Active Directory - No users available in GUI

Status
Not open for further replies.

jaydee99

Cadet
Joined
Jan 23, 2018
Messages
5
Hi,

I'm trying to connect my FreeNAS to my AD on WS2016.

Settings are OK and FreeNAS can connect to my AD.

wbinfo -u properly displays all available users and wbinfo -g displays my AD group.
getent passwd only displays local users

But no users / groups from AD are shown in the GUI, and I can't use them either when setting permissions on volumes (it says users / groups don't exist).

Mapping is already set to rid. I even tried with ad, considering I have provided uidNumber and gidNumber in my AD for all users.

What am I doing wrong, please?

Thanx a lot!
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
It would help a lot if you could be more specific about what you are doing.

First off, please provide the version of FreeNAS you are using. Second, what troubleshooting steps have you taken to try to fix your problem? And lastly, what GUI are you looking at? Please let us know exactly where you're at.

Some details about your Windows setup would also be nice. What schema version are you using in your domain?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Post contents of /usr/local/etc/smb4.conf
 

jaydee99

Cadet
Joined
Jan 23, 2018
Messages
5
Hi,

So here is more info about my config:

FreeNAS 11.1U1 running on ESXi 6.5 VM

Windows Server 2016 Active Directory, standard schema (default AD installation)
uidNumber and gidNumber are set for the users I want to use and are in the 10000-20000 range

FreeNAS settings:

- Network settings:
Host : freenas
Domain : home.lan
Gateway : 192.168.1.1
DNS 1 : 192.168.1.100 #WS2016 DNS
Network Interface : Add -> em0 -> DHCP #DHCP managed by WS2016

- NTP configuration OK. Using the AD server for NTP.

- Directory settings:
DNS : home.lan
Account : Administrateur
Password : PASSWORD
Idmap : ad (uidNumber and gidNumber provided in my AD for the users I want to use)
Netbios Name : FREENAS

- SMB settings:
Netbios : FREENAS
Workgroup : HOME
Everything else : default

smb4.conf
Code:
[global]
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 234812
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	time server = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = HOME
	realm = HOME.LAN
	security = ADS
	client use spnego = yes
	local master = no
	domain master = no
	preferred master = no
	ads dns update = yes
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = no
	winbind refresh tickets = yes
	idmap config HOME: backend = ad
	idmap config HOME: range = 10000-90000000
	idmap config HOME: schema mode = rfc2307
	allow trusted domains = no
	client ldap sasl wrapping = plain
	template shell = /bin/sh
	template homedir = None/%D/%U
	netbios name = FREENAS
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
 


wbinfo -u returns

HOME\administrateur
HOME\invité
HOME\defaultaccount
HOME\krbtgt
HOME\alex
HOME\pauline
HOME\ktpasssystemuser
HOME\ldap

id alex returns:
User doesn't exist

wbinfo -i alex
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user alex

The problem is, AD users and groups don't show in the web interface, nor can I use them for my volume permissions.

Thanx a lot for helping!

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Username "alex" is different from "HOME\alex".
 

jaydee99

Cadet
Joined
Jan 23, 2018
Messages
5
I know, but it's still not working:

I checked "Use default domain" in AD settings.

wbinfo -u
Code:
administrateur
invité
defaultaccount
krbtgt
alex
pauline
ktpasssystemuser
ldap


wbinfo -i alex
Code:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user alex


wbinfo -i "HOME\alex"
Code:
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user HOME\alex
 

jaydee99

Cadet
Joined
Jan 23, 2018
Messages
5
I don't really know what I did, but it's now working!!

smb4.conf looks like:

Code:
[global]
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 234812
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	ntlm auth = no
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	acl allow execute always = true
	dos filemode = yes
	multicast dns register = yes
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = HOME
	realm = HOME.LAN
	security = ADS
	client use spnego = yes
	local master = no
	domain master = no
	preferred master = no
	ads dns update = yes
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	idmap config HOME: backend = rid
	idmap config HOME: range = 20000-90000000
	allow trusted domains = yes
	client ldap sasl wrapping = plain
	template shell = /bin/sh
	template homedir = /home/%D/%U
	netbios name = FREENAS
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
  
[Temp]
	path = "/mnt/local/temp"
	printable = no
	veto files = /.snapshot/.windows/.mac/.zfs/
	writeable = yes
	browseable = yes
	access based share enum = no
	vfs objects = zfs_space zfsacl streams_xattr aio_pthread
	hide dot files = yes
	guest ok = yes
	nfs4:mode = special
	nfs4:acedup = merge
	nfs4:chown = true
	zfsacl:acesort = dontcare


Seems like the only real difference is these 2 lines:

Code:
	idmap config HOME: backend = rid
	idmap config HOME: range = 20000-90000000


What did I change to get that??

Just one last question: I used this guide to set up AD: https://forums.freenas.org/index.ph...directory-folder-file-user-permissions.20610/

It says that you have to create your pool before the AD config, but I don't understand why. Is it still true with FreeNAS 11?

Thanx for helping!!
 
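The two smb4.conf files in this thread differ in their `idmap config HOME` lines (`backend = ad` with range 10000-90000000 and `schema mode = rfc2307` in the non-working one, `backend = rid` with range 20000-90000000 in the working one). The script below is an added example, not code from the thread, FreeNAS or Samba: it parses the `idmap config <DOMAIN>: <key> = <value>` lines out of an smb.conf-style text, checks the idmap section for the consistency rules winbind depends on (default `*` backend and range present, domain range not overlapping the default range, `schema mode` set for the `ad` backend), and predicts the Unix ID winbind would hand out for an account under each backend: with `rid`, ID = range_low + RID (the documented idmap_rid arithmetic); with `ad`, the uidNumber stored in AD, but only if it lies inside the configured range. The sample configs are constructed from the idmap lines of the two posted files, and the RIDs used are constructed values (500 is the well-known RID of the built-in Administrator account; 1104 is just a plausible user RID).

```python
"""Sanity-check the idmap settings of a Samba smb.conf and predict the Unix IDs
winbind will hand out. Added example for this thread; not FreeNAS or Samba code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches e.g. "\tidmap config HOME: schema mode = rfc2307" (leading whitespace allowed).
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$", re.I)


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None
    options: Dict[str, str] = field(default_factory=dict)

    def contains(self, unix_id: int) -> bool:
        return self.low is not None and self.low <= unix_id <= self.high


def parse_idmap(conf_text: str) -> Dict[str, IdmapDomain]:
    """Collect one IdmapDomain per 'idmap config <name>' group; '*' is the default backend."""
    domains: Dict[str, IdmapDomain] = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1), m.group(2).lower(), m.group(3)
        dom = domains.setdefault(name, IdmapDomain(name))
        if key == "backend":
            dom.backend = value.lower()
        elif key == "range":
            dom.low, dom.high = (int(x) for x in value.split("-", 1))
        else:
            dom.options[key] = value
    return domains


def check_idmap(domains: Dict[str, IdmapDomain], workgroup: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap section is consistent."""
    problems: List[str] = []
    default = domains.get("*")
    if default is None or default.backend is None or default.low is None:
        problems.append("'idmap config *' needs a backend and a range for BUILTIN/unknown SIDs")
    dom = domains.get(workgroup)
    if dom is None or dom.backend is None:
        problems.append(f"no 'idmap config {workgroup}: backend'; domain SIDs fall through to the default backend")
        return problems
    if dom.low is None:
        problems.append(f"'idmap config {workgroup}: backend = {dom.backend}' has no range")
        return problems
    if default is not None and default.low is not None and dom.low <= default.high and default.low <= dom.high:
        problems.append(f"range {dom.low}-{dom.high} of {workgroup} overlaps the default range {default.low}-{default.high}")
    if dom.backend == "ad" and "schema mode" not in dom.options:
        problems.append(f"'backend = ad' for {workgroup} should set 'schema mode' (rfc2307 or sfu)")
    return problems


def expected_unix_id(dom: IdmapDomain, rid: int, ad_uid_number: Optional[int] = None) -> Optional[int]:
    """Predict the Unix ID winbind hands out for a domain account, or None if it cannot be mapped
    (or, for an allocating backend such as tdb, cannot be predicted statically)."""
    if dom.backend == "rid":
        unix_id = dom.low + rid  # idmap_rid: ID = RID + LOW_RANGE_ID
        return unix_id if dom.contains(unix_id) else None
    if dom.backend == "ad":
        # idmap_ad reads uidNumber/gidNumber from AD; a missing or out-of-range attribute
        # yields no mapping, which is what 'id <user>' reporting a non-existent user looks like.
        if ad_uid_number is None or not dom.contains(ad_uid_number):
            return None
        return ad_uid_number
    return None


# Constructed samples: the idmap lines of the non-working and working smb4.conf from the thread,
# plus a deliberately overlapping config to show a failing check.
BEFORE = """[global]
\tworkgroup = HOME
\tidmap config *: backend = tdb
\tidmap config *: range = 90000001-100000000
\tidmap config HOME: backend = ad
\tidmap config HOME: range = 10000-90000000
\tidmap config HOME: schema mode = rfc2307
"""
AFTER = """[global]
\tworkgroup = HOME
\tidmap config *: backend = tdb
\tidmap config *: range = 90000001-100000000
\tidmap config HOME: backend = rid
\tidmap config HOME: range = 20000-90000000
"""
BAD = """[global]
\tidmap config *: backend = tdb
\tidmap config *: range = 90000001-100000000
\tidmap config HOME: backend = rid
\tidmap config HOME: range = 80000000-95000000
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("constructed overlap", BAD)):
        print(label, check_idmap(parse_idmap(text), "HOME") or "OK")
    print("Administrator (RID 500) under rid backend ->", expected_unix_id(parse_idmap(AFTER)["HOME"], 500))
    print("alex (uidNumber 15000) under ad backend ->", expected_unix_id(parse_idmap(BEFORE)["HOME"], 1104, 15000))
```

Both posted configs pass the consistency checks, which matches the poster's observation that the idmap section itself looked fine; the difference the script makes visible is in how accounts get their IDs: under `rid` every domain account maps to a predictable ID (Administrator becomes 20500), while under `ad` an account without a uidNumber in AD, or with one outside 10000-90000000, maps to nothing and is reported as non-existent.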

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I would not recommend following that guide. It is for a version that is very old at this point, and I remember when I set up my AD in 9.3, the process was decently different (many of the steps were either taken care of automatically, or they were workarounds for existing issues that now broke the config).

The procedure you should be following is the one outlined in the documentation: https://doc.freenas.org/11/directoryservice.html
 