Not able to communicate with smb shares from freenas

ucs-4-3

#1

hello anyone

Can you point me to a way to get the system to allow me to log into my NAS system? All folders I have created except one will not let me log in. There seem to be multiple issues, but I cannot seem to get the issue resolved.
Not able to access the SMB folder; have reset the password several times but it does not help.
Tried to add the root CA to enable it, but not able to get it copied to the system.
Was able to log in with users created on both systems, but it fails.

I have messed with it now until things are really a mess. If you can help, giving me direction to get this sorted out would be appreciated.
Thanks, rich45


#2

Hi,

Did I get it right that you are using two separate domains (one with UCS, the other with FreeNAS)?

This will not work. One or the other will have to join the other domain to be able to share accounts and permissions.

/CV


#3

Mr. Christian Voelker

Thank you for responding. There is only one domain, UCS, trying to communicate with the FreeNAS system as a storage server. I am using the Extended domain services documentation, chapter 2. I think I have the cert copied onto the NAS system, but it is asking for a passphrase and serial number; where do these items come from? If you have access to any other documentation that will help, please share it with me.
My real issue is that I am really new to both OSes and not sure how to accomplish these tasks.

thanks
GB


#4

Hi @rich45,

There are several posts relating to FreeNAS and UCS, but some of them are in German. The short version is:

  1. Create a certificate for FreeNAS on UCS like this: How to create an UCS-CA signed certificate for a non-UCS system within domain
  2. Copy this cert to FreeNAS (it goes into ‘certificates’ in the FreeNAS GUI) as well as the UCS CA cert (it goes into ‘CAs’ in the FreeNAS GUI). I’m still using the old FreeNAS GUI.
  3. In FreeNAS, go to the ‘directory service’ tab (back-translation from German, but something like this). Enter the values for ‘kerberos realm’.
  4. In FreeNAS, still under ‘directory service’, enter the values for the UCS Administrator in the ‘active directory’ tab. This is straightforward: just use ‘tls’ and select the cert you entered in step 2. Select the realm too.
  5. Before you join UCS like this, consider the possibility of adding the FreeNAS server in the UCS GUI as a new computer. Like this, perhaps you can also skip step 1, as the certs are generated automatically. I chose the role UCS member server, although this is experimental and you cannot expect to select any strictly UCS-related setting in the advanced settings; you can (for the last years) add shares from FreeNAS to the UCS domain. If you don’t make a computer account before joining UCS, FreeNAS will show up after the join as a Windows computer.
  6. Join UCS from the FreeNAS GUI.

best,
Bernd


#5

lebernd

Thanks for the help, working on this.

rich


#6

lebernd
Thanks, but I cannot figure out how to use this command. I am copying the command to the Konsole app. Tried typing it in, changing it to use the appropriate server name; it still fails.

Please help if you can, thanks.


#7

Hi @rich45

So perhaps it is best to add the computer (freenas-server) to UCS through the Univention management console. (Like I said, I would recommend the ‘member server’ role. But even ‘ip managed’ will create the needed certs.)
This way you will find the certs in /etc/univention/ssl/ . Every computer has its own directory there.

Best,
Bernd


#8

Thank you Bernd,
I reinstalled UCS as there were multiple errors. Now the only error is dealing with the virtual manager.

However, when I try to import the CA from the folder you mentioned above, open it with Okular and copy the contents, the NAS system is not able to interpret some parts of the file:

```
Request Method: POST
Request URL: http://192.168.0.12/system/CA/import/
Software Version: FreeNAS-11.1-U6 (caffd76fa)
Exception Type: UnicodeEncodeError
Exception Value: 'ascii' codec can't encode character '\u2029' in position 1821: ordinal not in range(128)
Exception Location: /usr/local/lib/python3.6/site-packages/OpenSSL/crypto.py in load_certificate, line 1648
Server time: Sat, 9 Mar 2019 18:44:15 -0700

Unicode error hint

The string that could not be encoded/decoded was: C:2C X509
```

Same thing with the private key.

Not sure how to handle this; help if you can, please.

rich45


#9

Hi @rich45

Only copy this part of the certificates:

```
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
```

for all certificates. If you use cat on the UCS side, you can copy-paste these parts into the FreeNAS GUI.

Best,
Bernd
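The UnicodeEncodeError in #8 comes from a non-ASCII character (U+2029, a paragraph separator picked up when the file went through a document viewer's clipboard) sitting inside the pasted text, and the text dump that precedes the armor in the UCS cert file is not PEM either. An added helper, not part of this thread and not FreeNAS or UCS code, that keeps only the BEGIN/END blocks Bernd describes and strips such debris before pasting; the sample input is constructed with dummy base64:

```python
import re

# One PEM block with its armor. \s also matches Unicode separators such as
# U+2029, which a document viewer can insert when a file goes through the clipboard.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def non_ascii_positions(text):
    """Offsets and code points of characters the 'ascii' codec cannot encode."""
    return [(i, "U+%04X" % ord(c)) for i, c in enumerate(text) if ord(c) > 127]


def extract_pem_blocks(text, wanted="CERTIFICATE"):
    """Return the PEM blocks of type `wanted`, keeping nothing outside the
    BEGIN/END armor (e.g. the openssl text dump in front of the PEM) and
    dropping every character that is not valid base64, so the result is ASCII."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label != wanted:
            continue
        # str.splitlines() also splits on U+2028/U+2029, so a stray separator
        # becomes a line break instead of corrupting the base64.
        lines = [re.sub(r"[^A-Za-z0-9+/=]", "", ln) for ln in body.splitlines()]
        body = "\n".join(ln for ln in lines if ln)
        blocks.append("-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label))
    return blocks


# Constructed sample (dummy base64, not a real certificate): a text dump in
# front of the armor, a paragraph separator (U+2029) inside the base64 and a
# key block that must not be returned when certificates are wanted.
SAMPLE = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlsb2Nh\u2029"
    "bGhvc3QwHhcNMTkwMzIzMDAwMDAwWhcNMjAwMzIzMDAwMDAwWjAUMRIwEAYDVQQD\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nZHVtbXk=\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("non-ASCII characters in the pasted text:", non_ascii_positions(SAMPLE))
    for block in extract_pem_blocks(SAMPLE):
        print(block)
```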


#10

lebernd
Thank you, this helped. I have the certificate and the key in. Not sure what is next; looking at the manual, LDAP, when trying to configure on FreeNAS I get: BindSimple: Transport encryption required., Strong(er) authentication required.

Sir, thank you for your patience. This is going slow for me but must feel like pulling teeth for you.

rich45


#11

Hello again,

well, going slow is no problem - that’s what I do all the time.

You can also take a look at: UCS and Freenas

So the questions that have to be answered with ‘yes’:

  • did you import the UCS-CA too?
  • did you enable ‘tls’ from the freenas-gui (directory - active directory)?
  • did you select the imported freenas-cert on the same page from the drop-down menu below?

Best,
Bernd


#12

hello lebernd

Well, I have completed what I think needs to be done, but on the active directory page there are 3 errors:

  1. Unable to find domain controllers for zachery.algae-farm.local.
  2. domain controller: Invalid Host/Port: [Errno 61] Connection refused.
  3. global catalog: Invalid Host/Port: [Errno 61] Connection refused.

Is this port related?

thanks
rich45


#13

lebernd
Sir, there is something very wrong here.

I see what is supposed to be the domain controller in computers, and the storage server.
LDAP has nothing; not sure if this is working right.
The NAS is not able to find a domain controller.

What do you think, should I reinstall the system the way I have done in the past?
New UCS domain.
Default network (this may be the issue, the setting here is 192.168.0.0).

The gateway is 192.168.0.1.

Maybe this is why I am having so many issues. Tried to edit the default network settings but unable to edit the name or IP address.

I know this is confusing as you cannot see what I am; if there is a record I can send you, let me know.

thanks


#14

Where do you see it? In UMC? This is always helpful to specify as you are working with two web-interfaces: UCS and freenas.

I’m not sure what ‘has nothing’ means in this context.

That is the error from above?

Hm, maybe. Can you post the ip-address and subnet of UCS-Master and Freenas?

What exactly did you try? Where?

Can you check if the UCS-Server is known from Freenas? Do you have a console on freenas where you can check at least something like: ping ucs-master.ucs-domain.dom.
If not, you can enter the values in the network settings on FreeNAS. There is a field ‘hostname database’ and, more importantly, add the ucs-master as ‘nameserver’.
(timeservers are also important, set them on freenas (system tab) to the ucs-master)

Best, Bernd


#15

lebernd
Let's start over. I have a fresh install of UCS, manual network setup, new UCS domain. I have created one Unix member server and named it drive. Other than this, what configuration needs to be done?
I guess the real question is: when the installation is complete and updates are done, what is next? Is there an article I can read to get some idea of what needs to be done? Confused.

In devices on UMC computers: domain controller (zachery) and Unix member server (drive).
LDAP:
In the computers container I see domain controller and member server.
In the domain controller container nothing is listed.
FreeNAS:
Continues to not be able to communicate with the domain controller.
Unable to find domain controllers for ALGAE-FARM.LOCAL. is the error I see; algae-farm.local is the DNS/realm name.

IP addresses:
UCS master 192.168.0.15/24
FreeNAS 192.168.0.12/24
This is the result of ping zachery from FreeNAS:

```
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 6870 0 0000 3f 01 9736 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 6879 0 0000 3f 01 972d 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 543c 0 0000 3f 01 ab6a 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 6890 0 0000 3f 01 9716 192.168.0.12 198.105.244.228

92 bytes from zachery.algae-farm.local (192.168.0.15): Redirect Host(New addr: 192.168.0.1)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 68b6 0 0000 3f 01 96f0 192.168.0.12 198.105.244.228
```

This is the result of ping to drive, the FreeNAS system:

```
Administrator@zachery:~$ ping drive
PING drive.algae-farm.local (192.168.0.12) 56(84) bytes of data.
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=1 ttl=64 time=0.245 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=2 ttl=64 time=0.256 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=3 ttl=64 time=0.256 ms
64 bytes from drive.algae-farm.local (192.168.0.12): icmp_seq=4 ttl=64 time=0.255 ms
```

In the ping from UMC, what is this: Redirect Host(New addr: 192.168.0.1)?

Bernd, I hope this helps you figure out what is going on. What document would you suggest reading so I can know how it is supposed to work and what changes need to be made? Thank you
rich45


#16

Hi rich45,

you can format code-postings with:

```
… code …
```

so that they are better to read.

  1. On the UCS side:
  • you have to install the App ‘active directory domain controller’.
  • you can leave the UCS side as it is then, after you added freenas as a computer.
  • after a new install the certificates have changed, so you will have to do the steps to import them to freenas again.
  2. On the freenas side:
  • system: ntp-server is 192.168.0.15, import CA and Cert from UCS.
  • network: hostname drive, domain algae-farm.local, nameserver1 192.168.0.15
  • directory - kerberos realms: realm ALGAE-FARM.LOCAL, kdc and Admin Server and Password server is zachery.algae-farm.local
  • directory - active directory: domain algae-farm.local, domain account name Administrator, Domain Account Password ucs administrator password, encryption TLS, Certificate - choose the imported ucs-cert for drive. Kerberos Realm ALGAE-FARM.LOCAL, SASL wrapping sign, NetBIOS Name DRIVE. Check enable, the other values can be left with their standard value.

I think that is about all it is.

So there seems to be a problem with the nameserver on freenas. Check your network-settings on freenas, especially the nameserver. What is the output of: dig zachery.algae-farm.local ?
(The results from ucs to freenas look good).

Best, Bernd


#17

Bernd
Thanks again. The app you are speaking about, Active Directory-compatible Domain Controller, is installed.

Hope this is correct as I do not see one in the not-installed apps.

Not sure what this is: "What is the output of: dig zachery.algae-farm.local?" The output of ping for the FQDN?

thanks
rich45


#18

It should be listed there - did you restart the system?

No, it should list a DNS answer (hopefully from the UCS DNS). You have to run this command from freenas console/ ssh.


#19

```
; <<>> DiG 9.11.2 <<>> zacery.algae-farm.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zacery.algae-farm.local. IN A

;; AUTHORITY SECTION:
algae-farm.local. 3600 IN SOA zachery.algae-farm.local. root.algae-farm.local. 32 28800 7200 604800 3600

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sat Mar 23 12:11:41 MDT 2019
;; MSG SIZE rcvd: 101
```

Not sure if this is correct, but this is the output from FreeNAS to the domain controller.


#20

Well, that means FreeNAS is looking at the right place. BUT: there should also be:

```
;; ANSWER SECTION:
zacery.algae-farm.local.	900	IN	A	192.168.0.15
```

It is possible that there is no such response because the hostname differs: in the posts above the UCS FQDN is zachery.algae-farm.local, while the master is now called: zacery.algae-farm.local.
The right command then would be: dig zacery.algae-farm.local
What is the output answer of that?

(The code formatting isn’t working… place code in between ```… ``` - for more on this make a websearch for ‘markup language’)
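Reading a dig result the way the reply above does (the status, whether an ANSWER section exists at all, and what the SOA in the AUTHORITY section names as the zone's primary server) can be scripted. An added example, not from this thread and not FreeNAS or UCS code, that parses the output quoted in #19 and flags the zacery/zachery mismatch between the queried name and the SOA's primary server; both sample outputs are constructed from the thread:

```python
import re
from difflib import SequenceMatcher

def parse_dig(output):
    """Extract status, queried name, A answers and the SOA primary server
    (MNAME) from dig's text output, using the ';; ... SECTION:' headers."""
    info = {"status": None, "qname": None, "answers": [], "soa_mname": None}
    section = None
    for line in (raw.strip() for raw in output.splitlines()):
        if "status: " in line:
            info["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.endswith("SECTION:"):
            section = line.split()[1]
        elif line.startswith(";"):
            if section == "QUESTION":
                info["qname"] = line[1:].split()[0].rstrip(".")
        else:
            fields = line.split()
            if section == "ANSWER" and len(fields) >= 5 and fields[3] == "A":
                info["answers"].append((fields[0].rstrip("."), fields[4]))
            elif section == "AUTHORITY" and len(fields) >= 5 and fields[3] == "SOA":
                info["soa_mname"] = fields[4].rstrip(".")
    return info

def diagnose(output):
    """One-line verdict; flags a near-miss between the queried name and the zone's primary server."""
    info = parse_dig(output)
    if info["answers"]:
        return "OK: %s -> %s" % info["answers"][0]
    if info["status"] == "NXDOMAIN" and info["soa_mname"]:
        similar = SequenceMatcher(None, info["qname"], info["soa_mname"]).ratio() > 0.85
        if info["qname"] != info["soa_mname"] and similar:
            return "NXDOMAIN: no record for %s, but the zone's primary server is %s; check the spelling" % (info["qname"], info["soa_mname"])
        return "NXDOMAIN: server is authoritative for the zone but has no record for %s" % info["qname"]
    return "no usable answer (status %s): check the nameserver setting" % info["status"]

# Constructed from the dig output quoted in this thread (header, question, SOA only).
DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14414
;; QUESTION SECTION:
;zacery.algae-farm.local. IN A
;; AUTHORITY SECTION:
algae-farm.local. 3600 IN SOA zachery.algae-farm.local. root.algae-farm.local. 32 28800 7200 604800 3600
"""
# Constructed: the answer a working lookup of the real hostname should return.
DIG_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
zachery.algae-farm.local. 900 IN A 192.168.0.15
"""
```

Run diagnose(DIG_NXDOMAIN) against a real capture by passing the full text that dig prints; the extra header and OPT lines are ignored.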