Joining to Active Directory

Status
Not open for further replies.

L3192

Dabbler
Joined
Jan 25, 2016
Messages
22
Hello,

Looking for some help or guidance with joining a "FreeNAS-9.3-STABLE-201602031011" system to active directory.

I tried using the two guides, but it looks like I'm missing something:

https://forums.freenas.org/index.ph...directory-folder-file-user-permissions.20610/
https://doc.freenas.org/9.3/freenas_directoryservice.html

I fill in the page with the necessary information, but at the end it sits there indicating "please wait..." and then it never connects.

I completed the following fields:

domainname
domain account name
domain account password
Netbios
domain controller
kerberos Realm

idmap backend

Then I save and nothing happens. I checked the /var/log/samba4 directory and the messages file and neither has any information.

I suspect my problem is with the idmap backend. I am trying to use "ad" and provide the range of numbers. I need to specify a range we already use on the Linux side so the numbers generated are the same for the groupIDs and UIDs.

Any help would be appreciated.

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The AD idmap backend pulls uids and gids from active directory. It won't work if you haven't configured these attributes for your users and groups. Most of the time it's easier to just select the RID backend.
 

L3192

Thanks for the reply. I would select RID if this were my only system. However, I have pre-existing Linux machines that all work using the same range of UIDs/GIDs I configured. Is there a way to get this to work manually? I normally do this configuration manually on the Linux systems, but as I understand from reading some older posts, when you do things manually, FreeNAS overwrites them anyway on bootup. Is there a way to manually configure this and not have FreeNAS revert to a default configuration? Thanks
 

anodos

Post idmap settings for existing Linux machines (or full smb.conf).

I believe that the RID backend generates uids / gids in a deterministic manner. This means if all *nix boxes use an RID backend with same idmap range, then uids / gids of AD users and groups will be the same (without using rfc2307 attributes).
 
Last edited:

L3192

Ok, thanks. So I ported my smb.conf file from my Linux box and modified the FreeNAS smb4.conf file and was able to join the machine. However, once I ran the kinit or testjoin, it reverts back to the original config files and changes are lost, as expected. What has taken me hours of frustrated attempts via the GUI, I was able to do in minutes via the command line and directly changing the files. Now the question is, how do I satisfy the FreeNAS requirements so it does not revert back to the original changes?
 

anodos

I can't tell without actually seeing the smb.conf file ;)
 

L3192

Ok, so from reading cyberjock's pdf, the only way to do this would apparently be to install samba in a jail, which is just not practical.

Back to the GUI, can anyone provide any information as to where I can get some logging information for the transactions being performed by the GUI? For instance, when you complete the "Active Directory" configuration page and then click the "save" button, it says "please wait..."; my question is where can I check the progress, or lack thereof, regarding what the GUI is doing. I checked the messages file and even the samba logs but do not see anything.

Any help would be appreciated.

Thanks
 

anodos

Samba is samba. There is no need to use a jail. You just need to configure it correctly in the webgui. I'd give you advice if I knew how your other samba servers are configured. Without this information I can't help much.
 

L3192

Samba is samba, except that FreeNAS removes my working configuration every time...

The basic config on my other system looks like the following:

workgroup = popcorn
password server = server1.popcorn.com
realm = popcorn.com
security = ads
idmap config * : range = 2000000-30000000
idmap config * : backend = rid
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true
netbios name = server1
server string = server1

winbind refresh tickets = yes
winbind enum users = no
winbind enum groups = no
client use spnego = yes
allow trusted domains = no
log file = /var/log/samba/%m.log

Hopefully, this gives you a better idea. Thanks
 

anodos

You don't edit the config from the CLI in FreeNAS. Based on what you posted above, your 'working config' is using the RID backend. Set this under 'directory service' -> 'Active directory'. Edit your idmap range by going into 'advanced mode' and clicking the 'edit' button next to 'idmap backend'.
 

L3192

Yep, I understand that you can only edit via the GUI. I had already made the change you mentioned (via the GUI) and it still does not work, and there are no error messages. In fact, I selected the verbose box to see if anything shows up in the messages file and nothing happens. At a minimum, I would think we would see some kind of message in the messages file or in the samba4 log directory. Definitely frustrating...
 

anodos

Typically, there's not much in the way of notifications that it succeeded. If you type "wbinfo -g" do you see a list of your AD groups?

In my AD member server I have configured the following parameters under directory service
Code:
Domain Name = foo.com
Domain Account Name = <domain admin user name>
Domain Account Password = <domain admin password>
NetBIOS Name = <hostname of FreeNAS server> ex - kung
Encryption Mode = Off
Verbose logging = checked
Use Default Domain = checked
Allow DNS updates = checked
Domain Controller = <FQDN of DC> - example DC00.foo.com
Global Catalog Server = <FQDN of global catalog server> - example DC00.foo.com
Kerberos Realm = (from dropdown) foo.com
Idmap Backend = rid (with appropriate groupmap range that does not overlap the one set for builtin groups)
SASL wrapping = plain
Enable = checked
 
Last edited:
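As an added illustration (not code from this thread, from FreeNAS, or from Samba itself), the Python below reproduces the arithmetic behind anodos's two points: the RID backend derives each uid/gid deterministically from the object's SID (Samba's documented idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID defaulting to 0), so hosts sharing the same "idmap config * : range" agree without rfc2307 attributes; and the domain range must not overlap the range used for BUILTIN groups. The SIDs, host names and the BUILTIN range value are constructed for the example; the 2000000-30000000 range is the one from the poster's smb.conf.

```python
"""Worked example of Samba idmap_rid arithmetic (added illustration, not project code).

idmap_rid maps a domain object deterministically:
    UNIX ID = RID - BASE_RID + LOW_RANGE_ID      (BASE_RID defaults to 0)
Two member servers with the same idmap range therefore hand out identical
uids/gids with no rfc2307 attributes in AD.  SIDs and the BUILTIN range below
are constructed sample values.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional, Tuple

# A domain SID is S-1-5-21-<d1>-<d2>-<d3>-<RID>; the last component is the RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (trailing component) of a domain SID."""
    match = DOMAIN_SID_RE.match(sid)
    if match is None:
        raise ValueError(f"not a domain SID: {sid}")
    return int(match.group(1))


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse an 'idmap config * : range = LOW-HIGH' value into (low, high)."""
    low, high = (int(part) for part in spec.split("-"))
    if low >= high:
        raise ValueError(f"empty or inverted idmap range: {spec}")
    return low, high


def rid_to_unix_id(rid: int, idmap_range: Tuple[int, int], base_rid: int = 0) -> Optional[int]:
    """Apply the idmap_rid formula; None when the result falls outside the range."""
    low, high = idmap_range
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # winbind refuses to map the object rather than invent an ID
    return unix_id


def map_members(sids: Dict[str, str], idmap_range: Tuple[int, int]) -> Dict[str, Optional[int]]:
    """Map {name: SID} to {name: uid/gid} for one host's configured range."""
    return {name: rid_to_unix_id(rid_from_sid(sid), idmap_range) for name, sid in sids.items()}


def hosts_agree(sids: Dict[str, str], host_ranges: Dict[str, str]) -> bool:
    """True when every host ({host: range spec}) produces the same uid/gid table."""
    tables = [map_members(sids, parse_range(spec)) for spec in host_ranges.values()]
    return all(table == tables[0] for table in tables[1:])


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """Closed-interval overlap test."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_config(domain_spec: str, builtin_spec: str) -> List[str]:
    """Report misconfigurations worth catching before joining the domain."""
    problems: List[str] = []
    domain = parse_range(domain_spec)
    builtin = parse_range(builtin_spec)
    if ranges_overlap(domain, builtin):
        problems.append(f"domain range {domain_spec} overlaps BUILTIN range {builtin_spec}")
    if domain[0] < 1000:
        problems.append("domain range collides with local system accounts (ids below 1000)")
    return problems


# Constructed sample data: one domain, two users and the well-known Domain Users group.
SAMPLE_SIDS = {
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1104",
    "bob": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "Domain Users": "S-1-5-21-1111111111-2222222222-3333333333-513",
}
# Range taken from the poster's Linux smb.conf, reused unchanged on the FreeNAS box.
HOST_RANGES = {"linux-box": "2000000-30000000", "freenas": "2000000-30000000"}
# Placeholder BUILTIN range for the example; use whatever the real system reserves.
BUILTIN_RANGE_PLACEHOLDER = "90000001-100000000"

if __name__ == "__main__":
    for host, spec in HOST_RANGES.items():
        print(host, map_members(SAMPLE_SIDS, parse_range(spec)))
    print("hosts agree:", hosts_agree(SAMPLE_SIDS, HOST_RANGES))
    print("problems:", check_idmap_config("2000000-30000000", BUILTIN_RANGE_PLACEHOLDER))
    print("problems:", check_idmap_config("2000000-30000000", "20000000-30000000"))
```

With the shared range, alice maps to 2001104 on both hosts and Domain Users to 2000513; give one host a different low bound and hosts_agree() turns false, which is exactly the file-ownership mismatch the poster wants to avoid. A RID beyond the top of the range yields None, the case where winbind leaves the object unmapped, so the range should comfortably exceed the highest RID the domain will ever issue.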