Connect FreeNAS to Nethserver Active Directory

I’m having the same problem happnatious1 is. This is actually a brand new TrueNAS unit from ixSystems running FreeNAS 11.0U2, so it’s the latest and greatest. Just formatted this morning. This is also running a brand-new fresh install of Nethserver.

In fact I also can’t set my domain name as suggested by fausp, I have to use ad.mydomain.nz (this is in fact set as the or FreeNAS complains with Unable to find domain controllers for mydomain.nz. Once I have the domain set correctly, leaving the Encryption set to Off results in the error as described by happnatious, in red at the top of that same page. Setting Encryption to TLS, results in a different error message, returned a result with an error set.

I have actually raised a Bug with FreeNAS because this exception has also made Kerberos unable to start, so I’m not sure if this is actually a fundamental problem.

I’m very interested in replicating the experience you’re having, fausp, of being able to join a FreeNAS 11 box to Nethserver. I’ll try fresh with virtual machines and see if that matters.

I haven’t imported TLS cert yet, I’ll try that too.

Does your TrueNAS use NethServer as DNS server, @ndroftheline?

Yes, and I’ve tested name resolution. I can ping both the nethserver and the ad names perfectly.

Please realize that the DC is NOT on the IP that the Nethserver uses. It is actually on the IP of Nethserver +1.
This royally screwed me over for half a day.

I have no issues at all getting Free- or TrueNAS to utilize the SAMBA4 AD running on Nethserver. I do not even require encryption atm.

If you want to make sure that you use the right IP, set your DNS server on True/FreeNAS to the Nethserver, and use **ntds-**nethserver-fqdn as the hostname.

So when your Nethserver is named foo on domain bar.com, you would enter ntds-foo.bar.com and use foo.bar.com as DNS server.


Thanks planet_jeroen for the tips.

I do have the DNS server on FreeNAS set to the Nethserver, and I’m able to ping ad.mydomain.nz and it comes back as what I set as the AD controller’s IP, and I’m also able to ping nethserver.mydomain.nz and it comes back as what I set as Nethserver’s IP.

When you say, “use ntds-nethserver-fqdn as the hostname”, I’m not clear on what you mean. Is it possible for you to provide screenshots of your FreeNAS config pages?

Clarifying questions: 1. what field do you mean when you say hostname? There is no such field under Directory Service > Active Directory, nor its Advanced fields. I’ve tried to follow your convention for this hostname in various fields but they’re rejected on various grounds (can’t find AD server, invalid host/port) although ad.mydomain.nz works as domain and nsdc-nethserver.ad.mydomain.nz works in the Domain Controller field, but I still get the BindSimple error with Encryption being set to off.

I am not able to atm, I will add a couple of screenshots tomorrow. I AM running the iX Systems brands of True- and FreeNAS, but I can not imagine that will make much difference in this regard.

Ping me if I forget … time is a scarce thing and my head good for draining spaghetti.

Just an idea:
http://doc.freenas.org/11/directoryservice.html#active-directory

Active Directory places restrictions on which characters are allowed in Domain and NetBIOS names, and limits the length of those names to 15 characters. If there are problems connecting to the realm, verify that your settings do not include any disallowed characters. Also, the Administrator account password cannot contain the $ character. If a $ exists in the domain administrator’s password, kinit will report a “Password Incorrect” error and ldap_bind will report an “Invalid credentials (49)” error.

the total number of characters in my ad’s fqdn is 16. lol. i don’t think i can change my domain after installation, right? starting over…sigh

Feeling sorry for you, but it’s not your fault, Microsoft is responsible, see https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name

i actually don’t think this is the problem - the MS documentation suggests the netbios name is limited to 15 characters (which mine is definitely less than) but that dns hostname is OK up to bytes in length, and that the fqdn is ok up to 150+ bytes.

https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

i’ll try anyway with an extremely short netbios name and domain, but it would surprise me if all companies using active directory have to restrict themselves so carefully on naming their machines. i literally just named the domain after the company, and included their TLD. company name is 7 characters, domain is 6 including the fullstops.

Found another Technet article, saying domain names are up to 64 chars.

Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length
NetBIOS computer and domain names are limited to 15 characters.
Domain Name System (DNS) host names are limited to 24 characters.

Good luck for your tests…

Well, i read a little different…
FQDN of the server (host.domain.ext) can be 64 char.
hostname of the server can be up to 24 chars
As usual, NetBios names (computer and Domain) must be up to 15 as usual

fwiw: fresh VM install of latest freenas and nethesis, exact same behavior as outlined above using typical domain for company, which is as an example october.co.nz.

i changed two major things in the next test (doh) using zentyal latest and tglo.af as domain, freenas joined successfully.

next i’m installing another new nethserver with tglo.af as test domain. will let you know.

For testing maybe resetting nethserver-dc is enough instead of a new install:
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-dc.html#factory-reset

i had already built a new nethserver, ha. the touchless install is very handy. i wanted to keep the old config around anyway because i suspected it’s not the domain length, so hoping to find some other way to make this work.

i’ve now replicated this in three different configs with fresh installs of everything on two virtualization systems. xenserver and proxmox.

freenas 11 will not join my nethserver domain, no matter how short the domain is. right now my domain is ad.tglo.af and freenas is still reporting the bindsimple error.

can i provide logs or outputs of anything in order to narrow down what’s going wrong? i feel like i’ve taken all the defaults.

and, would somebody be able to please try to replicate this, and if you can get a fresh freenas 11 to join a fresh nethserver, provide the same logs/outputs?

I am on the way, my fresh installed FreeNAS will try to join my Nethserver domain cmb.local the next minutes…

For sure. Please do so.

sorry i should have been more specific; what logs/outputs are appropriate for this?

Nethserver and Container:
any file under /var/log/samba/
grep -E 'samba|smbd|nmbd' /var/log/messages

do we have a preferred pastebin?

i have a tar of the /var/log/samba directory on the container, but don’t know how to get it out of the container. the /var/log/samba directory only has an “old” directory in it on the nethserver.

here’s the /var/log/messages from the nethserver:

[root@nethserver ~]# grep 'samba\|lsmbd\|lnmbd' /var/log/messages > var-log-messages-0.txt
[root@nethserver ~]# cat var-log-messages-0.txt
Aug 31 20:31:40 localhost esmith::event[2071]: expanding /etc/samba/smb.conf
Sep  1 09:09:31 nethserver esmith::event[4161]: expanding /etc/samba/smb.conf
Sep  1 09:13:48 nethserver esmith::event[5922]: Examining /usr/lib/nethserver-dc/ns-samba-4.6.5-1.ns7.x86_64.rpm: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: Marking /usr/lib/nethserver-dc/ns-samba-4.6.5-1.ns7.x86_64.rpm to be installed
Sep  1 09:13:48 nethserver esmith::event[5922]: ---> Package ns-samba.x86_64 0:4.6.5-1.ns7 will be installed
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: python(abi) = 2.7 for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl >= 5.004 for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /bin/sh for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /bin/sh for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /bin/sh for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /bin/sh for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /usr/bin/env for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: /usr/bin/pkg-config for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libacl.so.1(ACL_1.0)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libattr.so.1(ATTR_1.0)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgcc_s.so.1(GCC_3.0)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgcc_s.so.1(GCC_3.3.1)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgnutls.so.28(GNUTLS_1_4)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgnutls.so.28(GNUTLS_3_1_0)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libsystemd-daemon.so.0(LIBSYSTEMD_DAEMON_31)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libsystemd-journal.so.0(LIBSYSTEMD_JOURNAL_183)(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(Carp) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(Exporter) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(File::Basename) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(FindBin) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(Getopt::Long) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(strict) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: perl(vars) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: systemd for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: systemd for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: systemd for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libacl.so.1()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libattr.so.1()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgcc_s.so.1()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libgnutls.so.28()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: liblber-2.4.so.2()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libldap-2.4.so.2()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libpython2.7.so.1.0()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libsystemd-daemon.so.0()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:48 nethserver esmith::event[5922]: --> Processing Dependency: libsystemd-journal.so.0()(64bit) for package: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:13:49 nethserver esmith::event[5922]: ns-samba               x86_64 4.6.5-1.ns7             /ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:14:59 nethserver yum[6858]: Installed: ns-samba-4.6.5-1.ns7.x86_64
Sep  1 09:15:05 nethserver esmith::event[5922]:  Installing : ns-samba-4.6.5-1.ns7.x86_64                              149/150
Sep  1 09:15:05 nethserver esmith::event[5922]:  Verifying  : ns-samba-4.6.5-1.ns7.x86_64                               42/150
Sep  1 09:15:12 nethserver esmith::event[5922]:  ns-samba.x86_64 0:4.6.5-1.ns7
Sep  1 09:15:12 nethserver esmith::event[5922]: expanding /var/lib/machines/nsdc/etc/samba/smb.conf.include
Sep  1 09:15:12 nethserver esmith::event[5922]: expanding /var/lib/machines/nsdc/etc/systemd/system/samba-provision.service
Sep  1 09:15:12 nethserver esmith::event[5922]: Created symlink /var/lib/machines/nsdc/etc/systemd/system/multi-user.target.wants/samba-provision.service, pointing to /etc/systemd/system/samba-provision.service.
Sep  1 09:15:12 nethserver esmith::event[5922]: Created symlink /var/lib/machines/nsdc/etc/systemd/system/multi-user.target.wants/samba.service, pointing to /usr/lib/systemd/system/samba.service.
Sep  1 09:15:50 nethserver esmith::event[7421]: expanding /etc/samba/smb.conf
Sep  1 10:13:06 nethserver esmith::event[21121]: spawn /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user setpassword admin

edit: formatting

I’ve seen pastebin.com being used.

The container root is here:

cd /var/lib/machines/nsdc

So samba logs are here

cd /var/lib/machines/nsdc/var/log/samba