[How-To] Properly setup FreeNAS 9.2.1.5 to use Active Directory folder/file/user permissions

Status
Not open for further replies.

Dot19408

Cadet
Joined
Apr 17, 2015
Messages
3
Sorry to open an old thread, but I'm having trouble granting domain users permissions to CIFS shares.

FreeNAS 9.3 STABLE
Lenovo ThinkStation S20 , Xeon W3540, 24GB RAM non-ECC, 4x WD 2TB drives
Installed to 4GB USB drive (Corsair Voyager I think)

FreeNAS appears to have joined the domain.
[root@freenas ~]# wbinfo -t
checking the trust secret for domain MYDOMAIN via RPC calls succeeded

[root@freenas ~]# wbinfo -g
winrmremotewmiusers__
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
dhcp users
dhcp administrators
media users
media admin


[root@freenas ~]# wbinfo -u
administrator
guest
krbtgt
DomainUser_X
DomainUser_Y
DomainAdmin_A

root
[root@freenas ~]#

Sharing a Dataset with CIFS
DOMAIN ADMIN HAS ACCESS
 

Matt Funk

Dabbler
Joined
Apr 21, 2015
Messages
21
Also commenting on an old thread, it seems. I have a file server that is a 2003 box that needs to be decom'd, and I would like to use FreeNAS as the file server going forward. If I create a share for the users and copy over all the folders and files using robocopy, will it keep the folder permissions for all the subfolders in the share as they are copied over? I'm trying to avoid touching all folders to set permissions.
 

Xeo

Cadet
Joined
May 2, 2015
Messages
1
hello,

I used this tutorial but I have a problem with domain users. When I use wbinfo -u I can see only this below:

[root@freenas ~]# wbinfo -u
administrator
guest
krbtgt
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
Question:
Hi, I know this might be a little bit off topic, but I just wanted to know what the benefits and advantages are of using Active Directory in FreeNAS.

Currently I have CIFS and NFS setup running on my freenas, and I'd say it's working flawlessly as home file sharing with all my devices including PCs in my LAN.

I would appreciate your input.

Thanks.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Question:
Hi, I know this might be a little bit off topic, but I just wanted to know what the benefits and advantages are of using Active Directory in FreeNAS.

Currently I have CIFS and NFS setup running on my freenas, and I'd say it's working flawlessly as home file sharing with all my devices including PCs in my LAN.

I would appreciate your input.

Thanks.
Home users don't need active directory. It's like buying an industrial drill press when you need a cheap hand-held power drill.
 

mauirixxx

Explorer
Joined
Oct 2, 2013
Messages
60
anodos nailed the response.

Also, with the release of FreeNAS 9.3, just about all of the FreeNAS side of things in my original posts are pretty much null & void at this point - however ALL of the Windows domain prep is still valid (dare I say required?).
 

Mr. Gosh

Cadet
Joined
Nov 24, 2013
Messages
8
Too sad, this doesn't reflect 9.3 (btw, did that much really change in AD in FreeNAS 9.3?). But what if I want to access a share while the AD is down? Is there a logical way without changing the permissions of the share to a non-AD user & group?
 

Morphius

Cadet
Joined
Jan 27, 2016
Messages
7
Hello everybody,

I ran into the same problem as Dot19408.
I get:
[root@freenas ~]# wbinfo -u
administrator
guest
krbtgt

And I can only log in as Administrator.
Has someone solved this issue and can direct me in the right direction so I can use the Active Directory?

I'm using MS Server 2012

Thanks from a network NOOB
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Hello everybody,

I ran into the same problem as Dot19408.
I get:
[root@freenas ~]# wbinfo -u
administrator
guest
krbtgt

And I can only log in as Administrator.
Has someone solved this issue and can direct me in the right direction so I can use the Active Directory?

I'm using MS Server 2012

Thanks from a network NOOB
It sounds like you configured your server as an AD domain controller rather than joining it to your domain as a member server. Post contents of /etc/local/smb4.conf.
 

Morphius

Cadet
Joined
Jan 27, 2016
Messages
7
This is my smb4.conf file

Code:
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 227756
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = no
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = HomeNas
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    acl allow execute always = true
    acl check permissions = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = no
    idmap config *: backend = tdb
    idmap config *: range = 10000-100000000
    server role = active directory domain controller
    netbios name = NAS
    workgroup = MORPHIUS
    realm = morphius.nl
    dns forwarder = 10.10.10.3
    idmap_ldb:use rfc2307 = yes
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1

[share]
    path = /mnt/pool_1/share
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
This is my smb4.conf file

Code:
[global]
       server role = active directory domain controller
 
You have your server configured as an ADDC. This guide is for how to join freenas to an AD member server (different role). To join freenas as an AD member server, you need to configure it through "directory service" -> "active directory" and not through "services" -> "domain controller".
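A scripted version of the two checks anodos's diagnosis rests on, added here as an example; it is not from any post above and not FreeNAS or Samba tooling. It reads a smb4.conf to report the effective `server role`, and reads `wbinfo -u` output to flag the "only administrator, guest and krbtgt" symptom that Dot19408, Xeo and Morphius each posted. The file path and the live commands in the trailing comment are what you would type on the NAS; the parsing itself runs offline.

```sh
#!/bin/sh
# Added example (not FreeNAS's or Samba's own tooling): spot the two
# symptoms from this thread on a FreeNAS/Samba box.
#  1. "wbinfo -u" lists only administrator/guest/krbtgt -> winbind is
#     answering from a local directory, not from the domain you joined.
#  2. smb4.conf says "server role = active directory domain controller"
#     -> the box was provisioned as a DC (services -> domain controller)
#     instead of a member server (directory service -> active directory).

# Print the effective "server role" from the [global] section of a
# smb.conf-style file. Samba matches the key case-insensitively; when the
# key is absent Samba's default is "auto".
smb_server_role() {
    awk '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        in_global && tolower($0) ~ /^[[:space:]]*server[[:space:]]+role[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            role = tolower($0)
        }
        END { if (role == "") role = "auto"; print role }
    ' "$1"
}

# Exit 0 when the file describes a domain member (the role this guide
# needs); 1 for a DC, a standalone server, or auto.
smb_is_member_server() {
    case "$(smb_server_role "$1")" in
        "member server"|"member"|"domain member") return 0 ;;
        *) return 1 ;;
    esac
}

# Read "wbinfo -u" output on stdin. Exit 0 when every account listed is
# one of the three built-ins a freshly provisioned DC contains; exit 1 as
# soon as a real domain account (optionally written DOMAIN\name) appears.
wbinfo_only_builtins() {
    awk '
        NF == 0 { next }
        {
            name = tolower($0)
            sub(/^.*\\/, "", name)          # strip a DOMAIN\ prefix
            if (name != "administrator" && name != "guest" && name != "krbtgt")
                found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Live use on the NAS; the functions above only make the reading mechanical:
#   wbinfo -u | wbinfo_only_builtins && echo "winbind is not serving the domain"
#   smb_is_member_server /etc/local/smb4.conf || \
#       echo "role is '$(smb_server_role /etc/local/smb4.conf)', not a member server"
```

Both functions treat only the `[global]` section as authoritative, which matches how Samba reads `server role`; a role line under a share section is ignored, as Samba ignores it.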
 

Morphius

Cadet
Joined
Jan 27, 2016
Messages
7
Great... just turn off the service and it works.
I've been at it for days and then it's something this simple.

Many, many thanks, now I can get back to getting some sleep at night LOL
 

Aristotle

Dabbler
Joined
Dec 27, 2016
Messages
21
Thanks for this tutorial.
I've got everything working except, when I use the default Active Directory user account "Administrator" with the AD's own password, it's not working. It says "web socket connection interrupted". I also created a user in AD and tried that user... do I need to use local\username in the username part while logging in?
With that being said, when I go to \\freenas in both my browser and Explorer I get the login page and the shared file system respectively.
 

mauirixxx

Explorer
Joined
Oct 2, 2013
Messages
60
Thanks for this tutorial.
I've got everything working except, when I use the default Active Directory user account "Administrator" with the AD's own password, it's not working. It says "web socket connection interrupted". I also created a user in AD and tried that user... do I need to use local\username in the username part while logging in?
With that being said, when I go to \\freenas in both my browser and Explorer I get the login page and the shared file system respectively.

what are the results of the following:

wbinfo -t (this tests the AD connection)
wbinfo -u (if you have a working connection this will list the AD users)
wbinfo -g (this will list AD groups)

I'm not sure why you're getting a web socket error, i haven't seen that before. also, try rebooting your client machine as well - I'm assuming your client machine joined to the same domain - and finally, getting FreeNAS joined to the domain is for accessing it via Windows Explorer, not Internet Explorer or any other browser.

If everything is working properly you shouldn't be prompted for any username - if you're trying to access FreeNAS from a non domain joined device, then you need to enter the username like so:

domain\username

if your domain is example.net then you would put: example\Aristotle as the username.
 

bryce

Explorer
Joined
Apr 15, 2014
Messages
97
I've followed the guide; I'm using FreeNAS 11 btw.

When I get to adding the user/group to the share, I get "DOMAIN\user" and "DOMAIN\group" are not valid options.

Also, when I do wbinfo -t I get the following
Code:
[root@loki ~]# wbinfo -t
checking the trust secret for domain VALHALLA via RPC calls failed
wbcCheckTrustCredentials(VALHALLA): error code was NT_STATUS_NO_SUCH_DOMAIN (0xc00000df)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
[root@loki ~]#

Every other machine connected to my domain controller is working perfectly. Time syncs nicely, all dns is going to the proper places. It's just FreeNAS that can't actually connect and join it.

EDIT: I did the following according to the 9.10 docs.
Code:
[root@loki ~]# sqlite3 /data/freenas-v1.db "update directoryservice_activedirectory set ad_enable=1;"
[root@loki ~]# echo $?
0
[root@loki ~]# service ix-kerberos start
ERROR: Unable to find kerberos servers for valhalla.xyz
Traceback (most recent call last):
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 538, in <module>
    main()
  File "/usr/local/libexec/nas/generate_krb5_conf.py", line 469, in main
    ad = Struct(client.call('notifier.directoryservice', 'AD'))
  File "/usr/local/lib/python3.6/site-packages/middlewared/client/client.py", line 207, in call
    raise ClientException(c.error, c.trace)
middlewared.client.client.ClientException: Unable to find kerberos servers for valhalla.xyz
[root@loki ~]# service ix-nsswitch start
[root@loki ~]#
[root@loki ~]# service ix-kinit start
ERROR: Unable to find kerberos servers for valhalla.xyz
[root@loki ~]#
[root@loki ~]# service ix-kinit status
ERROR: Unable to find kerberos servers for valhalla.xyz
[root@loki ~]#
[root@loki ~]# echo $?
1
[root@loki ~]#
[root@loki ~]# klist
klist: No ticket file: /tmp/krb5cc_0
 
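Nobody in the thread answers bryce, so the following is an added example and not a confirmed fix. "Unable to find kerberos servers for valhalla.xyz" and NT_STATUS_NO_SUCH_DOMAIN are what you see when the NAS's resolver cannot return the SRV records an AD client uses to locate a KDC and a DC (`_kerberos._tcp.<realm>` and `_ldap._tcp.dc._msdcs.<realm>`, which every AD domain publishes); whether that is bryce's actual cause is an assumption. The realm `valhalla.xyz` is bryce's; the DC host names in the canned data are made up. The `dig` call is live; the parsing runs offline.

```sh
#!/bin/sh
# Added example, not FreeNAS tooling and not from the thread: confirm that
# the DNS server a FreeNAS box uses publishes the SRV records an AD member
# needs before blaming the join itself. Assumes the NAS resolves through
# the same DNS as the domain's other members (bryce says it does).

# Print the SRV names AD publishes for a realm, one per line.
ad_srv_names() {
    realm=$1
    printf '%s\n' \
        "_kerberos._tcp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm"
}

# Parse "dig +short SRV" output ("prio weight port target.") on stdin and
# print "target port" pairs, lowest priority first, i.e. the order a
# client would try the DCs in. Trailing dots on targets are stripped.
srv_targets() {
    awk 'NF == 4 { t = $4; sub(/\.$/, "", t); print $1, t, $3 }' \
    | sort -n \
    | awk '{ print $2, $3 }'
}

# Resolve every required record through the NAS's own resolver and exit 1
# if any comes back empty. Live only (needs dig and the network); the
# functions above are what it relies on and are testable offline.
check_ad_dns() {
    realm=$1
    rc=0
    for name in $(ad_srv_names "$realm"); do
        targets=$(dig +short SRV "$name" | srv_targets)
        if [ -z "$targets" ]; then
            echo "MISSING: $name (KDC/DC discovery for $realm will fail)"
            rc=1
        else
            echo "$name ->"
            echo "$targets" | sed 's/^/    /'
        fi
    done
    return $rc
}

# Usage on the NAS:  check_ad_dns valhalla.xyz
```

If `check_ad_dns` reports a missing record, fix the NAS's nameserver (it must point at a DC or at a DNS server that forwards the AD zone), not the AD settings in the GUI; if every record resolves, the DNS theory is ruled out and the trust-secret failure has to be chased elsewhere.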

Sharath

Dabbler
Joined
Aug 28, 2017
Messages
12
I followed this guide, I'm on 9.2.1.6-beta and stuff's acting funky.

wbinfo -u/g/t all show the right info and work properly, yet getent passwd and group don't show the AD users/groups. I don't see any errors at all, and I can't see users or groups in the permissions of shares. I'm not sure what's up.

Hi,

I am using 9.10 and I am facing the same issue. Were you able to solve this?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
How about reading the manual, conveniently linked at the top of every page here and in your server's GUI?
 