Hi Forum,
this is my first post here and I want to say thanks for this very feature-rich product!
I'd like to use it in our company as a replacement for a commercial NAS solution, therefore it is crucial to connect it to the corporate AD.
The AD consists of a root domain with several sub domains; the domain join should happen against the root domain, but most users are located in the sub domains.
I've created a computer object in the root domain and a service account with full permissions on this computer object; a corresponding keytab file has also been created. This keytab file is uploaded under "Kerberos Keytabs", and under "Kerberos Realms" I've added the realm of the root domain.
Within the "Active Directory" settings I put in the service account as "Domain Account Name", selected the corresponding Kerberos Realm and Kerberos Principal, unchecked "Use Default Domain", checked "Allow Trusted Domains" and "UNIX extensions", and tried several "Idmap backend" settings. The User/Group caching setting does not make any difference either.
Now, when I enable the domain or start the cachetool, there is an error getting the data from the SUBDOMAIN.
Can somebody point me in the right direction please?
Thanks
SeyBirk
Running FreeNAS 11U4
Output from /var/log/messages during the domain join:
Sep 28 14:24:25 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:24:25 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:24:26 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:24:26 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:24:27 freenas01 ActiveDirectory: AD_status_domain: Okay
Sep 28 14:24:30 freenas01 ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Sep 28 14:24:31 freenas01 ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default ROOTDOMAIN.COM
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Sep 28 14:24:33 freenas01 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Sep 28 14:24:34 freenas01 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable -t /etc/kerberos/freenas01.keytab -k host/freenas01.rootdomain.com@ROOTDOMAIN.COM
Sep 28 14:24:34 freenas01 ActiveDirectory: kerberos_start: Successful
Sep 28 14:24:34 freenas01 ActiveDirectory: /usr/sbin/service ix-kinit status
Sep 28 14:24:35 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:24:35 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:24:35 freenas01 ActiveDirectory: /usr/sbin/service ix-sssd start
Sep 28 14:24:37 freenas01 ActiveDirectory: /usr/sbin/service sssd onestart
Sep 28 14:24:37 freenas01 root: /usr/local/etc/rc.d/sssd: WARNING: /usr/local/etc/sssd/sssd.conf is not readable.
Sep 28 14:24:37 freenas01 root: /usr/local/etc/rc.d/sssd: WARNING: failed precmd routine for sssd
Sep 28 14:24:37 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Sep 28 14:24:40 freenas01 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Sep 28 14:24:43 freenas01 ActiveDirectory: activedirectory_start: checking if we are joined already
Sep 28 14:24:43 freenas01 ActiveDirectory: AD_testjoin_domain: net -k ads testjoin rootdomain.com -S dc04.rootdomain.com -p 389
Sep 28 14:24:45 freenas01 ActiveDirectory: AD_testjoin_domain: Successful
Sep 28 14:24:45 freenas01 ActiveDirectory: activedirectory_start: skipping join, already joined
Sep 28 14:24:45 freenas01 ActiveDirectory: /usr/sbin/service ix-activedirectory status
Sep 28 14:24:46 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:24:46 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:24:47 freenas01 ActiveDirectory: AD_status_domain: Okay
Sep 28 14:24:47 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Sep 28 14:24:51 freenas01 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Sep 28 14:24:55 freenas01 ActiveDirectory: /usr/sbin/service ix-pam quietstart
Sep 28 14:24:56 freenas01 ActiveDirectory: /usr/sbin/service ix-cache quietstart &
Sep 28 14:25:13 freenas01 /cachetool.py: [common.freenasusers:335] Directory Users could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Traceback (most recent call last):
File "/usr/local/www/freenasUI/common/freenasusers.py", line 332, in __init__
self.__users = dir(**kwargs)
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2594, in __init__
self.__get_users()
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2697, in __get_users
ad_users = self.get_users()
File "/usr/local/www/freenasUI/common/freenasldap.py", line 2187, in get_users
self.dchandle, self.basedn, scope, filter, self.attributes
File "/usr/local/www/freenasUI/common/freenasldap.py", line 1848, in _search
clientctrls, timeout, sizelimit
File "/usr/local/www/freenasUI/common/freenasldap.py", line 428, in _search
id, resp_ctrl_classes=paged_ctrls
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 680, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 687, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/local/lib/python3.6/site-packages/ldap/ldapobject.py", line 263, in _ldap_call
result = func(*args,**kwargs)
ldap.REFERRAL: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Sep 28 14:25:41 freenas01 /cachetool.py: [common.freenasusers:217] Directory Groups could not be retrieved: {'desc': 'Referral', 'info': 'Referral:\nldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com'}
Sep 28 14:25:42 freenas01 ActiveDirectory: kerberos_status: klist -t
Sep 28 14:25:42 freenas01 ActiveDirectory: kerberos_status: Successful
Sep 28 14:25:43 freenas01 ActiveDirectory: activedirectory_status: checking status
Sep 28 14:25:43 freenas01 ActiveDirectory: AD_status_domain: net -k ads status rootdomain.com
Sep 28 14:25:44 freenas01 ActiveDirectory: AD_status_domain: Okay
Samba-wise it looks quite OK:
root@freenas01:~ # wbinfo -t
checking the trust secret for domain ROOTDOMAIN via RPC calls succeeded
root@freenas01:~ # wbinfo -D ROOTDOMAIN
Name : ROOTDOMAIN
Alt_Name : ROOTDOMAIN.com
SID : S-1-5-21-1719516974-4151221516-4053140022
Active Directory : Yes
Native : Yes
Primary : Yes
root@freenas01:~ # wbinfo -D SUBDOMAIN
Name : SUBDOMAIN
Alt_Name : SUBDOMAIN.ROOTDOMAIN.com
SID : S-1-5-21-676079285-2602053330-1765456227
Active Directory : Yes
Native : No
Primary : No
root@freenas01:~ # ls -l /usr/local/etc/sssd/
total 4
-rw-r--r-- 1 root wheel 1909 Sep 28 13:14 sssd.conf.sample
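The traceback above is an LDAP result code 10 (Referral): the root-domain DC was asked for a base DN in the SUBDOMAIN naming context, which it does not hold, so it named the subdomain's own LDAP server instead, and python-ldap surfaced that as ldap.REFERRAL rather than following it. Chasing a referral means binding again to whatever host the server named, so a client that follows referrals blindly can be steered to a host outside the forest. The following is an added example (not FreeNAS, cachetool or python-ldap code) of a forest-wide search that follows referrals and search continuation references only to hosts inside the forest's own DNS namespace. The `connect(host, port)` callable, the fake DCs, the host names (dc04.rootdomain.com, SUBDOMAIN.ROOTDOMAIN.com, dc1.partner.example) and the sample entries are constructed for a stand-alone, offline run; with python-ldap, `connect` would return a GSSAPI-bound `SimpleLDAPObject` with `OPT_REFERRALS` set to 0.

```python
"""Forest-wide LDAP search that chases AD referrals only inside our own forest."""
import re
from urllib.parse import urlsplit, unquote

SCOPE_SUBTREE = 2                      # same value as ldap.SCOPE_SUBTREE
_URL_RE = re.compile(r"ldaps?://\S+")


def parse_referral_info(info):
    """Turn the 'info' text of a Referral ('Referral:\\nldap://host/DN', one URL
    per line) into (scheme, host, port, base_dn) tuples."""
    refs = []
    for url in _URL_RE.findall(info):
        u = urlsplit(url)
        scheme = u.scheme.lower()
        port = u.port or (636 if scheme == "ldaps" else 389)
        refs.append((scheme, (u.hostname or "").lower(), port, unquote(u.path.lstrip("/"))))
    return refs


def referral_allowed(ref, forest_dns):
    """Policy: following a referral means binding to whatever host the server
    named, so only hosts inside the forest's DNS namespace qualify."""
    scheme, host, _port, _dn = ref
    forest = forest_dns.lower().strip(".")
    return scheme in ("ldap", "ldaps") and (host == forest or host.endswith("." + forest))


def _referral_info(exc):
    """'info' text if exc is shaped like ldap.REFERRAL (args[0] is a dict with
    desc == 'Referral'), else None."""
    if exc.args and isinstance(exc.args[0], dict) and exc.args[0].get("desc") == "Referral":
        return exc.args[0].get("info", "")
    return None


def search_forest(connect, host, port, base_dn, search_filter, attrs, forest_dns, max_hops=8):
    """Subtree-search base_dn on host. A Referral error or a continuation
    reference (python-ldap returns those as (None, [url, ...]) when it is not
    chasing) is queued if it stays inside forest_dns, else recorded in skipped.
    connect(host, port) is assumed to return an object with search_s()."""
    pending, seen = [(host, port, base_dn)], set()
    entries, skipped = [], []

    def consider(ref):
        if referral_allowed(ref, forest_dns):
            pending.append(ref[1:])          # (host, port, base_dn)
        else:
            skipped.append(ref)

    while pending:
        h, p, dn = pending.pop(0)
        key = (h.lower(), p, dn.lower())
        if key in seen:
            continue                         # referral loops are a real failure mode
        seen.add(key)
        if len(seen) > max_hops:
            raise RuntimeError("referral chain longer than %d hops" % max_hops)
        try:
            results = connect(h, p).search_s(dn, SCOPE_SUBTREE, search_filter, attrs)
        except Exception as exc:
            info = _referral_info(exc)
            if info is None:
                raise                        # not a referral: propagate
            for ref in parse_referral_info(info):
                consider(ref)
            continue
        for entry_dn, value in results:
            if entry_dn is None:             # continuation reference, value is a URL list
                for ref in parse_referral_info("\n".join(value)):
                    consider(ref)
            else:
                entries.append((entry_dn, value))
    return entries, skipped


# --- constructed fake forest so the example runs offline (assumption) -------
class FakeReferral(Exception):
    """Shaped like ldap.REFERRAL: args[0] is the dict python-ldap attaches."""


class FakeDC:
    def __init__(self, held_ncs, referrals):
        self.held_ncs, self.referrals = held_ncs, referrals

    def search_s(self, base, scope, search_filter, attrs):
        nc = base.lower()
        if nc in self.held_ncs:
            return list(self.held_ncs[nc])
        if nc not in self.referrals:
            raise LookupError("no such object: " + base)
        raise FakeReferral({"desc": "Referral", "info": "Referral:\n" + self.referrals[nc]})


SUB_REF = "ldap://SUBDOMAIN.ROOTDOMAIN.com/DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com"
FAKE_FOREST = {
    "dc04.rootdomain.com": FakeDC(
        {"dc=rootdomain,dc=com": [
            ("CN=svc-nas,CN=Users,DC=rootdomain,DC=com", {"sAMAccountName": [b"svc-nas"]}),
            (None, [SUB_REF]),               # continuation reference into the child NC
        ]},
        {"dc=subdomain,dc=rootdomain,dc=com": SUB_REF,
         "dc=partner,dc=example": "ldap://dc1.partner.example/DC=partner,DC=example"},
    ),
    "subdomain.rootdomain.com": FakeDC(
        {"dc=subdomain,dc=rootdomain,dc=com": [
            ("CN=alice,CN=Users,DC=SUBDOMAIN,DC=ROOTDOMAIN,DC=com", {"sAMAccountName": [b"alice"]}),
        ]}, {}),
}


def fake_connect(host, port):
    return FAKE_FOREST[host.lower()]


if __name__ == "__main__":
    found, refused = search_forest(fake_connect, "dc04.rootdomain.com", 389, "DC=rootdomain,DC=com",
                                   "(objectClass=user)", ["sAMAccountName"], "rootdomain.com")
    for dn, _ in found:
        print(dn)
    print("refused referrals:", refused)
```

Two practical notes. Binding with the host keytab over SASL/GSSAPI means no password is ever sent to a referred host, which is what makes chasing tolerable at all. And if the query only needs attributes in the partial attribute set (sAMAccountName, objectSid, memberOf and the like), querying a Global Catalog on port 3268 (3269 for TLS) returns forest-wide results in one search without any referral to the child domains.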