FreeNAS8 and ActiveDirectory


dyzophoria

Guest
I sure hope stuff will be fixed in the next beta or release; I can't really do anything about users/groups from child domains.

When I do wbinfo -u, all users are displayed (including ones from child domains).

When I try to set permissions on shares using Windows Explorer (right-click > Properties > Security), I can add users from the main domain OK, but when I add users from the child domain, once I press OK or Apply, they vanish completely.
 

pankoff

Cadet
Joined
Aug 28, 2011
Messages
1
Freenas 8.0.1 + AD 2003 + AD 2008

Hello!
Has anyone managed to get users from AD?
Code:
freenas# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: apankoff@TEST.NET

  Issued           Expires        Principal
Aug 25 16:21:02  >>>Expired<<<  krbtgt/TEST.NET@TEST.NET
Aug 25 16:21:06  >>>Expired<<<  ldap/dc1.test.net@test.NET
Aug 25 16:21:06  >>>Expired<<<  ldap/dc1.test.net@test.NET
freenas# wbinfo -p
Ping to winbindd succeeded
freenas# wbinfo -t
checking the trust secret for domain TEST via RPC calls failed
Could not check secret
freenas# wbinfo -c
changing the trust secret for domain TEST via RPC calls failed
Could not change secret
freenas# wbinfo -u
TESTFREENAS+pankoff
freenas# wbinfo -g
freenas# 


I get users on a 2008 R2 SP1 domain.
Code:
freenas# wbinfo -t
checking the trust secret for domain TEST2008 via RPC calls succeeded
freenas# wbinfo -g
domain computers
domain users
domain guests
.................
schema admins
enterprise admins
freenas# wbinfo -u
FREENAS+pankoff
guest
administrator
................
nataliam
freenas#        

CIFS has no "Domain users" option. In "Authentication Model" there are only "Anonymous" and "Local user".
 

unclepips

Cadet
Joined
Aug 31, 2011
Messages
5
Windows Server 2003 R2 & FreeNAS 8

Hi,
I am setting up a test system at the moment, before launching the FreeNAS onto my network.
I am having great difficulty in getting this to work. The problem is probably that I don't fully understand what needs to go where, as I am a basic user of Active Directory and you could say a FreeNAS Virgin.

My Setup is as follows:-

Windows
Windows 2003 Server R2 Standard i386
Full Computer Name: dropserver.drop.local
Domain: drop.local

IP Address: 172.20.0.232 / 255.255.0.0
Router IP: 172.20.0.1
DNS Server: 172.20.0.232

DNS Configured both Forward Lookup Zone & Reverse Lookup Zone, with forwarders set to: 8.8.8.8 (Google) / 158.152.1.43 (my ISP) / 158.152.1.58 (my ISP)

Also added an entry for the Freenas: dropnas 172.20.0.230

FreeNAS Setup

FreeNAS: FreeNAS-8.0.1-BETA4-amd64
IP Address: 172.20.0.230 Subnet: 255.255.0.0/16

Hostname: dropnas
Domain: drop.local
IPv4 Default Gateway: 172.20.0.1
IPv6 Default Gateway:
Nameserver 1: 172.20.0.232
Nameserver 2:
Nameserver 3:

Active Directory Settings
Domain Controller Name: 172.20.0.232
Domain Name: drop.local
Host Name: DROP
Workgroup Name: DROP
Administrator Name: Administrator
Password: ******

CIFS Settings
Authentication Model: Local User
NetBIOS Name: DROPNAS
Workgroup: DROP
Description: DropNAS Server
DOS charset: CP437
UNIX charset: UTF-8
Local Master: yes
Time Server for Domain: yes
Guest Account: nobody
Allow Guest Access: no
Only Allow Guest Access: no
File Mask: none
Directory Mask: none
Large RW Support: yes
Send Files with sendfile(2): yes
EA Support: no
Support DOS File Attributes: yes
Allow Empty Password: no
Auxiliary parameters: none
Enable Home Directories: no
Enable Home Directories Browsing: no
Home directories: none
Enable AIO: yes
Minimal AIO read size: 1
Minimal AIO write size: 1

Both Active Directory and CIFS Services are switched ON.

I have then created a UFS share in Sharing > Windows called data which is at /mnt/disk1 with the following configuration:-

Name: data
Comment: data store
Path: /mnt/disk1
Export Read Only: no
Browsable to Network Clients: yes
Inherit Permissions: no
Export Recycle Bin: no
Show hidden files: no
Guest Account: www
Allow Guest Access: no
Only Allow Guest Access: no
Hosts Allow: none
Hosts Deny: none
Auxiliary Parameters: none

With these settings set, I have now rebooted the FreeNAS unit, and all appears to be ok at the console screen with no obvious errors.

However, I still don't appear to be able to see my list of users from Active Directory in the list of Users in the FreeNAS unit.

If I turn off the Active Directory service on the FreeNAS and then start it again, I get this info from /var/log/messages:-

Code:
Aug 31 14:28:58 dropnas freenas[1576]: Executing: /usr/sbin/service ix-kerberos quietstart
Aug 31 14:28:58 dropnas freenas[1576]: Executing: /usr/sbin/service ix-nsswitch quietstart
Aug 31 14:28:59 dropnas freenas: Generating host.conf.
Aug 31 14:28:59 dropnas freenas[1576]: Executing: /usr/sbin/service ix-pam quietstart
Aug 31 14:28:59 dropnas freenas[1576]: Executing: /usr/sbin/service ix-samba quietstart
Aug 31 14:28:59 dropnas freenas: tdbsam_open: Converting version 0.0 database to version 4.0.
Aug 31 14:28:59 dropnas freenas: tdbsam_convert_backup: updated /var/etc/private/passdb.tdb file.
Aug 31 14:28:59 dropnas freenas: Importing account for sshuser...ok
Aug 31 14:28:59 dropnas freenas[1576]: Executing: /usr/sbin/service ix-kinit quietstart
Aug 31 14:29:09 dropnas freenas[1576]: Executing: /usr/sbin/service ix-activedirectory quietstart
Aug 31 14:29:15 dropnas freenas: Using short domain name -- DROP
Aug 31 14:29:15 dropnas freenas: Joined 'DROP' to realm 'drop.local'
Aug 31 14:29:25 dropnas freenas[1576]: Executing: /usr/sbin/service samba forcestop
Aug 31 14:29:25 dropnas freenas: winbindd not running? (check /var/run/samba/winbindd.pid).
Aug 31 14:29:26 dropnas freenas: Stopping smbd.
Aug 31 14:29:26 dropnas freenas: Stopping nmbd.
Aug 31 14:29:26 dropnas freenas[1576]: Executing: /usr/bin/killall nmbd
Aug 31 14:29:26 dropnas freenas: No matching processes were found
Aug 31 14:29:26 dropnas freenas[1576]: Executing: /usr/bin/killall smbd
Aug 31 14:29:26 dropnas freenas: No matching processes were found
Aug 31 14:29:26 dropnas freenas[1576]: Executing: /usr/bin/killall winbindd
Aug 31 14:29:26 dropnas freenas: No matching processes were found
Aug 31 14:29:26 dropnas freenas[1576]: Executing: /usr/sbin/service samba quietstart
Aug 31 14:29:26 dropnas freenas: Removing stale Samba tdb files: ........ done
Aug 31 14:29:26 dropnas freenas: Starting nmbd.
Aug 31 14:29:26 dropnas freenas: Starting smbd.
Aug 31 14:29:26 dropnas freenas: Starting winbindd.



Can anyone tell me if my settings are correct, or is there something obviously wrong that I am missing?

Any help would be greatly appreciated.

Regards,
Phil.

Additional Info:-
What I forgot to mention is that I have followed mr_mike_m post on this thread (#6), but still struggling.
If I browse to My Network Places > Entire Network > Microsoft Windows Network > Drop > DropNAS Server (Drop) I then get asked for a username and password. I have to enter: admin / freenas (I have left password as default as this is only a test system).
I then see the DATA folder that I have created, but when I double click this I get:-

\\Drop\data is not accessible. You might not have permission to use this network resource. Contact the Administrator...... etc.
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
Quote (unclepips):
Additional Info:-
What I forgot to mention is that I have followed mr_mike_m post on this thread (#6), but still struggling.
If I browse to My Network Places > Entire Network > Microsoft Windows Network > Drop > DropNAS Server (Drop) I then get asked for a username and password. I have to enter: admin / freenas (I have left password as default as this is only a test system).
I then see the DATA folder that I have created, but when I double click this I get:-

\\Drop\data is not accessible. You might not have permission to use this network resource. Contact the Administrator...... etc.

Phil-

Are you able to connect to the box via PuTTY? If so, have you run "wbinfo -u" and "wbinfo -g", and are you able to see the list of AD users and groups?

I took a quick glance at your config files, and everything looked fine.
 

unclepips

Cadet
Joined
Aug 31, 2011
Messages
5
Hi Mike,
I have just tried Putty (never used it before) and I get the following:-

$ wbinfo -u
Error looking up domain users
wbinfo: _mcleanup: wbinfo.gmon: Permission denied
$ wbinfo -g
Error looking up domain groups
wbinfo: _mcleanup: wbinfo.gmon: Permission denied
$

:o(
 

tladuke

Cadet
Joined
Sep 8, 2011
Messages
3
I don't know why, but copy/pasting the Admin account in AD to a different account and then using the new account in the FreeNAS conf was the final step in getting the thing to completely join the domain.
 

louis-m

Dabbler
Joined
Jun 7, 2011
Messages
34
I'd like to come in here.

You CAN set permissions via cifs. What you have to remember is that there are underlying file permissions.
Limits set by kernel level access control such as file permissions, file system mount options and ACLs cannot be overridden by Samba.
Think of Samba as a layer on top of file permissions advertising file and print services etc.
If only the owner has write permissions, it doesn't matter what you set in Samba unless you are the owner.

You can set the file permissions at 777 and control access via samba with "valid users = somebody, somebody else" in the extra options box.
However, this isn't great as *nix users would be able to connect to the share as the file system permissions are set at 777.
It's much better to set the underlying file permissions for the users you want; hence FreeNAS has Windows permissions at the file system level as well.

It's not that different to windows in that you have file permissions and then have share permissions on top.
 

tladuke

Cadet
Joined
Sep 8, 2011
Messages
3
That makes sense.

I am setting the permissions on ZFS datasets though. They are set to, for example:
drwxrwx--- 3 domain\administrat domain\domain user 9 Sep 9 11:20 home

I just su'd from root to domain\me and touched a file:
-rw-r--r-- 1 domain\me domain\domain user

A file created through Explorer as the same user looks like this:
-rw-rw---- 1 domain\administrat domain\domain user
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
Quote (unclepips):
Hi Mike,
I have just tried Putty (never used it before) and I get the following:-

$ wbinfo -u
Error looking up domain users
wbinfo: _mcleanup: wbinfo.gmon: Permission denied
$ wbinfo -g
Error looking up domain groups
wbinfo: _mcleanup: wbinfo.gmon: Permission denied
$

:o(

Well... I just upgraded to the latest, and now my test box is not able to see AD info. My wbinfo queries are returning errors.

I don't know why you are receiving the "Permission denied" error.
 

louis-m

Dabbler
Joined
Jun 7, 2011
Messages
34
When you touch a file via ssh etc., you are using *nix to create it and you create a 644 or -rw-r--r--.
When you create it via Explorer, you are using Samba, and Samba file creation can be set differently to *nix file creation. My Samba boxes are set to 755 or -rwxr-xr-x by default, although I could force them to 644 if needed.
I haven't checked FreeNAS, but I would imagine it's roughly the same.
 

unclepips

Cadet
Joined
Aug 31, 2011
Messages
5
I have been googling to try and find a solution to this, and the more I read the more and more I get p***ed off with it all!

The latest thing I have found, is that with the latest compile of v8 for i386 (what I am using at the moment) it was compiled with some files missing!!!!

To rectify this you have to enter the following at the shell:-
Code:
# mount -uw /
# cd /usr/local/lib/samba
# fetch "http://download.freenas.org/idmap.tar.bz2"
# rm -rf idmap
# tar xjvf idmap.tar.bz2
# cd /etc
# mount -r /
# /usr/local/etc/rc.d/samba onerestart


(this was pasted from: http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=75&t=736)

As I have been playing about with various settings, I decided to do a fresh install of the FreeNAS.

I then followed mr_mike's example as before. Entered all my server info as before (except I realised I was entering the NETBIOS name incorrectly. I was entering the domain here and not the PC name! I found this by IPCONFIG /all at the Windows CMD prompt and entered the HOSTNAME as my NETBIOS name.)

I can now use PuTTY to run wbinfo -u without any errors. However, it only lists SSHUSER (a user I created in the FreeNAS to allow me to SSH into it). wbinfo -g shows no groups.

I have also tried Wi1d's advice (post 7 on this thread on page 1) net ads join -U username.

If I try this at the Shell, I get:-
Code:
Failed to join domain: failed to lookup DC info for domain 'DROP.LOCAL' over rpc: Login failure


If I try this via PuTTY I get:-
Code:
[2011/09/14 12:28:59.186619,  0] passdb/secrets.c:73(secrets_init)
  Failed to open /var/etc/private/secrets.tdb
Failed to join domain: Unable to open secrets database
 

Scallica

Cadet
Joined
Sep 3, 2011
Messages
3
I am having an issue applying permissions to my volume. I successfully joined my FreeNAS system to a domain. If I type 'wbinfo -u' or 'wbinfo -g' I can see all of my users and groups. However, when I click the permissions button on the volume I do not see AD users and groups. Is there anything else I should do or check?
 

unclepips

Cadet
Joined
Aug 31, 2011
Messages
5
FINALLY I have a working FreeNAS with Active Directory!!
Thanks to everyone who has contributed on this thread. What I have done is done a load of screenshots of the configurations etc. So I will start a new thread and post the link to it on here once I have written it.
It will be a step-by-step guide (almost like a Dummies Guide to setting up a FreeNAS and AD).

The biggest problem I have come across is the POOR terminology on the FreeNAS, as it is not clear sometimes what to put in some of the boxes. Sometimes it means the NETBIOS of the AD Server, sometimes it means the NETBIOS of the FreeNAS - it would be helpful to specify what they want!! As with anything, once you know it is obvious. (rant over).

Watch this space........
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
Quote (unclepips):
FINALLY I have a working FreeNAS with Active Directory!!

Congratulations!!

Quote (unclepips):
The biggest problem I have come across is the POOR terminology on the FreeNAS, as it is not clear sometimes what to put in some of the boxes. Sometimes it means the NETBIOS of the AD Server, sometimes it means the NETBIOS of the FreeNAS - it would be helpful to specify what they want!! As with anything, once you know it is obvious. (rant over).

I agree 100%, and that is what's given me the most frustration.

Now I have to go fix my installation, because after doing an upgrade with the "GUI" package (RC2), I've lost connectivity to my AD...

Looking forward to your "Dummy's Guide" post.

-MM
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
I'm now working again too.... But "WHY?"... I have no idea. I needed to manually do a
Code:
net ads join -U someadminuser
before my "wbinfo" commands would come back with users and groups. The whole time "net ads user / group" commands would return the proper AD users and groups. Strange!
 

karmalicious

Cadet
Joined
Sep 28, 2011
Messages
3
Quote (unclepips):
FINALLY I have a working FreeNAS with Active Directory!!

Congrats.

I signed up since my first problem occurred when FreeNAS lost all my domain users/groups. It worked from the start, but now I can't get domain users to show up in permissions, but I can list them either which way and all connections report back that they are fine.

Really looking forward to that guide.
 

mr_mike_m

Dabbler
Joined
Jul 22, 2011
Messages
16
I've noticed when my setup ISN'T working, that WinBind is the reason. I've rebooted and Winbind just won't start until I do it manually, then everything runs fine. Just realized that the "WB" in "wbinfo" command stands for WINBIND! :smack: :o

If you issue "wbinfo -p", that will tell you if you can "ping" the Winbind daemon. If you get an error, winbind isn't running.

I have NOT yet figured out why my WinBind daemon refuses to start.
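The wbinfo checks mr_mike_m describes, applied in the order the thread ends up using them (-p first, then -t, then -u/-g), as an added example that is not FreeNAS code or any poster's own; the sample outputs are constructed to mirror what pankoff and unclepips pasted, and the verdict wording is the script's own.

```python
"""Interpret the wbinfo checks this thread relies on (-p, -t, -u, -g).
Added example, not FreeNAS code: the samples are constructed to mirror what pankoff
and unclepips pasted, and the verdict strings are this script's own."""
import shutil
import subprocess

FLAGS = ("-p", "-t", "-u", "-g")

def run_wbinfo(flag):
    """Run a real `wbinfo <flag>` if the tool is installed, else return ''."""
    if shutil.which("wbinfo") is None:
        return ""
    proc = subprocess.run(["wbinfo", flag], capture_output=True, text=True)
    return proc.stdout + proc.stderr

def diagnose(out):
    """Map the four outputs (flag -> printed text) to one verdict, checked in order."""
    # 1. winbindd up at all?  (mr_mike_m: nothing works until it is started)
    if "succeeded" not in out.get("-p", ""):
        return "winbindd not running: start winbind before anything else"
    # 2. machine trust secret (pankoff's 2003 domain failed here)
    if "succeeded" not in out.get("-t", ""):
        return "winbindd up but trust secret check failed: re-run net ads join -U <admin>"
    # 3. enumeration errors (unclepips: 'Error looking up domain users')
    if "Error looking up" in out.get("-u", "") + out.get("-g", ""):
        return "joined but lookups fail: check DNS, klist and /var/log/messages"
    # 4. join reported fine but nothing came back (idmap / NetBIOS name problems)
    users = [u for u in out.get("-u", "").splitlines() if u.strip()]
    groups = [g for g in out.get("-g", "").splitlines() if g.strip()]
    if not users or not groups:
        return "join ok but no AD users/groups enumerated: check idmap and NetBIOS names"
    return "ok: %d users, %d groups visible" % (len(users), len(groups))

# Constructed samples modelled on the outputs posted in this thread.
SAMPLE_2003_BROKEN = {
    "-p": "Ping to winbindd succeeded\n",
    "-t": "checking the trust secret for domain TEST via RPC calls failed\nCould not check secret\n",
    "-u": "TESTFREENAS+pankoff\n", "-g": ""}
SAMPLE_2008_OK = {
    "-p": "Ping to winbindd succeeded\n",
    "-t": "checking the trust secret for domain TEST2008 via RPC calls succeeded\n",
    "-u": "FREENAS+pankoff\nguest\nadministrator\nnataliam\n",
    "-g": "domain computers\ndomain users\ndomain guests\n"}
SAMPLE_LOOKUP_ERR = {**SAMPLE_2008_OK, "-u": "Error looking up domain users\n"}

if __name__ == "__main__":
    print(diagnose({f: run_wbinfo(f) for f in FLAGS}))
```

Run on the FreeNAS box itself it queries the live winbindd; the samples let you exercise the verdicts anywhere.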
 

trunglam

Cadet
Joined
Oct 5, 2011
Messages
4
I just tried the new release version (09/30/2011) and here is my trouble with it:

[root@freenas] ~# wbinfo -p
Ping to winbindd succeeded

[root@freenas] ~# net ads join -U admin
Enter admin's password:
[2011/10/05 18:06:49.517172, 0] libads/sasl.c:823(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

I also read carefully all about setting up AD inside FreeNAS 8, but without success.

So I need help from all,

Thanks.
 

unclepips

Cadet
Joined
Aug 31, 2011
Messages
5
Sorry Guys for the delay in preparing the Step-by-step guide to setting this up.
I installed the NAS into my Customer's network, and left their server copying over all the files to the NAS (used Total Commander trial so it copied with user file & directory permissions).
Took over 15 hours to copy across, only to find EVERYONE had FULL ACCESS to EVERYTHING!!!!!!!

So back to the drawing board. My problem turns out to be that I was using a UFS partition and it would NOT allow me to set directory permissions. Changing this to a ZFS partition and Happy Days, all is working fine. So I have spent today compiling this guide so that hopefully this will help others in getting their NAS's working fully with A.D.

I have uploaded the guide to my website: http://www.raindropsoftware.co.uk/freenassetup

The copy across of all their data is now scheduled for Sunday evening (outside working hours) so fingers crossed, Monday morning everyone will be happy!

Cheers,
Phil.
 

jhahn

Cadet
Joined
Sep 28, 2011
Messages
7
@unclepips You wrote a nice howto, thank you.
Small comment:
In my setup I didn't need to reboot the NAS server; I had access to AD immediately.
When I created a Windows share, I specified

Auxiliary Parameters:
write list = admin,@BERLICALL\samba
valid users = admin,@BERLICALL\samba

where admin is a FreeNAS user and
BERLICALL\samba an AD group. Only these have access to the share.

Log in over SSH to the FreeNAS server and execute
tail -f -n200 /var/log/messages
to see what happens.

Cheers Johann
Sorry for my bad English
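louis-m's point earlier in the thread (Samba cannot widen what the kernel permits, and 777 plus `valid users` still lets *nix logins in) together with jhahn's `valid users`/`write list` share, worked through as an added example that is not FreeNAS or Samba code: the users, groups, owners and modes are constructed, and the list matching mimics Samba's semantics rather than calling Samba.

```python
"""Samba share rules sit on top of kernel file permissions (louis-m's point).
Added example, not FreeNAS or Samba code: users, groups and modes are constructed;
SHARE reproduces jhahn's valid users / write list and mimics Samba's list matching."""
import stat

# Constructed identities: user -> groups (AD users carry the DOMAIN\ prefix)
GROUPS = {
    "admin": {"wheel"},
    "BERLICALL\\alice": {"BERLICALL\\samba", "BERLICALL\\domain users"},
    "BERLICALL\\bob": {"BERLICALL\\domain users"},
}
# jhahn's share as Samba parameters (read only = yes is Samba's default)
SHARE = {"valid users": ["admin", "@BERLICALL\\samba"],
         "write list": ["admin", "@BERLICALL\\samba"],
         "read only": True}

def in_list(user, entries):
    """Samba list matching: '@name' is a group, anything else a user name."""
    return any(e[1:] in GROUPS.get(user, set()) if e.startswith("@") else e == user
               for e in entries)

def unix_allows(user, owner, group, mode, write):
    """The kernel check Samba cannot override: owner / group / other bits."""
    if user == owner:
        r, w = mode & stat.S_IRUSR, mode & stat.S_IWUSR
    elif group in GROUPS.get(user, set()):
        r, w = mode & stat.S_IRGRP, mode & stat.S_IWGRP
    else:
        r, w = mode & stat.S_IROTH, mode & stat.S_IWOTH
    return bool(r) and (bool(w) or not write)

def smb_allows(user, share, owner, group, mode, write):
    """Share layer first (valid users, write list), then the kernel layer."""
    if not in_list(user, share["valid users"]):
        return False
    if write and share["read only"] and not in_list(user, share["write list"]):
        return False
    return unix_allows(user, owner, group, mode, write)

def compare(user, owner, group, mode, write=True):
    """(reachable via SMB, reachable via ssh/local shell) for the same path."""
    return (smb_allows(user, SHARE, owner, group, mode, write),
            unix_allows(user, owner, group, mode, write))

if __name__ == "__main__":
    # 777 + valid users: bob is refused by the share yet walks in over ssh
    print(compare("BERLICALL\\bob", "root", "wheel", 0o777))  # (False, True)
    # 770 owned by the AD group: only group members get in, by either path,
    # and the share's own 'admin' entry cannot widen what the kernel allows
    print(compare("admin", "BERLICALL\\administrator", "BERLICALL\\samba", 0o770))
```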
 