Can't join to Samba AD DC

Status
Not open for further replies.

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
Recently my FreeNAS Mini (FreeNAS-9.10-STABLE-201605021851) won't join to my Samba AD DC anymore and will spit out the following message:
Code:
{'info': 'BindSimple: Transport encryption required.', 'desc': 'Strong(er) authentication required'}.


Screenshot of this is attached to this post.

My Samba AD DC (Version 4.2.10) is running Debian Jessie and from what I understand so far, it's not playing nice because of a security vulnerability that was patched in Samba. I tried switching to TLS encryption mode on FreeNAS, but it kicks back a message saying it doesn't want to use a self-signed certificate. I can join Windows machines to this AD DC, but FreeNAS doesn't seem to want to cooperate. FreeNAS will join perfectly fine to a Windows 2008 R2 AD DC though. I also fired up a fresh VM of FreeNAS and Debian Samba AD DC and it will still throw this error.

Anyone have an idea what could be going on?
 

Attachments

  • AD DC Join Error.png

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Based on some work I've done recently on AD with FreeNAS, here's some info that may be useful.

1. If you are using AD, you can only use self-signed certs if the entire cert chain is made available to the FreeNAS. That means that the CA that signed the AD certs must be on the FreeNAS.
2. You must use TLS 1.2 or higher when using Samba 4.3 (which is available on the versions that have the Badlock patch), the most recent and one prior version if memory serves me right.

Hope this helps.
 

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
Your advice put me on the right path to getting it working, thank you!

Here's what I did in case anyone else gets stuck on this problem:

I created a CA and a certificate in FreeNAS and copied them over to the Debian Samba AD DC server. Then I added the following lines to the Samba server configuration file in the global section:
Code:
tls enabled = yes
tls cafile = /path/to/cert/samba-root-ca.pem
tls certfile = /path/to/cert/samba-cert.pem
tls keyfile = /path/to/cert/samba-key.pem


I reloaded the configuration and joined FreeNAS to the AD DC after setting the following settings under advanced mode:
Code:
Encryption mode: TLS
Certificate: Samba Root CA
SASL Wrapping: sign


Having the certificate signed by a CA in FreeNAS worked and setting SASL wrapping to "signed" was what got it working again for me.

(Update - 05/30/2017: I've corrected a typo in the tls enabled configuration parameter.)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm glad my advice helped. I wasn't sure how helpful it would be, but I figured I'd give you what I had and hope it was enough. :D
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
@Joeman3000 where exactly did you put the advanced configuration? Can you copy paste it?
 

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
The only advanced configuration I needed to do to the FreeNAS was in Advanced Mode under Directory Service->Active Directory where I changed the options: Encryption mode, Certificate, and SASL Wrapping. The values I used are posted above, except that the certificate will be the CA you will be using.
 

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
I'm doing the exact thing and I get:
  • Connect error, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
 

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
You have to make sure you are using an SSL certificate that is signed by a CA (even a self-signed CA). The one that is generated by Samba will not work, so the easiest option I found is to create the CA and a certificate signed by the new CA in FreeNAS. Once you've created the CA and certificate, export the CA (private key is not needed) and export the certificate and private key, then copy those to your Samba server. In your Samba server's config you will need to add the config options shown above: tls enabled, tls cafile, tls certfile, tls keyfile. You will need to restart the Samba services after you've updated your configuration. I found that just reloading the config will not work for some reason.
 

nickchacha

Cadet
Joined
Oct 8, 2016
Messages
5
I know this is coming in a bit late, but would you kindly confirm where exactly we are supposed to copy the keys in Samba 4? Are we supposed to add them to cert.pem, or where exactly are they supposed to go? Thanks
 

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
You just need to put them in a place where Samba can access them. For example, on my Debian system I put them under the "/etc/samba/tls" directory. This may differ depending on your OS and distribution. You may also have to adjust the permissions of the certificate files to 600 if they are not already, because Samba will not start otherwise.

You can find more detailed information on the Samba Wiki here: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
 

nickchacha

Cadet
Joined
Oct 8, 2016
Messages
5
Thanks a lot @Joeman3000, but baby steps would really help. I have tried all ways around but I am still getting that encryption error (same as the one posted above in the image). Here is my samba configuration:
Code:
[global]
		netbios name = MAIL
		realm = MYDOMAIN.COM
		workgroup = MYDOMAIN
		 server role = active directory domain controller
		idmap_ldb:use rfc2307 = yes
		tls enable = yes
		tls cafile = /usr/local/samba/private/tls/SambaConnect.pem
		tls certfile = /usr/local/samba/private/tls/SignSamba.pem

[netlogon]
		path = /usr/local/samba/var/locks/sysvol/mydomain.com/scripts
		read only = No

[sysvol]
		path = /usr/local/samba/var/locks/sysvol
		read only = No


Please assist. I am very new to encryption. Thanks.
Environment: Centos
Samba -V: Samba version 4.4.6
More Details: Error in Samba -
Code:
Unknown parameter encountered: "tls enable"
Ignoring unknown parameter "tls enable"

 

Joeman3000

Dabbler
Joined
Jun 26, 2015
Messages
10
Sounds like your server doesn't have the GnuTLS package installed, so Samba won't recognize the "tls enable" configuration parameter. I'm more familiar with how Debian distributions work, but you should just be able to install GnuTLS then Samba should automatically be able to use it.
 

Daniel Alves BH

Dabbler
Joined
Dec 13, 2016
Messages
10
Hi,

I was able to join FreeNAS 9.10.1 stable to Samba 4.5 through the certificate, but FreeNAS is only pulling users and groups from the system; it is not pulling the users and groups I have in my AD.

My environment:
Samba 4.5
CentOS 6.8
FreeNAS 9.10.1 stable

[root@hjxxiii-app ~]# wbinfo -u
HOSP-JOAOXXIII\administrator
HOSP-JOAOXXIII\krbtgt
HOSP-JOAOXXIII\guest

[root@hjxxiii-app ~]# wbinfo -g
HOSP-JOAOXXIII\cert publishers
HOSP-JOAOXXIII\ras and ias servers
HOSP-JOAOXXIII\allowed rodc password replication group
HOSP-JOAOXXIII\denied rodc password replication group
HOSP-JOAOXXIII\dnsadmins
HOSP-JOAOXXIII\enterprise read-only domain controllers
HOSP-JOAOXXIII\domain admins
HOSP-JOAOXXIII\domain users
HOSP-JOAOXXIII\domain guests
HOSP-JOAOXXIII\domain computers
HOSP-JOAOXXIII\domain controllers
HOSP-JOAOXXIII\schema admins
HOSP-JOAOXXIII\enterprise admins
HOSP-JOAOXXIII\group policy creator owners
HOSP-JOAOXXIII\read-only domain controllers
HOSP-JOAOXXIII\dnsupdateproxy

[root@hjxxiii-app ~]# wbinfo -t
checking the trust secret for domain HOSP-JOAOXXIII via RPC calls succeeded
[root@hjxxiii-app ~]#


Does anyone have an idea of what it can be?
 

Daniel Alves BH

Dabbler
Joined
Dec 13, 2016
Messages
10
Just to complement the previous post, this is the FreeNAS log when I start the directory service in FreeNAS:

[root@hjxxiii-app] ~# tail -f /var/log/messages
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 13 15:42:21 hjxxiii-app notifier: Performing sanity check on Samba configuration: OK
Dec 13 15:42:21 hjxxiii-app notifier: Starting nmbd.
Dec 13 15:42:21 hjxxiii-app notifier: Starting smbd.
Dec 13 15:42:21 hjxxiii-app notifier: Starting winbindd.
Dec 13 15:42:21 hjxxiii-app DomainController: /usr/sbin/service ix-resolv quietstop
Dec 13 16:56:36 hjxxiii-app DomainController: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Dec 13 16:56:38 hjxxiii-app notifier: Stopping winbindd.
Dec 13 16:56:38 hjxxiii-app notifier: Waiting for PIDS: 20215.
Dec 13 16:56:38 hjxxiii-app notifier: Stopping smbd.
Dec 13 16:56:38 hjxxiii-app notifier: Waiting for PIDS: 20210.
Dec 13 16:56:38 hjxxiii-app notifier: Stopping nmbd.
Dec 13 16:56:39 hjxxiii-app notifier: Waiting for PIDS: 20206, 20206.
Dec 13 16:56:40 hjxxiii-app DomainController: /usr/sbin/service ix-kerberos quietstart
Dec 13 16:56:41 hjxxiii-app DomainController: /usr/sbin/service ix-resolv quietstart
Dec 13 16:56:42 hjxxiii-app DomainController: /usr/sbin/service ix-nsswitch quietstart
Dec 13 16:56:43 hjxxiii-app DomainController: /usr/sbin/service ix-pam quietstart
Dec 13 16:56:43 hjxxiii-app DomainController: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 13 16:56:48 hjxxiii-app notifier: Performing sanity check on Samba configuration: OK
Dec 13 16:56:48 hjxxiii-app notifier: Starting samba.
 

Daniel Alves BH

Dabbler
Joined
Dec 13, 2016
Messages
10
Try "tls enabled"

I had this same mistake:

Unknown parameter encountered: "tls enable"
Ignoring unknown parameter "tls enable"
 

Icarus_XI

Cadet
Joined
Jan 19, 2017
Messages
5
Hi All,

I was hoping someone might be able to give me a minute for some assistance. I have completed everything above as far as creating the CA and certificate, exporting those to my Samba AD DS server, editing smb.conf, verifying permissions, restarting Samba, and also making sure AD DNS is still working. I'm getting a different error than what I see above from others.

On FreeNAS, on the Active Directory page under advanced, I selected TLS, then chose the CA, and changed SASL to sign. When I save I receive the error:
  • Connect error, TLS: hostname does not match CN in peer certificate
When creating the CA and cert, should I have made the Common Name freenas.mydomain.lcl?
 

Icarus_XI

Cadet
Joined
Jan 19, 2017
Messages
5
Update:

Re-created the CA and Cert using the DC as the common name, now getting a new error message:

  • Connect error, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)
 

Icarus_XI

Cadet
Joined
Jan 19, 2017
Messages
5
Final Update:

I was able to resolve the cert issue. Everything is now working as expected.
 
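The checks this thread converged on (a DC certificate signed by a CA rather than self-signed, that CA cert handed to the LDAP client, "tls enabled" spelt correctly, a key file with mode 600, and a CN matching the DC hostname), as an added shell example that is not from the thread, Samba or FreeNAS; the hostname dc1.example.lan, the temporary directory and both smb.conf fragments are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/FreeNAS: build a
# private CA and a DC certificate signed by it (what the thread does with a
# FreeNAS-created CA), then pre-check two smb.conf [global] TLS fragments
# before restarting Samba. Hostname dc1.example.lan and $WORK are constructed.
set -eu
WORK=$(mktemp -d); DC_FQDN="dc1.example.lan"; cd "$WORK"

# Private CA; only samba-root-ca.pem (never ca-key.pem) goes to the LDAP client.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Root CA" \
  -keyout ca-key.pem -out samba-root-ca.pem 2>/dev/null
# DC key and CSR with the DC's FQDN as CN, signed by the CA rather than by itself.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$DC_FQDN" -keyout samba-key.pem -out dc.csr 2>/dev/null
openssl x509 -req -in dc.csr -CA samba-root-ca.pem -CAkey ca-key.pem -CAcreateserial \
  -days 825 -out samba-cert.pem 2>/dev/null
chmod 600 samba-key.pem
# A self-signed DC certificate, like the one Samba generates on its own.
openssl req -x509 -newkey rsa:2048 -nodes -days 825 -subj "/CN=$DC_FQDN" \
  -keyout self-key.pem -out self-cert.pem 2>/dev/null

T='[global]\n\ttls enabled = yes\n\ttls cafile = %s/samba-root-ca.pem\n\ttls certfile = %s/%s\n\ttls keyfile = %s/%s\n'
printf "$T" "$WORK" "$WORK" samba-cert.pem "$WORK" samba-key.pem > good.conf
printf "$T" "$WORK" "$WORK" self-cert.pem "$WORK" self-key.pem | sed 's/tls enabled/tls enable/' > bad.conf

# conf_val KEY CONF: value of the first "KEY = value" line in CONF.
conf_val() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1; }

# check_tls_conf CONF FQDN: print every problem found; exit status 1 if any.
check_tls_conf() {
  conf=$1; fqdn=$2; rc=0
  # A misspelt key is logged as "Unknown parameter" and TLS silently stays off.
  grep -Eq '^[[:space:]]*tls enable[[:space:]]*=' "$conf" && { echo "use 'tls enabled', not 'tls enable'"; rc=1; }
  [ "$(conf_val 'tls enabled' "$conf")" = yes ] || { echo "tls enabled is not yes"; rc=1; }
  ca=$(conf_val 'tls cafile' "$conf"); cert=$(conf_val 'tls certfile' "$conf"); key=$(conf_val 'tls keyfile' "$conf")
  for f in "$ca" "$cert" "$key"; do [ -r "$f" ] || { echo "unreadable: '$f'"; rc=1; }; done
  # Samba refuses to start on a loosely permissioned key; the thread used 600.
  [ -r "$key" ] && [ "$(stat -c %a "$key")" = 600 ] || { echo "key file mode is not 600"; rc=1; }
  # The client validates the chain, so the cert must be issued by the CA in tls cafile.
  [ -r "$ca" ] && [ -r "$cert" ] && openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certfile does not verify against cafile (self-signed?)"; rc=1; }
  # The client compares the CN (newer clients also the SAN) with the DC hostname.
  [ -r "$cert" ] && openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | grep -Eq "CN=$fqdn"'(,|$)' \
    || { echo "certificate CN is not $fqdn"; rc=1; }
  return $rc
}
check_tls_conf "$WORK/good.conf" "$DC_FQDN" && echo "good.conf: ready for a Samba restart"
check_tls_conf "$WORK/bad.conf" "$DC_FQDN" || echo "bad.conf: fix the above before restarting Samba"
```

Point the same check at the real smb.conf and DC FQDN before restarting the service; a reload, as the thread notes, is not enough for the TLS parameters to take effect.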