Freenas 8.3.1 + Server 2008 R2 + Active Directory


lord.nemesi (Cadet, joined May 13, 2013, 6 messages)
Hi everyone,
as per the subject. I have a Server 2008 R2 DC; the DNS server works perfectly. Following the documentation, I made sure the NAS can ping the server and vice versa. The DNS server resolves the NAS name correctly. So far so good, but the AD service refuses to start. The curious thing is that I can see the NAS in the "Active Directory Users and Computers" snap-in, and the wbinfo commands (-u, -g, -t) correctly list domain users and groups. However, from the GUI I cannot assign the correct permissions to the network shares, because users and groups are not listed. The "net ads join" command succeeds only with the domain Administrator user. I'm a bit puzzled; I had a similar problem with a QNAP NAS, but I solved it by adding the following line to the global section of the "smb.conf" file:

Code:
client ldap sasl wrapping = sign


Needless to say, I did the same with FreeNAS, but nothing. This is the log during the attempt to start the AD service:

May 14 09:15:40 freenas ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
May 14 09:15:42 freenas notifier: dbus not running? (check /var/run/dbus/dbus.pid).
May 14 09:15:42 freenas notifier: Will not 'restart' dbus because dbus_enable is NO.
May 14 09:15:42 freenas notifier: Stopping avahi-daemon.
May 14 09:15:42 freenas notifier: Failed to kill daemon: No such file or directory
May 14 09:15:42 freenas notifier: Will not 'restart' avahi_daemon because avahi_daemon_enable is NO.
May 14 09:15:43 freenas notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
May 14 09:15:43 freenas notifier: Stopping smbd.
May 14 09:15:43 freenas notifier: Waiting for PIDS: 2029.
May 14 09:15:43 freenas notifier: Stopping nmbd.
May 14 09:15:43 freenas notifier: Waiting for PIDS: 2026.
May 14 09:15:43 freenas notifier: False
May 14 09:15:43 freenas ActiveDirectory: /usr/sbin/service ix-kerberos quietstart
May 14 09:15:43 freenas ActiveDirectory: AD_init: binddn = Administrator@NETECO.LAN
May 14 09:15:43 freenas ActiveDirectory: AD_locate_domain_controllers: domain=neteco.lan, site=
May 14 09:15:43 freenas ActiveDirectory: AD_locate_domain_controllers: record=_ldap._tcp.dc._msdcs.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: host=_ldap._tcp.dc._msdcs.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: dig -t srv +short +nocomments _ldap._tcp.dc._msdcs.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: trying fragserver.neteco.lan:389
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: Okay
May 14 09:15:43 freenas ActiveDirectory: AD_init: dchost = fragserver.neteco.lan, dcport = 389
May 14 09:15:43 freenas ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
May 14 09:15:43 freenas notifier: ldap_bind: Strong(er) authentication required (8)
May 14 09:15:43 freenas notifier: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
May 14 09:15:43 freenas ActiveDirectory: AD_init: basedn =
May 14 09:15:43 freenas ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
May 14 09:15:43 freenas notifier: ldap_bind: Strong(er) authentication required (8)
May 14 09:15:43 freenas notifier: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
May 14 09:15:43 freenas ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes = dnsRoot
May 14 09:15:43 freenas notifier: ldap_bind: Strong(er) authentication required (8)
May 14 09:15:43 freenas notifier: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
May 14 09:15:43 freenas ActiveDirectory: AD_get_partition: config = , basedn = CN=Partitions,, ncname =
May 14 09:15:43 freenas ActiveDirectory: AD_query: basedn = CN=Partitions,, filter = ncname=, attributes = ncname= dnsRoot
May 14 09:15:43 freenas ActiveDirectory: AD_locate_domain_global_catalog_servers: domain=, site=
May 14 09:15:43 freenas ActiveDirectory: AD_init: gchost = , gcport = 3268
May 14 09:15:43 freenas ActiveDirectory: AD_locate_kerberos_servers: domain=neteco.lan, proto=, site=
May 14 09:15:43 freenas ActiveDirectory: AD_locate_kerberos_servers: record=_kerberos._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: host=_kerberos._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: dig -t srv +short +nocomments _kerberos._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: trying fragserver.neteco.lan:88
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: Okay
May 14 09:15:43 freenas ActiveDirectory: AD_init: krbhost = fragserver.neteco.lan, krbport = 88
May 14 09:15:43 freenas ActiveDirectory: AD_locate_kpasswd_servers: domain=neteco.lan, proto=, site=
May 14 09:15:43 freenas ActiveDirectory: AD_locate_kpasswd_servers: record=_kpasswd._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: host=_kpasswd._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_records: dig -t srv +short +nocomments _kpasswd._udp.neteco.lan
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: trying fragserver.neteco.lan:464
May 14 09:15:43 freenas ActiveDirectory: __get_SRV_host: Okay
May 14 09:15:44 freenas ActiveDirectory: AD_init: kpwdhost = fragserver.neteco.lan, kpwdport = 464
May 14 09:15:44 freenas ActiveDirectory: generate_krb5_conf: krbhost=fragserver.neteco.lan, kpwdhost=fragserver.neteco.lan, domainname=neteco.lan
May 14 09:15:44 freenas ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
May 14 09:15:44 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstart
May 14 09:15:44 freenas ActiveDirectory: /usr/sbin/service ix-kinit quietstart
May 14 09:15:44 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:44 freenas ActiveDirectory: kerberos_start: kinit --password-file=/tmp/tmp.jZazIKlf Administrator@NETECO.LAN
May 14 09:15:44 freenas ActiveDirectory: kerberos_start: Successful
May 14 09:15:54 freenas ActiveDirectory: /usr/sbin/service ix-kinit status
May 14 09:15:55 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:55 freenas ActiveDirectory: kerberos_status: klist -l | grep -q ^Administrator@NETECO.LAN
May 14 09:15:55 freenas ActiveDirectory: kerberos_status: Successful
May 14 09:15:55 freenas ActiveDirectory: /usr/sbin/service ix-samba quietstart
May 14 09:15:55 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:55 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: checking testparm issues
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: Load smb config files from /usr/local/etc/smb.conf
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap uid" option is deprecated
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap gid" option is deprecated
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: Loaded services file OK.
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: (by default Samba will discover the correct DC to contact automatically).
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: Server role: ROLE_DOMAIN_MEMBER
May 14 09:15:55 freenas ActiveDirectory: generate_smb_config: testparm: Press enter to see a dump of your service definitions
May 14 09:15:55 freenas ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
May 14 09:15:57 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:57 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: checking testparm issues
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: Load smb config files from /usr/local/etc/smb.conf
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap uid" option is deprecated
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap gid" option is deprecated
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: Loaded services file OK.
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: (by default Samba will discover the correct DC to contact automatically).
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: Server role: ROLE_DOMAIN_MEMBER
May 14 09:15:57 freenas ActiveDirectory: generate_smb_config: testparm: Press enter to see a dump of your service definitions
May 14 09:15:58 freenas notifier: Removing stale Samba tdb files: ....... done
May 14 09:15:58 freenas notifier: Starting nmbd.
May 14 09:15:58 freenas notifier: Starting smbd.
May 14 09:15:58 freenas notifier: Starting winbindd.
May 14 09:15:58 freenas notifier: True
May 14 09:15:58 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
May 14 09:15:58 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:15:58 freenas ActiveDirectory: activedirectory_start: trying to join domain
May 14 09:15:58 freenas ActiveDirectory: AD_join_domain: net ads join -U Administrator
May 14 09:16:01 freenas notifier: Using short domain name -- NETECO
May 14 09:16:01 freenas notifier: Joined 'FREENAS' to dns domain 'neteco.lan'
May 14 09:16:01 freenas ActiveDirectory: AD_join_domain: Successful
May 14 09:16:01 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory status
May 14 09:16:02 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:16:02 freenas ActiveDirectory: activedirectory_status: checking status
May 14 09:16:02 freenas ActiveDirectory: AD_status_domain: net ads status -U Administrator
May 14 09:16:03 freenas ActiveDirectory: AD_status_domain: Okay
May 14 09:16:03 freenas ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py stop cifs
May 14 09:16:05 freenas notifier: dbus not running? (check /var/run/dbus/dbus.pid).
May 14 09:16:05 freenas notifier: Will not 'restart' dbus because dbus_enable is NO.
May 14 09:16:05 freenas notifier: Stopping avahi-daemon.
May 14 09:16:05 freenas notifier: Failed to kill daemon: No such file or directory
May 14 09:16:05 freenas notifier: Will not 'restart' avahi_daemon because avahi_daemon_enable is NO.
May 14 09:16:05 freenas notifier: winbindd not running? (check /var/run/samba/winbindd.pid).
May 14 09:16:05 freenas notifier: Stopping smbd.
May 14 09:16:05 freenas notifier: Waiting for PIDS: 6137.
May 14 09:16:05 freenas notifier: Stopping nmbd.
May 14 09:16:05 freenas notifier: Waiting for PIDS: 6133.
May 14 09:16:05 freenas notifier: False
May 14 09:16:05 freenas ActiveDirectory: /usr/local/bin/python /usr/local/www/freenasUI/middleware/notifier.py start cifs
May 14 09:16:07 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:16:07 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: checking testparm issues
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: Load smb config files from /usr/local/etc/smb.conf
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap uid" option is deprecated
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The "idmap gid" option is deprecated
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: Loaded services file OK.
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: (by default Samba will discover the correct DC to contact automatically).
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: Server role: ROLE_DOMAIN_MEMBER
May 14 09:16:07 freenas ActiveDirectory: generate_smb_config: testparm: Press enter to see a dump of your service definitions
May 14 09:16:07 freenas notifier: Removing stale Samba tdb files: ...... done
May 14 09:16:07 freenas notifier: Starting nmbd.
May 14 09:16:07 freenas notifier: Starting smbd.
May 14 09:16:07 freenas notifier: Starting winbindd.
May 14 09:16:07 freenas notifier: True
May 14 09:16:07 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstart &
May 14 09:16:08 freenas notifier: No handlers could be found for logger "common.freenasusers"
May 14 09:16:09 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:16:09 freenas ActiveDirectory: kerberos_status: klist -l | grep -q ^Administrator@NETECO.LAN
May 14 09:16:09 freenas ActiveDirectory: kerberos_status: Successful
May 14 09:16:09 freenas ActiveDirectory: AD_init: config exists, loading values from /etc/ActiveDirectory/config
May 14 09:16:09 freenas ActiveDirectory: activedirectory_status: checking status
May 14 09:16:09 freenas ActiveDirectory: AD_status_domain: net ads status -U Administrator
May 14 09:16:12 freenas ActiveDirectory: AD_status_domain: Okay
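An added log triage script, not from the original post or from FreeNAS (Python because the FreeNAS middleware is Python): it walks a constructed excerpt of the start-up log above and checks whether the LDAP bind for the rootDSE query was refused with error 0x2028 and whether basedn stayed empty as a result. The field names and the sample excerpt are assumptions built from the log.

```python
import re

# Constructed sample: a handful of lines taken from the FreeNAS 8.3.1 start-up
# log in the post above, trimmed to the ones the diagnosis depends on.
SAMPLE_LOG = """\
May 14 09:15:43 freenas ActiveDirectory: AD_init: dchost = fragserver.neteco.lan, dcport = 389
May 14 09:15:43 freenas ActiveDirectory: AD_query_rootDSE: filter = (objectclass=*), attributes =
May 14 09:15:43 freenas notifier: ldap_bind: Strong(er) authentication required (8)
May 14 09:15:43 freenas notifier: additional info: 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v1db1
May 14 09:15:43 freenas ActiveDirectory: AD_init: basedn =
May 14 09:15:44 freenas ActiveDirectory: kerberos_start: Successful
May 14 09:16:01 freenas ActiveDirectory: AD_join_domain: Successful
"""

# 0x2028 is ERROR_DS_STRONG_AUTH_REQUIRED: the DC's LDAP signing policy refuses
# an unsigned simple bind on plain port 389 (a signed SASL bind or LDAPS passes).
STRONG_AUTH_REQUIRED = "00002028"
DCHOST_RE = re.compile(r"AD_init: dchost = (?P<host>\S+), dcport = (?P<port>\d+)")
BASEDN_RE = re.compile(r"AD_init: basedn =\s*(?P<basedn>.*)$")

def triage(log_text):
    """Walk the log once and collect the facts the diagnosis needs."""
    facts = {"dc": None, "port": None, "signing_refused": False,
             "basedn": None, "kerberos_ok": False, "join_ok": False}
    for line in log_text.splitlines():
        if m := DCHOST_RE.search(line):
            facts["dc"], facts["port"] = m["host"], int(m["port"])
        elif m := BASEDN_RE.search(line):
            facts["basedn"] = m["basedn"].strip() or None  # empty => rootDSE lookup failed
        elif STRONG_AUTH_REQUIRED in line:
            facts["signing_refused"] = True
        elif "kerberos_start: Successful" in line:
            facts["kerberos_ok"] = True
        elif "AD_join_domain: Successful" in line:
            facts["join_ok"] = True
    return facts

def diagnosis(facts):
    """Explain why the join can succeed while the GUI still lists no users or groups."""
    if facts["signing_refused"] and facts["basedn"] is None:
        return ("LDAP bind to %s:%s refused with 0x2028: the DC requires signing, so the "
                "rootDSE query failed and basedn stayed empty (GUI lookups have no search "
                "base). kerberos_ok=%s, join_ok=%s: those paths use Kerberos/GSSAPI, so the "
                "plain rootDSE bind is the one that must sign or use TLS."
                % (facts["dc"], facts["port"], facts["kerberos_ok"], facts["join_ok"]))
    if facts["basedn"]:
        return "rootDSE query succeeded, basedn = %s" % facts["basedn"]
    return "no LDAP signing error seen; look elsewhere in the log"
```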
 

gian4nas (Patron, joined Oct 13, 2011, 389 messages)
Hi

I'm not an expert in LDAP, but reading the log I noticed this:
LdapErr: DSID-0C0901FC
and this:
The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

Doing a quick search I found this, from which one gathers that it is an authentication error via SSL\TLS, so check whether you have that service enabled/configured correctly on the NAS.

Regards
 

lord.nemesi (Cadet, joined May 13, 2013, 6 messages)
Hi,
I had seen the error, and I also know what causes it. The DC, by policy, requires that type of authentication. However, I wasn't able to find a way to enable SSL/TLS on FreeNAS in relation to the AD service. If you could enlighten me I'd be grateful.

Thanks :D
 

gian4nas (Patron, joined Oct 13, 2011, 389 messages)
Hi

you'll find the service here; beyond that, unfortunately, I don't know, sorry.

Regards
 

lord.nemesi (Cadet, joined May 13, 2013, 6 messages)
Thanks,
but that is for the SSL/TLS connection to the FreeNAS web interface, for example if you expose it directly to the internet. In fact, it involves creating a self-generated certificate. :D

Thanks anyway
 

gian4nas (Patron, joined Oct 13, 2011, 389 messages)
Hi

sorry, you're absolutely right, in my haste I didn't check; let's see if I can make it up to you. Now, on my lunch break, I went searching and found this for you, taken from here; if you go to the bottom of the page, look under the heading "Troubleshooting Tips".

Regards
 