Unable to join domain with LDAP or AD

[PeterAS17]

Good evening,

It's been a full week since I've been trying to make my NAS join my Windows Server 2016 AD domain.

Even after following over 20 tutorials, documentation, and trying to solve the problem by myself, I'm still unable to make it join the domain.

Trying with AD:
I get this error while trying to enable AD:

In the Samba logs:
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

AD Setup in the GUI:

No access to the shared folder (normal AD account, Administrator account and FreeNAS' root account can't login)

Trying with LDAP:
When enabling LDAP, everything seems to be fine...

But Samba services stops with the following errors:
[2018/04/14 22:10:07.571323, 1] ../source3/passdb/pdb_ldap_util.c:237(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=IG,dc=ig,dc=prv with: No such attribute
00000057: LdapErr: DSID-0C091027, comment: Error in attribute conversion operation, data 0, v3839
[2018/04/14 22:10:07.571347, 0] ../source3/passdb/pdb_ldap_util.c:314(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for IG failed with NT_STATUS_UNSUCCESSFUL
[2018/04/14 22:10:07.571359, 0] ../source3/passdb/pdb_ldap.c:6643(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2018/04/14 22:10:07.571366, 0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
pdb backend ldapsam:ldap://srv-01.ig.prv did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)


LDAP setup in the GUI:

No access to the shared folder (normal AD account, Administrator account and FreeNAS' root account can't login)


Samba setup in the GUI:

Samba configuration file:

[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 171047
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
ntlm auth = no
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = nas-01
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
local master = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
security = user
passdb backend = ldapsam:ldap://srv-01.ig.prv
ldap admin dn = cn=(the binding admin account)
ldap suffix = dc=ig,dc=prv
ldap user suffix = ou=(the OU)
ldap group suffix = ou=(the OU)
ldap machine suffix = ou=(the OU)
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
ldapsam:trusted = yes
workgroup = IG
domain logons = yes
idmap config IG: backend = ldap
idmap config IG: range = 10000-90000000
netbios name = NAS-01
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[storage]
path = "/mnt/storage"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare


I really hope somebody can help me with this... I'm going crazy because it hasn't been working for a full week now and I still got no answers for this problem

 

[Mihalich]

FreeNAS version?
Maybe updating the system will help you.

 

[PeterAS17]

FreeNAS version?
Maybe updating the system will help you.

It's in the version 11.1 U4, stable train.

 

[Mihalich]

It's in the version 11.1 U4, stable train.

Does the user have the right to join the domain?
Did you create a shared folder?
Does Freenas ping by name?
Hostname?
NTP?
U4 version has different settings

 

[PeterAS17]

Does the user have the right to join the domain?
Did you create a shared folder?
Does Freenas ping by name?
Hostname?
NTP?
U4 version has different settings

Thanks for your reply.
Yes, I've created a shared folder that is accessible if I use a guest account (with the Guests Allowed checkbox). My Nas does ping by name, and it's hostname has the domain suffix (like name.domain). NTP server is set to the DC.

Going to try with your settings. If I don't comment in 15min, it's because it's not working on my side neither... :/

 

[Mihalich]

In your screenshot, the AD settings window looks different. Why so?

 

[PeterAS17]

In your screenshot, the AD settings window looks different. Why so?

I have no idea actually.... But anyways, I've replaced my FreeNAS with a Windows computer I had around here, so this thread is no longer very important for me :)

 

[a779202374]

Hey guys .

I get an error same like you Error:[MiddlewareError:b'Active Directory failed to reload.']

A few days ago ...

Before I shut down, domain control and freenas were turned off, and then freenas was activated at first, and then domain control started. Because the domain control is in the virtual machine. I didn't notice, so I started the freenas first and then found that the connection was not domain controlled. I restarted the freenas and I can't automatically connect it.

By the way .My Freenas version is 'FreeNAS-11.0-U2 '.WinServer is 'Windows Server 2012R2'.

 

[eaykoc]

I had the same error today. In my case the problem was the time difference between FreeNAS 11.1-U5 and the ADC. (For some reason, nas does not sync time with the ntp servers I've configured...)

After manually synchronizing the date of nas to adc then nas was able to join domain again.