Not able to communicate with smb shares from freenas

lebernd
Thanks, but I cannot figure out how to use this command. I am copying the command into the Konsole app; tried typing it in, changing where it uses the appropriate server name; still fails.

Please help if you can. Thanks.

Hi @rich45

so perhaps the best way is to add the computer (freenas-server) to the UCS through the Univention Management Console. (Like I said, I would recommend the ‘member server’ role. But even ‘IP managed client’ will create the needed certs.)
This way you will find the certs in /etc/univention/ssl/ . Every computer has its own directory there.

Best,
Bernd

thank you bernd
I reinstalled UCS as there were multiple errors. Now the only error is dealing with the virtual manager.

However, when I try to import the CA from the folder you mentioned above (open with Okular, copy the contents), the NAS system is not able to interpret some parts of the file:

```
Request Method: POST
Request URL: http://192.168.0.12/system/CA/import/
Software Version: FreeNAS-11.1-U6 (caffd76fa)
Exception Type: UnicodeEncodeError
Exception Value: 'ascii' codec can't encode character '\u2029' in position 1821: ordinal not in range(128)
Exception Location: /usr/local/lib/python3.6/site-packages/OpenSSL/crypto.py in load_certificate, line 1648
Server time: Sat, 9 Mar 2019 18:44:15 -0700

Unicode error hint

The string that could not be encoded/decoded was: C:2C X509
```

Same thing with the private key.

Not sure how to handle this; help if you can, please.

rich45

Hi @rich45

only copy this part of the certificates:

-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----

for all certificates. If you use cat on the UCS-side, you can copy-paste these parts into the freenas-gui.

Best,
Bernd
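
Added example (not code from the thread, FreeNAS or Univention): the copy-through-Okular route leaves non-ASCII characters in the pasted text, and that is exactly the UnicodeEncodeError quoted earlier (U+2029 is the Unicode PARAGRAPH SEPARATOR). The script below takes a text dump, keeps only the -----BEGIN/END----- blocks described in this post, strips anything outside printable ASCII, and checks that each body is valid base64 wrapping a DER SEQUENCE before it is pasted into the FreeNAS GUI. The embedded sample paste is constructed, and its "certificate" body is a five-byte stand-in, not a real X.509 object.

```python
"""Pull clean PEM blocks out of text copied from a PDF/document viewer.

Added example, not code from the thread, FreeNAS or Univention. Viewers can
insert Unicode separators (here U+2029) when text is copied; pyOpenSSL then
fails with the UnicodeEncodeError shown in the thread. This keeps only the
BEGIN/END blocks, drops everything that is not printable ASCII, and checks
that each body is base64 wrapping a DER SEQUENCE (0x30), which every X.509
certificate and every PKCS#8 / PKCS#1 private key starts with.
"""
import base64
import re
import sys

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample of a bad paste: viewer junk around the blocks and a U+2029
# inside the base64 body. "MAMCAQE=" is 30 03 02 01 01 = SEQUENCE { INTEGER 1 },
# a tiny stand-in for a DER object, not a real certificate or key.
SAMPLE_PASTE = (
    "C:2C X509 some viewer header\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMC\u2029AQE=\n"
    "-----END CERTIFICATE-----\n"
    "page 2 of 2\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MAMCAQE=\n"
    "-----END PRIVATE KEY-----\n"
)


def clean_pem_text(text: str) -> str:
    """Turn Unicode line/paragraph separators into newlines, drop non-ASCII."""
    text = text.replace("\u2028", "\n").replace("\u2029", "\n").replace("\r", "\n")
    return "".join(ch for ch in text if ch == "\n" or 0x20 <= ord(ch) < 0x7F)


def extract_pem_blocks(text: str) -> list[tuple[str, str]]:
    """Return (label, pem) pairs; bodies validated and re-wrapped at 64 columns.

    Raises binascii.Error on non-base64 bytes and ValueError when the decoded
    bytes do not start with an ASN.1 SEQUENCE tag.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(clean_pem_text(text)):
        label, body = match.group(1), match.group(2)
        b64 = re.sub(r"\s+", "", body)
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append((label, f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"))
    return blocks


if __name__ == "__main__":
    # Usage: python3 clean_pem.py pasted.txt   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_PASTE
    for label, pem in extract_pem_blocks(raw):
        print(f"# {label}: {len(pem)} bytes, ASCII only: {pem.isascii()}")
        print(pem, end="")
```

Whatever passes this check is what belongs in the FreeNAS certificate and key fields. Note that a dump taken this way puts the host's private key on disk and in the clipboard in the clear; where you have SSH to the UCS side, `cat` the files there as suggested above and delete any local copies afterwards.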

lebernd
Thank you, this helped. I have the certificate and the key in. Not sure what is next; looking at the manual for LDAP. When trying to configure on FreeNAS I get: BindSimple: Transport encryption required., Strong(er) authentication required.

Sir, thank you for your patience. This is going slow for me but must feel like pulling teeth for you.

rich45

Hello again,

well, going slow is no problem - that’s what I do all the time.

You can also take a look at: UCS and Freenas

So the questions that have to be answered with ‘yes’:

  • did you import the UCS-CA too?
  • did you enable ‘tls’ from the freenas-gui (directory - active directory)?
  • did you select the imported freenas-cert on the same page from the drop-down menu below?

Best,
Bernd

hello lebernd

Well, I have completed what I think needs to be done, but on the Active Directory page there are 3 errors:

  1. Unable to find domain controllers for zachery.algae-farm.local.
  2. domain controller: Invalid Host/Port: [Errno 61] Connection refused
  3. global catalog: Invalid Host/Port: [Errno 61] Connection refused

Is this port related?

thanks
rich45

lebernd
Sir, there is something very wrong here.

I see what is supposed to be the domain controller in Computers, and the storage server.
LDAP has nothing; not sure if this is working right.
The NAS is not able to find a domain controller.

What do you think, should I reinstall the system the way I have done in the past?
New UCS domain.
Default network (this may be the issue; the setting here is 192.168.0.0).

The gateway is 192.168.0.1.

Maybe this is why I am having so many issues. Tried to edit the default network settings but unable to edit the name or IP address.

I know this is confusing as you cannot see what I am doing. If there is a record I can send you, let me know.

thanks

Where do you see it? In UMC? This is always helpful to specify as you are working with two web-interfaces: UCS and freenas.

I’m not sure what ‘has nothing’ means in this context.

That is the error from above?

Hm, maybe. Can you post the ip-address and subnet of UCS-Master and Freenas?

What exactly did you try? Where?

Can you check if the UCS-Server is known from Freenas? Do you have a console on freenas where you can check at least something like: ping ucs-master.ucs-domain.dom.
If not, you can enter the values in the network settings on freenas. There is a field ‘hostname database’ and, more importantly, add the ucs-master as ‘nameserver’.
(timeservers are also important, set them on freenas (system tab) to the ucs-master)

Best, Bernd

lebernd
Let's start over. I have a fresh install of UCS: manual network setup, new UCS domain. I have created one Unix member server and named it drive. Other than this, what configuration needs to be done?
I guess the real question is: when the installation is complete and updates are done, what is next? Is there an article I can read to get some idea of what needs to be done? Confused.

In Devices on UMC: Computers: domain controller (zachery) and Unix member server (drive).
LDAP:
In the computers container I see domain controller and member server.
In the domain controller container nothing is listed.
FreeNAS:
Continues to not be able to communicate with the domain controller.
Unable to find domain controllers for ALGAE-FARM.LOCAL. is the error I see; algae-farm.local is the DNS/realm name.

IP addresses:
UCS master 192.168.0.15/24
FreeNAS 192.168.0.12/24
This is the result of ping zachery from FreeNAS:

```
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 0054 6870 0 0000 3f 01 9736 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 0054 6879 0 0000 3f 01 972d 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 0054 543c 0 0000 3f 01 ab6a 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 0054 6890 0 0000 3f 01 9716 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 0054 68b6 0 0000 3f 01 96f0 192.168.0.12 198.105.244.228
```

This is the result of ping to drive, the FreeNAS system:

```
Administrator@zachery:~$ ping drive
PING drive.algae-farm.local (192.168.0.12) 56(84) bytes of data.
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=1 ttl=64 time=0.245 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=2 ttl=64 time=0.256 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=3 ttl=64 time=0.256 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=4 ttl=64 time=0.255 ms
```

In the ping from UMC, what is this: Redirect Host(New addr: 192.168.0.1)?

Bernd, I hope this helps you figure out what is going on. What document would you suggest reading so I can know how it is supposed to work and what changes need to be made? Thank you
rich45

Hi rich45,

you can format code-postings with:

```
… code …
```

so that they are better to read.

  1. On the UCS side:
  • you have to install the App ‘active directory domain controller’.
  • you can leave the UCS side as it is then, after you have added freenas as a computer.
  • after a new install the certificates have changed, so you will have to do the steps to import them to freenas again.
  2. On the freenas side:
  • system: NTP server is 192.168.0.15; import CA and cert from UCS.
  • network: hostname drive, domain algae-farm.local, nameserver 1 192.168.0.15
  • directory - kerberos realms: realm ALGAE-FARM.LOCAL; KDC, Admin Server and Password Server are zachery.algae-farm.local
  • directory - active directory: domain algae-farm.local, domain account name Administrator, Domain Account Password is the UCS Administrator password, encryption TLS, Certificate: choose the imported UCS cert for drive, Kerberos Realm ALGAE-FARM.LOCAL, SASL wrapping sign, NetBIOS Name DRIVE. Check enable; the other values can be left at their default values.

I think that is about all it is.

So there seems to be a problem with the nameserver on freenas. Check your network-settings on freenas, especially the nameserver. What is the output of: dig zachery.algae-farm.local ?
(The results from ucs to freenas look good).

Best, Bernd

Bernd
Thanks again. The app you are speaking about, ‘Active Directory-compatible Domain Controller’, is installed.

Hope this is correct, as I do not see one in the not-installed apps.

Not sure what this is: "What is the output of: dig zachery.algae-farm.local ?" The output of ping for the FQDN?

thanks
rich45

It should be listed there - did you restart the system?

No, it should list a DNS answer (hopefully from the UCS DNS). You have to run this command from freenas console/ ssh.

```
; <<>> DiG 9.11.2 <<>> zacery.algae-farm.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zacery.algae-farm.local. IN A

;; AUTHORITY SECTION:
algae-farm.local. 3600 IN SOA zachery.algae-farm.local. root.algae-farm.local. 32 28800 7200 604800 3600

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sat Mar 23 12:11:41 MDT 2019
;; MSG SIZE rcvd: 101
```

Not sure if this is correct, but this is the output from FreeNAS to the domain controller.

well, that means freenas is looking at the right place. BUT: there should be also:

;; ANSWER SECTION:
zacery.algae-farm.local.	900	IN	A	192.168.0.15

It is possible that there is no such response because the hostname differs: in the posts above the UCS FQDN is zachery.algae-farm.local while the master is now called: zacery.algae-farm.local.
The right command then would be: dig zacery.algae-farm.local
What is the output answer of that?

(The code formatting isn’t working... place code in between ```… ``` - for more on this make a websearch for ‘markup language’)

lebernd
Thank you for the time you have given me.
Some success.

From FreeNAS to DC:

```
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3568
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zachery.algae-farm.local. IN A

;; ANSWER SECTION:
zachery.algae-farm.local. 900 IN A 192.168.0.15

;; AUTHORITY SECTION:
algae-farm.local. 900 IN NS zachery.algae-farm.local.

;; ADDITIONAL SECTION:
zachery.algae-farm.local. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sun Mar 24 10:48:29 MDT 2019
;; MSG SIZE rcvd: 111
```

From DC to FreeNAS:

```
; <<>> DiG 9.10.3-P4-Univention <<>> zacery.algae-farm.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38159
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zacery.algae-farm.local. IN A

;; AUTHORITY SECTION:
algae-farm.local. 3600 IN SOA zachery.algae-farm.local. root.algae-farm.local. 32 28800 7200 604800 3600

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sun Mar 24 10:55:20 MDT 2019
;; MSG SIZE rcvd: 101
```

I think this is what I was looking for the first time; I changed the default network setting in UCS.

Questions on things to do:

  1. Do the folders (built in) have the permissions needed for the computer? Do I move the computer to this folder to ensure permissions?
    I am talking about the domain controller. The DC and member server are in the Computers folder.

Active Directory page: Kerberos principal.
What is this function?
Where is it?
Active Directory still unable to find DC (FreeNAS).
Have rebooted both systems.
thanks for your help.
rich45

Hi @rich45,

I’m not sure if I can help further. From your posts I can’t really see what you were doing or trying to do (besides the goal of ‘joining a freenas server to the UCS domain’). Also, for every command output, it is helpful to also see the command and not just the output.
It just seems, that there is a problem with your UCS master server, but I can’t say what went wrong or what is missing on the UCS side. One of the many reasons one can think of regarding the error in freenas unable to find DC is, that there actually is no DC.

You are right, the master server - being really a dc - I think it should be listed inside the ‘dc’ container while freenas can rest as a computer in LDAP. But I’m afraid there is a reason why UCS isn’t listed there and I don’t think just moving it to the ‘dc’-folder in LDAP will make it a DC.

There is so much good documentation by univention of UCS. To understand and explain the concept of DCs on a Samba4 base and all the implied protocols and services (DNS, kerberos…) that is beyond my capabilities. I think univention has some information regarding this subject as blog-posts and even some youtube videos.

What I perhaps would recommend is:
Reading the Univention administrator handbook for UCS and making certain that UCS is installed on the network as master server, and checking the ‘Active Directory-compatible Domain Controller’ already at the end of the initial setup.
Then, if you are sure that the DC is up and running, you don’t have to do anything else on the UCS side than to add freenas as a device.

The steps on the freenas side you find in this thread or other post here in the forum by searching for ‘freenas’. But there has also been a major change in the default web-ui of freenas, starting with 11.2. I’m running freenas 11.1, so I’m not sure if the places in freenas regarding the mentioned entries have changed a little bit or even more.

Best regards,
Bernd

bernd
I am also using FreeNAS 11.1.

In the join log there is this info. If you are not familiar with it, please let me know who to contact. Thank you

```
Configure 01univention-ldap-server-init.inst Fri Mar 22 19:33:17 MDT 2019
2019-03-22 19:33:17.798629651-06:00 (in joinscript_init)
Not updating windows/domain
Not updating kerberos/realm
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
2019-03-22 19:33:19.870405541-06:00 (in joinscript_save_current_version)
Configure 02univention-directory-notifier.inst Fri Mar 22 19:33:19 MDT 2019
2019-03-22 19:33:19.893118271-06:00 (in joinscript_init)
Starting Univention Directory Notifier Daemon: univention-directory-notifierwarning: univention-directory-notifier: unable to open supervise/ok: file does not exist
failed!
2019-03-22 19:33:19.960073768-06:00 (in joinscript_save_current_version)
Configure 03univention-directory-listener.inst Fri Mar 22 19:33:19 MDT 2019
2019-03-22 19:33:19.978982646-06:00 (in joinscript_init)
warning: univention-directory-listener: unable to open supervise/ok: file does not exist
Configure 04univention-ldap-client.inst Fri Mar 22 19:33:20 MDT 2019
2019-03-22 19:33:20.339761344-06:00 (in joinscript_init)
Create nsswitch/ldap
```

Thanks for all your assistance.

lebernd

I have set things up as you have described and as in the manuals of both UCS and FreeNAS.

I continue to get "not able to find domain controller". I have looked at the forums that the search brought up; none were much help.
Did you say earlier that you could just set up shares without joining the domain?
If you can, please explain this procedure or refer me to someone who can help.

thanks
rich45

Hi @rich45

This means that either the UCS DNS is not working as it would ‘out of the box’, OR that freenas isn’t looking at the right place for its DNS requests.

  1. you have to have an entry for _gc._tcp in your domain. You can have a look at https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 for more information about this.
    Out of the box IF the active directory domain controller is installed.
  2. freenas should look first at the UCS DNS. The ip-address for UCS has to be entered in nameserver 1 (network).

No, I didn’t say that. I’ve said, that you can perhaps use other ROLES for the freenas server while joining UCS. Then afterwards you can access freenas-shares with other UCS-joined desktop computers.

What are the running services on freenas? It is important that you DON’T run the ‘domain controller’ there.

Best, Bernd
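
Added example (not code from the thread, FreeNAS or Univention) for the checklist in the earlier post and for the `_gc._tcp` point just above: the AD client on FreeNAS finds a domain controller through DNS SRV records (`_ldap._tcp`, `_kerberos._tcp`, `_kpasswd._tcp`, `_gc._tcp` under the domain), which a UCS master with the AD-compatible DC app installed publishes in its own DNS. The script speaks raw DNS over UDP using only the standard library, so it shows exactly what the nameserver FreeNAS is configured with hands back; NXDOMAIN for these names is the "Unable to find domain controllers" failure. The domain and nameserver defaults (algae-farm.local, 192.168.0.15) are taken from the thread and are assumptions; the `build_srv_response` helper constructs the server side of the exchange so the parser can be exercised offline.

```python
"""Query the AD DC-locator SRV records the way an AD client must find them.

Added example, not code from the thread, FreeNAS or Univention. Raw DNS over
UDP/53 with the standard library only: build the query, parse the reply
(including RFC 1035 name compression), and report rcode and SRV targets.
Defaults for domain and nameserver come from the thread and are assumptions.
"""
import random
import socket
import struct
import sys

TYPE_SRV = 33
CLASS_IN = 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Services the AD locator resolves under the domain; a Samba/UCS AD DC registers all of them.
LOCATOR_SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kpasswd._tcp", "_gc._tcp")


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Single-question query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_srv_response(msg: bytes) -> dict:
    """Return id, rcode and (priority, weight, port, target) for each SRV answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    targets = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            targets.append((prio, weight, port, target))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "targets": targets}


def build_srv_response(txid: int, qname: str, targets, rcode: int = 0) -> bytes:
    """Server side of the exchange (constructed data for offline checks): QR and AA
    set, answer owner names compressed to the question at offset 12 like a real server."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, len(targets), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    answers = b""
    for prio, weight, port, host in targets:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(host)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 900, len(rdata)) + rdata
    return header + question + answers


def query_srv(name: str, nameserver: str, timeout: float = 2.0) -> dict:
    """Send one SRV query over UDP and parse the reply; reject a mismatched id."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, TYPE_SRV, txid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_srv_response(data)
    if resp["id"] != txid:
        raise RuntimeError("reply id does not match the query; dropped")
    return resp


if __name__ == "__main__":
    # On the FreeNAS console: python3 check_locator.py algae-farm.local 192.168.0.15
    domain = sys.argv[1] if len(sys.argv) > 1 else "algae-farm.local"   # assumed
    ns = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.15"           # assumed
    for svc in LOCATOR_SERVICES:
        name = f"{svc}.{domain}."
        r = query_srv(name, ns)
        print(f"{name:40} {RCODES.get(r['rcode'], r['rcode']):9} {r['targets']}")
```

Run it against the nameserver FreeNAS actually has in nameserver 1. Four NOERROR lines each naming the UCS master (port 389 for `_ldap`, 88 for `_kerberos`, 464 for `_kpasswd`, 3268 for `_gc`) mean the DC is published and the remaining problem is on the FreeNAS side; NXDOMAIN from the UCS address means the AD-compatible DC is not actually up on the master, and an answer from any other address means FreeNAS is not asking UCS at all.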
