On 01/09/2019 21:46, Rowland penny via samba wrote:
> On 01/09/2019 21:37, Robert Wooden wrote:
>> No, thanks anyway, Rowland.
>>
>> There are some FreeNAS posted command line tests that need to work
>> (pushing me back to kerberos) that are part of their troubleshooting.
>> Once I get that right, if I need to, I'll be back here with questions.
>
> Where can I find the tests ?
>
> I get the feeling that I could just alter smb4.conf to what I think it
> should be, kinit as Administrator and then run 'net ads join -k', but
> would the freenas web GUI be in sync ?
>
> Rowland
>

OK, I have figured this out and you do not need a certificate ;-)

Log into the Freenas web gui as root.

I used the winbind 'ad' backend, but you could probably use the 'rid'
backend instead.

Services -> SMB -> Configure

Workgroup: SAMDOM
Local Master: NO
Domain Logons: NO
Time server For Domain: NO

UNIX Extension: YES
Zeroconf share discovery: YES
Hostnames Lookups: YES
Allow Execute Always: YES
Obey Pam Restrictions: YES

Range Low: 3000
Range High: 7999

NOTE: the above range is for the default (*) domain

Click 'SAVE'

Directory Services -> Active Directory -> ADVANCED MODE

Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else

Range Low: 10000
Range High: 999999
Schema mode: rfc2307

Click 'SAVE'

Active Directory -> ADVANCED MODE

Domain Name: samdom.example.com
Domain Account Name: Administrator
Domain Account Password: xxxxxxxxxx

Encryption Mode: Off
Certificate: NONE

UNIX extensions: YES
Use Default Domain: YES
Allow DNS updates: YES # not sure about this, but set it anyway

Disable Freenas updates: YES

Site Name: Default-First-Site-Name
Kerberos Realm: SAMDOM.EXAMPLE.COM
Idmap backend: ad
Winbind NSS info: rfc2307

Enable

Click 'SAVE' and you should join the domain

Rowland
On Mon, Sep 2, 2019 at 5:20 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> OK, I have figured this out and you do not need a certificate ;-)
>
> Log into the Freenas web gui as root.
>
> I used the winbind 'ad' backend, but you could probably use the 'rid'
> backend instead.
>
> Services -> SMB -> Configure
>
> Workgroup: SAMDOM
> Local Master: NO
> Domain Logons: NO
> Time server For Domain: NO
>
> UNIX Extension: YES
> Zeroconf share discovery: YES
> Hostnames Lookups: YES
> Allow Execute Always: YES
> Obey Pam Restrictions: YES
>
> Range Low: 3000
> Range High: 7999
>
> NOTE: the above range is for the default (*) domain
>
> Click 'SAVE'
>
> Directory Services -> Active Directory -> ADVANCED MODE
>
> Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
>
> Range Low: 10000
> Range High: 999999
> Schema mode: rfc2307
>
> Click 'SAVE'
>
> Active Directory -> ADVANCED MODE
>
> Domain Name: samdom.example.com
> Domain Account Name: Administrator
> Domain Account Password: xxxxxxxxxx
>
> Encryption Mode: Off
> Certificate: NONE
>
> UNIX extensions: YES
> Use Default Domain: YES
> Allow DNS updates: YES # not sure about this, but set it anyway
>
> Disable Freenas updates: YES
>
> Site Name: Default-First-Site-Name
> Kerberos Realm: SAMDOM.EXAMPLE.COM
> Idmap backend: ad
> Winbind NSS info: rfc2307
>
> Enable
>
> Click 'SAVE' and you should join the domain
>
> Rowland

"Allow DNS updates" should be checked for most situations. When it's
unchecked the server doesn't do dynamic DNS updates (like when
"clustering=yes"). It's related to an HA product.

The directory services code is being significantly rewritten for the
next version of FreeNAS (11.3). Most of the parameters you've
highlighted as unnecessary are actually being removed. If you only
want to use the RID backend, you typically need to only enter "Domain
Name", "Domain Account Name", and "Domain Account Password".

Thank you for highlighting the need to configure idmap ranges prior to
joining AD. AD site (assuming such exists) will be automatically
detected and workgroup is automatically detected and populated. I
believe in most cases the "tests" requested in the forums are to kinit
and then "net -d 5 -k ads join".

Andrew
On 02/09/2019 12:18, Andrew Walker wrote:
> On Mon, Sep 2, 2019 at 5:20 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>
>     OK, I have figured this out and you do not need a certificate ;-)
>
>     Log into the Freenas web gui as root.
>
>     I used the winbind 'ad' backend, but you could probably use the 'rid'
>     backend instead.
>
>     Services -> SMB -> Configure
>
>     Workgroup: SAMDOM
>     Local Master: NO
>     Domain Logons: NO
>     Time server For Domain: NO
>
>     UNIX Extension: YES
>     Zeroconf share discovery: YES
>     Hostnames Lookups: YES
>     Allow Execute Always: YES
>     Obey Pam Restrictions: YES
>
>     Range Low: 3000
>     Range High: 7999
>
>     NOTE: the above range is for the default (*) domain
>
>     Click 'SAVE'
>
>     Directory Services -> Active Directory -> ADVANCED MODE
>
>     Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
>
>     Range Low: 10000
>     Range High: 999999
>     Schema mode: rfc2307
>
>     Click 'SAVE'
>
>     Active Directory -> ADVANCED MODE
>
>     Domain Name: samdom.example.com
>     Domain Account Name: Administrator
>     Domain Account Password: xxxxxxxxxx
>
>     Encryption Mode: Off
>     Certificate: NONE
>
>     UNIX extensions: YES
>     Use Default Domain: YES
>     Allow DNS updates: YES # not sure about this, but set it anyway
>
>     Disable Freenas updates: YES
>
>     Site Name: Default-First-Site-Name
>     Kerberos Realm: SAMDOM.EXAMPLE.COM
>     Idmap backend: ad
>     Winbind NSS info: rfc2307
>
>     Enable
>
>     Click 'SAVE' and you should join the domain
>
>     Rowland
>
>
> "Allow DNS updates" should be checked for most situations. When it's
> unchecked the server doesn't do dynamic DNS updates (like when
> "clustering=yes"). It's related to an HA product.

That makes it like most Unix domain members and wouldn't affect me, I
use DHCP to update dns records ;-)

> The directory services code is being significantly rewritten for the
> next version of FreeNAS (11.3). Most of the parameters you've
> highlighted as unnecessary are actually being removed. If you only
> want to use the RID backend, you typically need to only enter "Domain
> Name", "Domain Account Name", and "Domain Account Password". Thank you
> for highlighting the need to configure idmap ranges prior to joining
> AD. AD site (assuming such exists) will be automatically detected and
> workgroup is automatically detected and populated. I believe in most
> cases the "tests" requested in the forums are to kinit and then "net
> -d 5 -k ads join".
>
> Andrew

All fair comments, I just tested it because I couldn't understand why
it seemed to require a certificate to join the domain, something I have
never used.

You probably do not need to set the ranges before the join, but you
definitely need to set them before starting Samba.

Rowland
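A check for the point the thread ends on (the default (*) idmap range and the DOMAIN range must both be set, and must not collide, before Samba starts), written as an added example that is not part of this thread nor of FreeNAS or Samba: a POSIX shell function that parses the "idmap config <DOMAIN> : range = LOW-HIGH" lines out of an smb4.conf and fails on missing, reversed or overlapping ranges. The sample configs are constructed here to match the GUI settings Rowland listed (3000-7999 for *, 10000-999999 for SAMDOM, ad backend, rfc2307); the path /usr/local/etc/smb4.conf and the assumption that the FreeNAS GUI emits standard smb.conf syntax are mine, not stated in the thread.

```shell
#!/bin/sh
# Added example, not FreeNAS or Samba project code.
# Parses "idmap config <DOMAIN> : range = LOW-HIGH" lines out of an smb.conf
# and rejects missing, reversed or overlapping ranges. Assumption: the FreeNAS
# GUI writes the standard smb.conf syntax shown in the constructed samples.

# Constructed sample matching the settings listed in the thread: the default
# (*) range 3000-7999 and the SAMDOM range 10000-999999, ad backend, rfc2307.
GOOD_CONF='[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   winbind nss info = rfc2307
'

# Constructed counter-example: the domain range starts inside the default
# range, so a local allocation and a domain SID could map to the same UID.
OVERLAP_CONF='[global]
   idmap config * : range = 3000-7999
   idmap config SAMDOM : range = 5000-999999
'

# check_idmap_ranges CONF_TEXT
#   returns 0 when every range has low < high and no two ranges intersect,
#   returns 1 (with a diagnostic on stdout) otherwise.
check_idmap_ranges() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*range[ \t]*=/ {
        name = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", name)   # strip the keyword
        sub(/[ \t]*:.*/, "", name)                   # keep only the domain
        split($0, kv, "=")
        rng = kv[2]; gsub(/[ \t]/, "", rng)          # "3000-7999"
        split(rng, b, "-")
        lo = b[1] + 0; hi = b[2] + 0
        if (lo >= hi) {
            printf "%s: low %d is not below high %d\n", name, lo, hi
            bad = 1
        }
        n++; dom[n] = name; L[n] = lo; H[n] = hi
    }
    END {
        if (n == 0) { print "no idmap config ranges found"; exit 1 }
        # pairwise interval intersection test
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (L[i] <= H[j] && L[j] <= H[i]) {
                    printf "overlap: %s %d-%d and %s %d-%d\n",
                           dom[i], L[i], H[i], dom[j], L[j], H[j]
                    bad = 1
                }
        if (bad) exit 1
        exit 0
    }'
}

# Stand-alone use: pass the live config (FreeNAS path assumed, e.g.
# /usr/local/etc/smb4.conf) and run this before starting Samba.
if [ -n "$1" ]; then
    check_idmap_ranges "$(cat "$1")" && echo "$1: idmap ranges ok"
fi
```

Run it as `sh check_idmap.sh /usr/local/etc/smb4.conf` before the service is started; once it passes and Samba is up, the test Andrew refers to is `kinit Administrator` followed by `net -d 5 -k ads join`.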