Connect FreeNAS to Nethserver Active Directory

Looks interesting. Can you share some screenshots and notes about this? It would be helpful for others too.
Let’s start a new topic on Howto

Wow! We can’t wait for that, indeed. :ok_hand:

Are you still interested in joining AD members (FreeNAS / Synology)?

What I can say is that Synology looks much better than FreeNAS. RADIUS is working to auth my WiFi clients… synchronizing the users/groups under the GUI works well.

FreeNAS has joined AD but I cannot synchronize the users/groups under the GUI… I was able to map a FreeNAS share with AD credentials on my Windows 7 machine, but I do not fully trust this situation…

Hi
Yeah, I am still interested of course; you could share it as a howto, as someone said above. That would help out many others, or the developers.
However, I am now more inclined to use FreeNAS as just a NAS, mostly as a backup solution, and do the main job with Nethserver.

I was not able to join it at all, so no, I can't see any AD users.

@fausp you can just write down some notes so that other people can contribute

Please try this:

Part 1

My Domain: privat.lan
My Nethserver Hostname: neth2
My FreeNAS Hostname: freenas
My LDAP server name: nsdc-neth2.privat.lan

On CLI

  1. Install FreeNAS

On Browser

  1. Go to http://FreeNAS-IP and log on
  2. Configure Language, Keyboard and Timezone…
  3. Setup static IP and WebGUI IPv4 Address
  4. Setup Network - Global Configuration - Domain - IPv4 Gateway - Nameserver
  5. Setup Directory Service - Active Directory (in Advanced Mode)
  • Domain Name (DNS/Realm-Name): privat.lan
  • Domain Account Name: admin
  • Domain Account Password: myNethServerAdminPassword
  • AD check connectivity frequency (seconds): 60
  • How many recovery attempts: 10
  • Encryption Mode: off
  • Allow Trusted Domains: true
  • Use Default Domain: true
  • Allow DNS updates: true
  • Domain Controller: nsdc-neth2.privat.lan
  • Global Catalog Server: nsdc-neth2.privat.lan
  • Enable: true
  • NetBIOS name: freenas

On CLI

  • Join Domain with (LDAP server name):

net ads join -S nsdc-neth2.privat.lan -U admin

Enter admin's password:
Using short domain name -- PRIVAT
Joined 'FREENAS' to dns domain 'privat.lan'

Part 2

Check it out …

  • Lists all domain users
    root@freenas:~ # wbinfo -u

  • Lists all domain groups
    root@freenas:~ # wbinfo -g

  • List trusted domains
    root@freenas:~ # wbinfo -m

  • Check passwd
    root@freenas:~ # getent passwd

Just edited your formatting aligning with markup style. Great job, thanks for sharing

When clicking save on the Browser step I get the following error:
BindSimple: Transport encryption required., Strong(er) authentication required

I used a freshly installed FreeNAS-11.0-RELEASE.iso from 15.06.17 for the test. What version do you use?

Can you test it on two fresh installed servers (Nethserver, FreeNAS)?


FreeNAS-11.0-U1

NethServer release 7.3.1611

Unfortunately I’m not in a position to test default installs at the moment.

I’m having the same problem happnatious1 is. This is actually a brand new TrueNAS unit from ixSystems running FreeNAS 11.0U2, so it’s the latest and greatest. Just formatted this morning. This is also running a brand-new fresh install of Nethserver.

In fact I also can't set my domain name as suggested by fausp, I have to use ad.mydomain.nz (this is in fact set as the or FreeNAS complains with Unable to find domain controllers for mydomain.nz. Once I have the domain set correctly, leaving the Encryption set to Off results in the error as described by happnatious, in red at the top of that same page. Setting Encryption to TLS results in a different error message: returned a result with an error set.

I have actually raised a Bug with FreeNAS because this exception has also made Kerberos unable to start, so I’m not sure if this is actually a fundamental problem.

I’m very interested in replicating the experience you’re having, fausp, of being able to join a FreeNAS 11 box to Nethserver. I’ll try fresh with virtual machines and see if that matters.

I haven't imported a TLS cert yet, I'll try that too.

Does your TrueNAS use NethServer as DNS server, @ndroftheline?

Yes, and I’ve tested name resolution. I can ping both the nethserver and the ad names perfectly.

Please realize that the DC is NOT on the IP that the Nethserver uses. It is actually on the IP of Nethserver +1
This royally screwed me over for half a day.

I have no issues at all getting Free- or TrueNAS to utilize the SAMBA4 AD running on Nethserver. I do not even require encryption atm.

If you want to make sure that you use the right IP, set your DNS server on True/FreeNAS to the Nethserver, and use **ntds-**nethserver-fqdn as the hostname.

So when your Nethserver is named foo on domain bar.com, you would enter ntds-foo.bar.com and use foo.bar.com as DNS server.


Thanks planet_jeroen for the tips.

I do have the DNS server on FreeNAS set to the Nethserver, and I’m able to ping ad.mydomain.nz and it comes back as what I set as the AD controller’s IP, and I’m also able to ping nethserver.mydomain.nz and it comes back as what I set as Nethserver’s IP.

When you say, “use ntds-nethserver-fqdn as the hostname”, I’m not clear on what you mean. Is it possible you provide screenshots of your FreeNAS config pages?

Clarifying questions: 1. what field do you mean when you say hostname? There is no such field under Directory Service > Active Directory, nor its Advanced fields. I've tried to follow your convention for this hostname in various fields but they're rejected on various grounds (can't find AD server, invalid host/port), although ad.mydomain.nz works as domain and nsdc-nethserver.ad.mydomain.nz works in the Domain Controller field, but I still get the BindSimple error with Encryption set to off.

I am not able to atm, I will add a couple of screenshots tomorrow. I AM running the iX Systems brands of True- and FreeNAS, but I cannot imagine that will make much difference in this regard.

Ping me if I forget … time is a scarce thing and my head good for draining spaghetti.

Just an idea:
http://doc.freenas.org/11/directoryservice.html#active-directory

Active Directory places restrictions on which characters are allowed in Domain and NetBIOS names, and limits the length of those names to 15 characters. If there are problems connecting to the realm, verify that your settings do not include any disallowed characters. Also, the Administrator account password cannot contain the $ character. If a $ exists in the domain administrator's password, kinit will report a "Password Incorrect" error and ldap_bind will report an "Invalid credentials (49)" error.

The total number of characters in my AD's FQDN is 16. lol. I don't think I can change my domain after installation, right? Starting over… sigh

Feeling sorry for you, but it's not your fault; Microsoft is responsible, see https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name
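Pulling together the pitfalls from this thread (the nsdc-<host>.<domain> controller name from fausp's howto, the "DC is not on the Nethserver IP" point, the 15-character NetBIOS limit and the "$ in the admin password" rule from the FreeNAS docs), here is an added POSIX sh pre-check script you can run on the FreeNAS box before filling in the Active Directory form. It is not code from FreeNAS or NethServer; the hostnames and the password in the demo line are assumed sample values.

```sh
#!/bin/sh
# Pre-join checks for a FreeNAS box joining NethServer's Samba4 AD.
# Added example for this thread; not FreeNAS or NethServer code.

# The DC / LDAP server name NethServer publishes is nsdc-<nethserver host>.<domain>.
dc_name() {
    printf 'nsdc-%s.%s\n' "$1" "$2"
}

# NetBIOS name: at most 15 characters (the 16th is the NetBIOS suffix),
# letters, digits and '-' only.
check_netbios() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Per the FreeNAS docs, a '$' in the domain admin password breaks kinit/ldap_bind.
check_password() {
    case $1 in
        *'$'*) return 1 ;;
    esac
    return 0
}

# Live check (needs the NethServer as DNS): the DC runs on its own IP, not on
# the NethServer IP, so both names must resolve and must differ.
check_dc_resolves() {
    ns_ip=$(getent hosts "$1.$2" | awk '{print $1; exit}')
    dc_ip=$(getent hosts "$(dc_name "$1" "$2")" | awk '{print $1; exit}')
    [ -n "$ns_ip" ] && [ -n "$dc_ip" ] && [ "$ns_ip" != "$dc_ip" ]
}

# Offline checks; prints each problem, returns non-zero if any check failed.
# Usage: precheck <nethserver host> <domain> <freenas netbios name> <admin password>
precheck() {
    rc=0
    check_netbios "$3" || { echo "NetBIOS name '$3' invalid or longer than 15 chars"; rc=1; }
    check_password "$4" || { echo "admin password contains '\$', kinit will fail"; rc=1; }
    echo "Domain Controller / Global Catalog Server to enter: $(dc_name "$1" "$2")"
    return $rc
}

# Demo with the names from fausp's howto (password is a placeholder).
precheck neth2 privat.lan freenas 'myNethServerAdminPassword'
```

Run `check_dc_resolves neth2 privat.lan` on the FreeNAS box itself once its DNS server points at the NethServer; it fails if the DC name resolves to the NethServer's own IP.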