FreeNAS 9.1 - Windows 2008 R2 issues after enabling AD integration

Status
Not open for further replies.

drzoidberg33 (Cadet, joined Aug 15, 2013, 6 messages)
Hi All,

I have had a very rough week. Bought a new NAS box, installed FreeNAS 9.1 on it and all was well. Until that is I tried activating Directory Services on the FreeNAS box to connect to our local Windows Server box.

I followed this guide: http://doc.freenas.org/index.php/Directory_Services

After many attempts and setting changes to try to get it to work (kept on failing at "active directory: ad join domain: failed") I discovered that I could no longer log in to my Windows box due to some trust issues. At this time, not realising it was the FreeNAS box causing the issue, I Googled everything to try and sort out the issues with no success. I actually managed to basically destroy the box completely after many attempts to try and recover it.

So thinking the issue was related to something else (we had just had issues the previous day with low disk space and Exchange errors), I restored from a backup image of Windows Server and we were back up. Now still unaware that the FreeNAS integration to AD caused the previous issue (I mean really, how could it?) I tried again to get it working, this time fully managing to break the DNS server on the Windows box and thus subsequently everything reliant on this (including Exchange, again!).

Only after getting errors for the second time after attempting this did I realise it must have something to do with the FreeNAS install as I found a few similar reports on my Google searches on the DNS issue.

TL;DR version: I completely managed to destroy two Windows Server 2008 R2 AD installs while attempting to activate Directory Services on FreeNAS.

Does anyone have a better step-by-step guide on how to do this, as I really don't feel like going through it for a third time? Also, there should be some kind of warning on the guide page I used mentioning that "incorrect" setups could cause issues with your Active Directory.

If I cannot get this working, is there another similar opensource NAS solution with AD integration?

Thanks in advance.
 

drzoidberg33 (Cadet, joined Aug 15, 2013, 6 messages)
Think I found the issue, wish I had read this thread before installing: http://forums.freenas.org/threads/before-you-setup-ad-authentication-please-read.2447/

Still no clear resolution here though once you're actually in this situation.

I don't see how this doesn't affect more people though, that NETBIOS name entry has no indication that it should be for the local box and not the domain controller. Kind of a massive oversight considering the consequences.
 

flyshoo (Cadet, joined Apr 3, 2013, 9 messages)
I'm having the same issue. I recently upgraded from 8.3.1 to 9.1.0(GUI update). I followed the steps and still can't resolve the issue. I have 2 DCs running Windows Server R2 with no errors in the event log. My DCs are fine I can join hosts to the domain and exchange works. The post has a jpg of the AD setup but my installation doesn't have a text field for Domain Controller Name. The other interesting thing I have noticed is the CIFS starts after attempting to bind. I'm going to give up and wait for more information. I think some posters are guessing but we need a developer to post a solution.
 

flyshoo (Cadet, joined Apr 3, 2013, 9 messages)
Whoops, my time was off by more than 5 minutes. Kerberos is time sensitive, my bad.
Good luck.
 

drzoidberg33 (Cadet, joined Aug 15, 2013, 6 messages)
Whoops, my time was off by more than 5 minutes. Kerberos is time sensitive, my bad.
Good luck.


Thanks. The time thing is one of the first things I checked - set ntp to use the same sources before even starting.

I did come right eventually though: restored Windows from backup again and then put the correct value in the field of death. AD integration is now working. Permission settings are also very non-intuitive, and there are not many official sources with guides on what is actually the proper way of doing it. I did come right and permissions work fine for our Windows users. Now I'm just trying to figure out how to get the recycle bin to work, but not a huge issue right now.

I hope somebody reads this thread before making the same "mistake" I did :D
 

paleoN (Wizard, joined Apr 22, 2012, 1,403 messages)
I don't see how this doesn't affect more people though, that NETBIOS name entry has no indication that it should be for the local box and not the domain controller.
:confused: Table 8.4a, NetBIOS Name | string | hostname of FreeNAS® system

Also, there should be some kind of warning on the guide page I used mentioning that "incorrect" setups could cause issues with your Active Directory.
Agreed. This should be mentioned explicitly.
 

woodelf (Cadet, joined Dec 13, 2013, 1 message)
Oh how I wish I'd Googled FreeNAS domain issues before setting up a quick test one evening. I'd tried to use AD authorisation but when it didn't work I shut down the FreeNAS (9.1.1) box.
However, the following morning no one could sign-in because of trust issues with our DC.

We're only a small 20-user office with one virtualised Win.2008r2 DC and a Buffalo TeraStation NAS. We disabled AD integration, and as the SQL services on the DC were still running we were fortunately able to get by.

It took 3 days before I realised what I'd done.:eek:
 

mauirixxx (Explorer, joined Oct 2, 2013, 60 messages)
Active Directory Integration

FreeNAS can serve up files via the CIFS protocol, primarily used by Windows-based operating systems. The following is a step-by-step guide for integrating FreeNAS v9.1.1 with our Windows Server 2008 R2 domain, assuming you have FreeNAS already up and running and your pools are made:
  • Click on Settings -> Directory Service -> Active Directory. Click save.
  • Click on Services -> Directory Services -> Active Directory.
    • Domain name (DNS/Realm-Name): ohanalan.net
    • NetBIOS Name: files
    • Workgroup Name: OHANALAN
    • Administrator Name: freenas
    • Administrator Password: YEAHRIGHT (do NOT use a password that contains a % symbol)
    • Confirm Administrator Password: YEAHRIGHT
      • Advanced Mode
      • Only Use default domain should be checked, leave everything else blank or automatically filled in
  • Click on Services -> CIFS
    • Authentication Model: Local User
    • NetBIOS name: files
    • Workgroup: OHANALAN
    • Description: Media Server
    • DOS Charset: CP437
    • Unix Charset: UTF-8
    • Log level: Minimum
    • Local Master: Unchecked
    • Time Server for Domain: Unchecked
    • Guest account: nobody
    • File mask: blank
    • Directory mask: blank
    • EA Support: Checked
    • Support DOS File Attribute: Checked
    • Allow Empty Password: Unchecked
    • Auxiliary parameters: Blank
    • Enable home directories: Unchecked
    • Enable home directories browsing: Unchecked
    • Home directories: blank
    • Homes auxiliary parameters: blank
    • Unix Extensions: Checked
    • Zeroconf share discovery: Checked
    • Hostname lookups: Checked
At this point you should be able to turn on CIFS & Directory Services. Now you need to share a directory for clients to use.
Creating a share

  • Click on Sharing -> Windows (CIFS) Shares -> Add Windows (CIFS) Shares
  • Name: Media
  • Comment: Videos, photos, installers
  • Path: /mnt/"pool name"
  • Browsable to network clients: Checked
  • Leave everything else blank/unchecked
    • Advanced Mode
    • Leave everything blank/unchecked
      • Click OK
This will enable the directory to be seen by Windows clients. Now to set the permissions so you can write/delete files/folders on the FreeNAS server.
Permissions

The following is how you're supposed to change the file & folder permissions via the WebGUI:
  • Click on Storage -> Volumes -> /mnt/"pool name" -> Change Permissions
    • Owner (user): administrator
    • Owner (group): domain admins
    • Mode: Uncheck Write -> Other, place a check in the rest.
    • Type of ACL: Windows
    • Set permission recursively
Due to a bug in the v9.1.1 webGUI, you instead have to type the following via the Shell:
  • /usr/local/www/freenasUI/tools/winacl.sh -o administrator -g "domain admins" -p /mnt/"pool name" -r
The webUI bug should be fixed in the next version, see HERE for that report.
-----------------------------------------------------------------------------------------------------------------------

The above is a copy and paste from my own internal wiki here at home, with my own notes added in. The official docs left a little to be desired - the % symbol in the password tripped me up for over a week, it worked GREAT via the shell, but via the webUI - no action. Once I figured THAT out, everything else came together, until the very end when I played hell with permissions. Thanks to this post I completed my foray into FreeNAS + Windows Server 2008 R2 domain integration.

Hope this helps someone. My documentation above is rather scattershot, as I documented AFTER the fact (stupid me), and I don't remember the order in which to perform certain actions, I might (most likely not) clean up my internal docs in the future.

If someone else wants to take my notes and organize it into a better looking how-to that would be awesome :)
 
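The thread shows three ways this join goes wrong: the NetBIOS Name field filled with the domain controller's name instead of the FreeNAS host's (Samba's `net ads join` sets the password of the computer account matching that name, so naming the DC resets the DC's own machine account and breaks the domain's trust relationship), a clock more than five minutes off the DC (Kerberos rejects the exchange), and a `%` in the administrator password that the 9.1.1 web UI mishandled. The pre-flight script below is an added example written for this page; it is not FreeNAS code and not from any poster. It validates those three inputs before you press Save. The DC names `DC01`/`DC02`, the epoch timestamps and the password are constructed sample values; on a real box you would take the local time from `date +%s` and the DC list from your own domain.

```shell
#!/bin/sh
# Added pre-flight checks for the FreeNAS 9.x "Directory Service -> Active
# Directory" form. Not FreeNAS code; the DC names, clock values and password
# used at the bottom are constructed for illustration. Intended to be run from
# the FreeNAS shell before saving the AD settings.

# check_netbios_name NAME DC1 [DC2 ...]
# The NetBIOS Name field must be this FreeNAS box's own hostname (Table 8.4a
# in the 9.1 docs). "net ads join" creates or updates the computer account
# matching that name, so entering a DC's name resets the DC's own machine
# account password and breaks the domain trust. NetBIOS names are at most 15
# characters and case-insensitive, so compare in upper case.
check_netbios_name() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    shift
    [ -n "$name" ] && [ ${#name} -le 15 ] || return 1
    for dc in "$@"; do
        if [ "$name" = "$(printf '%s' "$dc" | tr '[:lower:]' '[:upper:]')" ]; then
            return 1
        fi
    done
    return 0
}

# check_clock_skew LOCAL_EPOCH DC_EPOCH
# Kerberos refuses the exchange when the clocks differ by more than 300 s
# (the default maximum skew), which is the 5-minute problem noted above.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# check_password PASSWORD
# The 9.1.1 web UI choked on a '%' in the administrator password (the same
# join worked from the shell), so refuse an empty password or one with '%'.
check_password() {
    case "$1" in
        "")  return 1 ;;
        *%*) return 1 ;;
    esac
    return 0
}

# preflight NETBIOS_NAME PASSWORD LOCAL_EPOCH DC_EPOCH DC1 [DC2 ...]
# Runs all three checks, prints one line per check, returns 1 if any failed.
preflight() {
    nb=$1; pw=$2; local_t=$3; dc_t=$4
    shift 4
    rc=0
    if check_netbios_name "$nb" "$@"; then
        echo "ok   NetBIOS name '$nb' is not a domain controller"
    else
        echo "FAIL NetBIOS name '$nb' matches a DC or is invalid; use this box's hostname"
        rc=1
    fi
    if check_clock_skew "$local_t" "$dc_t"; then
        echo "ok   clock skew within Kerberos tolerance"
    else
        echo "FAIL clock skew over 300 s; point ntpd at the DCs first"
        rc=1
    fi
    if check_password "$pw"; then
        echo "ok   password has no '%'"
    else
        echo "FAIL password empty or contains '%'; change it or join from the shell"
        rc=1
    fi
    return $rc
}

# Constructed demo values (hypothetical DC names). On a real system take
# LOCAL_EPOCH from `date +%s` and DC_EPOCH from the DC's clock, e.g. via
# `ntpdate -q dc01.example.net`.
DCS="DC01 DC02"
preflight files 'YEAHRIGHT' 1376500000 1376500042 $DCS
echo "--- the combination of mistakes this thread describes:"
if ! preflight DC01 'YEAH%RIGHT' 1376500000 1376500400 $DCS; then
    echo "do not save the AD settings until every line above reads ok"
fi
```

Run it with the values you intend to type into the form; the first run above passes, the second reproduces the DC-named NetBIOS entry, a 400 s clock offset and a `%` password and fails all three checks. It only validates inputs; it does not touch the domain.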

mauirixxx (Explorer, joined Oct 2, 2013, 60 messages)
More stuff I should probably add:

Windows Server 2008 R2 can act as a time server (actually I think all versions of Windows Server can do this), so one of the first things I do is change the NTP settings and point them to both my DCs before I do anything with Active Directory.
 
dlavigne (Guest)
Regarding the % in the password, please create a report at bugs.freenas.org and post the issue number here.
 

TheSmoker (Patron, joined Sep 19, 2012, 225 messages)
Setting user/group through the GUI in 9.2.1.3 is still not fixed. Also, when doing:
/usr/local/www/freenasUI/tools/winacl.sh -o administrator -g "domain admins" -p /mnt/tank0/test1 -r
Gives me the following error:
chown: domain admins: illegal group name
But if I do: wbinfo -g
I get:
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins
So how do I fix this?
 