FreeNAS as an AD DC

Joined
Jan 4, 2014
Messages
1,644
I've been using local authentication to gain access to SMB shares and have thus far resisted using Active Directory. I'd now like to at least become familiar with AD to see what the fuss is about, so I'm dipping my big ugly toe in. The goal eventually is to automate syncing of user credentials across several FreeNAS servers, I'm a noob when it comes to AD, and the questions I'm going to ask are probably going to sound pretty dumb to those of you with AD expertise. I apologise in advance.

I believe I can use a FreeNAS server as a standalone DC. However, I get the feeling listening to @anodos that this isn't working as it should under 11.2, so should I wait till AD is moved into a jail? https://www.ixsystems.com/community/threads/11-1-to-11-2-ad-upgrade-issues.74356/

At this stage, I can't even get off first base (Services > Domain Controller > Configure). Referring to the attachment, it doesn't matter what password I try to set, it's not accepted in the dialogue box.
 

Attachments

  • screenshot.161.png
    screenshot.161.png
    9.5 KB · Views: 923
Last edited:

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
I've been using local authentication to gain access to SMB shares and have thus far resisted using Active Directory. I'd now like to at least become familiar with AD to see what the fuss is about, so I'm dipping my big ugly toe in. The goal eventually is to automate syncing of user credentials across several FreeNAS servers, I'm a noob when it comes to AD, and the questions I'm going to ask are probably going to sound pretty dumb to those of you with AD expertise. I apologise in advance.

I believe I can use a FreeNAS server as a standalone DC. However, I get the feeling listening to @anodos that this isn't working as it should under 11.2, so should I wait till AD is moved into a jail? https://www.ixsystems.com/community/threads/11-1-to-11-2-ad-upgrade-issues.74356/

At this stage, I can't even get off first base (Services > Domain Controller > Configure). Referring to the attachment, it doesn't matter what password I try to set, it's not accepted in the dialogue box.

I think you're better off running the DC in a jail. Provisioning has been semi-broken since FreeNAS 11.0. I introduced some fixes in 11.2 to make it provision correctly, but there was a code path where we were leaking acl_xattr instead of zfsacl for handling the ACLs. This caused some operations to fail and would leave the domain in a quasi-provisioned state. In U3 I'm forcing zfsacl in source3/param/loadparm.c if FS underlying the default sysvol path is ZFS. This is a permanent fix for provisioning. Next week, if I have time I'll make sure that the same fixed samba is available as a port in the jails.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,546
Quick update on this one. The provisioning code should be fixed in U3, but in 11.3 we're removing the DC role entirely from the 'services' menu. I haven't been able to find time yet to work on anything related to the jails. Your upgrade path in 11.3 will be to promote a jailed samba instance to DC of your freenas domain, then demote the FreeNAS server (and turn off the service). This will need to be done prior to upgrading to 11.3.
 
Top