AD auth fails after upgrade

Status
Not open for further replies.

Zach Underwood

Dabbler
Joined
Jan 12, 2016
Messages
13
Over the weekend I updated from 9.3.x to 9.10-STABLE-201604111739; since then I have been unable to get AD auth to work.

Here is an error from /var/log/messages:
Apr 18 12:17:51 gv-siatnas1 ActiveDirectory: AD_join_domain: net -k ads join dxx.us -S gvdc1.dxx.us -p 389
Apr 18 12:17:52 gv-siatnas1 ActiveDirectory: AD_join_domain: Failed

And this is from a tcpdump on FreeNAS:
294 20.005520 172.26.xx.220 172.26.xx.3 LDAP 109 bindRequest(1) "svc.siatsamba@dxx.us" simple
295 20.006935 172.26.xx.3 172.26.xx.220 LDAP 88 bindResponse(1) success

The domain controller is Windows 2012 R2.
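The capture in the post above shows a simple bind on port 389 answered with success. A simple bind carries the account password as a cleartext LDAP string, so it is worth flagging on its own, independent of why the join failed. Below is an added example (not from the original post, and not FreeNAS or Samba code) that scans capture summary lines in the same column layout as the tcpdump output quoted above and reports simple binds sent before the client completed STARTTLS. The two frames from the post are reused; the remaining frames are constructed, and the `LDAP_START_TLS_OID` and `sasl` info strings follow Wireshark's LDAP dissector wording as an assumption.

```python
import re
from collections import defaultdict

# Constructed capture summary in the column layout of the lines quoted in the post
# (frame, time, src, dst, proto, length, info). Frames 294/295 are the post's own;
# the rest are made up to show STARTTLS and a SASL (Kerberos) bind in the same format.
SAMPLE_FRAMES = """\
294 20.005520 172.26.xx.220 172.26.xx.3 LDAP 109 bindRequest(1) "svc.siatsamba@dxx.us" simple
295 20.006935 172.26.xx.3 172.26.xx.220 LDAP 88 bindResponse(1) success
301 20.201000 172.26.xx.221 172.26.xx.3 LDAP 97 extendedReq(1) LDAP_START_TLS_OID
302 20.202500 172.26.xx.3 172.26.xx.221 LDAP 44 extendedResp(1) LDAP_START_TLS_OID
305 20.300000 172.26.xx.221 172.26.xx.3 TLSv1.2 230 Application Data
310 21.000000 172.26.xx.222 172.26.xx.3 LDAP 1480 bindRequest(1) "<ROOT>" sasl
311 21.001200 172.26.xx.3 172.26.xx.222 LDAP 88 bindResponse(1) success
""".splitlines()

FRAME_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
BIND_RE = re.compile(
    r'bindRequest\((?P<msgid>\d+)\)\s+"(?P<name>[^"]*)"\s+(?P<method>simple|sasl)'
)
STARTTLS_RESP_RE = re.compile(r"extendedResp\(\d+\)\s+LDAP_START_TLS_OID")


def parse_frames(lines):
    """Parse summary lines into dicts; lines that do not match the layout are skipped."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["frame"] = int(d["frame"])
            frames.append(d)
    return frames


def audit_ldap_binds(lines):
    """Return one finding per simple bind sent before the client completed STARTTLS.

    A simple bind carries the password as a cleartext LDAP string, so on port 389
    without STARTTLS anyone on the path can read it. SASL (GSSAPI/Kerberos) binds
    are not flagged: they carry a ticket, not the password, and with
    'client ldap sasl wrapping = sign' the session is integrity-protected.
    """
    tls_up = defaultdict(bool)  # (client, server) -> STARTTLS completed
    findings = []
    for f in parse_frames(lines):
        if f["proto"] != "LDAP":
            continue  # TLS records after STARTTLS are opaque to this check
        if STARTTLS_RESP_RE.search(f["info"]):
            # the response travels server -> client, so the client is the destination
            tls_up[(f["dst"], f["src"])] = True
            continue
        b = BIND_RE.search(f["info"])
        if b and b["method"] == "simple" and not tls_up[(f["src"], f["dst"])]:
            findings.append({
                "frame": f["frame"],
                "client": f["src"],
                "server": f["dst"],
                "name": b["name"],
                "reason": "simple bind over cleartext LDAP: password exposed on the wire",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_binds(SAMPLE_FRAMES):
        print(finding)
```

Run against the constructed frames, only frame 294 is reported: the `svc.siatsamba` password crossed the network in the clear, which is the state the later posts fix by turning on TLS and SASL signing.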
 

BeeFGee

Dabbler
Joined
Apr 18, 2016
Messages
10
I had the same problem after updating to 9.10 and just found the solution. I am using a Univention Corporate Server with Samba 4 as DC.

1) Set Encryption Mode to TLS and choose the appropriate certificate
2) Set SASL wrapping to sign

These two changes did the trick. Before that I got errors about unreadable passwords, etc., when I tried to do the AD join via the GUI (it worked from the CLI with some hacks, however). Hope this solves your problem, too.
 

Zach Underwood
For now I have rolled back to 9.3 and it is working again. I have a second server that I will try 9.10 on to see if the above trick works.
 

DaveBatey
BeeFGee, where are those settings? I too am in this boat: from 9.3 to 9.10, no AD.
 

dasti
It seems I have the same kind of issue with FreeNAS 9.10 and Samba 4.3.9 on FreeBSD 10.3.
 

dasti
> I had the same problem after updating to 9.10 and just found the solution. I am using a Univention Corporate Server with Samba 4 as DC.
>
> 1) Set Encryption Mode to TLS and choose the appropriate certificate
> 2) Set SASL wrapping to sign
>
> These two changes did the trick. Before that I got errors about unreadable passwords, etc., when I tried to do the AD join via the GUI (it worked from the CLI with some hacks, however). Hope this solves your problem, too.

Hi!

Could you post the content of your smb4.conf? I have the same problem with Samba on FreeBSD; I guess there are some obscure options to configure to make that work.
 

BeeFGee
Hey guys, sorry for the late response; I somehow did not get any mails from the thread anymore...

The configuration options I described are available in the Advanced Mode menu beneath "Directory Service" -> "Active Directory".

Here is my /etc/directoryservice/ActiveDirectory/config:
Code:
ad_machine=NAS1$
ad_bindname=myusername
ad_domainname=my.domain.name
ad_basedn=DC=my,DC=domain,DC=name
ad_binddn=myusername@MY.DOMAIN.NAME
ad_userdn=
ad_groupdn=
ad_site=
ad_dcname=domaincontroller.my.domain.name
ad_dchost=domaincontroller.my.domain.name
ad_dcport=389
ad_gcname=domaincontroller.my.domain.name
ad_gchost=domaincontroller.my.domain.name
ad_gcport=3268
ad_krbname=domaincontroller.my.domain.name:88
ad_krbhost=domaincontroller.my.domain.name
ad_krbport=88
ad_kpwdname=domaincontroller.my.domain.name:464
ad_kpwdhost=domaincontroller.my.domain.name
ad_kpwdport=464
ad_krb_realm=MY.DOMAIN.NAME
ad_keytab_principal=
ad_keytab_file=
ad_timeout=60
ad_dns_timeout=60
ad_certfile=/etc/certificates/CA/MY-DOMAIN-CA-CERT.crt
ad_ssl=start_tls
ad_verbose_logging=0
ad_unix_extensions=1


This results in the following /etc/local/smb4.conf:
Code:
[global]
	server max protocol = SMB3
	encrypt passwords = yes
	dns proxy = no
	strict locking = no
	oplocks = yes
	deadtime = 15
	max log size = 51200
	max open files = 470972
	logging = file
	load printers = no
	printing = bsd
	printcap name = /dev/null
	disable spoolss = yes
	getwd cache = yes
	guest account = nobody
	map to guest = Bad User
	obey pam restrictions = yes
	directory name cache size = 0
	kernel change notify = no
	panic action = /usr/local/libexec/samba/samba-backtrace
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	server string = FreeNAS Server
	ea support = yes
	store dos attributes = yes
	lm announce = yes
	hostname lookups = yes
	acl allow execute always = false
	dos filemode = yes
	multicast dns register = no
	domain logons = no
	idmap config *: backend = tdb
	idmap config *: range = 90000001-100000000
	server role = member server
	workgroup = MYDOMAIN
	realm = MY.DOMAIN.NAME
	security = ADS
	client use spnego = yes
	cache directory = /var/tmp/.cache/.samba
	local master = no
	domain master = no
	preferred master = no
	ads dns update = no
	winbind cache time = 7200
	winbind offline logon = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nested groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	winbind nss info = rfc2307
	idmap config MYDOMAIN: backend = rid
	idmap config MYDOMAIN: range = 20000-90000000
	allow trusted domains = no
	client ldap sasl wrapping = sign
	template shell = /bin/sh
	template homedir = /home/%U
	netbios name = NAS1
	pid directory = /var/run/samba
	create mask = 0666
	directory mask = 0777
	client ntlmv2 auth = yes
	dos charset = CP437
	unix charset = UTF-8
	log level = 1
...


I hope this still helps someone.
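As an added check (example code; not part of the post above and not FreeNAS's own validation), the script below reads abbreviated copies of the two files posted above and reports the settings the thread identified as the fix, plus the consistency checks a domain member needs: ad_ssl set to start_tls (assumed to be how the GUI's "Encryption Mode" lands in this file; the value names off/on/start_tls are an assumption) together with a CA file so the DC certificate can be verified, client ldap sasl wrapping set to sign or seal, realm equal to ad_krb_realm and upper-case, security = ADS, and idmap ranges for the domain and for `*` that do not overlap. A deliberately weakened copy shows what the checker reports when the two settings from the fix are missing.

```python
# Abbreviated copies of the two files from the post above, keeping only the keys
# this check reads. The placeholder names (MY.DOMAIN.NAME, MYDOMAIN) are the post's.
AD_CONFIG = """\
ad_domainname=my.domain.name
ad_dcport=389
ad_krb_realm=MY.DOMAIN.NAME
ad_certfile=/etc/certificates/CA/MY-DOMAIN-CA-CERT.crt
ad_ssl=start_tls
"""

SMB4_CONF = """\
[global]
\tidmap config *: backend = tdb
\tidmap config *: range = 90000001-100000000
\tserver role = member server
\tworkgroup = MYDOMAIN
\trealm = MY.DOMAIN.NAME
\tsecurity = ADS
\tidmap config MYDOMAIN: backend = rid
\tidmap config MYDOMAIN: range = 20000-90000000
\tclient ldap sasl wrapping = sign
"""

# Weakened variants (constructed): transport encryption off, SASL wrapping plain.
WEAK_AD_CONFIG = AD_CONFIG.replace("ad_ssl=start_tls", "ad_ssl=off")
WEAK_SMB4_CONF = SMB4_CONF.replace("= sign", "= plain")


def parse_kv(text, sep="="):
    """Parse 'key<sep>value' lines into a dict; section headers, blanks and
    comments are ignored and keys are lower-cased so lookups are case-insensitive."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#", ";")) or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip().lower()] = value.strip()
    return out


def parse_range(text):
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)


def lint_ad_join(ad_text, smb_text):
    """Return a list of human-readable problems; an empty list means the
    join configuration has the protections discussed in the thread."""
    ad, smb = parse_kv(ad_text), parse_kv(smb_text)
    problems = []

    # 1. Transport protection for the LDAP bind the join performs.
    if ad.get("ad_ssl", "off") not in ("start_tls", "on"):
        problems.append("ad_ssl is not start_tls/on: the bind password travels in cleartext")
    elif not ad.get("ad_certfile"):
        problems.append("ad_ssl enabled but ad_certfile empty: DC certificate cannot be verified")

    # 2. Integrity (sign) or confidentiality (seal) for the SASL session.
    if smb.get("client ldap sasl wrapping", "plain") not in ("sign", "seal"):
        problems.append("client ldap sasl wrapping should be sign or seal")

    # 3. Kerberos realm must match the AD config and be upper-case; member needs ADS.
    realm = smb.get("realm", "")
    if realm != realm.upper() or realm != ad.get("ad_krb_realm", ""):
        problems.append("realm in smb4.conf must equal ad_krb_realm and be upper-case")
    if smb.get("security", "").upper() != "ADS":
        problems.append("security must be ADS for a domain member")

    # 4. The joined domain needs its own idmap block, disjoint from the '*' range.
    workgroup = smb.get("workgroup", "")
    dom_range = smb.get(f"idmap config {workgroup.lower()}: range")
    def_range = smb.get("idmap config *: range")
    if not dom_range:
        problems.append(f"no 'idmap config {workgroup}: range' block for the joined domain")
    elif def_range:
        (a, b), (c, d) = parse_range(dom_range), parse_range(def_range)
        if a <= d and c <= b:
            problems.append("idmap ranges for the domain and '*' overlap")
    return problems


if __name__ == "__main__":
    print("posted config:", lint_ad_join(AD_CONFIG, SMB4_CONF) or "no problems")
    print("weakened config:", lint_ad_join(WEAK_AD_CONFIG, WEAK_SMB4_CONF))
```

The checker only reads files; to confirm the DC actually offers STARTTLS and that its certificate chains to the CA file, `openssl s_client -connect <dc>:389 -starttls ldap -CAfile <ad_certfile>` (OpenSSL 1.1.1 or later, which added `-starttls ldap`) should end with `Verify return code: 0 (ok)`, and after the join `net ads testjoin` and `wbinfo -t` confirm the machine account trust works.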
 
Joined
Dec 21, 2016
Messages
1
> I had the same problem after updating to 9.10 and just found the solution. I am using a Univention Corporate Server with Samba 4 as DC.
>
> 1) Set Encryption Mode to TLS and choose the appropriate certificate
> 2) Set SASL wrapping to sign
>
> These two changes did the trick. Before that I got errors about unreadable passwords, etc., when I tried to do the AD join via the GUI (it worked from the CLI with some hacks, however). Hope this solves your problem, too.

What certificate is required? Is this something that needs to be generated by the AD?

I'm using a Windows SBS 2011 server, which runs a .local domain. Would the certificate need to be generated by that and imported into FreeNAS?
 

BeeFGee
Just an educated guess; I'm not quite sure:

FreeNAS is connecting via SSL to the Domain Controller (DC). This SSL connection is based on some SSL certificate available on the DC. For FreeNAS to be able to verify the SSL certificate, it has to know the CA certificate of the CA which signed the SSL certificate.

Univention Corporate Server (UCS) creates its own CA and of course the corresponding SSL certificates for the DC. So I guess you should have something like this also in SBS ... Hope this helped?!
 

Evi Vanoost
If you're using Univention, it might be better to use LDAP; the LDAP is on port 7389 and gives you the same results as AD (they sync), it isn't crash-prone, and it gives you native Unix extensions.

I've tried many different ways and I can't get UCS AD to authenticate through PAM (even though getent passwd works), which means that although Samba works, AFP and SSH to the FreeNAS server don't.

The other issue is that you have to set up the IDMAP in FreeNAS AD to connect to LDAP regardless, in order to get the correct Unix IDs (otherwise services like NFS won't work), since the Samba in UCS doesn't have RFC2307 extensions enabled (I did do it manually, but the IDs don't sync automatically between LDAP and Samba). This results in noticeably slow logins, since it now has to negotiate between two different LDAP services and then do the translation. If you don't use IDMAP, you'll get some 'random' UIDs (they're not random; they're calculated based on the SID) that don't match up with the posixAccount. If you ever do connect a proper NFS, you may have to do a chown on every single file on your server (and with billions of files in hundreds of TB that could take weeks).

Kerberos also doesn't work for AFP no matter what I try, and you have to manually create (in Samba using ldapmodify) and export the Kerberos service keytabs for afpserver and NFS. It's a big hassle in the end, and LDAP authentication 'just works'.

I'm also having issues with Samba crashing randomly when AD to UCS is active; after a few hours, the Samba server will have crashed.

Oh, and since the interface doesn't work at this point for setting root certificates (there is a bug report), you have to import them manually using sqlite3 into the FreeNAS configuration database. UCS doesn't allow authentication over non-SSL/TLS, so you HAVE to have the UCS root CA in FreeNAS and select it during configuration.
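Evi's remark that the UIDs are "calculated based on the SID" is the arithmetic of the idmap_rid backend the posted smb4.conf uses (`idmap config MYDOMAIN: backend = rid`, range 20000-90000000): unix_id = RID - base_rid + low_range, with base_rid defaulting to 0. The example below (added here; not Samba code and not from the thread) implements that mapping and its inverse and compares the result with the uidNumber an LDAP posixAccount would carry, which is the mismatch that forces the chown described above. The domain SID, account names and posixAccount uidNumbers are constructed.

```python
import re

# Matches an NT domain SID with a trailing RID: S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Range from 'idmap config MYDOMAIN: range = 20000-90000000' in the posted smb4.conf;
# base_rid defaults to 0 in idmap_rid.
DOMAIN_RANGE = (20000, 90000000)
# Constructed domain SID for the example; not from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def rid_to_unix_id(sid, domain_sid, id_range, base_rid=0):
    """Deterministic mapping used by Samba's idmap_rid backend:
    unix_id = RID - base_rid + low_range. Returns None for SIDs that belong to
    another domain or for ids that fall outside the configured range, which is
    when Samba refuses to map the account at all."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an NT domain SID: {sid}")
    if sid.rsplit("-", 1)[0] != domain_sid:
        return None  # 'allow trusted domains = no': foreign SIDs get no id
    rid = int(m.group(4))
    unix_id = rid - base_rid + id_range[0]
    if not id_range[0] <= unix_id <= id_range[1]:
        return None
    return unix_id


def unix_id_to_rid(unix_id, id_range, base_rid=0):
    """Inverse mapping; None if the id is not inside the domain's range."""
    if not id_range[0] <= unix_id <= id_range[1]:
        return None
    return unix_id - id_range[0] + base_rid


def id_mismatches(accounts, domain_sid, id_range):
    """accounts: iterable of (name, sid, ldap_uid_number). Returns the accounts
    whose rid-calculated id differs from the posixAccount uidNumber, i.e. the
    owners whose files would need a chown when switching between the two sources."""
    out = []
    for name, sid, ldap_uid in accounts:
        calculated = rid_to_unix_id(sid, domain_sid, id_range)
        if calculated != ldap_uid:
            out.append((name, calculated, ldap_uid))
    return out


# Constructed sample: two accounts whose RID-derived ids differ from their
# posixAccount uidNumber, and one whose uidNumber was set to match.
SAMPLE_ACCOUNTS = [
    ("alice", DOMAIN_SID + "-1105", 2001),
    ("bob", DOMAIN_SID + "-1106", 2002),
    ("svc-backup", DOMAIN_SID + "-1500", 21500),
]

if __name__ == "__main__":
    print("Domain Users (RID 513) ->", rid_to_unix_id(DOMAIN_SID + "-513", DOMAIN_SID, DOMAIN_RANGE))
    for name, calc, ldap_uid in id_mismatches(SAMPLE_ACCOUNTS, DOMAIN_SID, DOMAIN_RANGE):
        print(f"{name}: rid backend gives {calc}, posixAccount says {ldap_uid}")
```

Because the rid mapping is a pure function of the SID and the range, it is stable across reinstalls as long as the range line is unchanged; the ids only disagree with LDAP because the posixAccount numbers were assigned independently, which is why a later move to RFC2307 or LDAP ids means re-owning existing files.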
 

BeeFGee
SSH is working for my box with the AD accounts via Kerberos authentication, but I give you a point for the ID mapping. I didn't get rfc2307 to work properly and I didn't want to do this via LDAP at this point, so my ID backend is currently calculated, which is OK as I only have one box.
However, I'd like to have unique IDs nevertheless... I think I'll give this another shot when I have time and try to do everything via LDAP.... Thanks for hinting me towards this again ;-)
 