SOLVED AD users not showing up but groups are! ....atypical - [solved by move to 9.3beta+]

Status
Not open for further replies.

Ted Hyde

Cadet
Joined
Nov 7, 2014
Messages
2
Greets - I've been playing between FreeNAS and some other OSS NAS options, as well as a TechNet copy of Win Storage Server lately and I really prefer FreeNAS. (I even had a personal FreeNAS installation many years ago on an ancient system, but that's long since gone).
The intent of this NAS is to replace some troublesome standalone Netgear boxes, as well as support a number of new Apple clients, and if at all possible, integrate with our Zentyal-provided AD.

I have been through many tutorials and understand the unique and sometimes invisible challenges that AD integration creates, so if it just doesn't pan out, oh well.

Many of the trouble tickets I've seen relate to not getting groups AND users to show up for shares authentication, or not getting joined to the domain, etc. My problem is more unique - I can connect to the domain, wbinfo and DNS show good, AD and CIFS turn on, the cache rebuilds, but in the shares view, I only have local users listed (first dropdown). But I DO have Domain Groups listed (2nd dropdown).

The setup:
FreeNAS, multiple versions, as a USB image on an AMD quad core with 6 GB ECC DDR3 RAM, a 250 GB standalone SATA drive for FreeNAS' own use/logging and a pair of 500 GB SATA drives as a mirrored RAID for testing. I will eventually increase the amount of storage space, but I see no need to load everything into the box if it can't work at 500 GB. Besides, I have read the manual on how much RAM to have per gig many times, plus extra for AD, so this should cover the bases for a sandbox testing rig.
Zentyal 3.5 is my DC, with internal(primary) DNS on that machine, and secondary DNS lists on my ZyXel VPN router.
The domain is tested and operational with Windows, Apple and Linux clients.

I first tried with the FN 9.2.1.8 USB image, and was unable to get either users or groups to show up in the shares modal.
So I dumped that, and tried an OpenMediaVault which failed miserably.
So I dumped that and researched for specific versions that some members claimed to get working, particularly the "how to get AD working in FreeNAS" tutorials, and specifically downloaded those versions, which were: 9.1.1, 9.2.0 and 9.2.1.5. All three of these versions behaved exactly the same way:
a) they load, acquire a DHCP address from my net, I use that to log into the box, set up new password, hostname and network parameters. Reboot and log in at the new IP
b) dump the FreeBSD time servers and load the standard ntp.org pools, change timezone, resync clocks and have less than 0.03 sec difference to my DC.
c) set up the solo drive as "sysvol" (arbitrary name), with a dataset uncompressed, available to FreeNAS - although the only version I found that you can change where the sys pool is kept is in 9.2.1.8, probably a new feature; thus in the earlier versions this just sat there.
d) set up a ZFS volume on the pair of 500 GB, mirrored, and created a dataset within that volume for sharing. Nothing difficult there.
e) enable AD as the directory service, then go into the services-AD modal and set up credentials
f) wait a minute, and let the modal close, watch the console that "things happened".
g) calm myself every time the console shows "unable to find LDAP server" as other posts have indicated this is normal
h) open a shell (either SSH or the web view, both work) and get positive results from wbinfo - I get a user list, a group list and a good trust result. Every time.
i) check DNS - both pings and resolutions point in the right direction and to the right hosts.
j) start up a CIFS config, make sure NetBIOS and hostnames are happy.
k) start up a CIFS share on the dataset made earlier
l) open the dataset permissions for this share in an attempt to set the owner user and group to domain credentials after changing the ACL to Windows...

And that's where it falls apart - the user dropdown is populated ONLY with local users.
But unlike all other complaints I've read, the group dropdown IS POPULATED with Domain Groups!

Unfortunately, if I choose the root user and Domain Admins group, I can't authenticate the share.
If I make the share guest access, I can get in, so the share is functioning at least.

I understand there is a complex interaction between Samba4 AD and the FreeNas AD authentication model, and it's not perfect, but it appears many folks claim to have it working, so what specific information can I send next to help this along?

Normally at this point folks ask for voluminous logs because the problem reported is "I can't connect at all", however FN is joining the domain and gathering credential info, it's just not populating it into one dropdown.

Since it's recurrent across multiple versions of FN that I've tried, I realize it may be more than just FN, but FN is a big part of the puzzle.

If there's any helpful hints, I'd appreciate it!

Regards,
Ted.

Ted Hyde
Hi - not specifically. Coincidentally, as 9.3Beta rolled out, and since I was in a testing capacity at the time, I figured I'd try out the wizard included with 9.3, particularly since it advertised setting up the initial shares and validating AD settings prior to commit.
The short answer is yes, I have AD working on FreeNAS 9.3beta with Zentyal 3.5. The longer answer is that the wizard by itself doesn't properly set up "Everything" to have it work. In fact, the 9.3Beta wizard may actually do things out-of-order, breaking the system it's intended to build.

I have only attacked this twice now to work it out so it's not a complete resolution, but here's the short form of what I ended up doing:
1. 9.3beta on CD, physical SATA drives are 1x 250 GB, 2x 500 GB. Install the CD image onto the 250 GB drive.
2. Standard install, let box acquire DHCP address.
3. Log into web page via the DHCP-acquired address.
4. Kill the first-run wizard.
5. Set up manual network settings, domain name, time servers. (I prefer a traditional static IP for this install, even above a MAC-reserved IP)
6. Relog into webpage at new manually-set address.
7. Create a dataset for the syspool, and set it in the general settings widget.
8. Now run the wizard and follow through the AD connection setup. CIFS probably won't autostart.
9. Make sure in the CIFS setup that the box name is actually the box name instead of FREENAS (assuming you wanted another name).
10. Start CIFS service manually. It did kick the AD service off once or twice, but re-enabling it in the AD tab brought it back online.
11. Turn on verbose logging, and I also like the console-in-footer option. Rather handy.
12. Hard reboot. AD may get disabled again, just re-enable.
13. Perform the traditional CLI wbinfo for users, groups and trusts.
14. The wizard will have created a real dataset to share, make sure to note the two options are included in future manually-created shares.
15. Change the permissions of the dataset to Windows type, and the user as domain admin and the group as domain users. Don't set a specific user here, make it domain admin.
16. Understand that user-level share control isn't performed at this point. This security level is an AD/domain management item, but I think some folks expect that you should set up your share user level security here. The manual could include a short note that the user/group isn't who gets access to the share, it's who is allowed to control access to the share. Like any other AD management, you then use your PDC tools to set up individual share permissions.

17. After getting that all sorted, open the share with a network browser that has admin permissions, and set up your user-level security.

18. Backup your settings. Then back them up again.
19. Start managing the rest of the NAS as appropriate.

At this point, I get to consider myself amongst the group of FreeNAS users that "Successfully have AD running for credentials validation".

It's functioning now in a production setup, albeit at week 01.

Many thanks,

Ted.
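The wbinfo step in both posts (step h in the first post, step 13 in the follow-up) proves that winbind can enumerate the domain, but not that the rest of the box sees the same list. The script below is an added diagnostic, not code from this thread or from FreeNAS: it parses `wbinfo -u` / `wbinfo -g` output (assumed to be in winbind's default `DOMAIN\name` form) and lists the domain entries that are missing from the NSS view (`getent`); it is an assumption here that a gap between those two views, rather than the join itself, is where a "one dropdown empty" symptom would show up. The function names `missing_from_nss`, `count_domain_entries` and `run_check` are chosen for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or FreeNAS): does NSS expose the same
# domain users/groups that winbind enumerates? Assumes winbind's default
# "DOMAIN\name" form. Usage: sh adcheck.sh MYDOMAIN

# missing_from_nss DOMAIN WINBIND_LIST NSS_LIST
#   Prints the DOMAIN-qualified names present in WINBIND_LIST (one per line)
#   but absent from NSS_LIST, comparing case-insensitively.
missing_from_nss() {
  dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  # Tag each line with its origin so one awk pass can compare both lists:
  # N = seen via NSS, W = reported by winbind.
  {
    printf '%s\n' "$3" | sed 's/^/N /'
    printf '%s\n' "$2" | sed 's/^/W /'
  } | awk -v d="$dom" '
      { name = tolower(substr($0, 3)) }           # strip the 2-char tag
      $1 == "N" { seen[name] = 1; next }
      index(name, d "\\") == 1 && !(name in seen) { print substr($0, 3) }'
}

# count_domain_entries DOMAIN < list : how many lines are DOMAIN-qualified.
# Zero here for "wbinfo -u" means winbind itself is not enumerating users.
count_domain_entries() {
  dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v d="$dom" 'index(tolower($0), d "\\") == 1 { n++ } END { print n + 0 }'
}

# run_check DOMAIN : live version using wbinfo and getent from the FreeNAS shell.
run_check() {
  dom=$1
  wbinfo -t || { echo "trust check failed: fix the join before anything else"; return 1; }
  wb_users=$(wbinfo -u); wb_groups=$(wbinfo -g)
  echo "domain users via winbind:  $(printf '%s\n' "$wb_users" | count_domain_entries "$dom")"
  echo "domain groups via winbind: $(printf '%s\n' "$wb_groups" | count_domain_entries "$dom")"
  echo "-- domain users winbind knows but getent passwd does not:"
  missing_from_nss "$dom" "$wb_users" "$(getent passwd | cut -d: -f1)"
  echo "-- domain groups winbind knows but getent group does not:"
  missing_from_nss "$dom" "$wb_groups" "$(getent group | cut -d: -f1)"
}

if [ $# -ge 1 ]; then run_check "$1"; fi
```

An empty "missing" list for users while the dropdown still shows only local accounts would point back at the FreeNAS directory-service cache rather than at winbind or NSS.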