11.1 to 11.2 AD Upgrade Issues?

JR Gonzalez

Explorer
Joined
Aug 29, 2014
Messages
64
I was wondering if anybody here using a FreeNAS box as an AD DC has upgraded from 11.1 to 11.2 yet and had any issues with AD being completely wiped after the upgrade. I found myself in an absolute nightmare when I had gone from 9.10 to 11.1. I had to completely rebuild the entire AD. Luckily it was a small home network but I can see that as being a major issue on larger infrastructures. I had to rejoin all the clients in the home and add the users from scratch.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You'll be jumping from Samba 4.7 to 4.9. I'd say before upgrading, at a minimum stop Samba and create a manual snapshot of the .system/samba4 dataset and make sure to back up the various samba tdb files. This should help with rolling back if needed (which is always a serious annoyance in an AD environment). If I were using it in an enterprise environment, I might consider installing the samba49 port from our ports tree in a FreeBSD server VM (not on the FreeNAS) or a FreeNAS jail: https://github.com/freenas/ports/tree/freenas/master/net/samba49, configure the DC, and join it to AD as a second domain controller. This will give an avenue for service continuity if the DC service breaks during an upgrade. This is also one of those reasons why I want to move this into a plugin.
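The pre-upgrade backup described in this post, written out as an added shell example (not the poster's or iXsystems' code). It assumes the system dataset is `<pool>/.system/samba4` mounted at `/var/db/system/samba4`, that the Samba rc service is called `samba_server`, and a pool name of `tank`; all of these are assumptions and can be overridden through environment variables. With `DRY_RUN=1` (the default) it only prints the plan, so you can review it before letting it touch the box.

```shell
#!/bin/sh
# Added example: pre-upgrade backup of the Samba AD DC state on a FreeNAS
# 11.1 box, following the advice in the post above. Not the forum poster's
# or iXsystems' code. Assumptions (edit to match your system):
#   POOL       pool that holds the system dataset (assumed "tank")
#   SAMBA_DS   the .system/samba4 dataset, assumed <pool>/.system/samba4
#   SAMBA_DIR  its mountpoint, assumed /var/db/system/samba4
#   samba_server is assumed to be the rc service name for Samba
# With DRY_RUN=1 (the default) every command is printed instead of run.
set -eu

POOL="${POOL:-tank}"
SAMBA_DS="${SAMBA_DS:-${POOL}/.system/samba4}"
SAMBA_DIR="${SAMBA_DIR:-/var/db/system/samba4}"
BACKUP_DIR="${BACKUP_DIR:-/mnt/${POOL}/backups/samba4}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Snapshot name tagged with the upgrade and a timestamp, e.g.
# pre-11.2-upgrade-20190305-101500
snapshot_name() {
    printf 'pre-11.2-upgrade-%s' "$(date +%Y%m%d-%H%M%S)"
}

# Stop Samba so the tdb/ldb files are quiescent, snapshot the dataset, and
# keep an independent tarball of the whole samba4 directory (private/,
# the *.tdb and *.ldb files, sysvol) outside the dataset, then start Samba
# again. Prints the snapshot name as its last line.
backup_samba_dc() {
    snap="$(snapshot_name)"
    run service samba_server stop
    run zfs snapshot "${SAMBA_DS}@${snap}"
    run mkdir -p "$BACKUP_DIR"
    run tar -czf "${BACKUP_DIR}/samba4-${snap}.tgz" -C "$SAMBA_DIR" .
    run service samba_server start
    printf '%s\n' "$snap"
}

# Roll the dataset back to a snapshot taken by backup_samba_dc. The -r flag
# destroys any snapshots newer than the target, so name it deliberately.
rollback_samba_dc() {
    snap="$1"
    run service samba_server stop
    run zfs rollback -r "${SAMBA_DS}@${snap}"
    run service samba_server start
}

# Usage:
#   DRY_RUN=1 sh samba_dc_backup.sh backup      # print the plan
#   DRY_RUN=0 sh samba_dc_backup.sh backup      # do it
#   DRY_RUN=0 sh samba_dc_backup.sh rollback pre-11.2-upgrade-20190305-101500
case "${1:-}" in
    backup)   backup_samba_dc ;;
    rollback) rollback_samba_dc "$2" ;;
esac
```

The tarball is deliberately stored outside the snapshotted dataset: a ZFS snapshot is the quick way back if the upgrade breaks the DC, but if the pool or the system dataset itself is rebuilt you still have a copy of the tdb/ldb files to restore from.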
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Okay. I was poking around this code again and realized that there is a significant issue in domain provisioning that I merged in for U3 a while back. If you're running a DC or planning to do so, you should hold off until the next U release (and still proceed with caution).
 

Clipper

Dabbler
Joined
Mar 5, 2019
Messages
10
Hi,

I just installed a fresh 11.2-U2 and tried to make it an AD DC (it's for home use). That didn't work at all, even though the settings seem correct. Samba starts, but there doesn't seem to be any dns/kerberos/etc. services running. The samba logs are full of errors.

Is it worth me detailing the setup and errors, or has AD DC never worked in 11.2-U2, so that I should instead wipe and wait for the next release?

Also, I saw somewhere that running both AD DC and SMB share services wasn't recommended. Is that just a warning, or will it really not work?

Thanks
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi,
>
> I just installed a fresh 11.2-U2 and tried to make it an AD DC (it's for home use). That didn't work at all, even though the settings seem correct. Samba starts, but there doesn't seem to be any dns/kerberos/etc. services running. The samba logs are full of errors.
>
> Is it worth me detailing the setup and errors, or has AD DC never worked in 11.2-U2, so that I should instead wipe and wait for the next release?
>
> Also, I saw somewhere that running both AD DC and SMB share services wasn't recommended. Is that just a warning, or will it really not work?
>
> Thanks

AD DC has more or less never worked correctly. I made a push for U3 to make it fully-functional, but had to revert some changes to zfsacl which were required for ACLs to be correctly handled by the DC role. Large numbers of users with an unsupported permissions configuration won out over users who might be able to enjoy having a DC :)

That episode highlights some of the tensions between trying to thoroughly support DC service and having a NAS for filesharing. In 11.3 I plan to fully move the DC role into an iocage plugin.
 

Clipper

Dabbler
Joined
Mar 5, 2019
Messages
10
I understand. Well, in the meantime I will try to set up a fully functioning DC in a jail as per the samba4 documentation. Then, try to connect the FreeNAS Active Directory, Kerberos and SMB services to it. Will report on how that worked (or not) :)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I understand. Well, in the meantime I will try to set up a fully functioning DC in a jail as per the samba4 documentation. Then, try to connect the FreeNAS Active Directory, Kerberos and SMB services to it. Will report on how that worked (or not) :)

It's a little more complex than that. In order to successfully provision on ZFS, you actually need my Samba 4.9 port (upstream FreeBSD one won't work). https://github.com/freenas/ports/tree/freenas/master/net/samba49

Basic steps:
1) Create jail
2) Add datasets to jail (one for /usr/ports, one for /usr/src, one for /var/db/samba4 (this will be sysvol share)). These should have "unix" permissions type.
3) On the jail host, git clone the freenas ports repo to the ports dataset git clone https://github.com/freenas/ports.git /mnt/<pool>/ports and same for os repo git clone https://github.com/freenas/os.git /mnt/<pool>/src
4) SSH into the freenas server and type "tmux". This will allow you to detach the samba build. Then type iocage list to list your jails and iocage console <dc jail> to enter the jail.
5) Once you're in the jail cd /usr/ports/net/samba49 and make install BATCH="YES". This will install the samba49 port and all of its dependencies.
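Steps 2 to 5 above, collected into one script that runs on the FreeNAS host (an added example, not the poster's or iXsystems' code). It assumes the jail from step 1 already exists and has networking, that the three datasets were created with the "unix" permissions type and are mounted at /mnt/<pool>/ports, /mnt/<pool>/src and /mnt/<pool>/samba4, and that `iocage fstab -a`, `iocage exec` and `tmux` are available on the host; the pool name `tank` and jail name `dc` are placeholders. With `DRY_RUN=1` (the default) it prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: jail build steps 2 to 5 as one script run on the FreeNAS
# host. Not the forum poster's or iXsystems' code. Assumptions:
#   POOL   pool holding the ports/src/samba4 datasets, created beforehand
#          with "unix" permissions, mounted at /mnt/$POOL/{ports,src,samba4}
#   JAIL   name of an existing iocage jail (step 1) that has networking
#   iocage fstab -a, iocage exec and tmux are available on the host
# DRY_RUN=1 (the default) prints the commands instead of running them.
set -eu

POOL="${POOL:-tank}"
JAIL="${JAIL:-dc}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 2: nullfs-mount the three host datasets into the jail.
# /var/db/samba4 inside the jail becomes the DC's state and sysvol share.
mount_datasets() {
    for pair in "ports:/usr/ports" "src:/usr/src" "samba4:/var/db/samba4"; do
        ds="${pair%%:*}"
        dst="${pair#*:}"
        run iocage fstab -a "$JAIL" "/mnt/${POOL}/${ds} ${dst} nullfs rw 0 0"
    done
}

# Step 3: clone the FreeNAS ports and os trees onto the host datasets.
clone_trees() {
    run git clone https://github.com/freenas/ports.git "/mnt/${POOL}/ports"
    run git clone https://github.com/freenas/os.git "/mnt/${POOL}/src"
}

# Steps 4 and 5: run the samba49 build inside the jail under a detached
# tmux session, so a dropped SSH connection does not kill the build.
# Reattach with: tmux attach -t samba49
build_samba49() {
    run tmux new-session -d -s samba49 \
        "iocage exec ${JAIL} sh -c 'cd /usr/ports/net/samba49 && make install BATCH=YES'"
}

# Usage: DRY_RUN=0 POOL=tank JAIL=dc sh build_dc_jail.sh all
case "${1:-}" in
    mount) mount_datasets ;;
    clone) clone_trees ;;
    build) build_samba49 ;;
    all)   mount_datasets; clone_trees; build_samba49 ;;
esac
```

Keeping the ports and src trees on host datasets mounted via nullfs means the jail can be destroyed and recreated without re-cloning, and the samba4 dataset can be snapshotted from the host before any later upgrade of the DC jail, which is the same rollback path the earlier post recommends for the built-in DC.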
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Mmh ok. Looks a bit complex but not unfeasible. I also thought of sticking it into a Debian VM instead, but that looked like not being a good idea as per that thread:
>
> What are the odds of success between jail and VM?

They both face the same sort of chicken-and-egg scenario. I believe I significantly improved this recently. The boot may hang for a while because DNS is unavailable (your DNS is hosted in the VM / jail), but we should be able to recover from it. I still don't think it's a great design decision. It's better to at least have a second DC that isn't on the FreeNAS server and have that be NS1 for the FreeNAS server.
 