FreeNAS 8.2.0 Active Directory (2008 R2) authentication issue

Status
Not open for further replies.

Constabla · Cadet · Joined Jul 30, 2012 · Messages: 1

Hi all,

For the last couple of days I have been trying to set up my new FreeNAS box using the 32-bit FreeNAS 8.2.0 release.
Unfortunately I ran into some issues when trying to set up Active Directory authentication.

Here is how the network configuration looks:

[FreeNAS system]
IP: 172.19.2.6
Hostname: ConstaNAS01
Operating System: FreeNAS-8.2.0-RELEASE-p1-x86 (r11950)

[Domain Controller]
IP: 172.19.2.1
Hostname: ConstaDC01
Domain: Constabla.nl
Operating System: Windows Server 2008R2 X64

IP connectivity, DNS, and NTP all work.
I configured the Active Directory Service and turned it on:
See freenas1.JPG

After that I configured CIFS:
See freenas2.JPG, freenas3.JPG & freenas4.JPG

After that I created a Share called Data:
See freenas5.JPG

I can see my Active Directory users and give them permissions.
I made user 'CONSTABLA\Constabla' the owner of the ZFS dataset.

I've verified AD connectivity by logging on as root using SSH.
Everything seems to be ok:

Code:
[root@ConstaNAS01] ~# wbinfo -u
CONSTANAS01\root
CONSTABLA\constalocaladmin
CONSTABLA\guest
CONSTABLA\krbtgt
CONSTABLA\constaadmin
CONSTABLA\constabla
CONSTABLA\gina
CONSTABLA\sm_4155477fd6de44c3b
CONSTABLA\sm_e1efe100b43147149
CONSTABLA\sm_da1b437080f745df9
CONSTABLA\sm_bcc5aef6898d466e9
[root@ConstaNAS01] ~# wbinfo -g
CONSTABLA\domain computers
CONSTABLA\domain controllers
CONSTABLA\schema admins
CONSTABLA\enterprise admins
CONSTABLA\cert publishers
CONSTABLA\domain admins
CONSTABLA\domain users
CONSTABLA\domain guests
CONSTABLA\group policy creator owners
CONSTABLA\ras and ias servers
CONSTABLA\allowed rodc password replication group
CONSTABLA\denied rodc password replication group
CONSTABLA\read-only domain controllers
CONSTABLA\enterprise read-only domain controllers
CONSTABLA\dnsadmins
CONSTABLA\dnsupdateproxy
CONSTABLA\unixadmins
CONSTABLA\unixallowedlogons
CONSTABLA\organization management
CONSTABLA\public folder management
CONSTABLA\recipient management
CONSTABLA\view-only organization management
CONSTABLA\um management
CONSTABLA\help desk
CONSTABLA\records management
CONSTABLA\discovery management
CONSTABLA\server management
CONSTABLA\delegated setup
CONSTABLA\hygiene management
CONSTABLA\exchange servers
CONSTABLA\exchange trusted subsystem
CONSTABLA\exchange windows permissions
CONSTABLA\exchange all hosted organizations
CONSTABLA\exchangelegacyinterop
CONSTABLA\$g31000-ph08tnaapsjg
CONSTABLA\nas-movies-readaccess
CONSTABLA\nas-data-readaccess
CONSTABLA\nas-music-readaccess
CONSTABLA\nas-software-readaccess
CONSTABLA\nas-tv-shows-readaccess
[root@ConstaNAS01] ~# wbinfo -t
checking the trust secret for domain CONSTABLA via RPC calls succeeded
[root@ConstaNAS01] ~# ls -la /mnt/ConstaStorage/
total 620
drwxr-x---+   10 root                   wheel                            11 Jul 29 20:15 ./
drwxr-xr-x     4 root                   wheel                           512 Jul 30 19:37 ../
drwxr-xr-x+    2 www                    www                               2 Jun 22 22:28 .freenas/
-rw-r--r--     1 root                   wheel                             0 Jun 14 19:23 .windows
drwxr-x---+    6 CONSTABLA\constabla    CONSTABLA\nas-data-readaccess     9 Jul  4 21:44 Data/


So everything seems to be ok, right?
However, when I try to open \\ConstaNAS01\Data from my laptop (logged on as user Constabla on the CONSTABLA domain) I get an access denied error.

I can see in /var/log/samba/log.smbd that the logon request is bounced:

Code:
[2012/07/30 21:11:53.481915,  1] smbd/service.c:1081(make_connection_snum)
  172.19.4.17 (172.19.4.17) connect to service Data initially as user CONSTABLA\constabla (uid=21105, gid=20513) (pid 18076)
[2012/07/30 21:11:53.487131,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!


The only error I can see in the logfiles is in /var/log/samba/log.winbindd-idmap:

Code:
[2012/07/30 19:38:14.742326,  0] winbindd/idmap_tdb.c:149(idmap_tdb_upgrade)
  Upgrading winbindd_idmap.tdb from an old version
[2012/07/30 19:38:14.746079,  1] winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain CONSTANAS01
[2012/07/30 19:38:17.194854,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CONSTANAS01
[2012/07/30 19:38:17.196601,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config NT AUTHORITY
[2012/07/30 19:38:17.210220,  3] winbindd/idmap.c:230(idmap_init_domain)
  idmap backend rid not found
[2012/07/30 19:38:17.212583,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/local/lib/samba/idmap/rid.so' loaded
[2012/07/30 19:38:17.216873,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CONSTANAS01
[2012/07/30 19:38:17.217261,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config BUILTIN
[2012/07/30 20:32:52.457185,  3] winbindd/winbindd_dual.c:61(child_read_request)
  child_read_request: read_data failed: NT_STATUS_END_OF_FILE
[2012/07/30 20:33:46.513064,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/local/lib/samba/idmap/rid.so' loaded
[2012/07/30 20:33:53.189467,  2] libsmb/cliconnect.c:1433(cli_session_setup_kerberos_send)
  Doing kerberos session setup
[2012/07/30 20:45:44.309167,  1] winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain CONSTANAS01


Does anybody know what I'm doing wrong?

Thanks in advance for your help!

Regards,

Constantijn.
 

Attachments

  • freenas1.JPG (26.1 KB · Views: 344)
  • freenas2.JPG (28.2 KB · Views: 332)
  • freenas3.JPG (24.9 KB · Views: 344)
  • freenas4.JPG (23.7 KB · Views: 324)
  • freenas5.JPG (20.7 KB · Views: 336)
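
Added example (not part of the original post): a small Python parser for the two-line Samba log format quoted above, pairing each header with its message and pulling out NT_STATUS errors and level 0-1 idmap warnings. The sample lines are copied from the post's logs; the function names are illustrative.

```python
import re
from collections import Counter

# Header of a Samba 3.x log entry: "[date time,  LEVEL] file.c:LINE(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Sample input: lines copied from the logs quoted in the post.
SAMPLE = r"""[2012/07/30 21:11:53.481915,  1] smbd/service.c:1081(make_connection_snum)
  172.19.4.17 (172.19.4.17) connect to service Data initially as user CONSTABLA\constabla (uid=21105, gid=20513) (pid 18076)
[2012/07/30 21:11:53.487131,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2012/07/30 19:38:14.746079,  1] winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain CONSTANAS01
[2012/07/30 19:38:17.194854,  1] winbindd/idmap.c:288(idmap_init_named_domain)
  no backend defined for idmap config CONSTANAS01
[2012/07/30 20:32:52.457185,  3] winbindd/winbindd_dual.c:61(child_read_request)
  child_read_request: read_data failed: NT_STATUS_END_OF_FILE
[2012/07/30 20:45:44.309167,  1] winbindd/idmap.c:201(idmap_init_domain)
  idmap range not specified for domain CONSTANAS01
"""

def parse_samba_log(text):
    """Pair every header line with the indented message line(s) that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "level": int(m["level"]), "msg": ""}
            entries.append(current)
        elif current is not None and raw.strip():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def nt_status_errors(entries):
    """(timestamp, function, status) for each entry reporting a non-OK NT_STATUS."""
    return [(e["ts"], e["func"], code) for e in entries
            for code in NT_STATUS.findall(e["msg"]) if code != "NT_STATUS_OK"]

def idmap_warnings(entries):
    """Count distinct level 0-1 messages logged from winbindd/idmap*.c."""
    return Counter(e["msg"] for e in entries
                   if e["src"].startswith("winbindd/idmap") and e["level"] <= 1)

if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE)
    for ts, func, code in nt_status_errors(parsed):
        print(f"{ts}  {func}: {code}")
    for msg, n in idmap_warnings(parsed).most_common():
        print(f"{n}x  {msg}")
```
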