FreeNAS connection to Windows Server 2012R2 Active Directory

Status
Not open for further replies.

JacobTennant

I am trying to set up 2 old servers to function with my Windows Server 2012R2 Active Directory.

I have followed the setup to the letter from this highly referenced "How-To"

http://forums.freenas.org/index.php...directory-folder-file-user-permissions.20610/

However when I reach the Dataset File/Folder Permissions sections I cannot get the Owner(user): or Owner(group): to accept the values that should be placed there as per the "How-To".

FreeNAS responds that the user/group is not valid.

When I look into the dropdowns for those areas, none of my users or groups from my AD are there?

I have tried multiple workarounds listed but none of them seem to fix this problem.
 

JacobTennant

UPDATE!!! After much frustration I have been able to decipher that my problem is that my FreeNAS servers are not joining the domain!

I have tried like the "How-To" showed to create the DNS entry and create the computer account in AD-Users & Computers manually.

I have also tried to join the domain thru the "net join" command and cannot get it to connect to the domain.

If I use the command " net ads join -U dc1.blahblahblah.edu -D domjoin" I get the following error...

Host not configured as a member server.
Invalid config. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

If I try "net rpc join -u domjoin" I get the following error...
Cannot join as a standalone server.

Any ideas???
 

mauirixxx

Time to verify stuff on the freenas box:

Time is synced to your AD DC?
DNS is pointed towards your AD DC?
Did you create a user specific to FreeNAS, or just use the Administrator account (not that it matters outside of potential security issues, just curious)?
What does "wbinfo -t" display - if successful, does "-g" or "-u" display any results?
Does ping dc1.blahblahblah.edu return an internal or external DNS result?
What does "host -t srv _ldap._tcp.blahblahblah.edu" return?

Time and DNS are the 2 biggest obstacles in getting FreeNAS to successfully connect to AD. In the past, special characters in the password have played hell with getting it to join, but I think that got fixed back in 9.1.1 or so, so that should be a non-issue. If you can, hop on IRC, there's plenty of people that can assist you in real-time.
 

JacobTennant

Time is being synced to AD
DNS is pointed to AD DC
Yes freenasadmin with Administrators privileges
wbinfo -u & -g returns nothing.

wbinfo -t returns,
checking the trust secret for domain PIERPONT.EDU via RPC calls failed
error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR

host -t srv _ldap._tcp.blahblahblah.edu returns,
host: invalid type: srv_ldap._tcp.pierpont.edu
 

mauirixxx

wbinfo -t returns,
checking the trust secret for domain PIERPONT.EDU via RPC calls failed
error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR

host -t srv _ldap._tcp.blahblahblah.edu returns,
host: invalid type: srv_ldap._tcp.pierpont.edu

See, this right here tells me it's a DNS issue, or you may have issues with your Active Directory (highly unlikely).

There's no firewall between your freenas box and your DC is there?
 

JacobTennant

I would check for answers to your reply but a thunderstorm knocked out the power to my office this evening around 6pm Eastern time and it has not been restored yet, 10pm Eastern time. . .

Maybe I am mistaken with FreeNAS server as I am wanting to create a storage server that I can have users home storage area created automatically by the AD server when I create a new user.

My system is for the small community college I work for as we are separating from our parent university where everyone has a "U" drive of network based storage. Since we are in the process of separation this system I am building is a proof of concept for the CIO and not a real production system. If it works it will be the basis for a full production system as the parent university is all Windows all the time and I don't have the budget for that.
 

mauirixxx

Maybe I am mistaken with FreeNAS server as I am wanting to create a storage server that I can have users home storage area created automatically by the AD server when I create a new user.

Once you get your Active Directory issues sorted, this is definitely something you can do - it's something a GPO can handle.

My system is for the small community college I work for as we are separating from our parent university where everyone has a "U" drive of network based storage.

Again, a GPO is your best friend for that, and FreeNAS will happily serve up all the storage it has :)
 

JacobTennant

Once I got everything up and running again this morning, all firewalls were turned OFF on the AD server so that was not my problem unless there is some firewall on the FreeNAS server itself. They are both in the same VLAN.
 

mauirixxx

Once I got everything up and running again this morning, all firewalls were turned OFF on the AD server so that was not my problem unless there is some firewall on the FreeNAS server itself. They are both in the same VLAN.

AFAIK, there's no firewall on FreeNAS.
 

JacobTennant

Well then I am at a loss of what could be blocking my FN from joining the domain?

I also tried the IRC chat and the mailing lists with no direction from them either...
 

cyberjock

JacobTennant, you may be better off contacting iXsystems and getting a quote for a TrueNAS server. Just offering an idea...
 

mauirixxx

host -t srv _ldap._tcp.blahblahblah.edu returns,
host: invalid type: srv_ldap._tcp.pierpont.edu

This tells me you may have typed it correctly here in the forum, but may have skipped a space bar tap when typing it in your FreeNAS console.

Code:
host -t srv _ldap._tcp.pierpont.edu


For example, from my home setup:

Code:
[root@files] ~# host -t srv _ldap._tcp.paytonohana.net
_ldap._tcp.paytonohana.net has SRV record 0 100 389 po-login.paytonohana.net.
[root@files] ~#


If your DNS is set up properly, you should see similar results. If not, you got DNS issues. For example:

Code:
[root@files] ~# host -t srv_ldap._tcp.paytonohana.net
host: invalid type: srv_ldap._tcp.paytonohana.net
[root@files] ~#


I failed to put a space between srv and the underscore, got the same result as you did above.
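
Added example, not part of the post above and not FreeNAS code: a small shell helper that interprets `host -t srv` output the way the thread does (records found, the missing-space error, or no record) and then reports whether each domain controller resolves to an internal (RFC 1918) address. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `host -t srv ...` output on stdin and print one verdict line.
classify_srv() {
    awk '
        /invalid type:/    { bad = 1 }
        / has SRV record / { t = $NF; sub(/\.$/, "", t)
                             dcs = dcs (n++ ? "," : "") t ":" $(NF-1) }
        END {
            if (bad)    print "SYNTAX: no space between \"srv\" and the record name"
            else if (n) print "OK " n " " dcs
            else        print "NO_SRV: no _ldap SRV record returned"
        }'
}

# True when the IPv4 address is in an RFC 1918 (internal) range.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the lookups for real. The type and the name are separate arguments,
# so the missing-space mistake cannot happen here.
srv_preflight() {
    verdict=$(host -t srv "_ldap._tcp.$1" 2>&1 | classify_srv)
    echo "$verdict"
    case "$verdict" in OK*) ;; *) return 1 ;; esac
    for dc in $(echo "$verdict" | awk '{ gsub(/:[0-9]+/, "", $3); gsub(/,/, " ", $3); print $3 }'); do
        for ip in $(host -t a "$dc" | awk '/ has address / { print $NF }'); do
            if is_private_ip "$ip"; then echo "$dc -> $ip (internal)"
            else echo "$dc -> $ip (external, check which DNS server answered)"; fi
        done
    done
}

# The two outputs shown in the post above, fed through the classifier.
echo '_ldap._tcp.paytonohana.net has SRV record 0 100 389 po-login.paytonohana.net.' | classify_srv
echo 'host: invalid type: srv_ldap._tcp.paytonohana.net' | classify_srv

# With a domain argument, query the configured resolver.
if [ $# -gt 0 ]; then srv_preflight "$1"; fi
```

Run it with the AD domain as the only argument on the FreeNAS console to perform the live lookups.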
 

optimus1337

I'm pretty much having the same issues. I had AD working on 9.2.1.3 then I upgraded to 9.2.1.5 and it broke. DNS checks out, I have created a user and computer in AD, time is correct between domain and freenas. When I run wbinfo -t I get

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret


I have spent hours reading forums but I can't find the solution, any help would be much appreciated.
 

MJTHOMAS00

Same problem here!

[root@APS-FNAS02 ~]# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret
[root@APS-FNAS02 ~]# host -t srv _ldap._tcp.apsllc.local
_ldap._tcp.apsllc.local has SRV record 0 100 389 aps-sdc3.apsllc.local.
_ldap._tcp.apsllc.local has SRV record 0 100 389 ld-apsdc.apsllc.local.
_ldap._tcp.apsllc.local has SRV record 0 100 389 aps-sdc1.apsllc.local.
[root@APS-FNAS02 ~]# wbinfo -g
failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE
Error looking up domain groups
[root@APS-FNAS02 ~]# wbinfo -u
Error looking up domain users
 

mauirixxx

While I'm no expert, I'm guessing this:

WBC_ERR_WINBIND_NOT_AVAILABLE

means the CIFS service isn't running. Again, just a guess. There's a bug that shows the CIFS service as running, even though it's not, and you can't turn it OFF. Easy to fix, could this apply to you?

Your DNS output looks good (though you may want to consider doing away with .local eventually).

Also, verify your time is in fact synchronized to your AD controller, like so:

Code:
service ntpd stop && ntpdate 10.10.10.3 && service ntpd start


Obviously replace 10.10.10.3 IP address with the IP of your AD server.

That's all I got. Good luck :)
 

jobsoftinc

FYI for anyone else reading this. I had a very similar behavior. And like the original poster, everything appeared to check out. I finally found the problem with my FreeNAS 9.3.1. It was the same issue reported here:

http://www.kombitz.com/2012/03/05/samba-net-ads-join-dns-update-failed-error-fixed/

In my /etc/hosts file, I had two entries for 127.0.0.1 (the FreeBSD default 'localhost localhost.my.domain' and the one FreeNAS install appended specific to my hostname and domain). I commented out the FreeBSD default entry, and everything started working. This was a fresh 9.3 install with updates up through 9.3.1 applied immediately thereafter.
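
Added example, not part of the post above and not FreeNAS code: a shell check for the condition described there, more than one active 127.0.0.1 line in a hosts file, plus a function that prints a copy with the stock 'localhost localhost.my.domain' loopback line commented out. The function names and the sample hostname nas01.example.test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Count active (uncommented) lines whose address field is 127.0.0.1.
count_loopback() {
    awk '{ sub(/#.*/, "") } $1 == "127.0.0.1" { n++ } END { print n + 0 }' "$1"
}

# Return 0 when at most one active 127.0.0.1 line exists, 1 otherwise.
check_hosts() {
    n=$(count_loopback "$1")
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $n active 127.0.0.1 lines in $1"
        awk '{ l = $0; sub(/#.*/, "") } $1 == "127.0.0.1" { print "  line " NR ": " l }' "$1"
        return 1
    fi
    echo "OK: $n active 127.0.0.1 line(s) in $1"
}

# Print a copy of the file with the stock FreeBSD loopback line commented out.
# Nothing is edited in place; review the output before replacing the file.
disable_default_loopback() {
    awk '$1 == "127.0.0.1" && /localhost\.my\.domain/ { print "#" $0; next } { print }' "$1"
}

# Constructed sample resembling the file described in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
::1        localhost localhost.my.domain
127.0.0.1  localhost localhost.my.domain
127.0.0.1  nas01.example.test nas01
EOF
check_hosts "$sample" || true
disable_default_loopback "$sample" > "$sample.fixed"
check_hosts "$sample.fixed"
rm -f "$sample" "$sample.fixed"
```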
 