SOLVED FreeNAS 11.0U4 won't join Samba AD server. Self-signed cert confusion.

Status
Not open for further replies.

ChinookTx (Dabbler; Joined Feb 11, 2016; Messages: 29)
Good day all:

I’ve been fighting with trying to join my FreeNAS (11.0U4) server to a Samba AD Server running on Ubuntu 16.04. There are a few posts about this, and I’ve taken most of my hints from these posts, but bottom line: The AD will allow Windows/Mac machines to join no problem, but FreeNAS will not connect.

Fresh install of both FreeNAS and Ubuntu 16.04 in a VM. Configured AD on Ubuntu.

By default, just trying to join FreeNAS without mods, the AD join fails with:
Code:
{'info': 'BindSimple: Transport encryption required.', 'desc': 'Strong(er) authentication required'}.

So what I did was generate a CA on the FreeNAS box, and generate a cert signed with that CA. Exported the CA cert, signed cert and key and copied over to my AD server. In its smb.conf, I’ve added:
Code:
tls enabled = yes
# This is the certificate signed by the CA, exported from FreeNAS.
tls certfile = /path/to/the/cert/cert.crt
# This is the key for the above cert, exported from FreeNAS.
tls keyfile = /path/to/the/cert/cert.key
# This is the CA certificate, generated on the CA tab in FreeNAS.
# (smb.conf only treats a line that starts with # or ; as a comment, so the
# comments sit on their own lines rather than after the path.)
tls cafile = /path/to/the/ca/ca.crt

In FreeNAS, I changed the following in Advanced on the Directory connection window:
Code:
Encryption mode: TLS
Certificate: My cert I generated in FreeNAS
SASL Wrapping: sign

Restart the service, and try to join FreeNAS. Now I get:
Code:
Connect error, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate)

I’m not sure what I’m doing wrong… or if I’m doing anything right! Especially with regards to the certificates.

Somehow I think I should have something generated on the AD side and imported on FreeNAS, and not the other way around??
 

ChinookTx (Dabbler; Joined Feb 11, 2016; Messages: 29)
Answering my own question. I created a CA and certs on my AD Server instead, and imported the CA in FreeNAS. Then used that imported CA to connect to the server and everything is working.
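As an added example (not code from this thread), here is the direction of trust the second post arrives at, done with openssl on the AD server: the CA and the domain controller's certificate are created there, the chain is checked offline the way the LDAP client will check it, and only ca.crt needs to travel to FreeNAS. The hostname, working directory and smb.conf paths are constructed placeholders.

```bash
#!/bin/sh
# Added example, not from the original thread. Creates the CA and the DC's
# TLS certificate on the AD server side and verifies the chain before the
# CA certificate is imported on the FreeNAS side.
set -eu

WORK="${1:-$(mktemp -d)}"      # scratch directory (assumption)
DC_FQDN="dc1.example.lan"       # the DC hostname clients connect to (placeholder)

# 1. CA key and self-signed CA certificate. ca.crt is the only file the
#    LDAP client (FreeNAS) needs, imported as a trusted CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Samba AD Lab CA" >/dev/null 2>&1
}

# 2. DC key and CSR, signed by the CA. The SAN must match the name the
#    client connects to, otherwise verification fails for a different reason.
make_dc_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/dc.key" -out "$WORK/dc.csr" \
        -subj "/CN=$DC_FQDN" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$DC_FQDN" \
        > "$WORK/dc.ext"
    openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -extfile "$WORK/dc.ext" \
        -out "$WORK/dc.crt" >/dev/null 2>&1
}

# 3. An unrelated CA, standing in for a CA that did not sign the DC cert
#    (the situation behind "certificate verify failed" in the first post).
make_unrelated_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" \
        -subj "/CN=Unrelated CA" >/dev/null 2>&1
}

# 4. What the client does during the TLS handshake: does $2 chain to $1?
#    Returns 0 on success, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 5. The matching [global] lines for smb.conf on the DC (paths are placeholders).
smb_tls_lines() {
    printf 'tls enabled = yes\ntls keyfile = %s\ntls certfile = %s\ntls cafile = %s\n' \
        /etc/samba/tls/dc.key /etc/samba/tls/dc.crt /etc/samba/tls/ca.crt
}
```

After the files are in place and smb.conf reloaded, importing ca.crt as a CA in FreeNAS and selecting it for the directory connection is all the client side needs; the client certificate generated in FreeNAS plays no part in verifying the server.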
 