SOLVED AD integration vs iSCSI

Status
Not open for further replies.

R wkgs

Cadet
Joined
Jul 15, 2015
Messages
9
First off, our organization is a Windows shop. So far in my time here I have introduced a Synology to meet budget, and this joined our domain (mixed 2008 R2 and 2012 R2) without fuss to share shared folders.

FreeNAS has been my next introduction as we need more storage on a budget (backed up, naturally). iSCSI works as expected, but I am having issues adding our FreeNAS box to the domain for CIFS shares. Can someone help getting this box on the domain? When I try I get this error message:
Code:
{'info': '00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v1db1', 'desc': 'Strong(er) authentication required'}

Now I know it's due to us requiring signing on LDAP connections, and as an organization we are not interested in turning it off, so we need to set up certificates. But what type? The only ones I have access to are .crt files. Would a CSR through the GUI be a better solution? I would prefer not to involve my bosses unless I know what's needed, as I know we will just end up with a copy of Windows Storage Server and in mocking tones be informed that that will have no trouble joining AD.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=2

If this policy is configured on one's domain controllers in a Windows Domain, non-secure LDAP authentication will fail.

System spec:
Supermicro X10SL7-F with 32GB RAM
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
All configuration should be done through the FreeNAS web GUI. The relevant configuration options should be under "Directory Service" -> "Active Directory" (or whatever it's called). I haven't done this before, but the steps will probably involve changing the default SASL wrapping and selecting the correct certificate.
 

R wkgs

Cadet
Joined
Jul 15, 2015
Messages
9
Slowly making progress. The command
Code:
openssl s_client -connect ldap.server.ip.address:636
shows which cert is needed, so I just now need to figure out how to convert the .crt files I get issued with to get the plain text private key.

As it happens, our organization is getting new certs at the end of the week, so I will feed back on how I am getting on Monday next week.
 

R wkgs

Cadet
Joined
Jul 15, 2015
Messages
9
Just closing this with a long overdue update. Once I found out you do not need to fill in 'Private Key' when adding a cert, all worked as expected.

Shared folders can be accessed from classroom PCs with full Windows permissions integrated with AD. Happy using FreeNAS for the past few months for VMs and students' work without issue.

Tip: 'previous versions' / 'shadow copies' every 15 minutes going back a week, and autosave in Office enforced through Group Policy, is a gift from the heavens with students / teachers who no longer plague me to restore from tape backups when they delete their work. Yes, it can be done without ZFS, but not having to thick provision iSCSI and have 4-5 VMs acting as virtual file servers is much more flexible.
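The two practical points in this thread are (a) `openssl s_client -connect host:636` (with `-showcerts`) reveals which issuer signed the domain controller's LDAPS certificate, and (b) the client only needs that issuer's public certificate, never its private key, to validate the connection. The script below is an added example (not from this thread or the FreeNAS project) that reproduces both points offline: it builds a throwaway CA and a CA-signed server certificate for a placeholder DC name, prints the issuer you would look for in the `s_client` chain, then shows that `openssl verify` succeeds with only the CA's public certificate and fails with no trust anchor at all. The names `Example-Test-CA` and `dc01.example.test` are constructed placeholders; it assumes the `openssl` binary is installed.

```shell
#!/bin/sh
# Added example: demonstrate that the CA's public certificate alone is enough
# to validate an LDAPS server certificate chain. The CA private key never
# leaves the issuer, which is why the FreeNAS 'Private Key' field stays empty.
# Placeholder names: Example-Test-CA (issuer), dc01.example.test (the DC).

set -e

ldaps_chain_demo() {
    work=$(mktemp -d)

    # 1. Throwaway CA. Only ca.crt (public) is ever handed to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Example-Test-CA" >/dev/null 2>&1

    # 2. Server key and CSR for the placeholder domain controller.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$work/dc01.key" -out "$work/dc01.csr" \
        -subj "/CN=dc01.example.test" >/dev/null 2>&1

    # 3. The CA signs the CSR; this is what an LDAPS listener presents on 636.
    openssl x509 -req -days 30 -in "$work/dc01.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/dc01.crt" >/dev/null 2>&1

    # 4. The issuer line is what you read off the s_client chain to decide
    #    which CA certificate the client (FreeNAS) must trust.
    echo "server cert $(openssl x509 -in "$work/dc01.crt" -noout -issuer)"

    # 5. Validation with the CA *public* certificate only: succeeds.
    if openssl verify -CAfile "$work/ca.crt" "$work/dc01.crt" >/dev/null 2>&1; then
        with_ca=ok
    else
        with_ca=fail
    fi

    # 6. Same certificate with no trust anchor at all: fails with
    #    "unable to get local issuer certificate", the symptom of a
    #    missing CA certificate on the client.
    if openssl verify -no-CAfile -no-CApath "$work/dc01.crt" >/dev/null 2>&1; then
        without_ca=ok
    else
        without_ca=fail
    fi

    rm -rf "$work"
    echo "verify with CA cert: $with_ca; without trust anchor: $without_ca"
    [ "$with_ca" = ok ] && [ "$without_ca" = fail ]
}

ldaps_chain_demo
```

Against a real domain controller the equivalent of step 4 is `openssl s_client -connect dc01.example.test:636 -showcerts </dev/null`, and the equivalent of step 5 is importing only the CA's `.crt` into the NAS; if the issuer is an intermediate, the whole chain up to the root is what needs to be trusted.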
 