FreeNAS8 and ActiveDirectory

Status
Not open for further replies.

glk70 (Cadet; joined Jul 12, 2011; 5 messages)

Hello folks,

I've recently set up a FreeNAS 8 server, and I have a FreeNAS 7 already running perfectly (almost ;) ).

I'm trying to create a CIFS (Samba) share in FreeNAS 8 and allow access ONLY to specified user groups from Active Directory (not local ones).
1) difference from FreeNAS 7: Active Directory authentication is not available
2) difference from FreeNAS 7: Active Directory users and groups are not "imported" into FreeNAS (i.e. into FreeBSD authentication)

my condition is
Code:
FREENAS 7 
nas01:~# net ads user
nas01:~#

nas01:~# net ads group
nas01:~#

nas01:~# wbinfo -u
administrator
guest
krbtgt
... omissis...


Code:
FREENAS 8

nas02# wbinfo -u
root  (only root) 

nas02# wbinfo -g
nas02#

nas02# net ads user
Administrator
Guest
krbtgt
...omissis...


As you can see, the two servers respond to the commands without error, yet the commands behave strangely on FreeNAS 8.
Actually the FN8 server can see ALL USERS and ALL GROUPS in Active Directory, but it is not importing the UIDs into its authentication system.

This prevents authenticating Active Directory users on CIFS/Samba shares, and also on AFP and NFS (which should use AD authentication if available, according to the documentation).

Any suggestions?
I've not mangled any configuration file on either FN server, just used the interface.
Both servers have EXACTLY the same configuration.
And this makes me believe something has changed in FN8....
 

glk70 (Cadet; joined Jul 12, 2011; 5 messages)

I do not really understand why you need the config, as I can access AD.
Anyway, here it is:

[screenshots: Active Directory settings (snapshot_nas02AD); CIFS settings (snapshot_nas02CIFS01, snapshot_nas02CIFS02), by glk70, on Flickr]

Before you say it: the ONLY options in the CIFS configuration are Anonymous and Local User. NO AD authentication available.

The local DNS has a record referring to the NAS server for both direct and reverse zone search.
 

glk70 (Cadet; joined Jul 12, 2011; 5 messages)

Ok, I think I got the problem.

I think that
Code:
Jul 15 17:59:28 nas02 freenas: Failed to join domain: failed to find DC for domain SDNET.LOCAL

is clear enough as an error.
Just two problems:
1) the domain name IS SDNET.LOCAL
2) THERE IS an active DC for SDNET.LOCAL, and I can query it by issuing the command
Code:

nas02# net ads info
LDAP server: aaa.bbb.ccc.ddd
LDAP server name: Srv01.sdnet.local
Realm: SDNET.LOCAL
Bind Path: dc=SDNET,dc=LOCAL
LDAP port: 389
Server time: Fri, 15 Jul 2011 18:02:23 CEST
KDC server: 192.168.51.11
Server time offset: 2
nas02#


Any hint on the reason I cannot join the domain?

Here is the complete log after a Samba restart:
Code:

Jul 15 17:59:15 nas02 freenas[1684]: Executing: /usr/sbin/service ix-kerberos quietstart
Jul 15 17:59:15 nas02 freenas[1684]: Executing: /usr/sbin/service ix-nsswitch quietstart
Jul 15 17:59:15 nas02 freenas: Generating host.conf.
Jul 15 17:59:15 nas02 freenas[1684]: Executing: /usr/sbin/service ix-pam quietstart
Jul 15 17:59:15 nas02 freenas[1684]: Executing: /usr/sbin/service ix-samba quietstart
Jul 15 17:59:15 nas02 freenas: tdbsam_open: Converting version 0.0 database to version 4.0.
Jul 15 17:59:15 nas02 freenas: tdbsam_convert_backup: updated /var/etc/private/passdb.tdb file.
Jul 15 17:59:15 nas02 freenas: Importing account for root...ok
Jul 15 17:59:17 nas02 freenas[1684]: Executing: /usr/sbin/service ix-kinit quietstart
Jul 15 17:59:27 nas02 freenas[1684]: Executing: /usr/sbin/service ix-activedirectory quietstart
Jul 15 17:59:28 nas02 freenas: Failed to join domain: failed to find DC for domain SDNET.LOCAL
Jul 15 17:59:40 nas02 freenas[1684]: Executing: /usr/sbin/service samba forcestop
Jul 15 17:59:40 nas02 freenas: Stopping winbindd.
Jul 15 17:59:40 nas02 freenas: Waiting for PIDS: 32700.
Jul 15 17:59:40 nas02 freenas: Stopping smbd.
Jul 15 17:59:46 nas02 freenas: Waiting for PIDS: 32696.
Jul 15 17:59:46 nas02 freenas: Stopping nmbd.
Jul 15 17:59:46 nas02 freenas: Waiting for PIDS: 32692.
Jul 15 17:59:46 nas02 freenas[1684]: Executing: /usr/bin/killall nmbd
Jul 15 17:59:46 nas02 freenas: No matching processes were found
Jul 15 17:59:46 nas02 freenas[1684]: Executing: /usr/bin/killall smbd
Jul 15 17:59:46 nas02 freenas: No matching processes were found
Jul 15 17:59:46 nas02 freenas[1684]: Executing: /usr/bin/killall winbindd
Jul 15 17:59:46 nas02 freenas: No matching processes were found
Jul 15 17:59:46 nas02 freenas[1684]: Executing: /usr/sbin/service samba quietstart
Jul 15 17:59:46 nas02 freenas: Removing stale Samba tdb files: ...... done
Jul 15 17:59:46 nas02 freenas: Starting nmbd.
Jul 15 17:59:46 nas02 freenas: Starting smbd.
Jul 15 17:59:46 nas02 freenas: Starting winbindd.
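The two symptoms in this thread so far (wbinfo -u on the FN8 box listing only root in the first post, and the join log above reporting no DC for SDNET.LOCAL while net ads info reaches one) can be triaged from the text alone. The script below is an added example, not code from the thread or from FreeNAS: it works on constructed copies of the log and of wbinfo output, and the SRV record names it prints (_ldap._tcp.dc._msdcs and _kerberos._tcp under the realm) are the standard Active Directory records a Samba client resolves to locate a domain controller. The join's DC lookup goes through those records, so checking them from the NAS's own resolver separates a DNS problem from a mistyped realm.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: triage two
# symptoms (wbinfo -u listing only root, and the "failed to find DC" line in
# the join log) from constructed text. Assumes POSIX sh with sed, awk and tr;
# nothing here talks to the network.

# Constructed log excerpt modelled on the one quoted in the post.
SAMPLE_LOG='Jul 15 17:59:27 nas02 freenas[1684]: Executing: /usr/sbin/service ix-activedirectory quietstart
Jul 15 17:59:28 nas02 freenas: Failed to join domain: failed to find DC for domain SDNET.LOCAL
Jul 15 17:59:40 nas02 freenas[1684]: Executing: /usr/sbin/service samba forcestop'

# Constructed "wbinfo -u" outputs: a healthy one and the only-root one.
WBINFO_OK='administrator
guest
krbtgt'
WBINFO_ONLY_ROOT='root'

# failed_dc_realm: read log text on stdin; print the realm named in the first
# "failed to find DC for domain" line, or nothing if there is none.
failed_dc_realm() {
    sed -n 's/.*failed to find DC for domain \([^ ]*\).*/\1/p' | head -n 1
}

# wbinfo_has_domain_users: read "wbinfo -u" output on stdin; succeed only if
# at least one listed account is something other than the local root user,
# i.e. winbind is actually enumerating the domain.
wbinfo_has_domain_users() {
    awk 'NF && $1 != "root" { n++ } END { exit n ? 0 : 1 }'
}

# realm_matches A B: case-insensitive comparison of two realm names, so the
# realm in the error can be checked against the Domain Name field in the GUI.
realm_matches() {
    [ "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" = "$(printf '%s' "$2" | tr 'a-z' 'A-Z')" ]
}

# dc_srv_names REALM: print the DNS SRV records a Samba client queries to
# locate a domain controller for REALM (standard AD names, lower-cased).
dc_srv_names() {
    r=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n' "$r" "$r"
}

# triage CONFIGURED_REALM: run the checks over the constructed samples and
# print what to look at next. On a real box, feed /var/log/messages and the
# live "wbinfo -u" output instead of the samples.
triage() {
    configured=$1
    if printf '%s\n' "$WBINFO_ONLY_ROOT" | wbinfo_has_domain_users; then
        echo "winbind enumerates domain users"
    else
        echo "wbinfo -u shows only root: winbind is not enumerating the domain"
    fi
    realm=$(printf '%s\n' "$SAMPLE_LOG" | failed_dc_realm)
    [ -n "$realm" ] || { echo "no DC-lookup failure in log"; return 0; }
    echo "join failed: no DC found for $realm"
    if realm_matches "$realm" "$configured"; then
        echo "realm matches the GUI setting; verify these SRV records resolve from the NAS:"
        dc_srv_names "$realm" | sed 's/^/  host -t SRV /'
    else
        echo "realm differs from the GUI setting ($configured); fix the Domain Name field first"
    fi
}

triage SDNET.LOCAL
```

On a real box, replace SAMPLE_LOG with the relevant lines from /var/log/messages and pipe the live wbinfo -u output into wbinfo_has_domain_users; the host -t SRV lines the script prints are the queries to run next from the NAS, using the resolver configured in its network settings.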
 

mr_mike_m (Dabbler; joined Jul 22, 2011; 16 messages)

My -Working- AD configuration

Having just spent 3 days configuring this for Active Directory, I'm going to add my steps for a successful install:
(some of these steps may be obvious or even unnecessary, but I reinstalled MANY times over those 3 days)
I am using the Beta 4 release of 8.0.1, and it is working perfectly with AD integration.

1. Decide on a name and IP address for your FreeNAS server. WRITE DOWN BOTH!!! - I used a static IP
2. Add the name / IP to your DNS server with an "A" record
3. Install FreeNAS, but do not connect to the network (yet)
4. Once installed, use the console screens to change the network settings with your static IP and DNS settings
5. Reboot and connect to the network
6. Log in to the web interface
7. Under NETWORK / GLOBAL CONFIGURATION, set the hostname (from step 1!) and domain. (NOTE: I didn't properly set the HOSTNAME early on (left as freenas), and I think this messed up AD usage.)
8. Click OK to save the config
9. Click SERVICES and the configuration "wrench" to edit the Active Directory settings:
   Domain Controller Name: hostname (or IP) of a domain controller (I didn't put the FQDN, just the host)
   Domain Name: yourdomain.com
   Host Name: use the SAME NAME as in step 1, in UPPER CASE. (Note: THIS REALLY screwed me up; after reading online, I mistakenly put the PDC's name here as it read "Windows Host Name" --- BAD MOVE!)
   WorkGroup Name: your "old style" domain name (I put mine in UPPER CASE)
   Admin Name: someadmin (I used a Domain Admin account)
   Admin Password: somepassword (Domain Admin account password)
10. Click OK
11. Click on the OFF/ON switch to activate Active Directory
12. Click on the CIFS configuration "wrench" to edit CIFS settings (if I didn't include a setting here, I left it at the default):
    Authentication Model: leave at LOCAL USER
    NetBIOS Name: the name of your server (from step 1, remember??) in UPPER CASE
    WorkGroup: your "old style" domain name (like in the AD config, I put mine in UPPER CASE)
    Description: whatever you want. I left mine as the default "FreeNAS Server" for now.
    Local Master: checked (may not be needed - will test)
    Time Server: checked (may not be needed - will test)
    Large RW support: checked
    Send files with sendfile(2): checked
    EA Support: checked
    Support DOS file attributes: checked
    Allow Empty Password: NOT checked
    Enable AIO: checked
13. Click OK
14. Click OFF/ON to activate CIFS
15. (optional - I edited SSH to allow "Login as ROOT" so I could use PuTTY to connect and get a command line)
16. At this point I rebooted FreeNAS
17. When it came back up, I used PuTTY and tested with the "wbinfo -u" and "wbinfo -g" command lines to see my Active Directory users and groups.

Part 2 - Configuring Shares

Your mileage may vary - I have a single hardware RAID5 volume on a Dell 2650 server with a PERC 3/Di controller.

1. I created a single volume with ZFS and took all the defaults. I named mine, shocker, "RAID5".
2. When it was done, I created a few ZFS datasets. You can set various options, such as compression, for each dataset.
3. Once you create a ZFS dataset, use "CHANGE PERMISSIONS", and the Active Directory users (and/or GROUPS) can be selected for your security. You can individually share them out as Windows/CIFS shares with separate permissions for each. The AD security CANNOT be set from the CIFS / Windows shares as far as I can determine.
 

Wi1d (Cadet; joined Jul 23, 2011; 3 messages)

I'm having issues with this on FreeNAS 8 too. Like mr_mike_m, I'm pretty sure I got my settings filled out in the FreeNAS CIFS and AD forms; however, I can't get it to populate my users and I'm only seeing Local User or Anonymous, which really doesn't make much sense.

I finally got it to join the domain via the shell by running 'net ads join -U'. I also added my domain controller to the hosts file. 'net ads user' and 'net ads group' work now. After rebooting, 'wbinfo -u' and '-g' worked as well.

When I add the Windows share, AD users and groups are not listed. I'm guessing I need to do this manually in the Samba config.
 

Wi1d (Cadet; joined Jul 23, 2011; 3 messages)

I'm stuck. I still can't access shares on the FreeNAS box using AD. I've tried the 'Rebuild LDAP/AD Cache' button under Settings/Advanced. I've tried adding 'valid users' to 'Auxiliary Parameters' for my share. I can see the FreeNAS box in ADU&G and using nbtstat -a. Running 'net ads testjoin' comes back OK from the FreeNAS box. Running 'net ads user', 'net ads group', 'wbinfo -u', or 'wbinfo -g' all populate with data from AD on the FreeNAS box.

I tried changing permissions to AD users from the CLI and that fails as well:

freenas# mkdir /mnt/BACKUPS/test
freenas# chown media:"domain admins" /mnt/BACKUPS/test/
chown: domain admins: Invalid argument
freenas# chown media /mnt/BACKUPS/test/
chown: media: Invalid argument
freenas#
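In the chown output above, the tools that talk to winbind directly (wbinfo, net ads) succeed while chown by name does not. chown resolves a name through the C library's getpwnam/getgrnam, which only reach winbind if nsswitch.conf routes passwd and group lookups there, and the entry that comes back must carry a usable numeric uid/gid. The script below is an added example, not code from the thread or from FreeNAS; it runs both checks over constructed samples (the nsswitch.conf contents and the getent line are made up for the demonstration).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeNAS: two checks to run
# before chown'ing with Active Directory names. The first reads nsswitch.conf
# text and confirms passwd and group lookups are handed to winbind; the
# second takes a "getent passwd" line and confirms the name resolved to a
# usable numeric uid. Assumes POSIX sh with awk; the configuration text and
# the getent line are constructed samples.

# Constructed nsswitch.conf contents: one without winbind, one with it.
NSS_WITHOUT_WINBIND='group: compat
passwd: compat
hosts: files dns'
NSS_WITH_WINBIND='group: files winbind
passwd: files winbind
hosts: files dns'

# Constructed "getent passwd" line for a domain user, in the DOMAIN\user form
# winbind returns with the default separator.
SAMPLE_GETENT='SDNET\media:*:10001:10001:Media User:/home/SDNET/media:/bin/sh'

# nss_uses_winbind DB: read nsswitch.conf text on stdin; succeed only if the
# database DB (passwd or group) lists winbind as a source.
nss_uses_winbind() {
    awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# passwd_entry_uid: read one "getent passwd" line on stdin; print the uid
# field if it is a non-negative integer, otherwise print nothing. A name that
# resolves but has no sane uid (no idmap mapping) therefore prints nothing.
passwd_entry_uid() {
    awk -F: 'NF >= 3 && $3 ~ /^[0-9]+$/ { print $3 }'
}

# report: run both checks over the constructed samples. On a real box, feed
# /etc/nsswitch.conf and the output of: getent passwd 'DOMAIN\user'
report() {
    for db in passwd group; do
        if printf '%s\n' "$NSS_WITH_WINBIND" | nss_uses_winbind "$db"; then
            printf '%s: winbind present\n' "$db"
        else
            printf '%s: winbind missing, AD names will not resolve for chown or ls\n' "$db"
        fi
    done
    uid=$(printf '%s\n' "$SAMPLE_GETENT" | passwd_entry_uid)
    if [ -n "$uid" ]; then
        printf '%s resolves to uid %s; chown by that name can work\n' 'SDNET\media' "$uid"
    else
        printf '%s has no usable uid; check the idmap configuration in smb.conf\n' 'SDNET\media'
    fi
}

report
```

If the passwd and group lines lack winbind, chown by an AD name cannot succeed no matter what wbinfo reports; if they have it but getent returns nothing or a non-numeric id, the problem is on the winbind/idmap side rather than in the name service switch.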
 

mr_mike_m (Dabbler; joined Jul 22, 2011; 16 messages)

When I add the Windows share, AD users and groups are not listed. I'm guessing I need to do this manually in the Samba config.

As far as I know, YOU WILL NOT SEE AD users/groups on the Windows Shares. The AD users and groups will show up under the permissions of the ZFS storage volume (or dataset) you created. (My "RAID5" volume, for instance.)

I believe AD permissions will also show up on UFS storage volumes "permissions" button too, but I'm not at the office to test.

Again - The AD permissions don't show - or are not settable via the web interface for Windows Shares. They DO show up for Volume Permissions.

From what I've gathered from this forum and other locations, creating storage volumes under ZFS seems to be the preferred method because it allows creation of "sub volumes", which are ZFS datasets that can have their own Windows / AD permissions. Then you create a Windows Share to use that sub-volume.
 

mr_mike_m (Dabbler; joined Jul 22, 2011; 16 messages)

I believe AD permissions will also show up on UFS storage volumes' "permissions" button too, but I'm not at the office to test.

Just created a UFS-based storage volume on a spare disk outside my RAID5 container, and AD permissions can be applied.
 
dyzophoria (Guest)

Just created a UFS-based storage volume on a spare disk outside my RAID5 container, and AD permissions can be applied.

Are you using Windows 2003 or Windows 2008 R2 for authentication? I'm currently trying to set it up with 2008 and I just can't seem to make it work (it joins the domain, but AD users and groups don't show even under the ZFS dataset).
 

Wi1d (Cadet; joined Jul 23, 2011; 3 messages)

For what it is worth I finally gave up and loaded FreeBSD 8. AD works exactly as I expect and RAID-Z is awesome.
 

mr_mike_m (Dabbler; joined Jul 22, 2011; 16 messages)

Are you using Windows 2003 or Windows 2008 R2 for authentication? I'm currently trying to set it up with 2008 and I just can't seem to make it work (it joins the domain, but AD users and groups don't show even under the ZFS dataset).

I currently have 2003 and 2008 AD DC's, so my domain functional level is stuck at 2003 until I upgrade the last of the 2003 boxes.
 

mr_mike_m (Dabbler; joined Jul 22, 2011; 16 messages)

Rebuild...

Just rebuilt my FreeNAS8-Beta4 box again this afternoon.

Following my previous posts, I am successfully authenticating AD against a 2003 server. I have not tried to authenticate against a 2008 box yet, but I seem to remember reading, when I started upgrading my AD boxes to 2008, that authentication with third party - especially Samba - may break. I think there may be some registry entry on the 2008 boxes to "correct" this, but haven't researched any further.

A minor change from my previous installation settings: UNCHECKED "Local Master" and UNCHECKED "Time Server for Domain" in the CIFS settings. It did not make a difference in being able to see AD users and groups.
 

alistair (Cadet; joined Jun 10, 2011; 2 messages)

I had some major headaches getting permissions to work on a granular level with AD, but after upgrading to Beta4 my worries were sorted, or so I thought.
A few days ago authentication stopped working, so I reverted to guest access. When I couldn't find any faults I switched on the AD authentication, but now I cannot apply permissions to folders anymore. I get the following error when opening the security tab:
"The permissions on "x" are incorrectly ordered, which may cause some entries to be ineffective."
I have created a new volume and share and tested permissions, which is fine. The trouble is that my main volume, which I need to get working, is all screwed up. When I ignore the error and go into the properties, the same permissions are set for full control and deny for each user / group. I suspect that this is causing the problem. How do I reset the permissions again?
Also, how do I view any logs to see where the fault lies? I cannot find any reference to logs.
 
dyzophoria (Guest)

I currently have 2003 and 2008 AD DC's, so my domain functional level is stuck at 2003 until I upgrade the last of the 2003 boxes.

I currently have a 2003 DC online just for the FreeNAS to authenticate with, lol, but altogether for now I just switched back to guest access, as it seems I can't do anything to make CIFS authenticate with child domains (which sucks).

I can, however, confirm using SSH that I can get the SID of users on child domains by issuing

wbinfo -u user@child

so I'm guessing this has something to do with Samba, unless some of you have successfully authenticated child domains with it.
 

DynamoHum (Cadet; joined Aug 7, 2011; 6 messages)

For 2008 Rx ADs:
Troubleshooting today I noticed something that tells me it might not have to do with AD interaction but with the FreeNAS script that imports the fetched users/groups into the FreeNAS internal list.
I managed to connect properly to the AD; everything seemed to work fine, no errors *** on imports or connect, but still no users or groups in FN8. So I looked around, and went to look inside /var/tmp/.cache/... all the way to index.db, and I looked in the file: all the groups and users are effectively there. It has queried and received the answer properly.
So I suspect it's more a simple question of data formatting, i.e. the groups and users are not being replied in the same format as in a 2003 AD environment, and that would cause problems when importing into the FreeNAS system.
Unfortunately I do not have access to a 2003 AD environment at the moment, nor the time to set one up for testing, so I am hoping that some of you who have previously stated you had access to both environments can compare the content of the different index.db files located in the /var/tmp/.cache subdirs (it is where the ix-activedirectory applets/scripts store temp data) and see if any notable differences show up to explain the failure to make AD objects available and usable.
Thanks in advance to anyone spending time on that.

*** There is still the problem with one of the scripts involved in ix-activedirectory that will error out with "file not found" for activedirectory (if you symlink, the symlink disappears on reboot), when it is called manually or reset from the FN web GUI.
 
dyzophoria (Guest)

I currently have a 2003 DC online just for the FreeNAS to authenticate with, lol, but altogether for now I just switched back to guest access, as it seems I can't do anything to make CIFS authenticate with child domains (which sucks).

I can, however, confirm using SSH that I can get the SID of users on child domains by issuing

wbinfo -u user@child

so I'm guessing this has something to do with Samba, unless some of you have successfully authenticated child domains with it.

Ok, I tried clearing my head and having a go at it again. I feel stupid: I tried adding this to the Auxiliary command lines of CIFS, and voilà, it works, I'm authenticating child domains again. lol

Code:
allow trusted domains = Yes


I'll do more testing to see if everything is working fine, will definitely update if something comes up.

@DynamoHum

I'll try to look at those index files if time permits me to do more testing, since we are in a bit of a rush to get this NAS functioning even if it means doing so with a temporary 2003 DC atm.
 
dyzophoria (Guest)

Ok, update: it seems my post regarding child domains working is only partially right. It seems it can technically authenticate, but I can't add users from child domains; home folders of users on child domains aren't even accessible, even though the shares show up when accessing the NAS through \\yournasname.
 

DynamoHum (Cadet; joined Aug 7, 2011; 6 messages)

Sorry ppl, pls ignore my prev post ... 22 hours continuous at work does that sometimes ... a lil sleep made me wake up lol. I had misread the date when I saw the post on Samba's mailing list ... I read the fix they did in 2008 ... (ok yes I need a slap! and sleep! ;op)
But the one about the content of index.db is still valid though; I am curious to see if there has been a change in the format of the answers in 2008.
Because if you do join the domain, you will see in those files that you have indeed queried and received all the users and groups; they just don't end up anywhere to be used in FN.
 