[HOWTO] - AD How to make it work and Permissions - Archived

Hiji56 (Advanced User), Posts: 170, Joined: Feb 13th, '21, 11:33


Post by Hiji56 »

"
by ldkraemer » 02 Aug 2012 04:14
[HOWTO] - AD How to make it work and Permissions - Archived
by plazma247 » Fri May 14, 2010 7:13 pm
Copied from the Old FreeNAS Forum - So it is archived!
Ok, I'm not going to include screen shots with this posting.... after ten days of lost work making FreeNAS work properly I've run out of steam. But before
the last breath escapes me, I'm passing on what I know...!
1. Install FreeNAS (do the normal assign disks, mount them, take default access settings)
2. Configure access (Active Directory) - If you have your settings correct, you should be able to go into Information (MS Active Directory) and see it's
now grabbed the list of users and groups. Ignore the "failed to create users or groups" bit in the log. I'm no Linux expert, but I don't believe it's anything
to worry about, since my log still says AD is working FINE !!
3. Enable CIFS/SMB (ensure you select to turn on EA support and Dos attributes)
4. Once you have done that, create a master share to your mount point. I called mine Admin. ENSURE your master share has HOSTS ALLOW set to the
FIXED STATIC IP ADDRESS of your main SERVER or the Administrator's IP. In Hosts deny, put ALL. This will block everyone else; also take the tick out of
browseable.
5. On your Windows AD Server (the one you just Inserted the IP address for) map the admin share, either manually create the map, or set the share you
created to browseable. Then map it, and change it back to not browseable once you mapped the drive.
6. Now we have a Secure (well, it's as good as it's going to get) way to administer the share, let's create some folders.
7. Now is the time when it all goes wrong for everyone else, from what I've read. I've heard a few people managed, but no conclusive way, which is why
I'm documenting my procedure. Right click the folder, and select properties. Select the security tab, then the Advanced Button (don't cheat - you need
to press the Advanced Button - it won't work if you don't. You will see why in a minute.)
8. Click add, and select the user(s) or groups you want to add. Once added, select their access permission to the folder. Finally click apply; as soon as you
do you will see you previously had administrator, everyone, and wheel listed in users. You added a few, but the system has also loaded on creator group,
creator owner, and a second everyone flag.
9. If you use the basic add users, you can't see the second everyone. See, one has None in permission, and the other has read and execute. Delete the one
with read and execute permission, and click apply. It should stay gone. Ignore the other permissions; delete anything other than what I say and they will just
come back and screw it all up, trust me. The hours I've spent before I realized, in advanced, it was duplicating the everyone flag.
10. Now the new folder with permissions in the admin share is accessible by the admins IP only, so we need to share this. Create a new CIFS/SMB share
(ensure you tick inherit permissions and browseable this time), and select to map it to your created (permission set) folder.
11. Test it. The user(s) with permissions can see the folder and use it (read / write); the users who can't can see the folder but can't access it.
AT LAST I HEAR YOU SAY A SOLUTION THAT WORKS, no need for SSH mods.
Plus your admin share means instead of having to backup the individual shares as you would have to do across a network normally for things like backup your
admin share can be used for the backup to have just one single point to grab from, which is pretty handy as I've had to write batch scripts in the past to get
robocopy to discover the list of shares on a server.
So, let's put it to bed. AD works fine in FreeNAS (if you know how) and there is no need to use Openfiler instead (which is more complicated than I'm willing
to set up).
Now, my only small gripe with FreeNAS is I can only software mirror 2 drives at a time. I built a 4TB (4 x 1TB) stack hoping to stick 'em all into a single raid...
Nooooo.... Why not? Can this be changed? I know other Software Raid Systems can do above 2 drives, so why is FreeNAS locked to 2 ???
As a solution to the 2 drive problem, I just created 2 mirrors and set an rsync (local) to map it all 3 times a day, which isn't great but at least offers a fall back.
I did run it once a minute, but I could see it eating the disks inside 12 months, so I set it to 3 times a day instead. If someone has a better solution for being
able to mirror to all 4 drives in FreeNAS, I would love to hear it.
PLAzmA
Al562 Responds:
Please start a new topic in the Software RAID sub-forum for this issue (http://forums.nas4free.org/viewtopic.ph ... 2396#p2396). Please include the information required, and also any errors you get when trying to create
the RAID array. Please also include your hard drive controller manufacturer, model and chip set. I will be looking for your new topic, and will help as best I can.
Copied from the Old FreeNAS Forum - so it's archived.
Thanks.
Larry Kraemer
"

"
by ldkraemer » 02 Aug 2012 06:07
Using FreeNAS with the Microsoft Active Directory
FreeNAS Administrators typically define all user information locally on the FreeNAS Server. This is fine for small networks, but if you own a Large Business,
and have a Large Business Network, you may already have Microsoft's Active Directory deployed. FreeNAS can use the user database of a Microsoft Active
Directory (Windows 2000 / 2003) to authenticate user names & passwords and therefore, remove the need to define users locally.
When Microsoft's Active Directory is being used, the FreeNAS server will authenticate users using the directory for the following services:
CIFS/SMB, FTP, SSH, and Unison.
NOTE:
FreeNAS is considered a pre-Windows 2000 client, and as such the Microsoft Active Directory must be configured with pre-Windows 2000 compatibility.
I'm not sure if this applies to the current version of NAS4Free. Someone needs to clarify if this is still TRUE for the current NAS4Free release.
Assuming Microsoft's Active Directory is installed and running:
1. Go to Access: Active Directory
2. Tick the Enable check box in the title bar of the table.
3. Enter the Active Directory server name in the AD server name field.
For example: The Windows Server 2003 server on my test network is called WS2003, so I entered WS2003.
4. Enter the IP Address of the Active Directory server in the AD Server IP Field.
5. Enter the Domain name for the Active Directory. This is in pre-windows 2000 format.
6. Enter the Domain Administrator account user name (probably Administrator) & password.
7. Finally, click Save.
To check if the FreeNAS is able to communicate with the Active Directory correctly:
1. Go to Diagnostics: Information
2. Click the MS Domain Tab.
Test the Active Directory:
This will test the connection to the Active Directory.
A successful test will look something like this:
Accessibility test to MS Domain:
Results for net rpc testjoin:
Join to 'FreeNAS' is OK
Ping winbindd to see if it is alive:
Ping to winbindd succeeded on fd 4
check shared secret:
Checking the trust secret via RPC calls succeeded
After the Active Directory is configured, CIFS/SMB, FTP, SSH, and Unison authentication will rely ONLY on account information in the Active Directory.
The authentication method for CIFS/SMB is automatically changed to Domain when the Active Directory is configured for use.
To check this, go to SERVICES: CIFS/SMB and notice that Authentication is now set to Domain.
To test the use of Active Directory, try connecting to the FreeNAS Server via CIFS/SMB, FTP, or SSH and use account information from the Active Directory.
Hopefully, this information will also be useful to someone. (Source: http://doc.freenas.org/index.php/Active_Directory)
Larry Kraemer
Last edited by ldkraemer on 02 Aug 2012 14:15, edited 4 times in total.
"
"
by ldkraemer » 02 Aug 2012 12:43
FreeNAS 8.0 & AD
Post by dant3 » Thu May 05, 2011 7:38 am
Copied from the Old FreeNAS Forum - So it is archived!
dant3 Posts:
Anyone got this working yet?
yfinkle Responds:
I'm not sure if it makes a difference but I have a 2008 Domain controller to which I'm trying to authenticate.
I ran the "/usr/local/bin/freenas-debug -a" script through ssh.
Looking at the log here...
/var/tmp/freenas-debug.txt
I can see where the errors appear to be occurring, see below; it's at the end of the debug file. Honestly I have not been able to determine if this is an issue
in Windows security policy, or a firewall issue on FreeNAS, or something else... if anyone has any ideas .... see my settings below as well.
+--------------------------------------------------------------------------------+
+ Active Directory Status +
+--------------------------------------------------------------------------------+
Active Directory is ENABLED
+--------------------------------------------------------------------------------+
+ Active Directory Settings +
+--------------------------------------------------------------------------------+
WORKGROUP: bla
NETBIOS NAME: beeronnas
ADMINNAME: administrator
WINDOWS VERSION: windows2003
DOMAIN NAME: bla.bla.net
DCNAME: dc.bla.bla.net
+--------------------------------------------------------------------------------+
+ Active Directory Trust Secret +
+--------------------------------------------------------------------------------+
could not obtain winbind interface details!
could not obtain winbind domain name!
Could not check secret
checking the trust secret for domain (null) via RPC calls failed
+--------------------------------------------------------------------------------+
+ Active Directory Users and Groups +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Using wbinfo +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Users +
+--------------------------------------------------------------------------------+
Error looking up domain users
+--------------------------------------------------------------------------------+
+ Groups +
+--------------------------------------------------------------------------------+
Error looking up domain groups
+--------------------------------------------------------------------------------+
+ Using getent +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Users +
+--------------------------------------------------------------------------------+
dant3 Responds:
Do you get this message: in /var/log/messages
freenas: activedirectory does not exist in /etc/rc.d or the local startup
josephdilorenzo Responds:
I was running into the same issue until I changed the admin login to administrator@domain.com. Worked like a charm after that.
yfinkle Responds:
Interesting. This got me a little further. When I used username@domain.com, the NAS object showed up in AD finally.
However, I still have all the winbind failures along with no AD groups or users.
For Joseph, can you see AD users and groups in your freenas and such???
dant3 Responds:
I get the following when trying to connect with administrator@domain.com:
Kerberos_kinit_password administrator@domain.com failed. Malformed representation of principal
Failed to join domain: failed to connect to AD: Malfordmed representation of principal.
Have anyone had this error message: I got this log /var/log/console.log
yfinkle Responds:
I have that same error in my log file
Alright, i got it to work.
After seeing those errors in the log, I went back and changed all the settings to what I had originally. As I had mentioned, the "beeronnas" object had already
shown up in AD, so I deleted it to test this out. I made the changes below. I also enabled the CIFS service as recommended in some of the other comments;
I'm not sure this had anything to do with the fix or not.
1. After you make the changes to AD in FreeNAS, the object will not show up in AD initially,
2. I rebooted FreeNAS and bam, object shows up.
3. I checked the logs and debug logs and saw that all groups and users had been pulled from AD.
4. Maybe we were forgetting to reboot...
5. Let me know if that works for you???
Domain Controller Name: blabla.bla.net
Domain Name: bla.bla.net
Hostname: beeronNAS (this is the computer acct for active directory)
workgroup name: bla
admin name: administrator
admin pass: password
ismashkhy Responds:
I managed to connect my newly built FN8 to my Win2k3 active directory in this process...
In the Active Directory service,
DC name : myAD.mydomain.com
* where myAD = netbios name of your AD machine.
Domain Name : MYDOMAIN.COM
Host Name (NetBios Name) : FSBackup
* where FSBackup = netbios name you assigned for your FN8 (not that of myAD machine!!!!..)
Workgroup Name : MYDOMAIN
Administrator Name : Administrator (this is the domain admin acct or your domain acct with domain admin priv)
Administrator Password : ********** (obviously, your domain acct password)
Windows Version : Windows 2003
Don't forget to input the home folder where you desired to have the users account folders in the CIFS service,
you must create those folders, e.g. user = admin, folder = admin, user = john, folder = john
example output :
/mnt/Shared/Users/admin
/mnt/Shared/Users/john
* where /mnt/Shared/Users = home folder location
and one thing I did just to try if it would work: I replicated and created the users who are in my AD
* this is still experimental, I'm open for corrections and comments about this....
due to some problem getting domain users to be usable in the chown DOMAIN\\username userfolder command
It is confirmed that you should replicate the account to freenas add users
* if you are having problem with that annoying credentials dialog box,
add this to CIFS auxiliary part...
client ntlmv2 auth = yes
ismashkhy Responds:
to double check the list of users,
on the shell, type:
Code: Select all

wbinfo -u
I guess this is really a bit of a dilemma for us;
now, as I said before, you need to replicate those users and groups from AD to FreeNAS, it will work as it works with me....
petranator Responds:
For all those who are having trouble getting the users to show up at the box, see:
http://support.freenas.org/ticket/314
It worked for me, and now I'm getting user data just fine.
Problem is, I haven't found anyone who can explain exactly how to set shares so that they authenticate against the domain. The only options in FreeNAS 8
are Local Authentication and Anonymous.
In FreeNAS 7, there was also Domain in the drop down, and it worked perfectly.
It's just not there in FreeNAS 8. Anyone have a hack, or an idea of how to use that user info to authenticate shares?
jeprice Responds:
Hi all,
I am using version FreeNAS-8.0.1-RC1-i386 (7508)
After hours of messing around with FreeNAS 8 I have finally got my AD users showing in the CIFS permission drop down.
I was pretty much in the same place as yfinkle with the output from freenas-debug -a looking the same.
However after much more googling I came across this link:
http://support.freenas.org/ticket/362
This suggests a fix to a problem with winbindd in the i386 version due to some missing files
(these files are present in the amd64 version, so sorry if you're having issues with that version):
Code: Select all

# mount -uw /                                    # remount / read-write so files can be replaced
# cd /usr/local/lib/samba
# fetch "http://download.freenas.org/idmap.tar.bz2"
# rm -rf idmap
# tar xjvf idmap.tar.bz2                         # restores the idmap modules missing from the i386 build
# cd /etc
# mount -ur /                                    # remount / read-only again (-u updates the existing mount)
# /usr/local/etc/rc.d/samba onerestart
After following these steps I re-ran freenas-debug -a, and found my users & groups listed.
After creating a UFS volume I can see Domain Users & Groups in the relative drop downs.
I can access the CIFS and the actions I can carry out in it reflect the permissions I have set on FreeNAS.
All seem to be good.
adi_clepcea Responds:
Hello There. I had the same issue. I had to set the permissions directly on the ZFS share. Now it works. I've set the owner and the group on the ZFS share
from the GUI. Afterwards I just added the others (other rights, I mean) from the console (terminal) using the setfacl command. It was a little awkward for me as
I was used to POSIX-style ACLs and I had chosen Windows ACL in the Change Permissions option of the ZFS share, but I did a getfacl from the console for the
share and then just copied the permissions and modified them as needed.
Copied from the Old FreeNAS Forum - so it's archived.
Thanks.
Larry Kraemer
"
"
by esackbauer » 21 Aug 2012 18:24
I tried it today with build 188, and while wbinfo works, I still don't see any users and groups from active directory in the GUI.
I tried a command that indicates that rid.so is outdated, just as written above.
The update of rid.so from the freenas download seems not to work.
Any ideas what to do next?
"
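A checker for the diagnostic text these posts rely on (net rpc testjoin, wbinfo -p/-t/-u and the freenas-debug -a sections), added here as an example and not code from the thread or from FreeNAS/XigmaNAS. The stage names, regexes, remedy wording and the two embedded samples are my own construction from the lines quoted above, so the remedies are the thread's reported fixes, not an official procedure.

```python
import re

# Success / failure patterns per stage of the AD join, taken from what
# "net rpc testjoin", "wbinfo -p", "wbinfo -t" and "wbinfo -u" print (the
# same lines Diagnostics: Information and freenas-debug -a show).
STAGES = {
    "join": (r"Join to '.+' is OK",
             r"Failed to join domain|Malformed representation of principal"),
    "winbindd": (r"Ping to winbindd succeeded",
                 r"could not obtain winbind interface details"),
    "secret": (r"trust secret via RPC calls succeeded",
               r"trust secret .*failed|Could not check secret"),
    "users": (r"^\S+\\\S+$",  # DOMAIN\user lines printed by wbinfo -u
              r"Error looking up domain users"),
}

# Remedies paraphrased from what the thread reports for each failing stage.
HINTS = {
    "join": "re-check AD server name/IP, pre-Windows 2000 domain name and the "
            "administrator account, save, then reboot so the computer object appears",
    "winbindd": "restart Samba (/usr/local/etc/rc.d/samba onerestart); on i386 "
                "builds also restore the missing idmap modules (ticket 362)",
    "secret": "winbindd has no joined domain, so fix the join/winbindd stages first",
    "users": "AD accounts will not show in share permissions until winbindd/idmap "
             "work (tickets 314 and 362 in the thread)",
}


def assess(diag_text):
    """Map each stage to 'ok', 'fail' or 'unknown' (no matching line seen)."""
    status = {}
    for stage, (ok_re, fail_re) in STAGES.items():
        if re.search(fail_re, diag_text, re.MULTILINE):
            status[stage] = "fail"
        elif re.search(ok_re, diag_text, re.MULTILINE):
            status[stage] = "ok"
        else:
            status[stage] = "unknown"
    return status


def advice(diag_text):
    """Return (stage, remedy) for every failing stage, in check order."""
    return [(s, HINTS[s]) for s, v in assess(diag_text).items() if v == "fail"]


# Constructed samples: the healthy output quoted by ldkraemer plus two made-up
# wbinfo -u lines, and the failing freenas-debug excerpt quoted by yfinkle.
HEALTHY = ("Join to 'FreeNAS' is OK\nPing to winbindd succeeded on fd 4\n"
           "Checking the trust secret via RPC calls succeeded\n"
           "BLA\\administrator\nBLA\\john\n")
BROKEN = ("could not obtain winbind interface details!\n"
          "could not obtain winbind domain name!\nCould not check secret\n"
          "checking the trust secret for domain (null) via RPC calls failed\n"
          "Error looking up domain users\nError looking up domain groups\n")
```

On a real box, feed the contents of /var/tmp/freenas-debug.txt to assess() to see which stage broke before touching share permissions.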