Can't join to Samba AD DC

[Noxuser]

I used the cert that was created on my domain controller, and copied that over to the freenas.

Just the CA or both CA and certificate?

 

[Icarus_XI]

Just the CA or both CA and certificate?

I did both the CA and Cert.

 

[Daniel Alves BH]

Just to complement the previous post, this is the FreeNAS log when I start the directory service in FreeNAS:

[root@hjxxiii-app] ~# tail -f /var/log/messages
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 15:42:20 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 13 15:42:21 hjxxiii-app notifier: Performing sanity check on Samba configuration: OK
Dec 13 15:42:21 hjxxiii-app notifier: Starting nmbd.
Dec 13 15:42:21 hjxxiii-app notifier: Starting smbd.
Dec 13 15:42:21 hjxxiii-app notifier: Starting winbindd.
Dec 13 15:42:21 hjxxiii-app DomainController: /usr/sbin/service ix-resolv quietstop
Dec 13 16:56:36 hjxxiii-app DomainController: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
Dec 13 16:56:38 hjxxiii-app notifier: Stopping winbindd.
Dec 13 16:56:38 hjxxiii-app notifier: Waiting for PIDS: 20215.
Dec 13 16:56:38 hjxxiii-app notifier: Stopping smbd.
Dec 13 16:56:38 hjxxiii-app notifier: Waiting for PIDS: 20210.
Dec 13 16:56:38 hjxxiii-app notifier: Stopping nmbd.
Dec 13 16:56:39 hjxxiii-app notifier: Waiting for PIDS: 20206, 20206.
Dec 13 16:56:40 hjxxiii-app DomainController: /usr/sbin/service ix-kerberos quietstart
Dec 13 16:56:41 hjxxiii-app DomainController: /usr/sbin/service ix-resolv quietstart
Dec 13 16:56:42 hjxxiii-app DomainController: /usr/sbin/service ix-nsswitch quietstart
Dec 13 16:56:43 hjxxiii-app DomainController: /usr/sbin/service ix-pam quietstart
Dec 13 16:56:43 hjxxiii-app DomainController: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /sbin/sysctl -n 'kern.maxfilesperproc'
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: mount
Dec 13 16:56:47 hjxxiii-app generate_smb4_conf.py: [common.pipesubr:66] Popen()ing: /usr/local/bin/net -d 0 getlocalsid
Dec 13 16:56:48 hjxxiii-app notifier: Performing sanity check on Samba configuration: OK
Dec 13 16:56:48 hjxxiii-app notifier: Starting samba.

 

[Daniel Alves BH]

I was able to resolve by removing strong samba4 authentication, putting the global parameters below in smb.conf, then restarting samba4 only.

ldap server require strong auth = no
tls verify peer = no_check

 

[joesnow1234]

Sorry to trouble you all, I met the same probelm https://forums.freenas.org/index.php?threads/freenas-failed-to-integrate-with-samba-dcs.56832/
Can someone offer me a hint? Thanks.

 

[joesnow1234]

The stupid thing is that I only add certs/CA on the first DCs, but juding from log, FreeNAS tried to connect the 2nd one. Which caused the weird problem.

 

[joesnow1234]

Create a CA and import to FreeNAS also works.
Then you need to sign a cert/key by this CA and configure on smb.conf.

 

[Daniel Alves BH]

Create a CA and import to FreeNAS also works.
Then you need to sign a cert/key by this CA and configure on smb.conf.

I was able to resolve by removing strong samba4 authentication, putting the global parameters below in smb.conf, then restartingsamba4 only.


ldap server require strong auth = no tls verify peer = no_check

I needed to disable TLS authentication, because other servers such as the inventory OCS Inventory, which does not have TLS authentication (does not generate certificates) would not authenticate in my DC.

 

[joesnow1234]

I am out of curious why my FreeNAS does not show Domain name when I am running

Code:

root@freenas:~ # wbinfo -u
administrator
dns-bdc
dns-pdc
dns-hk
krbtgt
guest
xiaofu
root@freenas:~ # wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
root@freenas:~ # wbinfo -t
checking the trust secret for domain AD via RPC calls succeeded

 

[joesnow1234]

reset FreeNAS config, right now it seems fine of wbinfo -u