I've seen pastebin.com being used.
The container root is here:
cd /var/lib/machines/nsdc
So samba logs are here
cd /var/lib/machines/nsdc/var/log/samba
It took hours and didn't work. But it's my test environment and I was testing samba joining the last days and now I can't even join a Win7 VM to my AD.
Saw this: FreeNAS 11 + samba4 AD DC - Can't contact LDAP server | TrueNAS Community
What about trying older version of FreeNAS?
I'll get back to you when I have tested the FreeNAS join on a fresh AD...
/var/lib/machines/nsdc/var/log/samba
has a "cores" directory with two empty directories "smbd" and "winbindd"
all files are empty except the following two files:
[root@nethserver samba]# cat log.smbd
[2017/09/01 09:15:36.989911, 0] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
[root@nethserver samba]# cat log.winbindd
[2017/09/01 09:15:35.942131, 0] ../source3/winbindd/winbindd_cache.c:3171(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2017/09/01 09:15:36.261151, 0] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'winbindd' finished starting up and ready to serve connections
I'll try an older FreeNAS, but I was able to join Zentyal with the current version of FreeNAS. I'll also try the TurnkeyLinux domain controller.
I think I found at least another workaround on the internet for joining FreeNAS 11 U2 to Nethserver AD when FreeNAS and TLS not enabled in samba RE-SOLVED! is not working for you. The tip came from FreeNAS 11 + samba4 AD DC - Can't contact LDAP server | TrueNAS Community
WARNING! This is just a workaround because it deactivates the strong auth requirement on your DC, which is relevant from a security perspective.
Quick and dirty way for testing:
Add a line to the NSDC container smb.conf in the global section:
nano /var/lib/machines/nsdc/etc/samba/smb.conf
Add this line to global section: ldap server require strong auth = no
Restart samba on nsdc:
systemctl -M nsdc restart samba
Join domain in FreeNAS webui. Only domain, username and password are needed.
Then test on FreeNAS shell if you can see the AD users:
root@freenas:~ # wbinfo -u
CMB\administrator
CMB\krbtgt
CMB\markus
CMB\guest
CMB\admin
If this works, respect the templates, erase the new line in smb.conf and do:
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
echo "# accept join from FreeNAS" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20global
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20global
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
I used smb.conf.include because smb.conf on nsdc may be erased. If I misunderstood something in the e-smith template system, please tell me, this is my first try...
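To see from the outside whether the workaround above is in effect on a DC (or whether strong auth has been switched back on), the following script is an added example; it is not from this thread, NethServer, FreeNAS or Samba. It sends one LDAPv3 simple bind over plain LDAP on port 389, hand-encoding the BindRequest and decoding the BindResponse (RFC 4511) with the Python standard library only, and classifies the resultCode: with `ldap server require strong auth = yes` (the Samba default) the DC answers resultCode 8 (strongerAuthRequired) before it looks at the password, whereas with the workaround's `= no` it answers 0 (success) or 49 (invalidCredentials), either of which means cleartext binds are being accepted. The hostname and bind name in the usage line are placeholders taken from this thread, `build_bind_response` only exists to construct sample replies for offline testing, and the diagnostic text in those samples is made up.

```python
"""Probe whether a Samba AD DC accepts a cleartext LDAP simple bind.

Added example (not from this thread, NethServer, FreeNAS or Samba).  It
hand-rolls the LDAPv3 BindRequest / BindResponse encoding from RFC 4511 with
the standard library only.  It deliberately sends the password unencrypted on
port 389, so point it at a throw-away test account.
"""
import socket
import sys

# LDAP resultCode values used below (RFC 4511, section 4.1.9)
SUCCESS = 0
STRONGER_AUTH_REQUIRED = 8   # Samba's answer when strong auth is required
INVALID_CREDENTIALS = 49

# BER / LDAP tags
TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1]
TAG_SIMPLE_AUTH = 0x80                              # AuthenticationChoice: simple [0]


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(tag: int, n: int) -> bytes:
    """Non-negative INTEGER/ENUMERATED; an extra leading byte keeps the sign bit clear."""
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def build_bind_request(message_id: int, bind_name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(TAG_INTEGER, 3)
               + tlv(TAG_OCTET_STRING, bind_name.encode())
               + tlv(TAG_SIMPLE_AUTH, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + bind)


def build_bind_response(message_id: int, result_code: int, diagnostic: str) -> bytes:
    """Constructed BindResponse, used only to produce sample data for offline tests."""
    result = (ber_int(TAG_ENUMERATED, result_code)
              + tlv(TAG_OCTET_STRING, b"")               # matchedDN (empty)
              + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + tlv(TAG_BIND_RESPONSE, result))


def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes):
    """Return (message_id, result_code, diagnostic_message) from a BindResponse."""
    tag, seq, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(seq, 0)
    tag, result, _ = read_tlv(seq, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(result, 0)                  # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(result, pos)         # matchedDN
    _, diag, _ = read_tlv(result, pos)                  # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def classify(result_code: int) -> str:
    """Map the DC's answer to the state of 'ldap server require strong auth'."""
    if result_code == STRONGER_AUTH_REQUIRED:
        return "hardened: cleartext simple bind refused (strong auth required)"
    if result_code in (SUCCESS, INVALID_CREDENTIALS):
        return "weak: cleartext simple bind accepted (strong auth disabled)"
    return "unexpected resultCode %d" % result_code


def check_simple_bind(host: str, bind_name: str, password: str, port: int = 389):
    """Send one simple bind over plain LDAP and classify the reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_bind_request(1, bind_name, password))
        reply = sock.recv(4096)                         # a BindResponse is a few dozen bytes
    _, code, diag = parse_bind_response(reply)
    return code, classify(code), diag


if __name__ == "__main__":
    # Placeholders from this thread: python3 probe.py nsdc-server.cmb.local 'CMB\admin' 'secret'
    if len(sys.argv) != 4:
        sys.exit("usage: %s <dc-host> <bind-name> <password>" % sys.argv[0])
    print(check_simple_bind(*sys.argv[1:4]))
```

The probe only covers simple binds; the same Samba option also governs SASL (NTLM/Kerberos) binds without signing, which this script does not exercise. A "weak" result on a production DC means the workaround from this thread is still active and should be replaced by a TLS-based join.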
Awesome! With this test I can join my FreeNAS to NethServer. Now to figure out how to actually enable strong auth for production.
I also need to learn more about how domain users are synchronized to the FreeNAS, but that's for another thread. Here I'll continue with trying to get encryption enabled by setting up the certs correctly. Thanks so much!
You're welcome!
Thank you in advance that you are going to mess with the certs, as FreeNAS wants passphrase certificates and I normally don't use FreeNAS, so I don't have to fight with its web UI...
I think I can mark this as solved, but I didn't open it. When I have a moment to pursue enabling authentication between NethServer and FreeNAS I'll open another thread, or put it in a wiki.
Hi
I opened this thread and I'm glad so many people joined it.
The workaround is very nice, good to know it works that way.
But makes your AD very insecure.
ndroftheline, you mentioned you got it working on Zentyal.
I would like to ask you, ndroftheline: did you need to set up any certificates there, or did it just work?
If so, how, or what settings are used there?
Can't the same method be implemented on Nethserver?
Hi,
downloaded FreeNAS 11 U3 fully motivated at first.
Tried to join FreeNAS to Nethserver again, but no luck.
Via GUI I get certificate error:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate), Connect error
Played around with certs for hours importing from Nethserver, tried CSR, tried self-signed cert from FreeNAS on Nethserver with no luck. Tried CA with and without keys, nothing helped.
Then I just tried joining the Nethserver AD via samba-tool on the FreeNAS CLI and it WORKED, as member and as DC, without any certificate, but I can't see users or groups from my domain, so I am giving up at this point. My solution for FreeNAS at the moment is disabling strong auth as described earlier in this thread:
root@freenas:~ # samba-tool domain join cmb.local DC -U admin -W CMB
Finding a writeable DC for domain 'cmb.local'
Found DC nsdc-server.cmb.local
Password for [CMB\admin]:
workgroup is CMB
realm is cmb.local
Adding CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Adding CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding CN=NTDS Settings,CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding SPNs to CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Setting account password for FREENAS$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
Provision OK for domain DN DC=cmb,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=cmb,DC=local] objects[402/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[804/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1206/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1608/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1616/1616] linked_values[32/32]
Replicating critical objects from the base DN of the domain
Partition[DC=cmb,DC=local] objects[97/97] linked_values[25/25]
Partition[DC=cmb,DC=local] objects[314/217] linked_values[25/25]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=cmb,DC=local
Partition[DC=DomainDnsZones,DC=cmb,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=cmb,DC=local
Partition[DC=ForestDnsZones,DC=cmb,DC=local] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=cmb,DC=local] objects[3] linked_values[0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain CMB (SID S-1-5-21-890086496-3770272300-3508276966) as a DC
Then I tried to list the AD users but no luck again, so time to say good night!
root@freenas:~ # wbinfo -u
Error looking up domain users
root@freenas:~ # wbinfo -g
failed to call wbcListGroups: WBC_ERR_DOMAIN_NOT_FOUND
Error looking up domain groups
To delete FreeNAS member computer:
ldbdel --url=/var/lib/samba/private/sam.ldb CN=FREENAS,CN=Computers,DC=cmb,DC=local
To delete FreeNAS DC
ldbdel --url=/var/lib/samba/private/sam.ldb "CN=RID Set,CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local"
Both commands have to be executed on the NSDC, to get into NSDC do:
systemd-run -M nsdc -t /bin/bash
My sources:
https://doc.freenas.org/11/directoryservice.html
I have followed this topic with bated breath. It's amazing seeing the support and involvement from everyone.
Wanted to ask if there was any progress made. I need to implement a solution soon (and yes, it's my issue) but I'd prefer to use Nethserver if possible. All the best.
Dave
Hi @dvanremortel,
you can make it work with this:
But this is just a workaround. We have to make it work with certs. You motivated me to give it another try, I'll report my results...
@ndroftheline, did you try it with certs?
Hey @mrmarkuz, sorry it's been so long. I didn't have time because the client went with MS AD. But I've gotten my lab back online and am keen to try to make it work. I've installed Nethserver and FreeNAS and am now back to where we were before.
I found this, which seems to have some tantalizing successes with samba4:
I've tried to upload a FreeNAS-generated self-signed CA and certificates based on it and have not had success yet.
I'm keen to make the changes to the smb.conf file as discussed in the FreeNAS thread, but I don't know how to edit files in the container... any thoughts? I don't know what editor is installed on the container, if any.
The container files are under /var/lib/machines/nsdc
so you may just use the editor of your host system.
With following commands you create a custom template for the containers smb.conf.include:
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
echo "# accept join from FreeNAS" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
I asked some of our freenas users:
Wow, that's a great thread, and so cool to see major members from the FreeNAS forums here on the NethServer forums. Exciting!
I had forgotten about the container filesystems being mounted, thanks. It does appear there's already an include set up for the global section that's being auto-generated. Do you know how I can add to that file, or how to make a custom include that will go in the global section of the smb.conf file?
also, there appears to be a slight mistake in one of your commands;
echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
should probably be
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
diff: > should be >>
You're right. I corrected it, thanks.
The commands I wrote create a custom template which will put the entry in the container's /etc/samba/smb.conf.include file.
It is not templated, so you may write directly to smb.conf. But I don't know if a container update will remove the changes, so I think it's better to use the templated smb.conf.include.
Oh, I see how this works now, awesome. How did you know the location to put the templated smb.conf includes? I'm assuming it's documented somewhere, but I didn't stumble across it yet searching the docs or Google.
It's not directly documented AFAIK, but you can assume it when you read this:
docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-dc.html#factory-reset