FreeNAS 11 + samba4 AD DC - Can't contact LDAP server


vainkop

Cadet
Joined
Jun 6, 2017
Messages
3
I have a fresh
Code:
FreeNAS-11-MASTER-201706020409 (373d389)
installation + AD DC is on CentOS 6 + samba4 & authenticates Windows 7-10 machines ok. The AD schema is very simple, all users are in one default ou=Users. I'm trying to configure FreeNAS through the web interface.

I've created an smb share & it is accessible on the network, but I have to set 'allow guests' in FreeNAS to access it as AD authentication doesn't work yet.

Also, on the Services -> SMB I've changed 'WORKGROUP' to 'XYZ' (domain name in CAPS without '.com').
Code:
Auxiliary parameters:
workgroup = XYZ
realm=xyz.com


FreeNAS network config:
Code:
Hostname: fs
Domain: xyz.com
IPv4 Default Gateway: 192.168.199.8 //router
IPv6 Default Gateway:	 //empty
Nameserver 1: 192.168.199.6 //dc
Nameserver 2: 192.168.199.8 //router
Nameserver 3: 8.8.8.8


On AD DC I've created a user: 'freenas01' & added him to 'Domain Admins' group.

Created machine 'fs' & gave 'full control' security permissions to 'freenas01' user on it.


Trying to setup an Active Directory authentication for an smb share.

In Directory->Directory Service->Active Directory
Code:
Domain Name (DNS/Realm-Name): xyz.com
Domain Account Name: freenas01
Domain Account Password: xyz12345
Enable: checked


When I click save I get: '{'desc': "Can't contact LDAP server"}' error.

Trying to figure out how to correctly fill in the following fields in Advanced:
Code:
User Base: cn=Users,dc=xyz,dc=com
Group Base:	 //empty
Site Name:  Default-First-Site-Name
Domain Controller:  192.168.199.6
Global Catalog Server:  192.168.199.6:389	 //without 389 port I get additional error: 'Invalid Host/Port: [Errno 61] Connection refused'
Kerberos Realm:	//tried empty & tried creating one on a kerberos realms tab(see below) & then setting it here, no luck.
AD timeout:  60
DNS timeout: 60
Kerberos Principal:	//empty
Idmap backend: rid
Winbind NSS Info: rfc2307
SASL wrapping: plain
Enable: checked
NetBIOS name: fs
NetBIOS alias:	//empty


Kerberos realms tab:
Code:
Realm:  xyz.com
KDC: 192.168.199.6:88
Admin Server: 192.168.199.6
Password Server: 192.168.199.6:464

When I click save it doesn't say anything about ports, but I'm not sure about Admin Server not having port or others having them :(

I also tried configuring LDAP on the LDAP tab, but I get 'Notice: samba extensions not detected. CIFS authentication to LDAP disabled' error.
Code:
Hostname:  192.168.199.6
Base DN:  dc=xyz,dc=com
Bind DN:  cn=freenas01,cn=users,dc=xyz,dc=com
Bind password: xyz12345
Enable: checked


I have no encryption enabled, no LDAPS & etc.

Please help.

Docs used:
https://doc.freenas.org/11/directoryservice.html
https://www.mai-hawaii.com/FreeNAS-AD/FreeNAS_9.3.x_setup#Setting_up_Active_Directory_.26_CIFS
https://wiki.samba.org/index.php/Id...07_and_template_winbind_NSS_info_Mode_Options

vainkop

Cadet
Joined
Jun 6, 2017
Messages
3
Do you have the same issue with 11.0-RELEASE?

Was there a major change?
I haven't tried 11-RELEASE, but it wasn't working on 9-RELEASE & FreeNAS-11-MASTER-201706020409 (373d389) nightly so I'm obviously missing something in configs.

Can you advise on what exactly?

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
11 saw a lot of AD changes up until release.

ian351c

Patron
Joined
Oct 20, 2011
Messages
219
Not sure if this is your exact issue, but I ran into this error when upgrading from 9.3 to something newer. FreeNAS 9.3 came with Samba 4.1 (IIRC) and in Samba 4.2 (again IIRC) they changed the default to require TLS for LDAP. I put ldap server require strong auth = no and tls enabled = no into the [global] section of smb4.conf on the AD server and the error went away.
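The two smb.conf lines in the reply above relax LDAP security on the DC itself (simple binds and unsigned SASL binds are then accepted without TLS). As an added example that is not part of this thread, here is a small checker that parses a Samba [global] section and flags those weak values, so the downgrade can be spotted before (or after) someone applies it; the sample smb.conf text is constructed, not taken from the thread. The defender-side alternative is to keep ldap server require strong auth = yes on the DC and set the FreeNAS client's SASL wrapping to sign or seal instead of plain.

```python
import re

# Constructed sample smb.conf (not from the thread): a Samba AD DC [global]
# section with the two relaxed settings from the reply above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = XYZ
    realm = XYZ.COM
    server role = active directory domain controller
    ldap server require strong auth = no
    tls enabled = no

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Parameters whose listed value weakens LDAP on a Samba AD DC.
# Keys are normalized (lowercase, no whitespace) because Samba itself
# matches parameter names case- and whitespace-insensitively.
WEAK_SETTINGS = {
    "ldapserverrequirestrongauth": ("ldap server require strong auth", "no",
                                    "simple/unsigned binds accepted without TLS"),
    "tlsenabled": ("tls enabled", "no", "LDAPS/StartTLS disabled on the DC"),
}

def _norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_key: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip().lower()
    return sections

def find_weak_ldap_settings(text):
    """Return [(parameter, value, reason)] for weak [global] values found."""
    glob = parse_smb_conf(text).get("global", {})
    return [(name, weak, reason)
            for key, (name, weak, reason) in WEAK_SETTINGS.items()
            if glob.get(key) == weak]

if __name__ == "__main__":
    for name, value, reason in find_weak_ldap_settings(SAMPLE_SMB_CONF):
        print(f"{name} = {value}: {reason}")
```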

EsJ

Cadet
Joined
Feb 1, 2017
Messages
2
Hi,

in FreeNAS 9.10.2 and Samba 4.3.11 AD DC on Ubuntu 16.04 this is working without disabling TLS in your smb.conf.