Unable to join FreeNAS to Nethserver AD

mahaq

Cadet
Joined
May 7, 2019
Messages
7
I'm in the process of upgrading my home network and now the turn has come to replace my old Qnap units with FreeNAS, but I'm stuck when trying to connect it to my AD server. I use Nethserver for the AD. FreeNAS looks to require me to import the certificate from the AD server. Since I use Let's Encrypt, will that be a recurring task to keep it updated, which I would like to avoid? Is my best option to disable the requirement for encryption on my Nethserver?
 

mahaq

Cadet
Joined
May 7, 2019
Messages
7
Not really; as a temporary workaround I have enabled running the authentication unencrypted on the AD server. I have read that document but it seems to only be applicable to self-created certificates. In my case I am using Let's Encrypt as CA. I don't understand the requirement to copy the certificate to the FreeNAS server; everything else I join only requires a secure port and credentials for the admin account.
 

dlavigne

Guest
You do need to import the certificate so that the FreeNAS system can verify the certificate chain.
 

mahaq

Cadet
Joined
May 7, 2019
Messages
7
This is the first time I've run into a system that requires that solution to join an Active Directory. With a lifespan of three months for the certificate, it would become too much work unless it's possible to automate.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
With a lifespan of three months for the certificate, it would become too much work unless it's possible to automate.
I can't see why it should be necessary to import the Neth server's certificate; that seems like a very strange restriction on FreeNAS' part. But it should be possible to automate importing the renewed cert into FreeNAS with something similar to my deploy-freenas.py script. That exact script wouldn't work, but with some adjustment of the API endpoints I'd expect you could do what you need.
 

mahaq

Cadet
Joined
May 7, 2019
Messages
7
@danb35, that script could solve that problem, but I did however run into a different problem that I find a bit odd. Only a subset of the groups from the AD server are shown when trying to set permissions on the pools. None of the groups I've created are shown. When I test wbinfo -g from the shell, all groups are listed, so somewhere internally in FreeNAS the groups are lost.

I realized that I missed answering a previous question from @dlavigne, which I of course should have had in my initial post. The version I'm trying to configure is FreeNAS-11.2-U4.1.
 

kingsize

Cadet
Joined
Jul 7, 2019
Messages
1
Did anyone ever get this working with encryption?
Or a script to update the cert auto-magically?

Also, is there any information anywhere as to why this has to be done this way on FreeNAS?
After all, like others have said, it seems like a strange way of doing things. I have never had to do this with any system ever before!
My Qnap connected fine, Xigmanas connected fine, Zentyal connected fine. I can go on listing many devices that work and do not require you to import certs.

Other than this issue, thus far very impressed with FreeNAS's capability.

Thanks in advance for any answers.
 

mahaq

Cadet
Joined
May 7, 2019
Messages
7
Did anyone ever get this working with encryption?
Or a script to update the cert auto-magically?

Also, is there any information anywhere as to why this has to be done this way on FreeNAS?
After all, like others have said, it seems like a strange way of doing things. I have never had to do this with any system ever before!
My Qnap connected fine, Xigmanas connected fine, Zentyal connected fine. I can go on listing many devices that work and do not require you to import certs.

Other than this issue, thus far very impressed with FreeNAS's capability.

Thanks in advance for any answers.
I agree that FreeNAS in many ways looks like a great product but I gave up and installed XigmaNAS instead.
 

mahaq

Cadet
Joined
May 7, 2019
Messages
7
Duplicated post
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Certificates have been significantly rewritten / fixed in 11.3. I haven't explicitly tested against nethserver, but in general the situation should be much improved with regard to AD integration.
 

icsy7867

Contributor
Joined
Dec 31, 2015
Messages
167
Just a quick input, but are you using Let's Encrypt for your AD server's CA? Or just to encrypt the web interface?

An AD server typically creates its own CA and then encrypts traffic over port 636 (using ssl) or 389 (using tls).

For example you should be able to pull the cert using something like

openssl s_client -connect ad.server.com:636 </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
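To see what the import is actually for (dlavigne's point that FreeNAS needs to verify the chain) and how far off the next renewal is (the three-month Let's Encrypt lifetime mahaq worries about), here is an added example script that is not from this thread or from FreeNAS/Nethserver. It pulls the controller's full LDAPS chain, verifies the leaf against a CA bundle, and checks the remaining lifetime. The host name is whatever you pass in; /etc/ssl/cert.pem as the system CA bundle is an assumption (FreeBSD layout). Run with no arguments it demonstrates the same checks on a constructed, throwaway self-signed certificate so it works offline.

```sh
#!/bin/sh
# Added example, not from the thread: pull an AD controller's LDAPS chain,
# verify the leaf against a CA bundle, and check the remaining lifetime.
set -eu

# fetch_chain HOST PORT OUTFILE: save every certificate the server presents.
# </dev/null makes s_client exit instead of waiting on stdin; -showcerts
# prints the intermediates too, not only the leaf.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
  [ -s "$3" ]
}

# verify_leaf CHAINFILE CAFILE: exit 0 if the first (leaf) certificate chains
# to a CA in CAFILE, using the rest of CHAINFILE as untrusted intermediates.
verify_leaf() {
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"      # x509 reads only the first cert
  status=0
  openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1 || status=$?
  rm -f "$leaf"
  return $status
}

# valid_for_days CERTFILE N: exit 0 if the leaf is still valid N days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_endpoint CHAINFILE CAFILE: combined report; returns 0 only if the
# chain verifies and the leaf has more than 30 days left.
check_endpoint() {
  if verify_leaf "$1" "$2"; then
    echo "chain: OK (trusted via $2)"
  else
    echo "chain: FAILED to verify against $2"
    return 1
  fi
  if valid_for_days "$1" 30; then
    echo "expiry: more than 30 days left"
  else
    echo "expiry: less than 30 days left, renewal due"
    return 1
  fi
}

# Offline demo with a constructed self-signed cert (2-day lifetime) so it runs
# without a network. Pass HOST [PORT] to check a real controller instead;
# /etc/ssl/cert.pem is assumed to be the system CA bundle (FreeBSD layout).
main() {
  work=$(mktemp -d)
  if [ $# -gt 0 ]; then
    fetch_chain "$1" "${2:-636}" "$work/chain.pem"
    ca=/etc/ssl/cert.pem
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=demo-dc \
      -keyout "$work/key.pem" -out "$work/chain.pem" 2>/dev/null
    ca=$work/chain.pem   # a self-signed cert is its own trust anchor
  fi
  check_endpoint "$work/chain.pem" "$ca" || true
  rm -rf "$work"
}
main "$@"
```

Against a Let's Encrypt-issued controller certificate, `verify_leaf` should succeed with the public CA bundle; if it does, the trust anchor you need is the CA bundle and not the 90-day leaf, which is the distinction to keep in mind when deciding what to import and how often.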
 