errors trying to join AD

[rbgnr111]

We have been having issues getting freenas 9.3 to join AD.
with some modifications to the smb4.conf, I'm able to get it to join from the cli, but on reboot anything that had been done gets wiped out.
the domain requires ssl or tls, adding ssl or tls without specifying a self signed certificate, just gives me "option error"
if I specify a self signed certificate, then all I get is "{'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)', 'desc': "Can't contact LDAP server"}"

I've verified that there is a DNS entry for the server, and even prepopulated a AD object for the server. I can see that the object had been updated when I was able to join from the cli, but no luck from the web interface.

any help would be greatly appreciated!!

 

[anodos]

What specific modifications are you making to the smb4.conf to get it to work?

 

[dlavigne]

Also, which build (from System -> Information)?

 

[rbgnr111]

in sbm4.conf to get it to join, I updated the following:
Realm=<kerberos realm in uppercase>
domain=<domain fqdn>
security=ads
workgroup=<smb domain>

then ran this:
net ads join <domain fqdn> -s <local DC> -u <admin>

using that I can join, but don't have the ability to manage or do much from within the web interface, and still am unable to configure the domain in the web interface. upon reboot, all of the smb settings get wiped out.

system info is:
Build FreeNAS-9.3-STABLE-201601181840
Platform Intel(R) Xeon(R) CPU 5160 @ 3.00GHz
Memory 2020MB
System Time Tue Jan 19 13:14:10 CST 2016
Uptime 1:14PM up 3 mins, 0 users
Load Average 0.58, 0.66, 0.32

 

[rbgnr111]

I've also attempted the nightly build also, but still get the same errors with that path also.

 

[dlavigne]

It makes sense that everything is overwritten on reboot if you're editing smb4.conf manually. Have you setup the Kerberos Realms, Kerberos Keytabs, and Kerberos Settings in the GUI? If yes, paste the output of running all of the commands mentioned in
http://doc.freenas.org/9.3/freenas_directoryservice.html#if-the-system-will-not-join-the-domain. Also, be sure to do this from your most recent STABLE build, not a nightly.

 

[rbgnr111]

Awesome!!! that looks like it did it...