Connecting to AD server on a different VLAN


dkusek (Explorer, joined Mar 16, 2016, 78 messages)
All hardware exceeds all minimum requirements.
FreeNAS 9.10 (newest, stable version)

Just trying to check my thinking on parameters and get a high level view of what is going on.

We have an AD server that is on VLAN A and a FreeNAS we are trying to connect to on VLAN B. There is a complex firewall in place to prohibit traffic between the two VLANs, but we have put an exemption in the service to allow the FreeNAS's specific MAC address to go through. To our eyes, it is completely open. Shares can be accessed on VLAN B and by admins with similar MAC address exemptions who are on a different VLAN. We can ping the AD server from the Callisto, and the "dig" command gives us the PTR record we are looking for. The AD server has had the object and DNS A record created. To put it plainly, we have spent over 24 hours over about 2 weeks dealing with this particular issue. We have done fresh installs, factory restores, and saved boot configs along the way to make sure we could go back, so no stale information is being saved.

The issue for this particular installation, as we have successfully bound AD to FreeNAS on many different occasions, is that we continually get "Cant contact LDAP server" and "Invalid credentials, 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580" as alternating errors.

We also tried a TCP packet dump to see exactly what was going on with the handshake. The FreeNAS is able to contact the AD server successfully but then immediately unbinds. We have not been able to research this as we have not seen this problem elsewhere in forums or AD server forums in general.

We have checked and researched both and have added fresh DNS records and objects to the AD with simple passwords and usernames to verify we are using correct credentials. Again, we have done this many times. The only key difference we see is the separation of the FreeNAS and the AD server. There is a strict security requirement that does not allow us to put the FreeNAS and the AD server on the same VLAN, or else we would try that.

One thing we were thinking about was changing the security setting to allow for the specific IP address, as it is static, rather than the MAC address....

All in all, any informed responses or constructive advice on this situation would be appreciated. It is a difficult situation because of the multiple layers we are dealing with. For that, I understand if feedback is limited. More or less I would just like to know if AD or FreeNAS or both support binding while on separate VLANs...

Thank you.
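The post above has already confirmed ping and a PTR lookup; a domain join also needs Kerberos, LDAP, SMB and RPC to pass the inter-VLAN firewall, and an exemption that misses any one of them can show up as "Can't contact LDAP server" on one attempt and a credential error on the next. The following script is an added example, not code from this thread or from FreeNAS: it discovers a DC from the same SRV record the join uses, connect-tests each TCP port the join needs from the FreeNAS shell, and separates the two error messages by whether a DC actually answered the bind (an AD sub-code such as "data 52e") or nothing answered at all. It assumes dig and nc are available (both ship with FreeNAS 9.10) and takes a placeholder realm and optional DC hostname on the command line.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: a pre-join
# reachability check run from the FreeNAS shell against an AD domain
# controller on another VLAN. Assumptions: dig and nc are installed (both
# ship with FreeNAS 9.10); the realm and DC are placeholders supplied on
# the command line. Usage: sh ad-path-check.sh EXAMPLE.LOCAL [dc-hostname]

# Ports a Samba AD join uses on the DC (DNS, Kerberos, NTP, RPC, LDAP, SMB,
# kpasswd, LDAPS, global catalog). A firewall exemption that covers the
# appliance but misses one of these is enough to break the join.
ad_ports() {
    printf '%s\n' "53/tcp dns" "53/udp dns" "88/tcp kerberos" "88/udp kerberos" \
        "123/udp ntp" "135/tcp rpc-epmap" "389/tcp ldap" "389/udp cldap" \
        "445/tcp smb" "464/tcp kpasswd" "636/tcp ldaps" "3268/tcp gc"
}

# Discover DC hostnames from the SRV record the join itself relies on;
# an empty result means the DNS path to AD is blocked or misconfigured.
discover_dcs() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# TCP connect test; nc -z exits 0 when the port answers within 3 seconds.
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Pull the AD sub-code ("data 52e") out of a bind error and explain it.
# Any sub-code means a DC was reached and answered the bind; no sub-code
# ("Can't contact LDAP server") means no DC answered at all.
ldap_bind_subcode() {
    code=$(printf '%s' "$1" | sed -n 's/.*data \([0-9a-fA-F]*\).*/\1/p')
    case "$code" in
        52e) echo "52e: invalid credentials (DC reached; user/password rejected)" ;;
        525) echo "525: user not found" ;;
        530) echo "530: logon not permitted at this time" ;;
        531) echo "531: logon not permitted from this workstation" ;;
        532) echo "532: password expired" ;;
        533) echo "533: account disabled" ;;
        701) echo "701: account expired" ;;
        773) echo "773: user must reset password" ;;
        775) echo "775: account locked out" ;;
        "")  echo "no AD sub-code: the bind never reached a DC" ;;
        *)   echo "$code: unrecognised sub-code" ;;
    esac
}

main() {
    realm=$1
    dc=$2
    if [ -z "$dc" ]; then
        dc=$(discover_dcs "$realm" | head -n 1)
        if [ -z "$dc" ]; then
            echo "no _ldap._tcp.dc._msdcs SRV record for $realm: DNS to AD is blocked or wrong"
            return 1
        fi
    fi
    echo "checking DC $dc for realm $realm"
    fail=0
    # Entries become "53/tcp:dns" so the for loop splits only on newlines.
    for entry in $(ad_ports | tr ' ' ':'); do
        port=${entry%%/*}
        rest=${entry#*/}
        proto=${rest%%:*}
        name=${rest#*:}
        if [ "$proto" = udp ]; then
            echo "  $port/udp $name: not probed (UDP needs a capture, not a connect)"
        elif probe_tcp "$dc" "$port"; then
            echo "  $port/tcp $name: open"
        else
            echo "  $port/tcp $name: BLOCKED"
            fail=1
        fi
    done
    return "$fail"
}

# Only run the checks when a realm is given; sourcing the file just
# defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it from the FreeNAS shell before attempting the join; a BLOCKED line names the port the firewall exemption still has to cover, and the UDP ports (DNS, Kerberos, NTP, CLDAP) need a packet capture on the firewall rather than a connect test. Feeding the two messages from the post to ldap_bind_subcode shows why they alternate: the 52e message proves a DC answered on that attempt, the other proves nothing answered, which points at the path between the VLANs rather than at the credentials.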
 

dkusek (Explorer, joined Mar 16, 2016, 78 messages)
At this time, we are awaiting further diagnostic information from the client we are assisting. We are trying to eliminate the VLAN variable by putting the FreeNAS on the same VLAN as the AD server. That being said, we have duplicated the VLAN issue by doing so in test (putting the FreeNAS on a different VLAN than the AD server was successful). We have most likely, therefore, narrowed the culprit down to a setting in the user's firewall and not the FreeNAS appliance or AD server.

FreeNAS is able to operate with AD on a separate VLAN, as we have proven, so this can be marked as resolved. I will update further if we get specific data as to what the key issue was in the user's setup.

Thank you for checking in!
 

tvsjr (Guru, joined Aug 29, 2015, 959 messages)
Probably not much help, but I have this setup at home... FreeNAS lives in a separate VLAN from my AD DCs. With proper firewall rules, it joins the domain just fine. I do have occasional issues... the DCs are virtualized, with their storage on FreeNAS, so FreeNAS will hang at boot for a bit trying to find the DCs that aren't yet started (chicken and egg). But, once up and running, everything is good. I didn't have to do anything special.

It sounds like you're in a pretty secure environment... have the DCs been hardened, perhaps to the DISA STIGs? Some of those settings can present challenges when joining to domains - especially non-Windows systems.

The various logs in /var/log/samba4 might be illuminating.
 