Unable to use CA cert for encryption in joining active directory in 11.3

Ender117

Patron
I have always been using encryption mode with my own CA in the AD, a setup very similar to this: https://help.univention.com/t/cool-solution-connecting-ucs-to-freenas/12794

However, after updating to 11.3, this setup no longer works. The update process created a cert "migrated for active directory", but the WebGUI refuses to use it to join AD and complains about "no private key", and there shouldn't be any for an (imported) root CA. Additionally, CAs (except for that migrated cert) can no longer be selected from the "Certificate" drop-down.

Is this behavior intended? AFAIK a client certificate is not required for AD

norbert.hanke

Dabbler
Same here. On one system I was able to get rid of that migrated CA certificate and re-import it as a "true" CA certificate and join AD again. On the other system I'm still struggling.
@Ender117 did you find a solution in the meantime?

ianrm

Dabbler
Hi,
I will ask my CA question here rather than a new thread. How do you import a CA into 11.0.3u4? There does not appear to be an option of import?
Ian

anodos

Sambassador
iXsystems
Uploaded CA certificates are automatically trusted. The GUI drop-down in 11.3 is used for client certificates (SASL_EXTERNAL). So leave SSL on, but de-select certificate in GUI.

That said, by default middleware in 11.3 performs GSSAPI binds, and so you can get encryption by simply turning off SSL and selecting SEAL under ldap_sasl_wrapping. In 12.0 this is becoming our default (and only) method of providing strong authentication for middleware (SASL_SEAL on GSSAPI bind) as we're switching to using libnet / libads python bindings from samba.
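A quick way to check what a PEM file actually is before deciding whether it belongs under Certificate Authorities (trusted automatically, no key expected) or in the AD "Certificate" drop-down (a client certificate with its private key, for SASL_EXTERNAL). This is an added example, not code from the thread or from FreeNAS; it assumes only the openssl CLI:

```shell
#!/bin/sh
# Classify a PEM file by the properties the 11.3 GUI cares about:
#   ca-certificate           trust anchor; import under Certificate Authorities,
#                            no private key expected
#   ca-certificate-with-key  a CA you operate yourself; also belongs under CAs
#   client-certificate       cert + private key; the only kind the AD
#                            "Certificate" drop-down can use (SASL_EXTERNAL)
#   certificate-without-key  end-entity cert lacking its key; the GUI will
#                            reject it with "no private key"
#   no-certificate           no certificate block found at all
classify_pem() {
    pem="$1"
    has_key=0
    is_ca=0
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || { echo no-certificate; return 0; }
    # Any PEM private-key block (RSA, EC, PKCS#8, ...) counts as a key
    grep -q -- 'PRIVATE KEY-----' "$pem" && has_key=1
    # basicConstraints CA:TRUE is what makes a certificate a CA;
    # openssl reads the first CERTIFICATE block and skips other PEM blocks
    if openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        is_ca=1
    fi
    if [ "$is_ca" -eq 1 ]; then
        [ "$has_key" -eq 1 ] && echo ca-certificate-with-key || echo ca-certificate
    else
        [ "$has_key" -eq 1 ] && echo client-certificate || echo certificate-without-key
    fi
}

# Usage: classify_pem /path/to/file.pem
```

A root CA you imported from elsewhere should come back as ca-certificate; if it shows up as certificate-without-key, it is not carrying the CA:TRUE constraint and the GUI will treat it as a client cert.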

ianrm

Dabbler
Hi anodos,
on my Mac mini running macOS 10.15.6, Safari refuses to accept the FreeNAS CA as untrusted, and Firefox needs an exception to access the FreeNAS GUI.
I want to install my network CA on the FreeNAS but there does not appear to be a way of doing this. The firewall requires an exception to allow the FreeNAS to access the internet, as a result there is no checking of the downloaded updates etc.

Ian

Update: found there is no way of importing a CA, you have to copy and paste the CA elements into the FreeNAS GUI.