Connect FreeNAS to Nethserver Active Directory

/var/lib/machines/nsdc/var/log/samba

has a ‘cores’ directory with two empty directories ‘smbd’ and ‘winbindd’

All files are empty except the following two:

[root@nethserver samba]# cat log.smbd
[2017/09/01 09:15:36.989911,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections

[root@nethserver samba]# cat log.winbindd
[2017/09/01 09:15:35.942131,  0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/09/01 09:15:36.261151,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections

I’ll try an older FreeNAS, but I was able to join Zentyal with the current version of FreeNAS. I’ll also try the TurnKey Linux domain controller.

I think I found at least another workaround on the internet for joining FreeNAS 11 U2 to Nethserver AD, in case “FreeNAS and TLS not enabled in samba RE-SOLVED!” is not working for you. The tip came from “FreeNAS 11 + samba4 AD DC - Can't contact LDAP server | TrueNAS Community”.
WARNING! This is just a workaround because it deactivates the strong auth requirement on your DC, which might be relevant from perspective of security.
Quick and dirty way for testing:
Add a line to the NSDC container smb.conf in the global section:
nano /var/lib/machines/nsdc/etc/samba/smb.conf
Add this line to global section: ldap server require strong auth = no
Restart samba on nsdc:
systemctl -M nsdc restart samba

Join domain in FreeNAS webui. Only domain, username and password are needed.

Then test on FreeNAS shell if you can see the AD users:
root@freenas:~ # wbinfo -u
CMB\administrator
CMB\krbtgt
CMB\markus
CMB\guest
CMB\admin

If this works, respect the templates, erase the new line in smb.conf and do:
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
echo "# accept join from FreeNAS" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20global
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20global
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include

I used smb.conf.include because smb.conf on nsdc may be erased. If I misunderstood something in the e-smith template system, please tell me, this is my first try…:innocent:


Awesome! :joy: With this test I can join my FreeNAS to Nethserver. Now to figure out how to actually enable strong auth for production :slight_smile:

Also, I need to learn more about how domain users are synchronized to the FreeNAS, but that’s for another thread. Here I’ll continue with trying to get encryption enabled by setting up the certs correctly. Thanks so much!

You’re welcome!

Thank you in advance for taking on the certs, as FreeNAS wants passphrase certificates and I normally don’t use FreeNAS, so I don’t have to fight with its web UI…

Not following so far, did you resolve this topic? Can you mark it as solved?
@mrmarkuz :heart:

I think I can mark this as solved, but I didn’t open it. When I have a moment to pursue enabling authentication between Nethserver and FreeNAS I’ll open another thread, or put it in a wiki.

Hi

I opened this thread and I’m glad so many people joined it.
The workaround is very nice, good to know it works that way.
But it makes your AD very insecure.

ndroftheline, you mentioned you got it working on Zentyal.
I would like to ask you, ndroftheline: did you need to set up any certificates there, or did it just work?
If so, how, or what settings are used there?
Can the same method not be implemented on Nethserver?

Hi,
Downloaded FreeNAS 11 U3, fully motivated at first.
Tried to join FreeNAS to Nethserver again, but no luck.
Via the GUI I get a certificate error:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate), Connect error

Played around with certs for hours importing from Nethserver, tried CSR, tried self-signed cert from FreeNAS on Nethserver with no luck. Tried CA with and without keys, nothing helped.
Then I just tried joining the Nethserver AD via samba-tool on the FreeNAS CLI and it WORKED, as member ánd as DC, without any certificate :rage: but I can’t see users or groups from my domain, so I am giving up at this point. My solution for FreeNAS at the moment is disabling strong auth as described earlier in this thread:

root@freenas:~ # samba-tool domain join cmb.local DC -U admin -W CMB
Finding a writeable DC for domain 'cmb.local'
Found DC nsdc-server.cmb.local
Password for [CMB\admin]:
workgroup is CMB
realm is cmb.local
Adding CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Adding CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding CN=NTDS Settings,CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding SPNs to CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Setting account password for FREENAS$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
Provision OK for domain DN DC=cmb,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=cmb,DC=local] objects[402/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[804/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1206/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1608/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1616/1616] linked_values[32/32]
Replicating critical objects from the base DN of the domain
Partition[DC=cmb,DC=local] objects[97/97] linked_values[25/25]
Partition[DC=cmb,DC=local] objects[314/217] linked_values[25/25]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=cmb,DC=local
Partition[DC=DomainDnsZones,DC=cmb,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=cmb,DC=local
Partition[DC=ForestDnsZones,DC=cmb,DC=local] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=cmb,DC=local] objects[3] linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain CMB (SID S-1-5-21-890086496-3770272300-3508276966) as a DC

Then I tried to list the AD users but no luck again, so time to say good night!

root@freenas:~ # wbinfo -u
Error looking up domain users
root@freenas:~ # wbinfo -g
failed to call wbcListGroups: WBC_ERR_DOMAIN_NOT_FOUND
Error looking up domain groups

To delete FreeNAS member computer:

ldbdel --url=/var/lib/samba/private/sam.ldb CN=FREENAS,CN=Computers,DC=cmb,DC=local

To delete FreeNAS DC

ldbdel --url=/var/lib/samba/private/sam.ldb "CN=RID Set,CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local"

Both commands have to be executed on the NSDC; to get into the NSDC do:

systemd-run -M nsdc -t /bin/bash

My sources:
https://doc.freenas.org/11/directoryservice.html

I have followed with bated breath on this topic. It’s amazing seeing the support and involvement from everyone.

Wanted to ask if there was any progress made. I need to implement a solution soon (and yes, it’s my issue), but I’d prefer to use Nethserver if possible. All the best.
Dave

Hi @dvanremortel,

you can make it work with this:

But this is just a workaround. We have to make it work with certs. You motivated me to give it another try, I’ll report my results…

@ndroftheline, did you try it with certs?


Hey @mrmarkuz , sorry it’s been so long - I didn’t have time because the client went with MS AD. But I’ve gotten my lab back online and keen to try to make it work. I’ve installed Nethserver and FreeNAS and am now back to where we were before.

I found this, which seems to have some tantalizing successes with samba4:

I’ve tried to upload FreeNAS-generated self-signed CA and certificates based on it and not had success yet.

I’m keen to make the changes to the smb.conf file as discussed in the FreeNAS thread, but I don’t know how to edit files in the container…any thoughts? I don’t know what editor is installed on the container, if any.

The container files are under /var/lib/machines/nsdc so you may just use the editor of your host system.

With the following commands you create a custom template for the container’s smb.conf.include:

mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
echo "# accept join from FreeNAS" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include

I asked some of our freenas users:
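As an added example that is not code from this thread or from NethServer, a small POSIX shell audit that reports whether a given smb.conf, or an smb.conf.include fragment like the one created above, has the strong-auth requirement switched off, so the workaround does not linger unnoticed in production; the two sample files it writes are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an smb.conf or include fragment
# for "ldap server require strong auth = no". Sample files are constructed.

# Print the value of "ldap server require strong auth" in the [global]
# section of file $1. Lines before any section header are treated as global,
# which matches Samba's parser and covers an include fragment without a
# header. Prints "yes" (Samba's default) when the parameter is absent.
smb_strong_auth_value() {
    awk '
        BEGIN { sect = "global"; val = "yes" }
        /^[ \t]*\[/ { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        sect == "global" && tolower($0) ~ /^[ \t]*ldap server require strong auth[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            val = tolower(val)
        }
        END { print val }
    ' "$1"
}

# Return 0 (true) when the requirement has been switched off entirely.
smb_strong_auth_weakened() {
    case "$(smb_strong_auth_value "$1")" in
        no|false|0) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed samples: the workaround fragment from the thread, and a
# hardened DC config that keeps the Samba default and enables TLS.
WORKDIR=$(mktemp -d)
WEAK_CONF="$WORKDIR/smb.conf.include"
HARDENED_CONF="$WORKDIR/smb.conf"
printf '%s\n' '# accept join from FreeNAS' \
    'ldap server require strong auth = no' > "$WEAK_CONF"
printf '%s\n' '[global]' '   workgroup = CMB' '   realm = CMB.LOCAL' \
    '   tls enabled = yes' '   ldap server require strong auth = yes' \
    '[netlogon]' '   path = /var/lib/samba/sysvol/cmb.local/scripts' > "$HARDENED_CONF"

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if smb_strong_auth_weakened "$f"; then
        echo "WEAK: $f (ldap server require strong auth = $(smb_strong_auth_value "$f"))"
    else
        echo "OK:   $f (ldap server require strong auth = $(smb_strong_auth_value "$f"))"
    fi
done
```

Run it against /var/lib/machines/nsdc/etc/samba/smb.conf.include on the host to see whether the fragment from the template is still in effect.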

Wow, that’s a great thread, and so cool to see major members from the FreeNAS forums here on the Nethserver forums. Exciting!

I had forgotten about the container filesystems being mounted, thanks. It does appear there’s already an include set up for the global section that’s being auto-generated; do you know how I can add to that file? Or how to make a custom include that will go in the global section of the smb.conf file?

Also, there appears to be a slight mistake in one of your commands:

echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth

should probably be

echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth

diff: > should be >>

You’re right. I corrected it, thanks.

The commands I wrote create a custom template which will put the entry in the container’s /etc/samba/smb.conf.include file.

It is not templated, so you may write directly to smb.conf. But I don’t know if a container update will remove the changes, so I think it’s better to use the templated smb.conf.include.

Oh, I see how this works now, awesome. How did you know the location to put the templated smb.conf includes? I’m assuming it’s documented somewhere, but I didn’t stumble across it yet searching the docs or Google.

It’s not directly documented AFAIK but you can assume it when you read this:

docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-dc.html#factory-reset

OK.

I’m trying to follow the instructions at the freenas link above. Which in fact are basically exactly what the Samba4 documentation says: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Using_the_Samba_autogenerated_self-signed_certificate_.28default.29

It seems our instance of samba4 doesn’t create the keys as shown there, so I created the directories manually, copied the exported .crt and .key files from the FreeNAS, put them in the directories specified, and tried to target the keys in the smb.conf file using the templated approach you suggested.

Unfortunately this still results in an error when trying to connect. I’ll get the error later.

Edit: something didn’t like the link; I had to escape an underscore after a ). Strange?

Well. I was getting a “socket not connected” error; research on that problem was inconclusive, but I was seeing some odd Kerberos errors. I’ve wiped the FreeNAS and will start fresh.
