Connect FreeNAS to Nethserver Active Directory

Not following so far, did you resolve this topic? Can you mark it as solved?
@mrmarkuz :heart:

i think i can mark this as solved. but i didn’t open it. when i have a moment to pursue enabling authentication between nethserver and freenas i’ll open another thread. or put it in a wiki.


Hi

I opened this thread and i’m glad so many people joined it.
The workaround is very nice, good to know it works that way.
But makes your AD very insecure.

ndroftheline, you mentioned he got it working on Zentyal.
I would like to ask you, ndroftheline, did you need to set up any certificates there, or did it just work?
If so, how, or what settings are used there?
Can the same method not be implemented on Nethserver?

Hi,
downloaded FreeNAS 11 U3, fully motivated at first.
Tried to join FreeNAS to Nethserver again, but no luck.
Via the GUI I get a certificate error:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate), Connect error

Played around with certs for hours importing from Nethserver, tried a CSR, tried a self-signed cert from FreeNAS on Nethserver with no luck. Tried the CA with and without keys, nothing helped.
Then I just tried joining the Nethserver AD via samba-tool on the FreeNAS CLI and it WORKED, as member and as DC, without any certificate :rage: but I can’t see users or groups from my domain, so I am giving up at this point. My solution for FreeNAS at the moment is disabling strong auth as described earlier in this thread:

root@freenas:~ # samba-tool domain join cmb.local DC -U admin -W CMB
Finding a writeable DC for domain 'cmb.local'
Found DC nsdc-server.cmb.local
Password for [CMB\admin]:
workgroup is CMB
realm is cmb.local
Adding CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Adding CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding CN=NTDS Settings,CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding SPNs to CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Setting account password for FREENAS$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
Provision OK for domain DN DC=cmb,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=cmb,DC=local] objects[402/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[804/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1206/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1608/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1616/1616] linked_values[32/32]
Replicating critical objects from the base DN of the domain
Partition[DC=cmb,DC=local] objects[97/97] linked_values[25/25]
Partition[DC=cmb,DC=local] objects[314/217] linked_values[25/25]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=cmb,DC=local
Partition[DC=DomainDnsZones,DC=cmb,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=cmb,DC=local
Partition[DC=ForestDnsZones,DC=cmb,DC=local] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=cmb,DC=local] objects[3] linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain CMB (SID S-1-5-21-890086496-3770272300-3508276966) as a DC

Then I tried to list the AD users but no luck again, so time to say good night!

root@freenas:~ # wbinfo -u
Error looking up domain users
root@freenas:~ # wbinfo -g
failed to call wbcListGroups: WBC_ERR_DOMAIN_NOT_FOUND
Error looking up domain groups

To delete FreeNAS member computer:

ldbdel --url=/var/lib/samba/private/sam.ldb CN=FREENAS,CN=Computers,DC=cmb,DC=local

To delete FreeNAS DC

ldbdel --url=/var/lib/samba/private/sam.ldb "CN=RID Set,CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local"

Both commands have to be executed on the NSDC; to get into the NSDC do:

systemd-run -M nsdc -t /bin/bash

My sources:
https://doc.freenas.org/11/directoryservice.html

I have followed with bated breath on this topic. It’s amazing seeing the support and involvement from everyone.

Wanted to ask if there was any progress made. I need to implement a solution soon (and yes it’s my issue) but I’d prefer to use Nethserver if possible. All the best.
Dave

Hi @dvanremortel,

you can make it work with this:

But this is just a workaround. We have to make it work with certs. You motivated me to give it another try, I’ll report my results…

@ndroftheline, did you try it with certs?


Hey @mrmarkuz , sorry it’s been so long - I didn’t have time because the client went with MS AD. But I’ve gotten my lab back online and keen to try to make it work. I’ve installed Nethserver and FreeNAS and am now back to where we were before.

I found this, which seems to have some tantalizing successes with samba4:

I’ve tried to upload FreeNAS-generated self-signed CA and certificates based on it and not had success yet.

I’m keen to make the changes to the smb.conf file as discussed in the FreeNAS thread, but I don’t know how to edit files in the container…any thoughts? I don’t know what editor is installed on the container, if any.

The container files are under /var/lib/machines/nsdc so you may just use the editor of your host system.

With the following commands you create a custom template for the container’s smb.conf.include:

mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
echo "# accept join from FreeNAS" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include

I asked some of our freenas users:

wow that’s a great thread, and so cool to see major members from the freenas forums here on nethserver forums. exciting!

i had forgotten about the container filesystems being mounted, thanks. it does appear there’s already an include set up for the global section that’s being auto-generated, do you know how i can add to that file? or how to make a custom include that will go in the global section of the smb.conf file?

also, there appears to be a slight mistake in one of your commands:

echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth

should probably be

echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth

diff: > should be >>

You’re right. I corrected it, thanks.

The commands I wrote create a custom template which will put the entry in the container’s /etc/samba/smb.conf.include file.

It is not templated, so you may write directly to smb.conf. But I don’t know if a container update will remove the changes, so I think it’s better to use the templated smb.conf.include.
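As an added example (not code from the thread, NethServer or Samba) covering both the templated 20auth fragment above and the explanation of where it ends up in the container: a small audit that parses an smb.conf or smb.conf.include fragment and flags the "ldap server require strong auth = no" workaround, so the weakening noted earlier in the thread can be detected on the DC instead of forgotten. The sample fragments are constructed.

```python
import re

# Added example: audit a Samba smb.conf fragment for the strong-auth workaround.

def parse_smb_conf(text):
    """Return {section: {key: value}} using Samba's loose syntax:
    whole-line '#'/';' comments, keys with internal spaces, case-insensitive
    keys, last occurrence wins. Lines before any [section] count as global."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        conf.setdefault(section, {})[key] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means nothing weak was seen."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    strong = g.get("ldap server require strong auth", "yes").lower()
    if strong in ("no", "false", "0"):
        findings.append("ldap server require strong auth = no: unsigned LDAP and "
                        "simple binds on 389 accepted, credentials may cross the wire in clear")
    elif strong == "allow_sasl_over_tls":
        findings.append("ldap server require strong auth = allow_sasl_over_tls: "
                        "weaker than the default, review whether the joiner really needs it")
    if g.get("tls enabled", "yes").lower() in ("no", "false", "0"):
        findings.append("tls enabled = no: LDAPS on 636 is switched off")
    return findings

# Constructed samples: the 20auth fragment from the thread, and a global section without it.
SAMPLE_WORKAROUND = "# accept join from FreeNAS\nldap server require strong auth = no\n"
SAMPLE_OK = "[global]\n    workgroup = EXAMPLE\n    tls enabled = yes\n"

if __name__ == "__main__":
    for name, txt in (("20auth", SAMPLE_WORKAROUND), ("default", SAMPLE_OK)):
        print(name, "->", audit(txt) or ["no findings"])
```

Run it against /var/lib/machines/nsdc/etc/samba/smb.conf.include on the host to see whether the workaround is still in place after a container update.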

oh i see how this works now, awesome. how did you know the location to put the templated smb.conf includes? i’m assuming it’s documented somewhere, but didn’t stumble across it yet searching docs or google.

It’s not directly documented AFAIK but you can assume it when you read this:

docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-dc.html#factory-reset

OK.

I’m trying to follow the instructions at the FreeNAS link above, which in fact are basically exactly what the Samba4 documentation says: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Using_the_Samba_autogenerated_self-signed_certificate_.28default.29

it seems our instance of samba4 doesn’t create the keys as shown there, so i created the directories manually, copied the exported .crt and .key files from the FreeNAS, put them in the directories specified, and tried to target the keys in the smb.conf file using the templated approach you suggested.

unfortunately this still results in an error when trying to connect. i’ll get the error later.

edit: something didn’t like the link, had to escape an underscore after a ). strange?

well. i was getting a socket not connected error, research on that problem was inconclusive but was seeing some odd kerberos errors. i’ve wiped the freenas and will start fresh.


Hi again, I’m trying to connect a FreeNAS to the Nethserver again, but this time the error is that FreeNAS can’t reach the LDAP server, which in my case is:

nsdc-nethserver.ad.healperci.com
The realm is ad.healperci.com

Can’t ping the network address of the Account provider services. Is it possible to do that?

NetBIOS domain name: HEALPERCI
LDAP server: 192.168.1.67
LDAP server name: nsdc-nethserver.ad.healperci.com
Realm: AD.HEALPERCI.COM
Bind Path: dc=AD,dc=HEALPERCI,dc=COM
LDAP port: 389
Server time: Sun, 21 Apr 2019 19:17:18 -05
KDC server: 192.168.1.67
Server time offset: 0
Last machine account password change: Sun, 21 Apr 2019 18:59:30 -05

Join is OK

whenCreated: 20190421235930.0Z
name: NETHSERVER
objectSid: S-1-5-21-3107762322-1194793952-4137654034-1104
accountExpires: 9223372036854775807
sAMAccountName: NETHSERVER$
pwdLastSet: 132003647703699690
dNSHostName: nethserver.healperci.com
servicePrincipalName: HOST/NETHSERVER
servicePrincipalName: HOST/nethserver.healperci.com
whenChanged: 20190421235931.0Z
lastLogon: 132003656834894360
distinguishedName: CN=NETHSERVER,CN=Computers,DC=ad,DC=healperci,DC=com

For this to work, the Samba container needs to be used as DNS server within the network, or your DNS should be made aware of the samba domain.

No luck joining freenas to nethserver too :frowning:
Client of mine likes to have/browse previous versions and FreeNAS provides that, but after many tests & tries I couldn’t join the FreeNAS server to the Nethserver AD. One of the tries (what marcus did also) was to fire up a CA on FreeNAS and issue a cert for Nethserver, which seemed to be the most obvious way to go, but still no success…
Since I had big problems using the NethServer file share because using NTFS permissions slowed down the system too much, in order to override that I’m using a separate Debian file/samba server joined to the NethServer AD domain… but the Debian samba file server does not provide snapshots out of the box that are at the same time browsable with “previous versions” in a Windows client, so I figured that FreeNAS could be the perfect solution.
But it took me hours and hours to admit “no go” :frowning:
Has anybody got this solved? I’d like very much to avoid the workaround because it is about a very serious and important client… which one is not? :slight_smile:

Thank you very much in advance
BR
Tonci

@support_team
Can anybody help here?