What does the Active Directory service "do" in FreeNAS 9.X?

Status
Not open for further replies.

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)
Hi guys,

This is more of a technical question about what enabling Active Directory on FreeNAS 9.X (any new version, really) actually does to and for a domain.

So say I go to FreeNAS, and I set the Directory Services to Active Directory. Then I go to the settings for that and I set everything correctly to have FreeNAS authenticate and become part of the Domain. What is FreeNAS doing to the Domain if I have Local Master and Time Server unchecked in CIFS Shares?

Is it strictly becoming a part of the domain and trying to get Users/Groups from the DCs? Or is it trying to do more such as what AD DS does in Windows Server (any of them that have it)? Are the two things similar in any way?

The reason I ask is because my co-worker doesn't wish me to enable Active Directory services on FreeNAS because he believes it will interfere with the current DCs on our network in some form. And I'm trying to make him understand that without Active Directory enabled, FreeNAS can't get the Users/Groups from the DC to give out permissions on CIFS Shares, but he believes it can without having any Directory Services enabled at all.

I'm assuming I'm right based on my reading of the FreeNAS wiki and various other material, but I'm uncertain because I don't know the answer to this question.

Thanks,
Vitalius

Edit: Could someone change the Tag to "QUESTION"? I had a momentary lapse of thought. Thanks.

bigphil (Patron; joined Jan 30, 2014; 486 messages)

Configuring FreeNAS to join a current Active Directory domain as a member server is just like any other client that joins the domain. Just make sure to uncheck those two boxes that you mentioned and there will be zero problems on the domain. Make sure to also configure the NTP settings on FreeNAS to point to your authoritative time server in your domain.

You're correct about FreeNAS needing to be joined in order to assign permissions to your AD accounts for CIFS access. Without it, the only way around it would be to create local accounts on FreeNAS with the exact same username and password as all of your users... suffice it to say, that's totally impractical. Your co-worker sounds like a paranoid IT guy and he/she needs to give it a rest. Take a system state backup of the DCs holding your FSMO roles if they are so concerned about something going wrong (which it won't if set up correctly following my guide).

I posted a nice how-to article on configuring the latest version of FreeNAS for Active Directory. http://forums.freenas.org/index.php?threads/using-active-directory-with-freenas.18068/

EDITED
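The member-server settings bigphil describes above, as an added example that is not FreeNAS's or Samba's own code: a small Python checker that reads an smb4.conf-style file and flags anything that would make the host more than a plain domain member. The sample configurations below are constructed, not FreeNAS output. The option names are the Samba parameters behind the FreeNAS "Local Master" and "Time Server for Domain" boxes (`local master`, `time server`); the encoded Samba defaults (`local master = yes`, `time server = no`, `security = user`) are an assumption about the Samba version on the box and should be confirmed against `man smb.conf` there.

```python
"""Added example: flag smb4.conf settings that make a Samba host act as more
than a plain AD member server. Not FreeNAS or Samba code."""

# Samba defaults for the options checked (assumption: Samba 4.x defaults;
# confirm against `man smb.conf` on the box).
SAMBA_DEFAULTS = {"security": "user", "local master": "yes", "time server": "no"}

# What a domain *member* should have. 'local master' and 'time server' are the
# Samba parameters behind the FreeNAS "Local Master" and "Time Server for
# Domain" boxes; leaving either on makes the NAS contend in browser elections
# or advertise itself as a time source to Windows clients.
MEMBER_EXPECTED = {"security": "ads", "local master": "no", "time server": "no"}

# Samba accepts several spellings for booleans; normalise them to yes/no.
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}


def parse_global(text):
    """Return the [global] section of an smb.conf-style text as a lowercase dict."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def member_server_findings(text):
    """List anything that stops the host from being a well-behaved member server."""
    g = parse_global(text)
    findings = []
    for key in ("workgroup", "realm"):
        if not g.get(key):
            findings.append(f"missing '{key}': the host cannot identify the domain to join")
    for key, want in MEMBER_EXPECTED.items():
        raw = g.get(key, SAMBA_DEFAULTS[key])  # an unset option takes Samba's default
        got = _BOOL.get(raw, raw)
        if got != want:
            origin = "explicitly set" if key in g else "Samba default"
            findings.append(f"'{key} = {got}' ({origin}); a member server wants '{key} = {want}'")
    return findings


# Constructed samples (not FreeNAS output): a join with both boxes left on,
# and the same join with them off.
SAMPLE_BAD = """
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    security = ads
    local master = yes
    time server = yes
    winbind use default domain = yes
"""

SAMPLE_GOOD = """
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE.COM
    security = ads
    local master = no
    time server = no
    winbind use default domain = yes
"""

if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, member_server_findings(conf) or "OK")
```

Run it against `/usr/local/etc/smb4.conf` on the NAS (read the file into `member_server_findings`) after saving the CIFS settings; an empty list means the host will only consume users and groups from the DCs and will not volunteer for browser-master or time-server roles. Note that an option left out of the file is judged by Samba's default, which for `local master` is on.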

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)

> Configuring FreeNAS to join a current Active Directory domain as a member server is just like any other client that joins the domain. Just make sure to uncheck those two boxes that you mentioned and there will be zero problems on the domain. Make sure to also configure the NTP settings on FreeNAS to point to your authoritative time server in your domain. I posted a nice how-to article on configuring the latest version of FreeNAS for Active Directory. http://forums.freenas.org/index.php?threads/using-active-directory-with-freenas.18068/

Yes, and thank you for that article (and quick reply). It still hasn't resolved my issues getting FreeNAS to authenticate with my domain, but it has helped me verify a few other things. I have done that with NTP.

I figured that was the answer. I imagine it's just like a normal Windows 7 machine connecting to a Domain. They all have to have Active Directory services enabled (or whatever their equivalent is) to actually authenticate and be part of the Domain.

bigphil (Patron; joined Jan 30, 2014; 486 messages)

If you're on the latest version of FreeNAS (or at least 9.2.0) and you follow my guide to the T, it should work without any problems.

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)

> You're correct about FreeNAS needing to be joined in order to assign permissions to your AD accounts for CIFS access. Without it, the only way around it would be to create local accounts on FreeNAS with the exact same username and password as all of your users... suffice it to say, that's totally impractical. Your co-worker sounds like a paranoid IT guy and he/she needs to give it a rest. Take a system state backup of the DCs holding your FSMO roles if they are so concerned about something going wrong (which it won't if set up correctly following my guide). EDITED


[just responding to this edited-in section]

Exactly. And he is. And I understand why. We don't have a test bed for this stuff, so we have to cautiously push forward in our production environment. I understand how much of a bad practice that is, but we have few options otherwise. He is paranoid because our network is weird. The first time I enabled Active Directory services, the permissions on our primary file server went wonky. That's back when the FreeNAS machine could authenticate with the Domain (it hasn't since).

So he naturally figured it was FreeNAS doing it because we had no other real answer that we could think of (we weren't touching permissions at the time). This is why he's paranoid about FreeNAS.

> If you're on the latest version of FreeNAS (or at least 9.2.0) and you follow my guide to the T, it should work without any problems.

Alright, I'll give it another go from scratch (again). I think part of it is that I've done a bit in the DNS, Users and Groups, and such in Windows Server and it's not liking each new installation of FreeNAS. Respectively: created a Host A record for FreeNAS, created a FreeNAS-specific user who has full control of the FreeNAS computer account (so I don't have to use the Administrator account in FreeNAS), and things like that.

To be honest, I've been smashing my head against the brick wall that is FreeNAS, Active Directory, and our strange network for the past month+. I'm up for trying anything at this point (that doesn't break what's already in place).

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)

> If you're on the latest version of FreeNAS (or at least 9.2.0) and you follow my guide to the T, it should work without any problems.

Update about this.

I started from scratch with FreeNAS 9.2.1.2 RELEASE with my Windows 2008 R2 DC. Prep for my attempt:
  • Deleted DNS Host A record for FreeNAS
  • Deleted Active Directory Users and Computers accounts for FreeNAS (Both the User and Computer account)
  • Reset FreeNAS to Factory Defaults using the Shell's #8 option.
Order of things as I did them:
  • Created DNS Host A Record for FreeNAS
  • Made AD U&C accounts for both FreeNAS User and Computer
  • Configured FreeNAS' Domain, NetBIOS name, Hostname, IP settings, and made my Storage pools. Set CIFS Local Master and Time server for Domain to Unchecked.
  • Switched Directory Services to Active Directory.
  • Configured Active Directory settings.
  • Turned on Directory Services in Control Services (CIFS was off).
  • Directory Services failed to start. CIFS started fine. The Event Log mentions winbindd not running.
  • Go to Settings>Directory Services>Switch to ----.
  • Reboot FreeNAS
  • Go to Settings>Directory Services>Switch back to Active Directory.
  • Turned on Directory Services in Control Services (CIFS was off).
    Notables from event log:
    Mar 12 15:18:11 FREENAS14 winbindd[5227]: [2014/03/12 15:18:11.449589, 0] ../source3/winbindd/winbindd_util.c:634(init_domain_list)
    Mar 12 15:18:11 FREENAS14 winbindd[5227]: Could not fetch our SID - did we join?
    Mar 12 15:18:11 FREENAS14 winbindd[5227]: [2014/03/12 15:18:11.449951, 0] ../source3/winbindd/winbindd.c:1204(winbindd_register_handlers)
    Mar 12 15:18:11 FREENAS14 winbindd[5227]: unable to initialize domain list
    ...
    Mar 12 15:18:36 FREENAS14 winbindd[5881]: [2014/03/12 15:18:36.751952, 0] ../source3/libads/sasl.c:994(ads_sasl_spnego_bind)
    Mar 12 15:18:36 FREENAS14 winbindd[5881]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

    The above event happened about 50 times. Then this happened.

    Mar 12 15:18:40 FREENAS14 manage.py: [py.warnings:744] /usr/local/www/freenasUI/../freenasUI/common/freenasldap.py:744: DeprecationWarning: object() takes no parameters obj = super(FreeNAS_ActiveDirectory_Base, cls).__new__(cls, **kwargs)
Directory Services stayed on this time. Finally. However, I'm still getting the "Invalid Credentials" problem.

Since this is a test, I'm using the Domain Admin credentials rather than the FreeNAS User credentials. It shouldn't be invalid.

bigphil (Patron; joined Jan 30, 2014; 486 messages)

Do your domain admin credentials contain any special characters that are possibly causing the issue? If so, I would set up a special user account, like in my instructions, and create a password that is only alphanumeric. Try that and let us know what happens.

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)

> Do your domain admin credentials contain any special characters that are possibly causing the issue? If so, I would set up a special user account, like in my instructions, and create a password that is only alphanumeric. Try that and let us know what happens.

Yes. ^ specifically.

I want to note that I edited that list of my actions because I had to write it after the fact, so I remembered more of what I did in order. TL;DR: I made the special user and computer accounts, and re-added the DNS Host records before configuring Active Directory. Then I started Directory Services, which failed to start, so I disabled it (switched it to ---- in the Settings), rebooted, then switched back to AD DS, which allowed it to start (I have a feeling that has something to do with "only one directory service can be configured at a time" in the FreeNAS Wiki).

Process taken in retry:
  • Changed the user in Active Directory to the following:
    User: FREENAS14
    Pass: TEST1234test
  • Attempted to start Directory Services (CIFS off), failed (a different issue: winbindd wasn't mentioned, but the samba service was started while the kinit service was force-stopped).
  • Switched Directory Services to ---- under Settings.
  • Reboot FreeNAS
  • Switched Directory Services to Active Directory under Settings.
  • Attempted to start Directory Services (CIFS off), failed. Notable from event logs:
    Mar 12 15:48:29 FREENAS14 root: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
    Mar 12 15:48:29 FREENAS14 notifier: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
    Mar 12 15:48:31 FREENAS14 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
First time seeing ix-activedirectory quiet start, aside from the one time it worked mentioned above.

The "not readable" makes me want to start back again from Factory Defaults. So on to that.

Pseudobolt (Dabbler; joined Apr 16, 2014; 17 messages)

> Code:
> Mar 12 15:48:29 FREENAS14 root: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
> Mar 12 15:48:29 FREENAS14 notifier: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
> Mar 12 15:48:31 FREENAS14 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
>
> The "not readable" makes me want to start back again from Factory Defaults. So on to that.

I had the same error messages when debugging my AD failing to start. In my case it seems to have been because I had not yet configured a system dataset pool in the Settings menu. After I set one up, I found a bunch of files stored in .system/samba4 on my data pool. Seems like it needs that to store settings, cache, etc.
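The three failures in this thread leave distinct lines in the FreeNAS log, and it is worth triaging them before resetting to factory defaults. The following is an added example, not FreeNAS or Samba code: it runs over the log lines quoted in the posts above (copied into a constructed sample, with the DeprecationWarning noise between them) and maps each signature to the next check the thread arrived at. The hints are drawn from the posts above plus the standard Samba commands `net ads testjoin` and `wbinfo -t`; which hint applies to a particular box is for the reader to verify.

```python
"""Added example: triage winbindd/samba log lines from a FreeNAS 9.x box that
will not start Directory Services. Not FreeNAS or Samba code."""
import re
from collections import OrderedDict

# (tag, pattern, next check). Patterns are the literal strings quoted in this
# thread; the hints are what the thread tried, plus standard Samba checks.
SIGNATURES = [
    ("smb4conf-unreadable",
     re.compile(r"smb4\.conf is not readable"),
     "Samba never got a config file. On FreeNAS 9.x it lives under the system "
     "dataset (.system/samba4 on a pool): set the system dataset pool in "
     "Settings, then restart Directory Services."),
    ("not-joined",
     re.compile(r"Could not fetch our SID|unable to initialize domain list"),
     "winbindd has no domain SID for this host, so the join never completed or "
     "its state was lost. Redo the join and confirm with 'net ads testjoin' and "
     "'wbinfo -t' before enabling CIFS."),
    ("ldap-bind-failed",
     re.compile(r"kinit succeeded but .*bind failed: Invalid credentials"),
     "The KDC accepted the password (kinit worked) but the LDAP bind to the DC "
     "was rejected. The thread's next checks: a dedicated join account with an "
     "alphanumeric-only password, and the system dataset above."),
]


def classify_line(line):
    """Return (tag, hint) for a known failure line, or None for noise."""
    for tag, pattern, hint in SIGNATURES:
        if pattern.search(line):
            return tag, hint
    return None


def triage(log_text):
    """Group log lines by failure tag, keeping first-seen order and a count."""
    found = OrderedDict()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        tag, hint = hit
        if tag in found:
            found[tag]["count"] += 1
        else:
            found[tag] = {"count": 1, "first_line": line.strip(), "hint": hint}
    return found


# Constructed sample: the lines quoted in this thread, plus the harmless
# DeprecationWarning that appeared between them.
SAMPLE_LOG = """\
Mar 12 15:18:11 FREENAS14 winbindd[5227]: Could not fetch our SID - did we join?
Mar 12 15:18:11 FREENAS14 winbindd[5227]: unable to initialize domain list
Mar 12 15:18:36 FREENAS14 winbindd[5881]: kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Mar 12 15:18:40 FREENAS14 manage.py: [py.warnings:744] DeprecationWarning: object() takes no parameters
Mar 12 15:48:29 FREENAS14 root: /usr/local/etc/rc.d/samba_server: WARNING: /usr/local/etc/smb4.conf is not readable.
"""

if __name__ == "__main__":
    for tag, info in triage(SAMPLE_LOG).items():
        print(f"{tag} (x{info['count']}): {info['first_line']}\n    -> {info['hint']}")
```

Feed it the relevant stretch of `/var/log/messages` from the NAS. Resolve `smb4conf-unreadable` first: with no config file, Samba and winbindd never start, so the join and bind errors that follow it are consequences rather than independent faults, which matches the order in which this thread's fix landed.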

TremorAcePV (Explorer; joined Jun 20, 2013; 88 messages)

> I had the same error messages when debugging my AD failing to start. In my case it seems to have been because I had not yet configured a system dataset pool in the Settings menu. After I set one up, I found a bunch of files stored in .system/samba4 on my data pool. Seems like it needs that to store settings, cache, etc.

Yes. This fixed my issue. Thanks.

It makes a lot of sense. I figured it'd just stick it on the FreeNAS OS drive if it had some spare space (i.e. take a bit from the space it allocates for upgrading the OS). Oh well.

mauirixxx (Explorer; joined Oct 2, 2013; 60 messages)

> In my case it seems to have been because I had not yet configured a system dataset pool in the Settings menu. After I set one up, I found a bunch of files stored in .system/samba4 on my data pool. Seems like it needs that to store settings, cache, etc.

Interesting - when I wrote up my own guide, I had already created my pools, this is good to note for the future - thanks (non-edit note - seems I had already documented this). My notes were for FreeNAS 9.1.1, though they carried over fine for v9.2.1.3 via the upgrade system.