Bug #42659

Add tip to Guide about configuring AD with two FreeNAS systems

Added by JR Gonzalez 7 months ago. Updated about 1 month ago.

Status:
Done
Priority:
No priority
Assignee:
Timothy Moore II
Category:
Documentation
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

I am attempting to join the AD of a FreeNAS DC with a FreeNAS client. I've connected numerous clients (Windows, macOS, FreeBSD, Linux (CentOS 7), etc). When attempting to join the domain I receive:

freenas uwsgi: [middleware.exceptions:36] [MiddlewareError: Active Directory failed to reload.]

I am also forced to use a cert for TLS (which you don't really set on the DC side). I imported the internal CA cert from the DC (it only allows the use of CA certs in the client) but that didn't work either.

Maybe I am missing something? I went over the documentation and it seems very straightforward. Both AD DC and Client are 11.1-U6

Verbose logging shows Kerberos working but the connection to the domain not. I'm guessing maybe something to do with the use of SSL or TLS? There isn't much information related to the encryption.

Log (redacted):

Aug 22 17:30:10 freenas ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Aug 22 17:30:11 freenas ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable --password-file=/tmp/tmp.yUQHW0yf
Aug 22 17:30:12 freenas ActiveDirectory: /usr/sbin/service ix-kerberos quietstart default DOMAIN.ORG
Aug 22 17:30:12 freenas ActiveDirectory: kerberos_start: Successful
Aug 22 17:30:14 freenas ActiveDirectory: /usr/sbin/service ix-nsswitch quietstart
Aug 22 17:30:15 freenas ActiveDirectory: /usr/sbin/service ix-ldap quietstart
Aug 22 17:30:15 freenas ActiveDirectory: /usr/sbin/service ix-kinit quietstart
Aug 22 17:30:16 freenas ActiveDirectory: kerberos_start: /usr/bin/kinit --renewable --password-file=/tmp/tmp.CbxoZVC3
Aug 22 17:30:17 freenas ActiveDirectory: kerberos_start: Successful
Aug 22 17:30:17 freenas ActiveDirectory: /usr/sbin/service ix-kinit status
Aug 22 17:30:18 freenas ActiveDirectory: kerberos_status: klist -t
Aug 22 17:30:18 freenas ActiveDirectory: kerberos_status: Successful
Aug 22 17:30:18 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.start cifs
Aug 22 17:30:25 freenas ActiveDirectory: /usr/sbin/service ix-activedirectory quietstart
Aug 22 17:30:28 freenas ActiveDirectory: activedirectory_start: checking if we are joined already
Aug 22 17:30:28 freenas ActiveDirectory: AD_testjoin_domain: net -k ads testjoin DOMAIN.ORG -S ad.domain.org -p 389
Aug 22 17:30:29 freenas ActiveDirectory: AD_testjoin_domain: Failed
Aug 22 17:30:29 freenas ActiveDirectory: activedirectory_start: trying to join domain
Aug 22 17:30:29 freenas ActiveDirectory: AD_join_domain: net -k ads join DOMAIN.ORG -S ad.domain.org -p 389
Aug 22 17:30:30 freenas ActiveDirectory: AD_join_domain: Failed
Aug 22 17:30:30 freenas ActiveDirectory: /usr/local/bin/python /usr/local/bin/midclt call notifier.stop cifs
Aug 22 17:30:32 freenas ActiveDirectory: /usr/sbin/service samba_server forcestop
Aug 22 17:30:33 freenas ActiveDirectory: /usr/sbin/service ix-pre-samba start
Aug 22 17:30:37 freenas ActiveDirectory: /usr/sbin/service ix-kinit forcestop
Aug 22 17:30:37 freenas ActiveDirectory: /usr/sbin/service ix-hostname quietstart
Aug 22 17:30:39 freenas ActiveDirectory: /usr/sbin/service ix-kerberos restart
Aug 22 17:30:40 freenas ActiveDirectory: /usr/sbin/service ix-nsswitch quietstop
Aug 22 17:30:41 freenas ActiveDirectory: /usr/sbin/service ix-pam quietstop
Aug 22 17:30:43 freenas ActiveDirectory: /usr/sbin/service ix-cache quietstop &
Aug 22 17:30:53 freenas uwsgi: [middleware.exceptions:36] [MiddlewareError: Active Directory failed to reload.]

Settings: only changed from default
Domain Name: DOMAIN.ORG
Domain Account Name: Administrator #(tried DOMAIN\Administrator (bad login) and another user who has admin access)
Domain Account Password: *** #Valid can login on other joined systems
Encryption Mode: TLS #tried SSL as well
Certificate: CACert #I can only choose the CA cert? Am I doing something wrong here? There wasn't any documentation about this other than choosing the certificate.
Verbose Logging: Checked
Allow DNS Updates: Checked
Kerberos Realm: DOMAIN.ORG
Netbios Name: AD

I believe my issue is with the certificates?

History

#1 Updated by JR Gonzalez 7 months ago

After looking around, I wound up having to import the CA cert/key to the client and use it on the client using TLS and setting SASL to sign. I think this will only require a documentation update because the documentation doesn't really point this out when joining FreeNAS to FreeNAS. I will test it out a bit to make sure it is working and post that this is "fixed" later.

#2 Updated by Dru Lavigne 7 months ago

  • Category changed from Services to Documentation
  • Assignee changed from Release Council to Dru Lavigne

#3 Updated by Dru Lavigne 6 months ago

  • Assignee changed from Dru Lavigne to Warren Block

#4 Updated by JR Gonzalez 6 months ago

Seems to be working. Although, would it be possible to have it use a normal certificate instead of a CA certificate? This seems a bit off. Or is that the normal way it functions?
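The certificate question raised in the description and again in #4, as an added example that is not part of this ticket or of FreeNAS itself: a POSIX shell script that builds a throwaway internal CA plus an LDAP server certificate for a hypothetical DC host ad.domain.org (the hostname and realm are the redacted ones from the log; the key sizes, lifetimes, extension sets and file names are assumptions), then checks the server certificate against each candidate trust anchor with the openssl CLI. Only the CA certificate verifies the DC's leaf certificate; the leaf cannot act as its own anchor, which is why the client-side Certificate field expects a CA certificate rather than the DC's server certificate.

```shell
#!/bin/sh
# Added example (not FreeNAS code): a throwaway CA and LDAP server certificate
# for the hypothetical DC "ad.domain.org", used to show which certificate can
# serve as the client's trust anchor.  Needs only the openssl CLI.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/pki.cnf"
trap 'rm -rf "$WORK"' EXIT

write_config() {
    # Self-contained config so the system openssl.cnf cannot change the result.
    cat >"$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ad.domain.org
EOF
}

make_pki() {
    write_config
    # Internal CA: the role the DC's own CA plays in the ticket (assumed name).
    openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=DOMAIN.ORG Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Leaf certificate for the LDAP service on the DC, signed by that CA.
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ad.domain.org" -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 2 -sha256 \
        -extfile "$CFG" -extensions srv_ext -out "$WORK/server.pem" >/dev/null 2>&1
}

# Does the certificate carry basicConstraints CA:TRUE?  That flag is what lets
# openssl (and any other validator) accept it as an issuer / trust anchor.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Verify leaf $2 against candidate trust anchor $1; exit status is openssl's.
verify_with_anchor() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: report the outcome for both candidate anchors.
main() {
    make_pki
    for candidate in ca.pem server.pem; do
        if verify_with_anchor "$WORK/$candidate" "$WORK/server.pem"; then
            echo "anchor=$candidate: server.pem verifies"
        else
            echo "anchor=$candidate: server.pem does NOT verify"
        fi
    done
}

main
```

Run it as-is; it prints one line per candidate anchor, and only ca.pem verifies. The equivalent check against a real DC, with OpenSSL 1.1.1 or later, is openssl s_client -starttls ldap -connect ad.domain.org:389 -CAfile ca.pem (port 389 being the port in the posted log) or -connect ad.domain.org:636 without -starttls for LDAPS; the line to look for is "Verify return code: 0 (ok)".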

#5 Updated by Warren Block 5 months ago

  • Assignee changed from Warren Block to Timothy Moore II

#6 Updated by Timothy Moore II 5 months ago

  • Status changed from Unscreened to Screened

#7 Updated by Timothy Moore II 3 months ago

  • Status changed from Screened to In Progress

WIP Docs PR: https://github.com/freenas/freenas-docs/pull/528 [angulargui]. Needs an additional PR to port text and fixes to [master] when this PR is ready to merge.

#8 Updated by Dru Lavigne 3 months ago

  • Target version changed from Backlog to 11.2-U2

#9 Updated by Timothy Moore II 2 months ago

Port of docs changes to master branch: https://github.com/freenas/freenas-docs/pull/576

#10 Updated by Dru Lavigne 2 months ago

  • Subject changed from Unable to Join FreeNAS AD DC Domain with FreeNAS Client to Add tip to Guide about configuring AD with two FreeNAS systems
  • Status changed from In Progress to Ready for Testing
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#14 Updated by Jeff Ervin about 1 month ago

52708
52713
52717
52722
52726
52731
52740

Test Failed.

The only reason I failed this is Figure 9.1.1 in both Legacy and Angular guides. Within the Certificates section of that table, the text doesn't match the PR I checked it against. My guess is the text that's in there now is a change that was made after this ticket was created. If that is the case, I will change it to Passed Testing. I don't want to assume...

#15 Updated by Jeff Ervin about 1 month ago

  • Status changed from Failed Testing to Passed Testing
  • Needs QA changed from Yes to No

#16 Updated by Dru Lavigne about 1 month ago

  • Status changed from Passed Testing to Done
