FreeNAS8+AD=Stronger Authentication Required

Status
Not open for further replies.

Spirit

Cadet
Joined
Oct 3, 2011
Messages
1
Hello all.
I'm trying the FreeBSD-based product for the first time. All seems fine, but I came to an error I cannot solve.

When I try to start the AD service on FreeNAS, it fails with the following messages in the logs:

Code:
Oct  3 06:17:56 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-pam quietstart
Oct  3 06:17:56 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-samba quietstart
Oct  3 06:17:56 nas-01-hp freenas: tdbsam_open: Converting version 0.0 database to version 4.0.
Oct  3 06:17:56 nas-01-hp freenas: tdbsam_convert_backup: updated /var/etc/private/passdb.tdb file.
Oct  3 06:17:56 nas-01-hp freenas: Importing account for root...ok
Oct  3 06:17:57 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-kinit quietstart
Oct  3 06:18:07 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-activedirectory quietstart
Oct  3 06:18:08 nas-01-hp freenas: [2011/10/03 06:18:08.546736,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
Oct  3 06:18:08 nas-01-hp freenas:   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required
Oct  3 06:18:08 nas-01-hp freenas: Failed to join domain: failed to connect to AD: Strong(er) authentication required
Oct  3 06:18:18 nas-01-hp freenas[1620]: Executing: /usr/sbin/service samba forcestop
Oct  3 06:18:18 nas-01-hp freenas[1620]: Executing: /usr/bin/killall nmbd
Oct  3 06:18:18 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:18 nas-01-hp freenas[1620]: Executing: /usr/bin/killall smbd
Oct  3 06:18:18 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:18 nas-01-hp freenas[1620]: Executing: /usr/bin/killall winbindd
Oct  3 06:18:18 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:18 nas-01-hp freenas[1620]: Executing: /usr/sbin/service samba quietstart
Oct  3 06:18:19 nas-01-hp freenas: Removing stale Samba tdb files:  done
Oct  3 06:18:19 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-kerberos quietstart
Oct  3 06:18:19 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-nsswitch quietstart
Oct  3 06:18:19 nas-01-hp freenas: Generating host.conf.
Oct  3 06:18:19 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-pam quietstart
Oct  3 06:18:19 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-samba quietstart
Oct  3 06:18:19 nas-01-hp freenas: tdbsam_open: Converting version 0.0 database to version 4.0.
Oct  3 06:18:19 nas-01-hp freenas: tdbsam_convert_backup: updated /var/etc/private/passdb.tdb file.
Oct  3 06:18:19 nas-01-hp freenas: Importing account for root...ok
Oct  3 06:18:20 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-kinit quietstart
Oct  3 06:18:20 nas-01-hp freenas[1620]: Executing: /usr/sbin/service ix-activedirectory quietrestart
Oct  3 06:18:21 nas-01-hp freenas: No realm set, are we joined ?
Oct  3 06:18:21 nas-01-hp freenas[1620]: Executing: /usr/sbin/service samba forcestop
Oct  3 06:18:21 nas-01-hp freenas[1620]: Executing: /usr/bin/killall nmbd
Oct  3 06:18:21 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:21 nas-01-hp freenas[1620]: Executing: /usr/bin/killall smbd
Oct  3 06:18:21 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:21 nas-01-hp freenas[1620]: Executing: /usr/bin/killall winbindd
Oct  3 06:18:21 nas-01-hp freenas: No matching processes were found
Oct  3 06:18:21 nas-01-hp freenas[1620]: Executing: /usr/sbin/service samba quietstart
Oct  3 06:18:21 nas-01-hp freenas: Removing stale Samba tdb files: . done


I found that it comes from the "Domain Controller: LDAP server signing requirements" policy. The fast way, which comes to mind, is to set it OFF, but it's very unlikely.

So, maybe there is a way to change the configs on FreeNAS so it will negotiate with AD properly?

Thanks in advance.
 

gastonc

Cadet
Joined
Jul 17, 2012
Messages
1
DC authentication

I have the same issue. I would like to enforce strong authentication against a DC but as of right now I do not see an obvious option to do so.
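
Added example, not part of either post above and not FreeNAS's own configuration: the Samba client-side setting that corresponds to the "LDAP server signing requirements" policy named in the first post, with the unsigned setting shown beside the signed ones. It assumes the Samba build on the NAS supports `client ldap sasl wrapping`; how to get the line into the smb.conf that FreeNAS generates is not covered by this thread.

```ini
[global]
    # Unsigned: the LDAP bind to the DC carries no SASL integrity protection.
    # A DC whose "Domain controller: LDAP server signing requirements" policy
    # is set to require signing rejects it, which matches the logged
    # "ads_sasl_spnego_krb5_bind failed: Strong(er) authentication required".
    ; client ldap sasl wrapping = plain

    # Signed: LDAP traffic after the Kerberos bind is integrity-protected,
    # so the DC policy can stay enabled.
    client ldap sasl wrapping = sign

    # Stricter alternative: sign and encrypt the LDAP traffic.
    ; client ldap sasl wrapping = seal
```

The value Samba actually loaded can be checked with `testparm -sv` before retrying the domain join.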
 