I think I can mark this as solved, but I didn't open it. When I have a moment to pursue enabling authentication between NethServer and FreeNAS I'll open another thread, or put it in a wiki.
I opened this thread and i’m glad so many people joined it.
The workaround is very nice, good to know it works that way.
But makes your AD very insecure.
ndroftheline you mentioned he got it working on Zentyal.
I would like to ask you ndroftheline did you need to set up any certificates there or it just worked ?
If so how or what settings it is used there ?
Can not the same method be implemented on Nethserver ?
Downloaded FreeNAS 11 U3, fully motivated at first.
Tried to join FreeNAS to Nethserver again, but no luck.
Via GUI I get certificate error:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate), Connect error
Played around with certs for hours importing from Nethserver, tried CSR, tried self-signed cert from FreeNAS on Nethserver with no luck. Tried CA with and without keys, nothing helped.
Then I just tried joining Nethserver AD via samba-tool on the FreeNAS CLI and it WORKED, as member and as DC, without any certificate, but I can't see users or groups from my domain, so I am giving up at this point. My solution for FreeNAS at the moment is disabling strong auth as described earlier in this thread:
root@freenas:~ # samba-tool domain join cmb.local DC -U admin -W CMB
Finding a writeable DC for domain 'cmb.local'
Found DC nsdc-server.cmb.local
Password for [CMB\admin]:
workgroup is CMB
realm is cmb.local
Adding CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Adding CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding CN=NTDS Settings,CN=FREENAS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmb,DC=local
Adding SPNs to CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local
Setting account password for FREENAS$
Enabling account
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
Provision OK for domain DN DC=cmb,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=cmb,DC=local] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=cmb,DC=local] objects[402/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[804/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1206/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1608/1616] linked_values[0/1]
Partition[CN=Configuration,DC=cmb,DC=local] objects[1616/1616] linked_values[32/32]
Replicating critical objects from the base DN of the domain
Partition[DC=cmb,DC=local] objects[97/97] linked_values[25/25]
Partition[DC=cmb,DC=local] objects[314/217] linked_values[25/25]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=cmb,DC=local
Partition[DC=DomainDnsZones,DC=cmb,DC=local] objects[41/41] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=cmb,DC=local
Partition[DC=ForestDnsZones,DC=cmb,DC=local] objects[18/18] linked_values[0/0]
Exop on[CN=RID Manager$,CN=System,DC=cmb,DC=local] objects linked_values
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain CMB (SID S-1-5-21-890086496-3770272300-3508276966) as a DC
Then I tried to list the AD users but no luck again, so time to say good night!
root@freenas:~ # wbinfo -u
Error looking up domain users
root@freenas:~ # wbinfo -g
failed to call wbcListGroups: WBC_ERR_DOMAIN_NOT_FOUND
Error looking up domain groups
To delete FreeNAS member computer:
ldbdel --url=/var/lib/samba/private/sam.ldb CN=FREENAS,CN=Computers,DC=cmb,DC=local
To delete FreeNAS DC
ldbdel --url=/var/lib/samba/private/sam.ldb "CN=RID Set,CN=FREENAS,OU=Domain Controllers,DC=cmb,DC=local"
Both commands have to be executed on the NSDC, to get into NSDC do:
systemd-run -M nsdc -t /bin/bash
I have followed with bated breath on this topic. It’s amazing seeing the support and involvement from everyone.
Wanted to ask if there was any progress made. I need to implement a solution soon (and yes it's my issue) but I'd prefer to use Nethserver if possible. All the best.
you can make it work with this:
But this is just a workaround. We have to make it work with certs. You motivated me to give it another try, I’ll report my results…
@ndroftheline, did you try it with certs?
Hey @mrmarkuz, sorry it's been so long - I didn't have time because the client went with MS AD. But I've gotten my lab back online and am keen to try to make it work. I've installed Nethserver and FreeNAS and am now back to where we were before.
I found this, which seems to have some tantalizing successes with samba4:
I’ve tried to upload FreeNAS-generated self-signed CA and certificates based on it and not had success yet.
I’m keen to make the changes to the smb.conf file as discussed in the FreeNAS thread, but I don’t know how to edit files in the container…any thoughts? I don’t know what editor is installed on the container, if any.
The container files are under /var/lib/machines/nsdc so you may just use the editor of your host system.
With the following commands you create a custom template for the container's smb.conf.include:
# create the custom template directory for the container's smb.conf.include
mkdir -p /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include
# write the template fragment (first line creates the file, second appends to it)
echo "# accept join from FreeNAS" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
# regenerate the container's smb.conf.include from the templates
expand-template /var/lib/machines/nsdc/etc/samba/smb.conf.include
I asked some of our freenas users:
wow that’s a great thread, and so cool to see major members from the freenas forums here on nethserver forums. exciting!
i had forgotten about the container filesystems being mounted, thanks. it does appear there’s already an include set up for the global section that’s being auto-generated, do you know how i can add to that file? or how to make a custom include that will go in the global section of the smb.conf file?
also, there appears to be a slight mistake in one of your commands;
echo "ldap server require strong auth = no" > /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
should probably be
echo "ldap server require strong auth = no" >> /etc/e-smith/templates-custom/var/lib/machines/nsdc/etc/samba/smb.conf.include/20auth
diff: > should be >>
You’re right. I corrected it, thanks.
The commands I wrote create a custom template which will put the entry in the container's /etc/samba/smb.conf.include file.
It is not templated so you may write directly to smb.conf. But I don’t know if a container update will remove the changes. So I think it’s better to use the templated smb.conf.include.
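As an added example (not code from this thread, NethServer or Samba), the script below parses an smb.conf together with the smb.conf.include it pulls in, the way the templated approach above lays them out, and flags the strong-auth workaround; a second, constructed include shows the LDAPS certificate options from the Samba wiki configured instead. The option names are real smb.conf parameters; the file contents, and the tls/ paths, are constructed samples and placeholders.

```python
"""Audit a Samba AD DC smb.conf (and the files it includes) for the
"ldap server require strong auth = no" workaround, and report whether
LDAPS certificate material is configured instead.

Added example, not NethServer's or Samba's own tooling. Option names are
real smb.conf parameters; file contents and paths are constructed samples.
"""
from typing import Dict, List, Tuple

# Constructed sample files, keyed by path, standing in for the container's
# /etc/samba/smb.conf and the templated smb.conf.include from the thread.
BASE_CONF = (
    "[global]\n"
    "   workgroup = CMB\n"
    "   realm = cmb.local\n"
    "   server role = active directory domain controller\n"
    "   include = /etc/samba/smb.conf.include\n"
)

WEAK_FILES: Dict[str, str] = {
    "/etc/samba/smb.conf": BASE_CONF,
    "/etc/samba/smb.conf.include": (
        "# accept join from FreeNAS\n"
        "ldap server require strong auth = no\n"
    ),
}

HARDENED_FILES: Dict[str, str] = {
    "/etc/samba/smb.conf": BASE_CONF,
    "/etc/samba/smb.conf.include": (
        "# LDAPS instead of the workaround; file paths are placeholders\n"
        "tls enabled = yes\n"
        "tls keyfile = tls/key.pem\n"
        "tls certfile = tls/cert.pem\n"
        "tls cafile = tls/ca.pem\n"
    ),
}

STRONG_AUTH = "ldap server require strong auth"
TLS_OPTIONS = ("tls keyfile", "tls certfile", "tls cafile")


def parse_smb_conf(files: Dict[str, str], path: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf-style text into {section: {option: value}}.

    Follows "include =" lines the way Samba does, splicing the included
    text into the current section, and refuses runaway include chains.
    `files` stands in for the filesystem so the example runs offline.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = ["global"]  # options before any [header] belong to [global]

    def load(p: str, depth: int) -> None:
        if depth > 5:
            raise ValueError("include nesting too deep at " + p)
        if p not in files:
            raise FileNotFoundError(p)
        for raw in files[p].splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                current[0] = line[1:-1].strip().lower()
                continue
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())  # Samba ignores case/spacing
            if key == "include":
                load(value, depth + 1)
                continue
            sections.setdefault(current[0], {})[key] = value

    load(path, 0)
    return sections


def audit_ldap_auth(sections: Dict[str, Dict[str, str]]) -> Tuple[bool, List[str]]:
    """Return (acceptable, findings) for the DC's LDAP authentication setup."""
    g = sections.get("global", {})
    findings: List[str] = []
    # Samba's default is "yes"; "no" lets clients send simple binds
    # (cleartext passwords) over unencrypted LDAP on port 389.
    if g.get(STRONG_AUTH, "yes").lower() == "no":
        findings.append(f"{STRONG_AUTH} = no: simple binds over plain LDAP are accepted")
    if g.get("tls enabled", "yes").lower() == "no":
        findings.append("tls enabled = no: LDAPS is switched off")
    missing = [opt for opt in TLS_OPTIONS if opt not in g]
    if missing:
        findings.append("relies on Samba defaults for: " + ", ".join(missing))
    return not findings, findings


if __name__ == "__main__":
    for label, files in (("weak", WEAK_FILES), ("hardened", HARDENED_FILES)):
        ok, notes = audit_ldap_auth(parse_smb_conf(files, "/etc/samba/smb.conf"))
        print(f"{label}: {'OK' if ok else 'FINDINGS'}")
        for note in notes:
            print("  -", note)
```

To run it against a real NethServer DC, replace the `files` dict with the contents of the container's files under /var/lib/machines/nsdc/etc/samba/; the point of the include-following parser is that the weakening line lives in smb.conf.include, not in smb.conf itself, so a check that only reads smb.conf would miss it.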
oh i see how this works now, awesome. how did you know the location to put the templated smb.conf includes? i’m assuming it’s documented somewhere, but didn’t stumble across it yet searching docs or google.
It’s not directly documented AFAIK but you can assume it when you read this:
I’m trying to follow the instructions at the freenas link above. Which in fact are basically exactly what the Samba4 documentation says: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Using_the_Samba_autogenerated_self-signed_certificate_.28default.29
it seems our instance of samba4 doesn’t create the keys as shown there, so i created the directories manually, copied the exported .crt and .key files from the FreeNAS, put them in the directories specified, and tried to target the keys in the smb.conf file using the templated approach you suggested.
unfortunately this still results in an error when trying to connect. i’ll get the error later.
edit: something didn’t like the link, had to escape an underscore after a ) . strange?
well. i was getting a socket not connected error, research on that problem was inconclusive but was seeing some odd kerberos errors. i’ve wiped the freenas and will start fresh.
Hi again, I'm trying to connect a FreeNAS to the nethserver again, but this time the error is that freenas can't reach the LDAP server, which in my case is:
Can't ping the network address of the Account provider services. Is it possible to do that?
NetBIOS domain name: HEALPERCI
LDAP server: 192.168.1.67
LDAP server name: nsdc-nethserver.ad.healperci.com
Bind Path: dc=AD,dc=HEALPERCI,dc=COM
LDAP port: 389
Server time: Sun, 21 Apr 2019 19:17:18 -05
KDC server: 192.168.1.67
Server time offset: 0
Last machine account password change: Sun, 21 Apr 2019 18:59:30 -05
Join is OK
For this to work, the Samba container needs to be used as DNS server within the network, or your DNS should be made aware of the samba domain.
No luck joining freenas to nethserver too
A client of mine likes to have/browse previous versions and freenas provides that, but after many tests and tries I couldn't join the freenas server to nethserver-AD. One of the tries (what marcus did also) was to fire up a CA on freenas and issue a cert for nethserver, which seemed to be the most obvious way to go, but still no success …
Since I had big problems using NetH file share because using ntfs permission slowed down the system too much , in order to override that I’m using separate debian file/samba server joined to NethServer AD domain … but debian samba file server does not provide snapshots out-of-the-box and in the same time browsable with “previous-versions” in windows client . so I figured that freenas could be perfect solution.
But it took me hours and hours to admit “no go”
Has anybody got this solved ? I’d like very much to avoid workaround because it is about very serious and important client … which one is not ?
Thank you very much in advance
Can anybody help here?