Setting up Kerberos for Active Directory

dtusernas

Cadet
Joined
Sep 3, 2019
Messages
4
I have looked at and "played" with FreeNAS over the years but now I have gotten quite serious. I still consider myself a newbie to FreeNAS (BSD), so sorry for that.

I am attempting to join a FreeNAS box to an existing Samba 4 Active Directory (Linux OS domain controllers) as a member server.

My main problem appears to be Kerberos and its setup. When I enter all my settings in DirectoryServices/ActiveDirectory I am getting a "BindSimple: Transport encryption required., Strong(er) authentication required" complaint (at the bottom in red font color) that shows failure.

I did this: root@freenas01[~]# freenas-debug -a and have attached a file of the output.

I post this as I am struggling to locate more detailed documentation for attaching to an existing domain (I do NOT need this FreeNAS box to be domain controller, simply a member server.)

When I search the error string most searches keep leading me to kerberos not connecting to the KDC (which it is not, I know.)

Any suggestions for documentation would be greatly appreciated. Any suggestions for what to do would be greatly appreciated.
 

Attachments

  • FreeNAS-debug_-a_2019-09-03.pdf
    51.5 KB · Views: 662

dtusernas

Since posting this initial post I have discovered the IX University. There Module 102 better explains the use of the "wizard" and joining an active directory domain.

What I am finding now is that my FreeNAS box cannot locate my DCs, therefore cannot join the domain.

I realized that the nameservers were not pointed at my domain controllers, adjusted that and set a static ip address.

Re-ran the wizard to get "{'desc': 'Strong(er) authentication required', 'info': 'BindSimple: Transport encryption required.'}".

So, I still cannot join the domain.

Suggestions? Anyone?
 

dtusernas

Yes, I have, thank you.

Was busy today and haven't had time 'til now to post that I have discovered that the "active directory" script that 'should' generate the krb5.conf file appears to not be doing so. Hence, Kerberos is not starting. (Found a forum post that mentioned "did the krb5.conf file get properly generated . . ." that made me go looking.)

I can ping the domain controllers. The nameservers are set to the domain controllers. The realm is properly set in ALL CAPS. It seems no matter what I do, the Kerberos krb5.conf file will not generate properly.

I will be away from the machine for two days.
 