Samba Active Directory(2003 schema) integrated FreeNAS file server

RegularJoe

Patron
Joined
Aug 19, 2013
Messages
330
Hi All,

I am running FreeNAS-11.2-U5 (Build Date: Jun 24, 2019 18:41) on a VMware cluster running Intel Xeon processors.

FreeBSD fspub1.na.avonroot.lan 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+6aad246318c(HEAD): Mon Jun 24 17:25:47 UTC 2019 root@nemesis:/freenas-releng/freenas/_BE/objs/freenas-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64


This is kicking my butt. I have a virtual FreeNAS server running in VMware ESXi with a static IP address. I am trying to add it to a 2003 Active Directory domain that has multiple sites and trusts. I only want to use users from the local domain and set up a public server.

The first few questions should be easy for someone to answer:
1) after each change I make, do I need to reboot the FreeNAS server, i.e. AD, Samba, DNS servers, NTP servers?
2) is there one location or a series of commands I can use to completely zero what changes I have attempted, i.e. delete the /custom/apps/samba4/config/*
3) I am trying this in the legacy interface, is that 100% broken for adding a FN box to AD?
4) should I use an older or beta version of FreeNAS that is known to work?

So far:
1) assign the NTP server to one of the local AD servers and verify the date on the FreeNAS box
2) set the time zone correctly
3) use the windows AD server for DNS and set the host name and domain to match AD
4) create the DNS A name in DNS and verify the reverse DNS record is created
5) from the freenas host and other hosts verify you can ping hostname and FQDN of the FreeNAS box
6) from the FreeNAS box verify you can ping the domain by name

In Services SMB:
1) local Master disabled
2) Domain logins unchecked

Here is the /var/log/messages errors:
Jul 22 10:25:05 fspub1 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Jul 22 10:25:07 fspub1 ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Jul 22 10:25:07 fspub1 ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default NA.AVONROOT.LAN
Jul 22 10:25:07 fspub1 ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Jul 22 10:25:08 fspub1 ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Jul 22 10:25:08 fspub1 ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Jul 22 10:25:09 fspub1 ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable --password-file=/tmp/tmp.VB62jfnI svc-FN@NA.AVONROOT.LAN
Jul 22 10:25:10 fspub1 ActiveDirectory: kerberos_start: Successful
Jul 22 10:25:10 fspub1 ActiveDirectory: /usr/sbin/service ix-kinit status
Jul 22 10:25:11 fspub1 ActiveDirectory: kerberos_status: klist -t
Jul 22 10:25:11 fspub1 ActiveDirectory: kerberos_status: Successful
Jul 22 10:25:11 fspub1 ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Jul 22 10:25:17 fspub1 ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Jul 22 10:25:19 fspub1 ActiveDirectory: activedirectory_start: checking if we are joined already
Jul 22 10:25:19 fspub1 ActiveDirectory: AD_testjoin_domain: net -k ads testjoin NA.AVONROOT.LAN -S 192.168.180.126 -p 389
Jul 22 10:25:20 fspub1 ActiveDirectory: AD_testjoin_domain: Failed
Jul 22 10:25:20 fspub1 ActiveDirectory: activedirectory_start: trying to join domain
Jul 22 10:25:20 fspub1 ActiveDirectory: AD_join_domain: net -k ads join NA.AVONROOT.LAN -S 192.168.180.126 -p 389
Jul 22 10:25:22 fspub1 ActiveDirectory: AD_join_domain: Failed
Jul 22 10:25:23 fspub1 uwsgi: [middleware.exceptions:36] [MiddlewareError: Active Directory failed to reload.]
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Try the following sequence:
Code:
sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
service ix-hostname start
service ix-kerberos start
service ix-kinit start
service ix-pre-samba start
net -k -d 5 ads join


The last command should give you verbose output on what's failing during the domain join.
 

RegularJoe

"net -k -d 5 ads join" does give me a lot to look at
Starting GENSEC submechanism gse_krb5
smb_signing_check_pdu: BAD SIG: wanted SMB signature of
[0000] 56 2B F8 6B 60 A2 C1 D9 V+.k`...
smb_signing_check_pdu: BAD SIG: got SMB signature of
[0000] 42 53 52 53 50 59 4C 20 BSRSPYL
smb_signing_good: BAD SIG: seq 1
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : 'FSPUB1$'
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_guid : 00000000-0000-0000-0000-000000000000
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for domain 'NA.AVONROOT.LAN' over rpc: {Access Denied} A process has requested access to an object but has not been granted those access rights.'
domain_is_ad : 0x00 (0)
set_encryption_types : 0x00000000 (0)
krb5_salt : NULL
result : WERR_ACCESS_DENIED
Failed to join domain: failed to lookup DC info for domain 'NA.AVONROOT.LAN' over rpc: {Access Denied} A process has requested access to an object but has not been granted those access rights.
return code = -1
 

anodos

For testing purposes try using a member of domain admins to perform the join.
 

RegularJoe

So with the user in the legacy GUI it fails; when I drop to a command prompt and type in "net -k -d 5 ads join -U xxxxxx" and enter the password, it appears to work. Is this an issue with using the legacy GUI, too long a username in the GUI, or bad characters in the GUI password?

the password is something like : mypasswordhas1number!doh
 

anodos

Password length shouldn't matter. We actually don't use the password for the domain join, we use it to get a kerberos ticket that is then used for the domain join. You're getting the ticket.
 

RegularJoe

Anodos,

On this domain only domain admins can add a computer to the domain. I am not understanding why from the command line it appears to work when I pass a -U domain admin and key in the password but from the New GUI and Legacy it fails. Is there something else to look at?

Thanks,
Joe
 

RegularJoe

Anodos,

I am getting closer!

There are times I get this error in the legacy GUI and the new Angular GUI.
  • {'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece'}
It seems that the person configuring the AD settings should be able to change a setting and press apply, but it appears that in 11.2 U5 you have to disable the service and then enable the service with the new setting. This is bad for Samba users as they get KICKED off the file server.

So I spun up a new server on a different subnet running 11.2 U1 and last night upgraded it to 11.2 U5 (no issues; the same odd responses happen on both versions).

With our old 2003 domain I had to have:
Idmap backend: rid
Winbind NSS Info: --------

As soon as I set Winbind NSS Info: rfc2307 (I should not be using this as the schema is old and has no UNIX/NIS attributes)
I get this error, but everything works: Aug 1 08:39:12 FileServerPub1 ActiveDirectory: AD_status_domain: Not okay
How do I find out what is "Not okay"?

For some reason idmap backend: ad fails every time (the 2003 schema does not have UNIX extensions or Server for NIS).
With LDAP there is a way to query AD to see if the schema has these features and cough up an error code to the FreeNAS user.

Thanks,
Joe
 
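The schema check Joe asks for in the post above, written as an added example; it is not part of the thread, of FreeNAS, or of Samba. It queries the schema partition of a domain controller for the RFC2307 attributes that the "ad" idmap backend and "rfc2307" NSS info depend on (a plain Windows Server 2003 schema does not define them; they arrived with 2003 R2 / Services for UNIX), so the result tells you whether "rid" is the only backend that can work. It assumes the OpenLDAP ldapsearch client is installed and that a Kerberos ticket already exists (from "service ix-kinit start" or a manual kinit) so the GSSAPI bind succeeds; the DC name is passed as a parameter.

```shell
#!/bin/sh
# Added example, not FreeNAS or Samba code. Reports whether the AD schema
# defines the RFC2307 attributes used by "idmap backend: ad" and
# "Winbind NSS Info: rfc2307". Assumes: OpenLDAP ldapsearch on PATH and a
# valid Kerberos ticket for -Y GSSAPI (the DC FQDN is an argument).

# The attributes winbind's ad backend reads for uid/gid/home/shell.
RFC2307_ATTRS="uidNumber gidNumber unixHomeDirectory loginShell"

# schema_base DC: print the schemaNamingContext from the DC's rootDSE.
schema_base() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -s base -b "" schemaNamingContext \
        | sed -n 's/^schemaNamingContext: //p'
}

# rfc2307_filter: an OR filter matching the attributeSchema entries we need.
rfc2307_filter() {
    f=""
    for a in $RFC2307_ATTRS; do f="$f(lDAPDisplayName=$a)"; done
    printf '(|%s)' "$f"
}

# schema_has_attrs: read LDIF on stdin ("lDAPDisplayName: x" lines) and list
# the attributes that are not defined. Exit 0 only if all are present.
schema_has_attrs() {
    found=$(sed -n 's/^lDAPDisplayName: //p')
    missing=""
    for a in $RFC2307_ATTRS; do
        printf '%s\n' "$found" | grep -qx "$a" || missing="$missing $a"
    done
    if [ -z "$missing" ]; then
        echo "rfc2307: all attributes present; idmap backend ad / NSS info rfc2307 can work"
        return 0
    fi
    echo "rfc2307: missing:$missing; use idmap backend rid (or extend the schema first)"
    return 1
}

# check_rfc2307 DC_FQDN: query the schema partition and print the verdict.
check_rfc2307() {
    base=$(schema_base "$1")
    [ -n "$base" ] || { echo "could not read schemaNamingContext from $1"; return 2; }
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b "$base" "$(rfc2307_filter)" lDAPDisplayName \
        | schema_has_attrs
}

# Constructed sample: LDIF as a plain 2003 schema (no R2/SFU extension)
# would return, i.e. none of the four attributes exist.
printf 'lDAPDisplayName: sAMAccountName\n' | schema_has_attrs
```

Run it on the real domain with `check_rfc2307 dc1.na.avonroot.lan` after getting a ticket; when it reports attributes missing, "Winbind NSS Info: rfc2307" and "idmap backend: ad" cannot produce UIDs/GIDs for domain users, which is the reason "rid" is the backend that works on that domain.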

RegularJoe

So it looks like many of my issues have to do with trying to change "Active Directory" settings while the service is enabled.

If I disable active directory, make my changes and re-enable it the service works.

I had an issue in the past connecting from a Windows server with the "Computer Management" MMC snap-in and trying to open "System Tools" so I could view "Shared Folders" and make changes. From a Server 2003 host this would not work unless SMB1 was enabled for the Samba service.

The other issue I have is that the fresh install of 11.2 u1 would not work but if I installed the virtual FreeNAS in the same L2 subnet as 2 of the domain controllers I can get everything to work perfect, I tested another install over the WAN at a site 300 miles away and I have the same issue where I cannot get the system to attach to active directory.
 

RegularJoe

Anodos,

What does this mean? Could it be that I need to be a domain admin to add this server to the domain?

root@fspub1[~]# service ix-kinit start
ERROR: {'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 51f, vece'}
root@fspub1[~]#

This fails : net -k -d 5 ads join

This works :
net -k -d 5 ads join -U $DomainAdminAccount

So all of this had to do with errors joining the computer to the domain. Most every company I have ever worked for has NEVER allowed users to add their own workstations to the domain like Microsoft wants. All computers must be joined to the domain via a user in the Domain Administrators group or some other group. Is there an easy way for the "service ix-pre-samba start" command to puke out a human-readable error code that tells us the computer could not join the domain?

Thanks,
Joe
 

anodos

> Anodos,
>
> What does this mean? Could it be that I need to be a domain admin to add this server to the domain?
You need elevated permissions to join the AD domain. You can have a subset of the permissions normally held by domain admins. This is detailed in the samba wiki (and various places by me in these forums).

> root@fspub1[~]# service ix-kinit start
> ERROR: {'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 51f, vece'}
> root@fspub1[~]#
This usually means that your username or password is wrong.

> This fails : net -k -d 5 ads join
This fails because you didn't get a kerberos ticket above (-k).

> This works :
> net -k -d 5 ads join -U $DomainAdminAccount
This works because (1) you're using a privileged account and (2) you typed in correct credentials.

> So all of this had to do with errors joining the computer to the domain. Most every company I have ever worked for has NEVER allowed users to add their own workstations to the domain like Microsoft wants. All computers must be joined to the domain via a user in the Domain Administrators group or some other group. Is there an easy way for the "service ix-pre-samba start" command to puke out a human-readable error code that tells us the computer could not join the domain?
AD service has been pretty much entirely rewritten in 11.3 (which should be entering Beta soon-ish). 11.2 is basically in maintenance mode (security and major bug fixes only).
 
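The manual sequence anodos gave earlier in the thread, wrapped so that the output of "service ix-kinit start" and "net -k -d 5 ads join" is turned into the kind of one-line verdict Joe asks for. This is an added example and is not part of the thread, of FreeNAS, or of Samba. It assumes an 11.2 system (the /data/freenas-v1.db path and ix-* rc scripts are the ones quoted above). The hex codes in the table are the standard Win32 logon errors that AD reports in the "data NNN" field of an AcceptSecurityContext error: 52e is ERROR_LOGON_FAILURE (bad username or password), while 51f is ERROR_NO_LOGON_SERVERS, which points at DC discovery (DNS SRV records, AD site/subnet, time) rather than at the credentials. The WERR_* names are read straight out of the libnet_JoinCtx dump that net prints at -d 5.

```shell
#!/bin/sh
# Added example, not FreeNAS or Samba code. Wraps the 11.2 manual join
# sequence from the thread and decodes the two outputs that matter:
#  - the LdapErr "data NNN" code from ix-kinit (Win32 logon error, hex)
#  - the "result : WERR_*" line of the libnet_JoinCtx dump from net ads join
# Assumes an 11.2 box (paths and ix-* services as quoted in the thread).

# decode_ldap_data CODE: meaning of the "data NNN" field in an AD bind error.
decode_ldap_data() {
    case "$1" in
        51f) echo "ERROR_NO_LOGON_SERVERS: no DC could service the logon; check DNS SRV records, the AD site/subnet for this host, and NTP" ;;
        525) echo "ERROR_NO_SUCH_USER: the bind account does not exist in this domain" ;;
        52e) echo "ERROR_LOGON_FAILURE: wrong username or password" ;;
        52f) echo "ERROR_ACCOUNT_RESTRICTION: logon disallowed by an account restriction" ;;
        530) echo "ERROR_INVALID_LOGON_HOURS: outside the permitted logon hours" ;;
        531) echo "ERROR_INVALID_WORKSTATION: account may not log on from this host" ;;
        532) echo "ERROR_PASSWORD_EXPIRED: password has expired" ;;
        533) echo "ERROR_ACCOUNT_DISABLED: account is disabled" ;;
        701) echo "ERROR_ACCOUNT_EXPIRED: account has expired" ;;
        773) echo "ERROR_PASSWORD_MUST_CHANGE: user must change password at next logon" ;;
        775) echo "ERROR_ACCOUNT_LOCKED_OUT: account is locked out" ;;
        *)   echo "unrecognised logon data code $1" ;;
    esac
}

# diagnose_join: read ix-kinit / net ads join output on stdin, print a verdict.
# Exit 0 on a successful join, 1 on a diagnosed failure, 2 if nothing matched.
diagnose_join() {
    out=$(cat)
    data=$(printf '%s\n' "$out" \
        | sed -n 's/.*AcceptSecurityContext error, data \([0-9a-f]*\),.*/\1/p' | head -n 1)
    if [ -n "$data" ]; then
        echo "ticket/bind failed before the join: $(decode_ldap_data "$data")"
        return 1
    fi
    result=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*result[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case "$result" in
        WERR_OK)
            echo "join succeeded"; return 0 ;;
        WERR_ACCESS_DENIED)
            echo "join denied (WERR_ACCESS_DENIED): the account behind the ticket may not create or modify the computer object; join with -U <account that has that right> or delegate it"
            return 1 ;;
        "")
            # Without -d 5 net only prints its summary line on success.
            if printf '%s\n' "$out" | grep -q '^Joined '; then echo "join succeeded"; return 0; fi
            echo "no libnet_JoinCtx result in output"; return 2 ;;
        *)
            echo "join failed: $result"; return 1 ;;
    esac
}

# manual_join [net options]: the sequence from the thread, with the two
# outputs captured and decoded. Example: manual_join -U joinadmin
manual_join() {
    sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"
    service ix-hostname start
    service ix-kerberos start
    service ix-kinit start 2>&1 | tee /tmp/ix-kinit.out
    service ix-pre-samba start
    net -k -d 5 ads join "$@" 2>&1 | tee /tmp/ads-join.out
    cat /tmp/ix-kinit.out /tmp/ads-join.out | diagnose_join
}

# Constructed sample input: the two failures quoted in this thread.
SAMPLE_KINIT="ERROR: {'desc': 'Invalid credentials', 'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 51f, vece'}"
SAMPLE_JOIN="    error_string : 'failed to lookup DC info for domain 'NA.AVONROOT.LAN' over rpc: {Access Denied}'
    result : WERR_ACCESS_DENIED"
printf '%s\n' "$SAMPLE_KINIT" | diagnose_join
printf '%s\n' "$SAMPLE_JOIN" | diagnose_join
```

Source the file on the FreeNAS box and call `manual_join` with the account that is allowed to create computer objects, e.g. `manual_join -U joinadmin`; the -U form is the one the thread reports as working when the GUI credentials alone are refused. The decode table is the general Win32 set, so it covers more cases than the two codes (52e, 51f) that appear in the posts.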

RegularJoe

Anodos,

Will 11.3 allow us to add printer?

Is there a way to start testing 11.3?

Many companies make the print server and file server the same host. I do not like it but I have been asked to setup a Samba AD integrated print server.

Thanks,
Joe
 

anodos

No. I don't think we'll ever add printer support.
 

RegularJoe

Anodos,

We are asked to do printer accounting and assign costs per department. Papercut has a linux package so that print server will have to be Linux if we decide to buy papercut.

Thanks,
Joe
 

RegularJoe

Anodos,

I have the jail set up and I still see in the jail there is no CUPS...

smbd -b | grep "HAVE_CUPS"


I think to use Samba (Active Directory enabled printers and queues) in a jail I have to make reference to the base FreeBSD OS and that version of Samba. Am I missing something, or is there something I need to read up on so I can accomplish this print server task?

BTW I think the AD plugin in future versions of FreeNAS should be base on the honor system but allow us to pay per month/year to use it. For this feature a phone home would be useful to show via a globe where the users are that don't pay to use the premium plugin.

Thanks,
Joe
 

RegularJoe

> For testing purposes try using a member of domain admins to perform the join.

So I am still not understanding why the user and password I put in the GUI cannot actually add the computer to the domain. If the FreeNAS GUI is not using that username and password for "net -k -d 5 ads join" what is it using it for? Can I just make that account in the GUI a domain user? Is that account just checking for LDAP attributes?
 