TLS for 2 different Servers (FreeNAS)

Hi,

I’m running UCS 4.2-2 errata209, with a successful AD 2008R2 takeover.
Now I want to join the FreeNAS-11.1-RC1 with AD Connection.
One idea is to add the cert into UCS: https://forums.freenas.org/index.php?threads/cant-join-to-samba-ad-dc.43513/
But I have a TLS configuration on my UCS DC:

    tls enabled = yes
    tls keyfile = /etc/univention/ssl/myserver.dom/private.key
    tls certfile = /etc/univention/ssl/myserver.dom/cert.pem
    tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem

Is it possible to create a second tls section in the smb.conf like:

    tls enabled = yes
    tls cafile = /etc/univention/ssl/mynas.dom/samba-root-ca.pem
    tls certfile = /etc/univention/ssl/mynas.dom/samba-cert.pem
    tls keyfile = /etc/univention/ssl/mynas.dom/samba-key.pem

Thanks for your support

Stephan

Hi Stephan,

You can find some discussion about UCS and FreeNAS here on the forum too.
I have FreeNAS 11.0 running and it is working with:

I found it useful in my case to

  1. add FreeNAS to UCS as a new member server so that you can enable FreeNAS shares also from UCS. Else (with no prior UCS record) the join will show FreeNAS as a Windows workstation.
  2. import the UCS CAcert to FreeNAS, enter the Kerberos setting (perhaps you even don’t have to)
  3. join with tls and sasl = sign

Best, Bernd

@lebernd,
Thanks for your answer. I tried to install the UCS CAcert into FreeNAS, but it told me that this is not a valid certificate. So I tried to do it the other way around.
I have the same target to use FreeNAS in my environment.
How did you successfully import the pem to FreeNAS?
Thanks
Stephan

I did it this way:

  • ssh into UCS. Copy the output from:
    root@ucs: cat /etc/univention/ssl/ucsCA/CAcert.pem

  • Paste to the FreeNAS GUI window: System - CAs - Import CA. (Choose a name, no private key, no passphrase)
    Copy-paste has to include
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  • The certificate should then be usable in the drop-down menu in the AD setting.

If that doesn’t work:
At what point do you get the error?
What GUI do you use? The new beta or the old one? (I’ve followed the steps with the old GUI)
Best
Bernd
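Added example (not from this thread, and not Univention or FreeNAS code): a small standard-library Python check that catches the two common paste mistakes before the text goes into the Import CA field, namely missing BEGIN/END marker lines and a truncated body. The sample body is a constructed DER blob standing in for CAcert.pem, not a real certificate.

```python
import base64
import re
from typing import Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: a DER SEQUENCE holding one INTEGER (5), base64-encoded.
# It is NOT a real certificate; it only stands in for the body of CAcert.pem.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
GOOD_PASTE = f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n"
BODY_ONLY_PASTE = SAMPLE_BODY + "\n"   # a paste that left out the marker lines


def der_length_ok(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE (tag 0x30) whose encoded
    length matches the number of bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        body_len, header = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + body_len


def normalize_pem(paste: str) -> str:
    """Return a clean PEM block for the Import CA field, or raise ValueError
    saying why the pasted text would be rejected."""
    lines = [ln.strip() for ln in paste.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("paste must start with the BEGIN CERTIFICATE line and end with the END line")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("certificate body contains characters that are not base64")
    der = base64.b64decode(body, validate=True)   # binascii.Error is a ValueError
    if not der_length_ok(der):
        raise ValueError("decoded data is not one complete DER certificate (truncated paste?)")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def paste_problem(paste: str) -> Optional[str]:
    """None when the paste is acceptable, otherwise the reason it would fail."""
    try:
        normalize_pem(paste)
        return None
    except ValueError as exc:
        return str(exc)
```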

Thanks Bernd,
that was my mistake, I didn’t include the
-----BEGIN …----- & -----END

I could create the cert.
I’ve used the old GUI.
But now I’m running into a different issue:
could not obtain winbind interface details wbc_err_winbind_not_available
I’m just digging into it. Maybe you have an idea for me.

Kind Regards
Stephan

Well, I don’t know, but :wink: :

Some questions:

  • UCS-AD join went well?
  • what is the context of the error? Trying to select a UCS user?
  • NTP is correct and synced with UCS?
  • Kerberos setting is right?
  • FreeNAS reboot didn’t help?
  • Winbind is running on FreeNAS?

Bernd

Hi Bernd,

sorry for coming back so late.
I have reinstalled my FreeNAS on 11-MASTER-20171118035. Added the cert, and it joined the domain directly.
I think there was an issue with the 11.1-RC1 version of FreeNAS.
Thanks for your support.

KR
Stephan
