bigphil (Patron, joined Jan 30, 2014, 486 messages)
Hello everyone! First post on the forum :) Here goes.
Man oh man...I can't believe all of the posts on here about issues with getting FreeNAS to work with Active Directory. After going through quite a few posts on here as well as other boards, here are the steps I think might be a little easier for people.
First things first...make sure you have a sound AD environment. Make sure DNS is working correctly and verify your SRV records (in the FreeNAS shell, you can run this command without the quotes: "host -t srv _kerberos._tcp.windows.domain.com", where windows.domain.com is the FQDN of your domain). It should come back with something like this: "_kerberos._tcp.windows.domain.com has SRV record 0 100 88 dc.windows.domain.com". If not, you have some DNS issues. Verify your network settings in FreeNAS and your AD DNS records. I would recommend configuring your FreeNAS box to point to your domain controller as its DNS server. Another thing is to make sure you have your NTP settings correct. On the domain controller that holds the FSMO PDC role (run this command from your DC: "netdom query fsmo"), double-check your NTP settings. If you've never set anything, I recommend using these settings...run from a command prompt on the PDC:
w32tm /config /manualpeerlist:"time.windows.com,0x1" /syncfromflags:manual /reliable:yes /update
After you run that command, restart the Windows Time Service. This will make your PDC sync from an external time source, which is highly recommended. It's also a good idea to make sure your client PCs on your domain are set to sync from the domain hierarchy. You can do this by running the following command on client PCs and member servers:
w32tm /config /syncfromflags:domhier /update
You should now set your FreeNAS system to point to this PDC as its primary NTP server. Add it to the NTP server settings in FreeNAS and be sure to mark the option to prefer this server for NTP. Don't forget to set the time zone too!
Before you continue any further, you need to make sure you create a ZFS Volume/Pool on FreeNAS and verify that it's in a healthy state. Now go to System/Settings and set the "System dataset pool" option to be your new Pool. If you don't create a pool before continuing below, you won't be able to start the Directory Services service or the CIFS service!
Now on the FreeNAS box, set the Directory Service on the System/Settings/General tab to be Active Directory. Next...DISABLE the following two CIFS service settings: Local Master, Time Server for Domain. If you don't do this, don't come crying when strange stuff happens ;-)
Ok, now that we are all set there, it's time to create an AD computer account for your FreeNAS box in AD. For this article, we'll call it NAS1. After this, create an A record for the NAS1 computer account in your DNS server. Now create a new user account that is configured with a Non-Expiring password. We'll call it NAS1USER. Now go back to the computer account, NAS1, and open the properties of the account. On the security tab, add the NAS1USER account with Full Control permissions. What this does is get around the issue of having to use an Administrator or Domain Admin account to join AD and set the secure channel for the account. The new feature in 9.2.1 for using a Keytab file seems like a nice idea, but the documentation is not quite ready from what I see. What's currently on the wiki for this seems wrong to me. It says, and I quote, "hostname is the fully qualified hostname of the domain controller." I think it should be hostname = NAS1, i.e. the hostname of your FreeNAS system. I'm speculating here, but I wouldn't trust it yet without some definitive documentation and tests. Regardless...the documentation also states to fill in the Directory Services settings "Domain Account Name" and "Domain Account Password" with a less privileged account for running lookups. Ummm...ok, so that will still be in the database in clear text? Oh well, if it needs it...it needs it. The good thing is that, for this config, you insert the NAS1USER account here. So it is a less privileged account BUT it has Full Control of the NAS1 computer account. Boom...it all works! Users and Groups get populated when setting permissions on a Dataset and CIFS shares work as expected. For the CIFS permissions, you'll need to edit your Dataset permissions and change it to Windows / Mac ACL style and change Owner (user) to be an AD account and Owner (group) to be an AD group of your choice. These two accounts will have inherited permissions to the share.
One note here is that there is currently an issue with "Share Permissions" being set to Everyone. You can change it using compmgmt.msc to connect to the FreeNAS system, but it will revert back when you reboot the NAS. Info here: https://bugs.freenas.org/issues/3644
Troubleshooting help:
Some good articles with more info on Samba and AD integration with Kerberos:
http://itscblog.tamu.edu/joining-samba-to-a-windows-2008-r2-domain/
http://wiki.samba.org/index.php/Samba_&_Active_Directory
http://forums.fedoraforum.org/archive/index.php/t-217600.html
http://doc.freenas.org/index.php/Directory_Services#Troubleshooting_Tips
Well, that's all I have for now. I hope it helps!
Tested on Windows Server 2012 Active Directory, Windows Server 2012 function level
FreeNAS FreeNAS-9.2.1-RC-83ae0c1-x64
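The AD-side steps from the post (computer account NAS1, A record, non-expiring user NAS1USER, Full Control on the NAS1 object only) as one PowerShell script run on a domain controller. This is an added example, not code from the post or from FreeNAS; the domain, names and IP address are placeholders taken from the post, and it assumes the ActiveDirectory and DnsServer modules are installed on the DC. The ACE is scoped to the single computer object, which is what keeps NAS1USER out of Domain Admins while still letting it join and maintain the NAS account.

```powershell
# Added example: automates the AD-side steps described in the post.
# Placeholders (assumptions, adjust to your environment):
$Domain  = 'windows.domain.com'   # AD DNS domain from the post
$NasName = 'NAS1'                 # computer account for the FreeNAS box
$NasUser = 'NAS1USER'             # dedicated account used for the join/lookups
$NasIP   = '192.0.2.10'           # constructed address of the FreeNAS box

Import-Module ActiveDirectory
Import-Module DnsServer

# 1. Computer account for the NAS
New-ADComputer -Name $NasName -SAMAccountName $NasName -Enabled $true

# 2. A record so Kerberos and SMB clients can resolve the NAS by name
Add-DnsServerResourceRecordA -ZoneName $Domain -Name $NasName -IPv4Address $NasIP

# 3. Dedicated user with a non-expiring password (prompted, so it never
#    lands in the shell history)
$pw = Read-Host -AsSecureString -Prompt "Password for $NasUser"
New-ADUser -Name $NasUser -SamAccountName $NasUser -AccountPassword $pw `
           -PasswordNeverExpires $true -Enabled $true

# 4. Grant NAS1USER Full Control (GenericAll) on the NAS1 computer object only.
#    This is the "security tab -> Full Control" step from the post; it gives
#    the account rights on this one object, nothing else in the directory.
$computer = Get-ADComputer -Identity $NasName
$userSid  = (Get-ADUser -Identity $NasUser).SID
$path     = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $path
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $userSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# 5. Verify: show the explicit ACEs NAS1USER now holds on the NAS1 object.
#    Expect one entry with ActiveDirectoryRights = GenericAll, Allow.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$NasUser" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Step 5 is also a useful periodic check: any additional ACEs for NAS1USER on other objects would mean the account has drifted beyond the single-object scope the post relies on.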