Do I have to join FreeNAS to AD to authenticate a share against AD?

Status
Not open for further replies.

kwelch007

Cadet
Joined
Nov 10, 2017
Messages
6
Hi All! This is my first post, and I'm brand-new to FreeNAS, so please do not hesitate to correct me wherever I'm wrong. I'm guessing I'm missing something obvious.

So, I have a running FreeNAS-11.0-U4 server running just fine on its own. The goal of this server is to be a target for Veeam and Shadow Copy backups. I wish to restrict access to the NAS to only a select few servers (I understand that part), but also to only a few select AD users which would only be a Service Account for Veeam and perhaps a Server Admins user accounts. I have a functioning SMB share configured, but it requires "local to the NAS" authentication. I would rather authenticate against my Active Directory.

I understand that this server could technically be joined to my Active Directory Domain, but I'd rather avoid that if possible. Rather, I'd rather it just authenticate against my AD to restrict/allow access. I'm able to do this with the likes of WordPress or other web-type apps/devices, but I'm having trouble making it work for FreeNAS.

I have entered the Active Directory information required as best I know how (I thought it would just work), but it doesn't cache the Users/Groups as I expected. Further, when I go to the FreeNAS shell and run "wbinfo -t" I get:

-----------------------
root@ilch-freenas:~ # wbinfo -t
checking the trust secret for domain WORKGROUP via RPC calls failed
wbcCheckTrustCredentials(WORKGROUP): error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
-----------------------

Why is it checking the NETBIOS Workgroup? As best I can tell, that setting is configured by going to Services -> SMB and changing the Workgroup option (I have tried changing the Workgroup option to the name of my Domain, to no avail.)

Based on what the error is telling me, I'm not surprised that it's failing, but does this mean that I must join the server to the AD Domain? Surely not, or at least I hope.

Worst case, I can make using Authentication internally to the FreeNAS work, but it would be nicer if I could make the server authenticate against my AD without actually joining the server...don't ask why :)

I spent the better part of this afternoon Googling and doing trial and error to solve this, and can't wait until someone points me to the simple solution that I obviously missed :)

Thanks in advance for any advice!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You have to join it to the domain in order to authenticate against AD. What is the issue with joining to the domain?
 

kwelch007

Cadet
Joined
Nov 10, 2017
Messages
6
Hmm. OK. What about LDAP? If I can do similar with LDAP against an AD, that's fine (this is all in a segmented environment.) I would expect that solution to be similar to authentication against RADIUS or the sort. That said, I tried to back out of AD Integration in FreeNAS in order to try LDAP, and it didn't seem to want to let me "undo" my attempt at AD Integration.
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
You can just untick the enable option in the join AD properties.

If you just want only a few users to authenticate on FN just recreate them on FN with the same password as on the AD and you're done.
