FreeNAS as Active Directory Member - Samba share access when domain controller is offline

itm001

Cadet
Joined
Mar 10, 2019
Messages
3
Hi,

I added FreeNAS as a domain member to a Windows Server 2012 R2 domain controller without problems.
I would like to have access to the Samba shares using the Active Directory permissions when the domain controller is offline.
Can FreeNAS use something like "cached credentials" so the shares can be accessed when the domain controller is offline?

Thanks,
Tim

FreeNAS-11.2-U2.1
MB Supermicro X11SCA-F
i3-8300
64 GiB ECC

Code:
Testparm:
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[iso]"
Processing section "[shares]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        allow trusted domains = No
        client ldap sasl wrapping = plain
        deadtime = 15
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        dos charset = CP437
        hostname lookups = Yes
        kernel change notify = No
        lm announce = Yes
        load printers = No
        local master = No
        logging = file
        max log size = 51200
        max open files = 1882001
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        obey pam restrictions = Yes
        panic action = /usr/local/libexec/samba/samba-backtrace
        preferred master = No
        printcap name = /dev/null
        realm = xxx.LOCAL
        security = ADS
        server min protocol = SMB2_02
        server role = member server
        server string = FreeNAS Server
        template shell = /bin/sh
        time server = Yes
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = xxx
        idmap config cis: range = 20000-90000000
        idmap config cis: backend = rid
        idmap config *: range = 90000001-100000000
        idmap config * : backend = tdb
        acl allow execute always = Yes
        create mask = 0666
        directory mask = 0777
        directory name cache size = 0
        dos filemode = Yes
        strict locking = No


[iso]
        path = "/mnt/Tank/shares/iso"
        read only = No
        veto files = /.snapshot/.windows/.mac/.zfs/
        vfs objects = zfs_space zfsacl streams_xattr
        zfsacl:acesort = dontcare
        nfs4:chown = true
        nfs4:acedup = merge
        nfs4:mode = special


[shares]
        path = "/mnt/Tank/shares"
        read only = No
        veto files = /.snapshot/.windows/.mac/.zfs/
        vfs objects = zfs_space zfsacl streams_xattr
        zfsacl:acesort = dontcare
        nfs4:chown = true
        nfs4:acedup = merge
        nfs4:mode = special
 

itm001

We want to be able to access the Samba shares in case the Windows Server domain controller is down.
I think the easiest solution is to remove the Active Directory authentication for the Samba shares and use FreeNAS local user authentication.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
We want to be able to access the Samba shares in case the Windows Server domain controller is down.
I think the easiest solution is to remove the Active Directory authentication for the Samba shares and use FreeNAS local user authentication.

There isn't really much to do about this. AD architecture is clustered specifically for this reason. It is expected to _always_ be available. One option will be to install samba in a FreeNAS jail and use samba-tool to join the jailed instance to AD as a "read only domain controller" (RODC). With appropriate DNS configuration, the FreeNAS server will fail over to the jailed RODC if other components of the AD domain are unavailable.
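Added example (not part of the thread, and not FreeNAS or Samba code): a Python script that parses a testparm dump like the one posted above and extracts the settings that tie share access to the domain controller. The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Constructed sample: a trimmed subset of the testparm dump posted in the thread.
SAMPLE = """\
# Global parameters
[global]
        security = ADS
        winbind cache time = 7200
        winbind offline logon = Yes
        idmap config cis: backend = rid
        idmap config * : backend = tdb

[shares]
        read only = No
"""

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_testparm(text):
    """Return {section: {normalized_param: value}} from testparm output."""
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            cfg[section] = {}
        elif section and "=" in line:
            key, value = line.split("=", 1)
            cfg[section][norm(key)] = value.strip().strip('"')
    return cfg

def dc_dependency_summary(cfg):
    """Summarise the [global] settings that matter when the DC is unreachable."""
    g = cfg.get("global", {})
    backends = {k[len("idmapconfig"):-len(":backend")]: v
                for k, v in g.items()
                if k.startswith("idmapconfig") and k.endswith(":backend")}
    return {
        "ad_member": g.get("security", "").upper() == "ADS",
        "offline_logon": g.get("winbindofflinelogon", "no").lower() in ("yes", "true", "1"),
        "cache_minutes": int(g.get("winbindcachetime", "300")) // 60,  # Samba default: 300 s
        "idmap_backends": backends,
    }
```

Per the smb.conf documentation, `winbind offline logon` controls cached credentials for logins through pam_winbind, and `winbind cache time` is given in seconds.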
 