TLS for 2 different Servers (FreeNAS)


#1

Hi,

I’m running UCS 4.2-2 errata209, with a successful AD 2008 R2 takeover.
Now I want to join FreeNAS-11.1-RC1 to it with an AD connection.
One idea is to add the cert into UCS: https://forums.freenas.org/index.php?threads/cant-join-to-samba-ad-dc.43513/
But I have a TLS configuration on my UCS DC:
tls enabled = yes
tls keyfile = /etc/univention/ssl/myserver.dom/private.key
tls certfile = /etc/univention/ssl/myserver.dom/cert.pem
tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem

Is it possible to create a second TLS section in smb.conf, like:

tls enabled = yes
tls cafile = /etc/univention/ssl/mynas.dom/samba-root-ca.pem
tls certfile = /etc/univention/ssl/mynas.dom/samba-cert.pem
tls keyfile = /etc/univention/ssl/mynas.dom/samba-key.pem

Thanks for your support.

Stephan


#2

Hi Stephan,

You can find some discussion about UCS and FreeNAS here on the forum too.
I have FreeNAS 11.0 running and it is working. I found it useful in my case to:


  1. add FreeNAS to UCS as a new member server, so that you can also enable FreeNAS shares from UCS. Otherwise (with no prior UCS record) the join will show FreeNAS as a Windows workstation.
  2. import the UCS CA cert into FreeNAS, enter the Kerberos setting (perhaps you don’t even have to)
  3. join with TLS and sasl = sign

Best, Bernd


#3

@lebernd,
Thanks for your answer. I tried to install the UCS CA cert into FreeNAS, but it told me that this is not a valid certificate. So I tried to do it the other way around.
I have the same target: to use FreeNAS in my environment.
How did you successfully import the PEM into FreeNAS?
Thanks
Stephan


#4

I did it this way:

  • ssh into UCS. Copy the output from:
    root@ucs: cat /etc/univention/ssl/ucsCA/CAcert.pem

  • Paste into the FreeNAS GUI window: System - CAs - Import CA. (Choose a name, no private key, no passphrase)
    The copy-paste has to include
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  • The certificate should then be usable in the drop-down menu in the AD settings.

If that doesn’t work:
At what point do you get the error?
What GUI do you use? The new beta or the old one? (I followed the steps with the old GUI.)
Best
Bernd
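The procedure above (copy the output of cat /etc/univention/ssl/ucsCA/CAcert.pem, paste it including the -----BEGIN/END CERTIFICATE----- lines) is easy to get wrong when copying from a terminal. The following is an added example, not code from this thread, from Univention or from FreeNAS: a POSIX shell script that cuts the certificate block out of a terminal copy (prompt lines included), checks that exactly one complete block with both marker lines is present, and, where openssl is installed, confirms the block parses as an X.509 certificate with the CA:TRUE basic constraint. The function names, the placeholder PEM body and the prompt lines are constructed for the example and are assumptions; only the CAcert.pem path comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Univention/FreeNAS.
# Validate a UCS CA certificate PEM before pasting it into the FreeNAS
# "System - CAs - Import CA" dialog. The paste fails if the
# -----BEGIN/-----END CERTIFICATE----- lines are left out.
set -eu

# Print only the first certificate block of a file, dropping shell prompts
# or other noise that a terminal copy-paste may carry around it.
pem_extract() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Return 0 when the file holds exactly one complete PEM certificate block:
# one BEGIN line, one END line after it, and at least one body line between.
pem_is_complete() {
    f="$1"
    [ -r "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        return 1
    fi
    bl=$(grep -n '^-----BEGIN CERTIFICATE-----$' "$f" | cut -d: -f1)
    el=$(grep -n '^-----END CERTIFICATE-----$' "$f" | cut -d: -f1)
    if [ "$bl" -lt "$el" ] && [ $((el - bl)) -gt 1 ]; then
        return 0
    fi
    return 1
}

# Deeper check when openssl is present: the block must parse as X.509 and
# carry CA:TRUE, since FreeNAS will trust it as a CA for the AD connection.
# Returns 2 when openssl is missing, so "unchecked" differs from "bad".
pem_is_ca() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Constructed sample input (placeholder body, NOT a real certificate): what a
# terminal copy of "cat CAcert.pem" looks like with the prompt lines included.
NOISY_PEM=$(mktemp)
BAD_PEM=$(mktemp)
CLEAN_PEM=$(mktemp)
trap 'rm -f "$NOISY_PEM" "$BAD_PEM" "$CLEAN_PEM"' EXIT
cat >"$NOISY_PEM" <<'EOF'
root@ucs:~# cat /etc/univention/ssl/ucsCA/CAcert.pem
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQUJDREVGR0hJSktMTU5PUFFSU1RVVlcwCgYIKoZIzj0E
AwIwDTELMAkGA1UEBhMCREU=
-----END CERTIFICATE-----
root@ucs:~#
EOF
# The same content pasted without the marker lines (the mistake from the thread).
sed '/^-----/d' "$NOISY_PEM" | sed '/^root@ucs/d' >"$BAD_PEM"

# Real use: pass the file copied from the UCS DC as $1; the sample is the default.
SRC="${1:-$NOISY_PEM}"
pem_extract "$SRC" >"$CLEAN_PEM"
if pem_is_complete "$CLEAN_PEM"; then
    echo "ok: one complete certificate block extracted from $SRC; paste $CLEAN_PEM"
    pem_is_ca "$CLEAN_PEM" && ca_rc=0 || ca_rc=$?
    case $ca_rc in
        0) echo "ok: parses as an X.509 certificate with CA:TRUE" ;;
        2) echo "note: openssl not found, X.509 check skipped" ;;
        *) echo "fail: not a parseable X.509 CA certificate (expected for the placeholder sample)" ;;
    esac
else
    echo "fail: $SRC lacks the -----BEGIN/END CERTIFICATE----- lines or holds more than one block"
fi
```

Run it as `sh check-ca-pem.sh /path/to/CAcert.pem` on the machine where you saved the copied output; the extracted file it names contains only the certificate block and is what should go into the Import CA text box. The X.509 step is an extra safeguard for real input: the placeholder body in the constructed sample is deliberately not a certificate and will fail it.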


#5

Thanks Bernd,
That was my mistake; I didn’t include the
-----BEGIN …----- & -----END …----- lines.

I could create the cert.
I’ve used the old GUI.
But now I’m running into a different issue:
could not obtain winbind interface details wbc_err_winbind_not_available
I’m just digging into it. Maybe you have an idea for me.

Kind Regards
Stephan


#6

Well, I don’t know, but :wink: :

Some questions:

  • UCS AD join went well?
  • What is the context of the error? Trying to select a UCS user?
  • NTP is correct and synced with UCS?
  • Kerberos setting is right?
  • FreeNAS reboot didn’t help?
  • Winbind is running on FreeNAS?

Bernd


#7

Hi Bernd,

sorry for coming back so late.
I have reinstalled my FreeNAS with 11-MASTER-20171118035, added the cert, and it joined the domain directly.
I think there was an issue with the 11.1-RC1 version of FreeNAS.
Thanks for your support.

KR
Stephan