Using Active Directory with FreeNAS

Status
Not open for further replies.

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
Hello everyone! First post on the forum :) Here goes.

Man oh man...I can't believe all of the posts on here about issues with getting FreeNAS to work with Active Directory. After going through quite a few posts on here as well as other boards, here are the steps I think might be a little easier for people.

First things first...make sure you have a sound AD environment. DNS must be working correctly, so verify your SRV records (in the FreeNAS shell, you can run this command without the quotes: "host -t srv _kerberos._tcp.windows.domain.com", where windows.domain.com is the FQDN of your domain). It should come back with something like this: "_kerberos._tcp.windows.domain.com has SRV record 0 100 88 dc.windows.domain.com". If not, you have some DNS issues. Verify your network settings in FreeNAS and your AD DNS records. I would recommend configuring your FreeNAS box to point to your domain controller as its DNS server.

Another thing is to make sure you have your NTP settings correct. On the domain controller that holds the FSMO PDC role (run this command from your DC: "netdom query fsmo"), double check your NTP settings. If you've never set anything, I recommend using these settings...run from a command prompt on the PDC:

w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update

After you run that command, restart the Windows Time Service. This will make your PDC sync from an external time source, which is highly recommended. It's also a good idea to make sure the client PCs on your domain are set to sync from the domain hierarchy. You can do this by running the following command on client PCs and member servers:

w32tm /config /syncfromflags:domhier /update

You should now set your FreeNAS system to point to this PDC as its primary NTP server. Add it to the NTP server settings in FreeNAS and be sure to mark the option to prefer this server for NTP. Don't forget to set the time zone too!

Before you continue any further, you need to make sure you create a ZFS Volume/Pool on FreeNAS and verify that it's in a healthy state. Now go to System/Settings and set the "System dataset pool" option to be your new Pool. If you don't create a pool before continuing below, you won't be able to start the Directory Services service or the CIFS service!

Now on the FreeNAS box, set the Directory Service on the System/Settings/General tab to be Active Directory. Next...DISABLE the following two CIFS service settings: Local Master, Time Server for Domain. If you don't do this, don't come crying when strange stuff happens ;-)

Ok, now that we are all set there, it's time to create an AD computer account for your FreeNAS box in AD. For this article, we'll call it NAS1. After this, create an A record for the NAS1 computer account in your DNS server. Now create a new user account that is configured with a non-expiring password. We'll call it NAS1USER. Now go back to the computer account, NAS1, and open the properties of the account. On the Security tab, add the NAS1USER account with Full Control permissions. What this does is get around the issue of having to use an Administrator or Domain Admin account to join AD and set the secure channel for the account.

The new feature in 9.2.1 for using a Keytab file seems like a nice idea, but the documentation is not quite ready from what I see. What's currently on the wiki for this seems wrong to me. It says, and I quote, "hostname is the fully qualified hostname of the domain controller." I think it should be hostname = NAS1, i.e. the hostname of your FreeNAS system. I'm speculating here, but I wouldn't trust it yet without some definitive documentation and tests. Regardless...the documentation also states to fill in the Directory Services settings "Domain Account Name" and "Domain Account Password" with a less privileged account for running lookups. Ummm...ok, so that will still be in the database in clear text? Oh well, if it needs it...it needs it. The good thing is that, for this config, you insert the NAS1USER account here. So it is a less privileged account BUT it has Full Control of the NAS1 computer account. Boom...it all works! Users and Groups get populated when setting permissions on a Dataset, and CIFS shares work as expected.

For the CIFS permissions, you'll need to edit your Dataset permissions and change it to Windows / Mac ACL style and change Owner (user) to be an AD account and Owner (group) to be an AD group of your choice. These two accounts will have inherited permissions to the share.

One note here is that there is currently an issue with "Share Permissions" being set to Everyone. You can change it using compmgmt.msc to connect to the FreeNAS system, but it will revert back when you reboot the NAS. Info here: https://bugs.freenas.org/issues/3644

Troubleshooting help:
Some good articles with more info on Samba and AD integration with Kerberos:
http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://forums.fedoraforum.org/archive/index.php/t-217600.html
http://doc.freenas.org/index.php/Directory_Services#Troubleshooting_Tips


Well, that's all I have for now. I hope it helps!

Tested on Windows Server 2012 Active Directory, Windows Server 2012 function level
FreeNAS FreeNAS-9.2.1-RC-83ae0c1-x64
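
The AD-side part of the procedure above (computer account, A record, service account with a non-expiring password, Full Control on the computer object only) scripted in PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory and DnsServer modules are available on the domain controller; the names NAS1, NAS1USER, windows.domain.com and the address 192.0.2.10 are placeholders taken from or constructed for this thread.

```powershell
# Added example, not from the original post: least-privilege join prep for FreeNAS.
# The service account gets Full Control on the NAS1 computer object and nothing
# else, so no Domain Admin credential ever has to be stored on the NAS.
Import-Module ActiveDirectory
Import-Module DnsServer

$NasName   = 'NAS1'                    # FreeNAS hostname (assumed)
$SvcName   = 'NAS1USER'                # lookup/join service account (assumed)
$DomainDns = 'windows.domain.com'      # AD DNS zone / domain FQDN (assumed)
$NasIp     = '192.0.2.10'              # constructed documentation address
$SvcPass   = Read-Host -AsSecureString "Password for $SvcName"

# 1. Computer account that FreeNAS will take over when it joins
if (-not (Get-ADComputer -Filter "Name -eq '$NasName'")) {
    New-ADComputer -Name $NasName -SAMAccountName $NasName -Enabled $true
}
$nas = Get-ADComputer -Identity $NasName

# 2. Forward A record so Kerberos can resolve the NAS by its FQDN
Add-DnsServerResourceRecordA -ZoneName $DomainDns -Name $NasName -IPv4Address $NasIp

# 3. Plain domain user with a non-expiring password; no privileged groups
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -AccountPassword $SvcPass `
        -PasswordNeverExpires $true -Enabled $true
}
$svc = Get-ADUser -Identity $SvcName

# 4. Full Control (GenericAll) scoped to this one computer object, which is
#    what the "Security tab -> add NAS1USER -> Full Control" step does by hand
$path = "AD:\$($nas.DistinguishedName)"
$acl  = Get-Acl -Path $path
$ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $svc.SID, `
        ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll), `
        ([System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 5. Verify: the only explicit ACE for the service account is on the NAS object
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$SvcName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Enter $SvcName and its password into the FreeNAS "Domain Account Name" / "Domain Account Password" fields; if the account is later compromised, only the NAS1 object can be tampered with, not the domain.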
 

DA-Heath

Cadet
Joined
Feb 4, 2014
Messages
4
Awesome, thanks for the suggestion of using a non-privileged account in the FreeNAS configuration and giving that account access to the FreeNAS Computer object in AD.

I wasted a bunch of time trying to make a working keytab (I'm using samba4 as my DC so I don't have a "ktpass.exe"). But your method doesn't require a keytab and doesn't require an admin password saved in cleartext in FreeNAS' config.

BTW, for the other AD newbs like myself, to see the "Security" tab in the Properties dialog you have to select "Advanced Features" under the "View" menu.
 

Serverbaboon

Dabbler
Joined
Aug 12, 2013
Messages
45
Not sure if my issue was the name of my service account in Windows or whether changing the name reset everything, but based on work practices where we differentiate Live and Dev accounts with svcl- or svcd-, my user/service account started "svcl-freenas" and stopped working when I upgraded my domain to Windows 2008R2.

No matter what I did, including upgrading to 9.2.1 RC2, I could not get it to start. I then remembered reading somewhere that Samba/Kerberos did not seem to like non-alphanumeric characters in passwords, so I wondered if the same mattered with the name. I renamed my service account to just alpha characters and the service started, so just watch out on the names of your user accounts.

@BigPhil: Good stuff, elegant solution to giving the user account too many rights. Using your tips (and renaming my account) I fixed my issue such that I have now been able to bounce my test Windows domain to Windows 2012R2. Yes, I believe the Keytab commands are wrong; I will try and post the correct command after I have tested it by breaking my Directory Service again.
 

Serverbaboon

Dabbler
Joined
Aug 12, 2013
Messages
45
I think the correct ktpass command should be (it's one line, I don't know how to wrap the line properly):

ktpass.exe -out freenashost.keytab -princ HOST/freenashost.yourdomain.com@YOURDOMAIN.COM -ptype KRB5_NT_PRINCIPAL -mapuser yourdomain\useraccount -pass thepasword


The above command will complain about not being able to set the SPN if you have previously joined the Windows domain with your FreeNAS box, whereupon it will have registered the SPN underlined above against the computer account, which is the norm for Windows. You will have to clear the SPN using the SETSPN -D command or delete the computer account. I don't think you need the SETSPN command in the instructions because on Windows 2008+ the KTPASS command creates the SPN for you.

However, I say I think the above command is correct because I can generate the keytab file but the service still does not start. I can see a failure on the Windows domain controller for the service account for the user right SeMachineAccountPrivilege, but the next event log messages say the machine account has changed, so I don't know why it still fails. Will look at it again over the weekend.
 

Serverbaboon

Dabbler
Joined
Aug 12, 2013
Messages
45
The documentation's use of the phrase Domain Controller is correct if you are making your FreeNAS box a domain controller, but I think the wording should not be used, to cut down on confusion.
 

sybreeder

Explorer
Joined
Aug 15, 2013
Messages
75
I successfully joined to a Server 2012 domain only when I set the workgroup name as the domain name. But when I open the CIFS settings it seems that AD didn't force the settings to AD. It is still anonymous or local user. Should it be like that?
 

Serverbaboon

Dabbler
Joined
Aug 12, 2013
Messages
45
Before I have a complete breakdown, has anyone actually got the Keytab method of joining a Windows domain to work? I can join using the BigPhil method but not with a keytab file. The latest testing I have done shows these errors when I try John Hixon's command line tests:

Failed to join domain: failed to set machine spn: Constraint violation
Failed to leave domain: failed to connect to AD: Cannot read password.

I know I have not posted full details yet; I just want to know if someone has got it to work and, more importantly, in a 2012 Windows domain.

NB: This is joining a domain, not acting as a domain controller.
 

menziesii

Cadet
Joined
Jun 26, 2013
Messages
4
One problem I encountered getting AD past the net join command is making sure FreeNAS has access to AD services on all of your domain controllers. I work with a 12 site AD installation, and until I allowed ldap/dns access to all DCs, I couldn't get it to work, regardless of trying to specify a local DC. It didn't seem to consider the Sites/Services subnet info in AD for its choice of DC. Hope that helps someone.
 

bigphil

Patron
Joined
Jan 30, 2014
Messages
486
One problem I encountered getting AD past the net join command is making sure FreeNAS has access to AD services on all of your domain controllers. I work with a 12 site AD installation, and until I allowed ldap/dns access to all DCs, I couldn't get it to work, regardless of trying to specify a local DC. It didn't seem to consider the Sites/Services subnet info in AD for its choice of DC. Hope that helps someone.

I believe it works like that because, by default, each DC creates an A record for the domain in your DNS zone. So for non-site-specific operations, like joining the domain, the client can potentially connect to any DC that has created an A record for the domain.
 

jason56k

Cadet
Joined
Apr 4, 2014
Messages
7
I just got a FreeNAS Mini and I can't get AD to work no matter what I do. I followed this guide as well as the one on the pfSense website. When I start Directory Services it fails and the messages "unable to initialize domain list" and "could not fetch our SID - Did we join?" flash on the terminal. Everything appears to be set up correctly according to everything I have found through Google.

Unfortunately I'm a BSD noob and was hoping to use this mini to teach myself before I jumped to a bigger NAS to store more important stuff. I'll be spending the weekend just trying to get AD to work. Does anyone have any pointers?
 

mauirixxx

Explorer
Joined
Oct 2, 2013
Messages
60
It sounds like there's still some back end stuff to configure?

Is Active Directory set up, with Windows clients joining? If yes,
Is FreeNAS DNS pointed towards your Active Directory server? If yes,
Is FreeNAS NTP pointed towards your Active Directory server (may not be related, but will save you further permissions errors down the road)?

Honestly, it sounds like the DNS isn't configured properly, but without more info that statement is just my best guess from my experience with AD (DNS *has* to be working properly or all kinds of stuff doesn't work).

What AD backend are you running? 2003, 2008, 2012? My write up was for 2008 R2, but it's pretty much stating the same stuff bigphil's write up did, though he was using 2012 for his AD setup.
 

coinclink

Cadet
Joined
May 2, 2014
Messages
1
I'm having problems getting the directory service to start and it seems to be related to the following lines in the log:

May 2 12:45:51 freenas ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
May 2 12:45:52 freenas notifier: No system pool configured!
May 2 12:45:52 freenas root: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
May 2 12:45:52 freenas notifier: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.


Sure enough, when I look under /usr/local/etc, the file smb4.conf does not exist. If I touch/create the file, it gets deleted when I attempt to start Directory Services... very confused here...

Here are the steps I took to set up AD settings:
  1. Set system to factory defaults
  2. Set hostname & network settings
  3. Set timezone and ntp servers
  4. Set "Directory Service" to "Active Directory" in system settings
  5. Created Computer Object on AD server
  6. Entered domain name, NetBIOS name, Workgroup, Domain Admin account and Password, and set "use default domain" under Active Directory settings
  7. Set up CIFS settings (I have also tried skipping the CIFS settings)
  8. Went to "Control Services" and clicked the button to start "Directory Services"
I don't understand what could possibly be going wrong. Why is the smb4.conf file not being created and being deleted when I start the service?? It makes no sense to me.
 

mauirixxx

Explorer
Joined
Oct 2, 2013
Messages
60
Do you have a system dataset pool configured? As far as I know, this MUST be configured BEFORE setting up Active Directory or CIFS.
 

Attachment: system-dataset-pool.png

Jim E.

Cadet
Joined
Apr 29, 2014
Messages
2
Great post but unfortunately after following your directions on my new FreeNAS-9.2.1.5-RELEASE-x64 (80c1d35) system I'm not able to start Directory Services. Rather than polluting this thread I'm going to start a new one but wanted to give you props for an easy to follow read.
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
How do I apply a ZFS-based folder quota for each domain user? Any thoughts on that? Thanks!
 

Jamie Walhouse

Dabbler
Joined
Apr 12, 2014
Messages
13
Can anyone please help me to get this working in FreeNAS 9.3 and Windows Server 2012?
I can connect FreeNAS to the domain and list domain accounts in the shell; however, they don't show in the FreeNAS GUI dropdowns.
FreeNAS keeps complaining: 'Winbindd' finished starting up and ready to serve connections could not get unix id for SID

and also keeps saying: freenas unable to initialize domain list

some info if this helps

[root@freenas ~]# wbinfo -t
checking the trust secret for domain WALHOUSE via RPC calls succeeded

[root@freenas ~]# wbinfo -u
FREENAS\root
WALHOUSE\administrator
WALHOUSE\guest
WALHOUSE\krbtgt
WALHOUSE\jamie
WALHOUSE\josh
WALHOUSE\$rh2000-hlhhf2tqn9vo
WALHOUSE\sm_5c0daa7cef464853b
WALHOUSE\sm_8e10c96d3bed4fb0a
WALHOUSE\sm_b7aaaf53429445cdb
WALHOUSE\sm_ce3b43c6c3e144ae9
WALHOUSE\sm_e54acb9bb0c04ce18
WALHOUSE\sm_99669f3ffdcd4260a
WALHOUSE\sm_ab7238f550194e579
WALHOUSE\sm_64c00d36fa73476d9
WALHOUSE\sm_f680c860641a4450b
WALHOUSE\jen
WALHOUSE\blake
WALHOUSE\stephen
WALHOUSE\donna
WALHOUSE\marg
WALHOUSE\info
WALHOUSE\bec
WALHOUSE\freenasadmin

This is driving me mad; I've gone over what guides I can find several times.

Thanks for any help
 