SOLVED FreeNAS failed to integrate with Samba DCS

Status
Not open for further replies.

joesnow1234

Dabbler
Joined
Aug 7, 2017
Messages
14
Hi, I am building a Samba server to act as an AD DC, and plan to integrate it with FreeNAS (latest version
FreeNAS-11.0-U2 (e417d8aa5)) so that users could be restricted to accessing their own folders of SMB shares, etc.

I first create a CA named CA in FreeNAS (System => CAs) with common name freenas.xxx.com, and then sign a certificate with this CA with common name pdc.xxx.com, following this instruction:
https://forums.freenas.org/index.php?threads/cant-join-to-samba-ad-dc.43513/

The config snippet of smb.conf is
Code:
		idmap_ldb:use rfc2307 = yes
		tls enabled  = yes
		# smb.conf only treats whole lines starting with # or ; as comments,
		# so the notes below must not trail the values on the same line.
		# key.pem is the private key belonging to cert.pem.
		tls keyfile  = /usr/var/lib/samba/private/tls/key.pem
		# cert.pem is the certificate signed by the CA created in FreeNAS.
		tls certfile = /usr/var/lib/samba/private/tls/cert.pem
		# ca.pem is the CA certificate from FreeNAS (System => CAs).
		tls cafile   = /usr/var/lib/samba/private/tls/ca.pem


The attachment shows the Directory Service settings.

When I click the "save" button, this error is raised:
Code:
{'desc': 'Connect error', 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)'}

Judging from the error, it seems that FreeNAS does not recognize the CA's certificate (ca.pem). If it were CentOS/Debian I would add ca.pem to the system cert store and run update-ca-cert. But for FreeNAS, I don't know how.

So what's wrong with my setup? I also wonder where the related log is located. /var/log/messages shows nothing useful.

Thanks.
 

Attachments: 2017-08-08_162812.png, 2017-08-08_162917.png

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Is the AD DC another system, or the FN box? Will the FN box be the CA, or do you generate the certificates elsewhere? If that is the case, have you tried to import the CA certificate as in the image below?

[screenshot: upload_2017-8-8_14-38-21.png]

joesnow1234

Dabbler
Joined
Aug 7, 2017
Messages
14
Yes, the AD DC is built with Samba 4.6.6 (the latest version) and its IP is 172.16.234.204,
while FreeNAS is 172.16.234.206.
I generated the CA (ca.pem) on FreeNAS (System -> CAs) and then signed a cert/key with this CA for the Samba DC, as mentioned in the post (cert.pem/key.pem).

So FreeNAS is the CA.
 

joesnow1234

Dabbler
Joined
Aug 7, 2017
Messages
14
Oh, I finally figured out the root cause.

I only added the certs/CA on the first DC, but judging from the log, FreeNAS tried to connect to the 2nd one, which caused the weird problem.

BTW, the detailed log is located at /var/log/debug.log.

Creating the CA and importing it to FreeNAS also works.
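
As an added check (not from the thread), the script below verifies the same chain the FreeNAS join relies on: `check_chain` is the offline test (a cert signed by the NAS CA verified against ca.pem), and `check_dc_tls` is the live test of a DC's LDAPS port, which is worth running against every DC the NAS might be sent to, since the root cause here was a second DC that never received the certificate. The host name dc2.xxx.com and port 636 are assumptions; `mk_test_pki` builds a constructed throw-away CA so the offline check can run anywhere with openssl installed.

```shell
#!/bin/sh
# Added example, not from the thread. The join above failed with "unable to get
# local issuer certificate", i.e. the DC's cert did not chain to the CA the NAS
# trusts (here because the second DC never got the cert at all).

# check_chain CERT CAFILE: prints "ok" when CERT chains to CAFILE, else "fail".
check_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# check_dc_tls HOST CAFILE [PORT]: live check of one DC's LDAPS listener
# (636 assumed). -verify_return_error makes the handshake fail, and so the
# exit status non-zero, on exactly the chain error the NAS reported.
check_dc_tls() {
    if openssl s_client -connect "$1:${3:-636}" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# mk_test_pki DIR CA_CN SERVER_CN: constructed throw-away CA and server cert,
# mirroring the thread's CA freenas.xxx.com signing pdc.xxx.com, so that
# check_chain can be exercised offline.
mk_test_pki() {
    openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1 &&
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/key.pem" -out "$1/req.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$1/req.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/cert.pem" >/dev/null 2>&1
}

# Live use, checking every DC the NAS may be sent to (dc2.xxx.com is a
# placeholder for the second DC from the thread):
#   for dc in pdc.xxx.com dc2.xxx.com; do
#       echo "$dc: $(check_dc_tls "$dc" /path/to/ca.pem)"
#   done
```

A DC that prints "fail" here is one the NAS will reject with the same "certificate verify failed" error, whichever DC it happens to pick.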
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
Is this issue solved? Consider editing the post and marking it as Solved... :)
 

Artion

Patron
Joined
Feb 12, 2016
Messages
331
This is how it's done:
1. Click on Thread Tools -> Edit Title
2. Select SOLVED in the Prefix dropdown menu
3. Save changes

[screenshots: upload_2017-8-16_9-42-0.png, upload_2017-8-16_9-42-13.png, upload_2017-8-16_9-42-28.png]
 