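The SSH and admin-account step above as a small POSIX shell script; this is an added example, not part of the original article. It edits sshd_config idempotently, keeping PermitRootLogin off because the workflow escalates with su, and creates the wheel-group administrator with pw(8). The config path /etc/ssh/sshd_config, the user name adminfs and the shell /bin/sh are assumptions lifted from the steps above; the port is a parameter.

```shell
#!/bin/sh
# Added example, not from the original article. Edits sshd_config in place and creates the
# wheel-group administrator. Path, user name adminfs and shell /bin/sh are assumptions
# lifted from the steps above.

# set_sshd_option <file> <key> <value>
# Rewrites the first "Key ..." or "#Key ..." line (keywords are case-insensitive in
# sshd_config(5)), drops later duplicates of the same keyword, and appends the option
# if the file never mentioned it. Writing through cat keeps the file's owner and mode.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# get_sshd_option <file> <key>: the effective value, i.e. the first uncommented occurrence
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd <file> [port]: the workflow logs in as adminfs and escalates with su, so
# root never needs to log in over SSH; the port is the article's optional change.
harden_sshd() {
    cfg=$1; port=${2:-22}
    set_sshd_option "$cfg" PermitRootLogin no &&
    set_sshd_option "$cfg" PermitEmptyPasswords no &&
    set_sshd_option "$cfg" Port "$port"
}

# provision_admin <user>: FreeBSD only (pw(8)); -G wheel is what lets the account su to
# root, since su(1) refuses users outside group wheel. Not run by the test.
provision_admin() {
    pw useradd "$1" -m -G wheel -s /bin/sh -c "File server administrator" && passwd "$1"
}

# On the server itself (as root):
#   harden_sshd /etc/ssh/sshd_config && sshd -t && service sshd restart
#   provision_admin adminfs
```

Run sshd -t before restarting so a typo cannot lock you out of the only remote console; the option rewriter only matches lines whose first word is the keyword, so a commented line written as "# PermitRootLogin" with a space is left alone and the option is appended instead.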

For effective access-control management on the new 900 GB disk (in my case /dev/da1p1), turn on ACL support and configure automatic mounting at boot. List the partitions with gpart show -p and find the 900 GB disk with the structure created during installation.

Enable POSIX.1e ACLs on the filesystem with tunefs -a enable /dev/da1p1; this lets you attach per-user and per-group permission lists to files and directories (see man tunefs). tunefs only works on an unmounted (or read-only) filesystem, so do this before the first mount. Then edit /etc/fstab so the volume is mounted at boot, adding the line

/dev/da1p1  /mnt  ufs  rw  2  2

(device, mount point, filesystem type, mount options, dump frequency and fsck pass; the root filesystem is pass 1, so other UFS filesystems use 2).

Now mount everything listed in fstab with mount -a and check that it went well with mount; the new volume should appear with the acls option.

Create the shared directory on the mounted volume (/mnt/shared_vol) and set its permissions right away; the setup here uses chmod 776 shared_vol (see man chmod). Be aware of what 776 means: owner and group get full access, and everyone else gets read and write but no execute, so other local users can list the directory's names but cannot enter it or create files in it. The mode is not what keeps domain users apart; that job falls to the ACLs enabled above and to the Samba share settings, so a tighter mode such as 770, combined with an ACL for the domain group, is the safer choice.
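The storage steps above as an added shell example that is not from the original article: an idempotent fstab entry, the unmount, tunefs, mount sequence that ACL enabling requires, and a share directory that replaces the world-writable 776 mode with 770 plus a POSIX.1e ACL for a domain group. Device /dev/da1p1, mount point /mnt and the directory shared_vol come from the text; the group name is a placeholder, and the tunefs and setfacl functions are FreeBSD-only.

```shell
#!/bin/sh
# Added example, not from the original article. Device /dev/da1p1, mount point /mnt and the
# shared_vol directory follow the text; the group name is a placeholder. The tunefs and
# setfacl parts are FreeBSD-specific and are not exercised by the test.

# add_fstab_entry <fstab> <device> <mountpoint> <fstype> <options> <dump> <pass>
# Appends one fstab(5) line unless the device or the mount point is already configured,
# so re-running the setup cannot create duplicate mounts.
add_fstab_entry() {
    fstab=$1; dev=$2; mnt=$3; fstype=$4; opts=$5; dump=$6; pass=$7
    if awk -v d="$dev" -v m="$mnt" \
        '$1 !~ /^#/ && ($1 == d || $2 == m) { found = 1 } END { exit !found }' "$fstab"; then
        echo "fstab already has an entry for $dev or $mnt" >&2
        return 1
    fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$dev" "$mnt" "$fstype" "$opts" "$dump" "$pass" >> "$fstab"
}

# fstab_device_for <fstab> <mountpoint>: the device configured for a mount point
fstab_device_for() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $1; exit }' "$1"
}

# enable_acls <device> <mountpoint>: tunefs(8) refuses to modify a filesystem that is
# mounted read-write, so unmount, enable POSIX.1e ACLs, then mount via fstab again.
enable_acls() {
    dev=$1; mnt=$2
    if mount | grep -q "^$dev on "; then
        umount "$mnt" || return 1
    fi
    tunefs -a enable "$dev" && mount "$mnt"
}

# prepare_share <mountpoint> <group>: the share directory with mode 770 instead of the
# world-writable 776, plus an access ACL and a default ACL for the domain group so that
# files created through Samba inherit the same access.
prepare_share() {
    dir=$1/shared_vol; group=$2
    mkdir -p "$dir" &&
    chmod 0770 "$dir" &&
    setfacl -m "g:$group:rwx" "$dir" &&
    setfacl -d -m "u::rwx,g::rwx,o::---,g:$group:rwx" "$dir"
}

# On the server (as root), in this order:
#   add_fstab_entry /etc/fstab /dev/da1p1 /mnt ufs rw 2 2
#   enable_acls /dev/da1p1 /mnt
#   prepare_share /mnt "domain users"
```

The group passed to prepare_share must already resolve through winbind (check with getent group), which is why the share permissions are best applied after the domain join described later; the fstab helpers are plain POSIX and can be tried on any system.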

Now, an important point: before continuing, synchronize the clock with the NTP server. In this case the NTP service runs on a domain controller; use ntpdate «your NTP server IP». Correct time is required for the connection to AD because Kerberos rejects tickets when the clock skew exceeds five minutes, so also enable ntpd in /etc/rc.conf (ntpd_enable="YES") to keep the clock in sync after boot.

Install and configure Kerberos to work with AD:

  • cd /usr/ports/security/heimdal;
  • make install clean (start the build and installation; in the dependency option dialogs keep the defaults except for IPv6 support);
  • rehash (rebuild the shell's command hash table; csh/tcsh builtin);
  • create /etc/krb5.conf with a [libdefaults] section that sets default_realm, a [realms] section that points the realm at the domain controller (kdc and admin_server), and a [domain_realm] section that maps the DNS domain to the realm.

Here, "COMPANY DOMAIN.COM" stands for the real domain name, without the quotes (changed for security purposes), and 172.16.0.2 is the IP address of the first domain controller;

  • run kinit adminfs to obtain a ticket from the KDC (adminfs is the domain account with domain admin rights); you'll be prompted for its password;
  • check the result with klist, which should list a ticket-granting ticket for adminfs in the realm.

Edit the Name Service Switch configuration, /etc/nsswitch.conf.

You can read about the purpose and syntax of this file in nsswitch.conf(5).

For the correct configuration, comment out every existing line with # and add lines that resolve the passwd and group databases through files first and then winbind, so that domain users and groups become visible to the system (id, ls, ACLs); hosts should keep using files and dns.

Now, time to proceed with installing and configuring Samba itself:

  • cd /usr/ports/net/samba48/ (the most recent Samba port available at the time of writing);
  • make install clean (start the build; in the first options dialog make sure Active Directory client support (ADS) is enabled and leave the rest of that page alone; in the dependency dialogs keep the defaults except for IPv6 support);

  • rehash (rebuild the shell's command hash table; csh/tcsh builtin);
  • edit /etc/rc.conf so that all the services Samba needs start at boot: samba_server_enable="YES" for smbd and nmbd, and winbindd_enable="YES" for winbindd, which maps domain accounts to Unix IDs.

The rc script /usr/local/etc/rc.d/samba_server documents these variables (see also rc.conf(5) and smb.conf(5));

  • go to /usr/local/etc/ and create the smb4.conf file (see smb.conf(5)) with a [global] section declaring the workgroup, realm, security = ADS and the idmap configuration, and one section per share;

Here, "COMPANY DOMAIN.COM" and "COMPANY DOMAIN" are the domain names (Kerberos realm and NetBIOS domain, respectively) without the quotes (changed for security purposes);
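The four configuration files from the Kerberos, nsswitch.conf, rc.conf and smb4.conf steps above, generated by one added shell function. This is example code, not the article's own configuration: the realm EXAMPLE.COM, workgroup EXAMPLE, idmap ranges and the share name shared_vol are assumptions, while the KDC address 172.16.0.2, the NetBIOS name FS-TEST and the path /mnt/shared_vol follow the article. With the destination set to / it writes the live files on the server.

```shell
#!/bin/sh
# Added example, not the article's own files. Generates krb5.conf, nsswitch.conf, rc.conf
# additions and smb4.conf for an AD member server. Realm, workgroup, idmap ranges and the
# share name are assumptions; call with dest="/" on the server itself.

# write_ad_configs <dest-root> <REALM> <WORKGROUP> <kdc-ip> <netbios-name>
write_ad_configs() {
    dest=${1%/}; realm=$2; workgroup=$3; kdc=$4; nbname=$5
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    mkdir -p "$dest/etc" "$dest/usr/local/etc" || return 1

    # krb5.conf: pin the realm to the domain controller and map the DNS domain to it.
    cat > "$dest/etc/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $lower
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF

    # nsswitch.conf: local files first, then winbind for passwd and group, so domain
    # accounts resolve for id(1), ls(1) and ACLs; everything else stays local.
    cat > "$dest/etc/nsswitch.conf" <<EOF
group: files winbind
passwd: files winbind
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
EOF

    # rc.conf: append each line only if missing (the file already holds the installer's
    # network settings). ntpd keeps the clock inside Kerberos' 5-minute skew window.
    for line in 'ntpd_enable="YES"' 'samba_server_enable="YES"' 'winbindd_enable="YES"'; do
        grep -qxF "$line" "$dest/etc/rc.conf" 2>/dev/null || echo "$line" >> "$dest/etc/rc.conf"
    done

    # smb4.conf: domain member, deterministic RID-based UID/GID mapping, one share that
    # only authenticated domain users may open, and no SMB1.
    cat > "$dest/usr/local/etc/smb4.conf" <<EOF
[global]
    workgroup = $workgroup
    realm = $realm
    netbios name = $nbname
    security = ADS
    server min protocol = SMB2
    kerberos method = secrets and keytab
    log file = /var/log/samba4/log.%m
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 10000-999999
    template shell = /bin/sh

[shared_vol]
    path = /mnt/shared_vol
    browseable = yes
    read only = no
    valid users = @"Domain Users"
    inherit acls = yes
    inherit permissions = yes
    create mask = 0660
    directory mask = 0770
EOF
}

# check_ad_configs <dest-root>: offline sanity check of the security-relevant lines;
# on the real host testparm(1) remains the authoritative check of smb4.conf.
check_ad_configs() {
    dest=${1%/}
    grep -q '^    security = ADS$' "$dest/usr/local/etc/smb4.conf" &&
    grep -q '^passwd: files winbind$' "$dest/etc/nsswitch.conf" &&
    grep -q '^        kdc = ' "$dest/etc/krb5.conf" &&
    grep -q '^winbindd_enable="YES"$' "$dest/etc/rc.conf"
}
```

The rid backend is chosen because it maps every domain SID to the same UID on any member server with the same range, so ACLs stored on the volume stay meaningful if the disk is attached to another VM, which is exactly the scenario the two-disk layout was designed for; the tdb backend for the "*" domain only covers built-in and well-known SIDs. Run testparm after writing the file, as the article says, before starting the services.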

  • Check the configuration file with the following command: testparm; if everything is alright, you won’t see any notifications about errors;

  • reboot (reboot the server to apply the settings);
  • check that the installed services are running with ps aux | grep "service name" (smbd, nmbd, winbindd), or with service samba_server status.

To make sure the configuration is right, join the server to the enterprise domain:

  • net ads join -U adminfs (you'll be prompted for the adminfs password; the account must have the right to join computers to the domain. If everything works, you'll get the response: «Joined 'FS-TEST' to realm 'COMPANY DOMAIN.COM'»);
  • wbinfo -p (check that winbindd is responding);
  • wbinfo -u (list domain users);
  • wbinfo -g (list domain groups);
  • id adminfs (show the Unix UID and groups assigned to the adminfs domain user; this proves that nsswitch and winbind work together).

Well, now the installation and configuration of the file server are finished, so it’s time to move to the testing.

To check that your new server works properly, log into one of the test VMs and open the server's address: \\172.16.0.91. When all is well, you'll be connected to your network share!

In conclusion

If anything is wrong in the slightest, go back and check all the files. Then try creating, deleting, copying, and managing access rights to files and directories from one of the test VMs. Try the same from the other VM with a different domain user account. If the permissions are set correctly, you won't be able to reach the other user's files. That's it! Your file server is done and ready to go. I hope this saves you time and effort!