Not able to communicate with smb shares from freenas

ucs-4-3

#21

lebernd
thank you for the time you have given me.
some success.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
from FreeNAS to DC.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3568
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zachery.algae-farm.local. IN A

;; ANSWER SECTION:
zachery.algae-farm.local. 900 IN A 192.168.0.15

;; AUTHORITY SECTION:
algae-farm.local. 900 IN NS zachery.algae-farm.local.

;; ADDITIONAL SECTION:
zachery.algae-farm.local. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sun Mar 24 10:48:29 MDT 2019
;; MSG SIZE rcvd: 111

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

from DC to FreeNAS
; <<>> DiG 9.10.3-P4-Univention <<>> zacery.algae-farm.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38159
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zacery.algae-farm.local. IN A

;; AUTHORITY SECTION:
algae-farm.local. 3600 IN SOA zachery.algae-farm.local. root.algae-farm.local. 32 28800 7200 604800 3600

;; Query time: 2 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sun Mar 24 10:55:20 MDT 2019
;; MSG SIZE rcvd: 101
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

I think this is what I was looking for the first time. Changed the default network setting in UCS.

Questions on things to do.

  1. Do the folders (built in) have the permissions needed for the computer? Do I move the computer to this folder to ensure permissions?
    I am talking about the domain controller. The DC and member server are in the computers folder.

Active directory page: Kerberos principal.
What is this function?
Where is it?
Active Directory still unable to find DC (FreeNAS).
Have rebooted both systems.

thanks for your help.
rich45


#22

Hi @rich45,

I’m not sure if I can help further. From your posts I can’t really see what you were doing or trying to do (besides the goal of ‘joining a freenas server to the UCS-domain’). Also, for every command output, it is helpful to also see the command and not just the output.
It just seems that there is a problem with your UCS master server, but I can’t say what went wrong or what is missing on the UCS side. One of the many reasons one can think of regarding the error in freenas unable to find DC is that there actually is no DC.

You are right, the master server - being really a dc - I think it should be listed inside the ‘dc’ container while freenas can rest as a computer in LDAP. But I’m afraid there is a reason why UCS isn’t listed there and I don’t think just moving it to the ‘dc’-folder in LDAP will make it a DC.

There is so much good documentation by univention of UCS. To understand and explain the concept of DCs on a Samba4 base and all the implied protocols and services (DNS, kerberos…) that is beyond my capabilities. I think univention has some information regarding this subject as blog-posts and even some youtube videos.

What I perhaps would recommend is:
Reading the univention administrator handbook for UCS and making certain that UCS is installed on the network as master server and checking the ‘active directory compatible domain controller’ already at the end of the initial setup.
Then, if you are sure that the DC is up and running, you don’t have to do anything else on the UCS side than to add freenas as a device.

The steps on the freenas side you find in this thread or other post here in the forum by searching for ‘freenas’. But there has also been a major change in the default web-ui of freenas, starting with 11.2. I’m running freenas 11.1, so I’m not sure if the places in freenas regarding the mentioned entries have changed a little bit or even more.

Best regards,
Bernd


#23

bernd
i am also using 11.1 freenas

In the join log there is this info. If you are not familiar, please let me know who to contact. Thank you.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Configure 01univention-ldap-server-init.inst Fri Mar 22 19:33:17 MDT 2019
2019-03-22 19:33:17.798629651-06:00 (in joinscript_init)
Not updating windows/domain
Not updating kerberos/realm
Starting ldap server(s): slapd …done.
Checking Schema ID: …done.
2019-03-22 19:33:19.870405541-06:00 (in joinscript_save_current_version)
Configure 02univention-directory-notifier.inst Fri Mar 22 19:33:19 MDT 2019
2019-03-22 19:33:19.893118271-06:00 (in joinscript_init)
Starting Univention Directory Notifier Daemon: univention-directory-notifierwarning: univention-directory-notifier: unable to open supervise/ok: file does not exist
failed!
2019-03-22 19:33:19.960073768-06:00 (in joinscript_save_current_version)
Configure 03univention-directory-listener.inst Fri Mar 22 19:33:19 MDT 2019
2019-03-22 19:33:19.978982646-06:00 (in joinscript_init)
warning: univention-directory-listener: unable to open supervise/ok: file does not exist
Configure 04univention-ldap-client.inst Fri Mar 22 19:33:20 MDT 2019
2019-03-22 19:33:20.339761344-06:00 (in joinscript_init)
Create nsswitch/ldap
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

thanks for all your assistance


#24

lebernd

I have set things up as you have described and in the manuals of both UCS and FreeNAS.

Continue to get not able to find domain controller. Have looked at the forums that the search brought up; none much help.
Did you say earlier that you could just set up shares without joining the domain?
If you can, please explain this procedure or refer me to someone who can help.

thanks
rich45


#25

Hi @rich45

This means that either the UCS DNS is not working as it would ‘out of the box’ OR that freenas isn’t looking at the right place for its DNS requests.

  1. you have to have an entry for _gc._tcp in your domain. You can have a look at https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 for more information about this.
    Out of the box IF the active directory domain controller is installed.
  2. freenas should look first at the UCS DNS. The ip-address for UCS has to be entered in nameserver 1 (network).

No, I didn’t say that. I’ve said, that you can perhaps use other ROLES for the freenas server while joining UCS. Then afterwards you can access freenas-shares with other UCS-joined desktop computers.

What are the running services on freenas? It is important that you DON’T run the ‘domain controller’ there.

Best, Bernd


#26

lbernd
Hi, still struggling along. I hope you can help me.
The domain controller is not announcing itself on the network (the router has a blank space where the name should be).
NAS announces itself.

Should not the domain controller announce itself?

ip settings
zachery (dc) static 192.168.0.105

router is gateway and dhcp server
IP: 192.168.0.1

reinstalled UCS
manually set network
as the default always shows a 192.168.0.0 gateway and not able to edit.

I am sure there is a way to edit this not able to find in documentation.

had to add external name server before system could communicate to the outside

thank you
rich45


#27

Hi @rich45,

what system do you use as desktop computer?

yes, freenas has mdns-service running on a default setup. On other systems it is called bonjour or avahi-daemon. This service ‘announces’ stuff in the local network (and the reason why .local isn’t a good choice for a ‘local’ domain!)

No, UCS isn’t announcing itself like this but as I wrote, should be found as local DNS server. And as domaincontroller. What is the output of:
dig gc domain.intern where you would have to replace domain.intern with your UCS-domain? Test it from ucs, freenas, your computer (if it knows the dig-command).

I don’t understand that section well.

If you are in UCS-UMC: system - network and see your ethernet-device (perhaps ‘eth0’) you can select that item over a checkbox. If it is checked, there will be a new menu-entry above: ‘configure’. Click on it and you can configure it (like: disable dhcp, set the desired ip-address and mask). After that you can edit the ‘gateway’ too. But perhaps it is easier to select the manual network setup while installing. Like this all the other entries are set right (I’m not sure if UCS will change the ip-address accordingly everywhere: meaning the computer account for the ucs-system, the default-entries in DNS and so on).

Of course. In the network settings (system - network) you find first the ‘domain DNS’ - you have to leave ucs there and then ‘external DNS’ where you will probably put the ip-address of your router.


#28

lebernd
thanks
I use windows 10 laptop.

I have changed from .local to intranet

000000000000000000000000000000

Administrator@zachery:~$ dig zachery.algae-farm.intranet

; <<>> DiG 9.10.3-P4-Univention <<>> zachery.algae-farm.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23325
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zachery.algae-farm.intranet. IN A

;; ANSWER SECTION:
zachery.algae-farm.intranet. 900 IN A 192.168.0.105

;; AUTHORITY SECTION:
algae-farm.intranet. 900 IN NS zachery.algae-farm.intranet.

;; ADDITIONAL SECTION:
zachery.algae-farm.intranet. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 1 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sun Apr 14 18:06:29 MDT 2019
;; MSG SIZE rcvd: 114
00000000000000000000000000000000000000000

to drive.intranet
Administrator@zachery:~$ dig drive.intranet

; <<>> DiG 9.10.3-P4-Univention <<>> drive.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30336
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drive.intranet. IN A

;; ANSWER SECTION:
drive.intranet. 10 IN A 198.105.254.228
drive.intranet. 10 IN A 198.105.244.228

;; AUTHORITY SECTION:
. 21461 IN NS h.root-servers.net.
. 21461 IN NS m.root-servers.net.
. 21461 IN NS g.root-servers.net.
. 21461 IN NS i.root-servers.net.
. 21461 IN NS f.root-servers.net.
. 21461 IN NS a.root-servers.net.
. 21461 IN NS c.root-servers.net.
. 21461 IN NS b.root-servers.net.
. 21461 IN NS d.root-servers.net.
. 21461 IN NS e.root-servers.net.
. 21461 IN NS l.root-servers.net.
. 21461 IN NS k.root-servers.net.
. 21461 IN NS j.root-servers.net.

;; ADDITIONAL SECTION:
B.ROOT-SERVERS.net. 587752 IN AAAA 2001:500:200::b
E.ROOT-SERVERS.net. 587752 IN AAAA 2001:500:a8::e
G.ROOT-SERVERS.net. 587752 IN AAAA 2001:500:12::d0d

;; Query time: 66 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sun Apr 14 18:17:44 MDT 2019
;; MSG SIZE rcvd: 389
000000000000000000000000000000000000000000000
How does this look to you?

000000000000000000000000000000000000000000000

[root@drive ~]# dig zachery.algae-farm.intranet

; <<>> DiG 9.11.2 <<>> zachery.algae-farm.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1580
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zachery.algae-farm.intranet. IN A

;; ANSWER SECTION:
zachery.algae-farm.intranet. 900 IN A 192.168.0.105

;; AUTHORITY SECTION:
algae-farm.intranet. 900 IN NS zachery.algae-farm.intranet.

;; ADDITIONAL SECTION:
zachery.algae-farm.intranet. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 2 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sun Apr 14 18:22:31 MDT 2019
;; MSG SIZE rcvd: 114

000000000000000000000000000000000000000000000

I have rebooted the FreeNAS OS and have regained access to SMB shares on the Windows system.
So some progress.
Thanks for sticking with this.

rich45


#29

This seems to be good. (Please try again to put code into three backticks or use the </> sign in the menu of the forum post editor - and: consider using a dedicated linux-account to ssh into ucs. If ucs needs the ‘Administrator’-account it will tell you, e.g. when you install an app over the command-line. On the same level of ‘security’ better use root over Administrator. Use the Administrator-account if needed in UMC - the UCS-website)

This is telling that:

  • the fqdn for freenas is not well-formed. It should be hostname.ucs-domain which will give:
    drive.algae-farm.intranet. You need to change that in freenas in two places. 1. system - information (fqdn: drive.algae-farm.intranet), 2. network - general (hostname: drive, domain: algae-farm.intranet). Don’t forget to reboot.
  • The output like this is telling: ‘drive.intranet’ has a public ip-address. It tells that UCS is not handling this record (but looking elsewhere for an answer - external DNS).
  • It is NOT telling if you already have a UCS computer-account for freenas as UCS will form the fqdn like this: drive.algae-farm.intranet

As this is the same output as the first one - this is good. And tells me that you have entered the UCS as nameserver on freenas.

So you have to change:

  • domainname under freenas. The domainname is algae-farm.intranet
  • check the dig commands I gave you: dig gc algae-farm.intranet (for now you have only checked for computers/hostnames - for the domaincontroller you will have to check for services)
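As an added example, not from the thread or from Univention: a small POSIX-sh helper that reads a dig answer the way the replies above do (the `aa` flag tells whether the UCS DNS answered from its own zone or forwarded the name to the external DNS, and the answer shows whether a LAN address or a public one came back) and lists the SRV names a domain member queries to locate a DC: `_gc._tcp.<domain>` from the post above, plus `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.<domain>`. The two dig excerpts inside are constructed from the outputs quoted in this thread; the live commands appear in comments only.

```shell
#!/bin/sh
# Added example (not from the thread). Reads dig output the way the replies
# above do: 'aa' in the flags line means the UCS DNS answered from its own
# zone; without it the name was forwarded to the external DNS, which is what
# the public addresses returned for drive.intranet showed.

# Constructed samples, abridged from the outputs quoted in this thread.
SAMPLE_FORWARDED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4
;; ANSWER SECTION:
drive.intranet. 10 IN A 198.105.254.228
drive.intranet. 10 IN A 198.105.244.228'

SAMPLE_AUTHORITATIVE=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; ANSWER SECTION:
drive.algae-farm.intranet. 900 IN A 192.168.0.14'

# is_authoritative DIG_OUTPUT: succeeds when the 'aa' flag is set.
is_authoritative() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'
}

# is_private_ipv4 ADDRESS: succeeds for the RFC 1918 ranges.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# first_a_record DIG_OUTPUT: prints the first IPv4 address in an A answer.
first_a_record() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

# classify DIG_OUTPUT: prints <authoritative|forwarded>-<private|public|none>.
# 'forwarded-public' for a name that should be internal means the domain
# name on the client (here FreeNAS) does not match the UCS zone.
classify() {
    if is_authoritative "$1"; then src=authoritative; else src=forwarded; fi
    addr=$(first_a_record "$1")
    if [ -z "$addr" ]; then scope=none
    elif is_private_ipv4 "$addr"; then scope=private
    else scope=public
    fi
    printf '%s-%s\n' "$src" "$scope"
}

# dc_locator_names DOMAIN: the SRV names a domain member asks for to find a
# DC. Each is queried as an SRV record, e.g.: dig SRV _gc._tcp.algae-farm.intranet
dc_locator_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_gc._tcp.$1"
}

# Live use on the UCS or FreeNAS shell (not run here):
#   classify "$(dig drive.algae-farm.intranet)"
#   dc_locator_names algae-farm.intranet | while read -r n; do dig +short SRV "$n"; done
```

A healthy join needs `authoritative-private` for the NAS name and a non-empty SRV answer for all three locator names from the UCS server.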

#30

@rich45 another thing:

have you tried to join your windows 10 laptop to UCS?
As this should work ‘out of the box’ I would recommend that you try this join before the more advanced join of freenas. The join for windows is well documented in the UCS-docs.

If this join is successful, you can be sure that UCS is well configured as a domain-controller.
And just move to adjust freenas settings.
It is possible that the wrong or missing domainname in freenas was the main reason why freenas is telling that it can’t find a domain-controller…


#31

legernd
Joined laptop to domain.
NAS cannot find domain controller.
I created the NAS computer in UCS.
drive is the only name UCS would accept.
No certs were created in root/etc/uninvention/ssl for drive or the now added laptop.
The laptop was added in the computer container as windows workstation/server.

The dig gc command from UCS
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Administrator@zachery:~$ dig gc drive.algae-farm.intranet

; <<>> DiG 9.10.3-P4-Univention <<>> gc drive.algae-farm.intranet
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30033
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gc. IN A

;; ANSWER SECTION:
gc. 10 IN A 198.105.254.228
gc. 10 IN A 198.105.244.228

;; AUTHORITY SECTION:
. 476 IN NS g.root-servers.net.
. 476 IN NS j.root-servers.net.
. 476 IN NS i.root-servers.net.
. 476 IN NS h.root-servers.net.
. 476 IN NS c.root-servers.net.
. 476 IN NS d.root-servers.net.
. 476 IN NS a.root-servers.net.
. 476 IN NS m.root-servers.net.
. 476 IN NS l.root-servers.net.
. 476 IN NS k.root-servers.net.
. 476 IN NS e.root-servers.net.
. 476 IN NS f.root-servers.net.
. 476 IN NS b.root-servers.net.

;; ADDITIONAL SECTION:
B.ROOT-SERVERS.net. 602093 IN AAAA 2001:500:200::b
E.ROOT-SERVERS.net. 602093 IN AAAA 2001:500:a8::e
G.ROOT-SERVERS.net. 602093 IN AAAA 2001:500:12::d0d

;; Query time: 42 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sat Apr 20 13:42:52 MDT 2019
;; MSG SIZE rcvd: 377

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drive.algae-farm.intranet. IN A

;; ANSWER SECTION:
drive.algae-farm.intranet. 900 IN A 192.168.0.14

;; AUTHORITY SECTION:
algae-farm.intranet. 900 IN NS zachery.algae-farm.intranet.

;; ADDITIONAL SECTION:
zachery.algae-farm.intranet. 900 IN A 192.168.0.105
zachery.algae-farm.intranet. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 2 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sat Apr 20 13:42:52 MDT 2019
;; MSG SIZE rcvd: 136
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

from FreeNAS

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;; AUTHORITY SECTION:
. 124 IN NS d.root-servers.net.
. 124 IN NS e.root-servers.net.
. 124 IN NS h.root-servers.net.
. 124 IN NS i.root-servers.net.
. 124 IN NS a.root-servers.net.
. 124 IN NS g.root-servers.net.
. 124 IN NS f.root-servers.net.
. 124 IN NS k.root-servers.net.
. 124 IN NS c.root-servers.net.
. 124 IN NS l.root-servers.net.
. 124 IN NS j.root-servers.net.
. 124 IN NS b.root-servers.net.
. 124 IN NS m.root-servers.net.

;; ADDITIONAL SECTION:
B.ROOT-SERVERS.net. 601741 IN AAAA 2001:500:200::b
E.ROOT-SERVERS.net. 601741 IN AAAA 2001:500:a8::e
G.ROOT-SERVERS.net. 601741 IN AAAA 2001:500:12::d0d

;; Query time: 43 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sat Apr 20 13:48:45 MDT 2019
;; MSG SIZE rcvd: 377

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56705
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zachery.algae-farm.intranet. IN A

;; ANSWER SECTION:
zachery.algae-farm.intranet. 900 IN A 192.168.0.105

;; AUTHORITY SECTION:
algae-farm.intranet. 900 IN NS zachery.algae-farm.intranet.

;; ADDITIONAL SECTION:
zachery.algae-farm.intranet. 900 IN AAAA 2605:6000:b785:8500:223:54ff:fe07:ed3e

;; Query time: 2 msec
;; SERVER: 192.168.0.105#53(192.168.0.105)
;; WHEN: Sat Apr 20 13:48:45 MDT 2019
;; MSG SIZE rcvd: 114
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

For some reason part of the command seems cut off; not sure I have the window expanded all the way.

Tried to create the cert per the direction you gave me earlier, but no matter how I typed the command it failed.

You ask if I could use a dedicated machine with UCS, but I do not have a machine.

Question: the CA should be from UCS and the certificate should be from drive, is this correct?

Recreated the computer under ip controlled; now I have a cert.
Should there be a CA and a cert?
Or should it be CA for UCS?
Cert for drive?
any suggestions are welcome
rich45


#32

Hi @rich45,

the post is getting really long and I’m not sure if my answers are behind or above your questions :slight_smile: Or if my questions have been answered and in what way…

  • The change of the domainname (and resulting fqdn) on freenas - did you do that as described above?
  • Is it (hostname+domainname) the same now on the freenas-side as it is on the ucs-side?
  • Where and how did you check?

There would be many questions about your last post too, but I’m afraid that this is only confusing.