UCS and Freenas

I have been trying to get the AD integration working, but I am having an issue: it is saying something like this: "Strong(er) authentication required, BindSimple: Transport encryption required".

Is there a way I can reduce this password policy in LDAP? I can't quite find the LDAP settings.

Any help will be much appreciated.

Kind Regards
Imran

I think you are searching for this UCR Variable on the UCS:

root@ucs-6194:~# ucr search strong
samba/ldap/server/require/strong/auth: <empty>
 This variable can be used to adjust the Samba option "ldap server require strong auth" (see man smb.conf). UCS default is "allow_sasl_over_tls".

Set it as follows and try again:

root@ucs-6194:~# ucr set samba/ldap/server/require/strong/auth='no'

Just to make that clear: this means that Samba/AD requires all connections to be encrypted. Disabling this (ucr set samba/ldap/server/require/strong/auth='no') allows plain, unencrypted connections again. So, if you trust your network, that might be fine, but please be aware that it lowers the security a lot.
The better solution would be if FreeNAS could be configured to use transport encryption (LDAPS).

Best regards,
Michael Grandjean


Hi, thanks guys,

This sorted the issue. Yeah, I was testing it out; FreeNAS requires its cert installed in UCS.

Much appreciate the help.

Hi Imran,

I have it working the other way around: I've imported the UCS CAcert from /etc/univention/ssl/ucsCA/CAcert.pem to FreeNAS and chose this for the AD connection:

This way I don’t have to disable encryption.


Thanks, yeah, I got it working as you mentioned, much appreciated!

Hi,

I'm having the same problems joining my FreeNAS into the UCS domain. I tried to follow your method and import the UCS CA cert, but I seem to be missing the correct passphrase. Could someone please post the necessary steps in detail? Thank you very much,

Sebastian

Hi Sebastian,

You don't need a passphrase for the CAcert.
Just copy the output from UCS
me@myucs:~# cat /etc/univention/ssl/ucsCA/CAcert.pem
with the "-----BEGIN … END CERTIFICATE-----" into the GUI box in FreeNAS and enter a serial (you can enter any number, as you won't create UCS SSL certificates on the FreeNAS system).

Best,
Bernd
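When copying the CAcert output from a terminal it is easy to paste a prompt line or a truncated block, and the only sure check that the CA you imported into FreeNAS is the one on UCS is to compare fingerprints. The following is an added example (not code from UCS or FreeNAS) that pulls the certificate block out of pasted terminal output, rejects anything that is not valid base64, and prints an SHA-256 fingerprint in the format openssl uses; the base64 body in the sample is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample of what copying `cat /etc/univention/ssl/ucsCA/CAcert.pem`
# from a terminal might look like: prompt lines plus the PEM block.
# The base64 body is made up for this example and is NOT a real certificate.
SAMPLE_OUTPUT = """\
me@myucs:~# cat /etc/univention/ssl/ucsCA/CAcert.pem
-----BEGIN CERTIFICATE-----
MIIBxjCCAW+gAwIBAgIUQWEWmLr0z9BbBfGqz9vXV4l2lV0wDQYJKoZIhvcNAQEL
BQAwEjEQMA4GA1UEAwwHdWNzLWNhMB4XDTI0MDEwMTAwMDAwMFoXDTM0MDEwMTAw
MDAwMFowEjEQMA4GA1UEAwwHdWNzLWNh
-----END CERTIFICATE-----
me@myucs:~#
"""

# Non-greedy match between the markers; DOTALL lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_pem_blocks(text):
    """Return (clean_pem, der_bytes) for every certificate in the text.

    Prompt lines and anything outside the markers are dropped, the body is
    re-wrapped at 64 columns, and invalid base64 raises binascii.Error
    instead of silently producing a broken certificate.
    """
    blocks = []
    for match in PEM_RE.finditer(text):
        body = "".join(match.group(1).split())          # drop all whitespace
        der = base64.b64decode(body, validate=True)     # strict base64 check
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem = "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        blocks.append((pem, der))
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes, colon-separated like openssl."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    for pem, der in extract_pem_blocks(SAMPLE_OUTPUT):
        print(pem)
        print("SHA256 Fingerprint=" + fingerprint(der))
```

On the UCS side the value to compare against comes from `openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -fingerprint -sha256`; if the two differ, the block pasted into FreeNAS is not the UCS CA.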

Thank you very much for the quick answer. Got the cert imported. When trying to join the domain, I get a middleware error, saying

Error: [MiddlewareError: b’Active Directory failed to reload.

Any idea what could be the problem? Thanks for helping,
Sebastian

Google is pointing to errors related to DNS… So just guessing:

  • Did you enter the UCS nameserver under FreeNAS 'Network'? (I also entered the UCS name and IP into the /etc/hosts box.)
  • Is the timeserver the same for UCS and FreeNAS?

Hi lebernd,

Sorry I couldn't reply yesterday. I think I managed to join finally. I had to set the SASL Wrapping from plain to Sign, and then the system told me it updated the directory successfully.

However, should the domain users and groups not be added in FreeNAS so they can be used for permissions etc.? I still can see only the built-in ones. Is this done via LDAP? I haven't added any info in the LDAP tab in FreeNAS.

Thank you very much

No, that's the normal behavior. I think it was a Corral project to show them in the user GUI, so perhaps some time…
You can pick the users and groups from UCS in FreeNAS when you create a new volume and share, in the permission settings.

For the groups though, I have to start typing 'domain' and it will show all the 'domain user' etc. groups starting with 'domain'. I think the drop-down menu is limited to a certain number of users and groups, so you don't see them all on the first click.

Following the FreeNAS guide, I queried for domain users / groups with wbinfo - / wbinfo -g and I can see the domain users and groups. Unfortunately I can't see them in the web GUI and can't select them in the permission drop-downs. When I try to select a user in the drop-down I get error messages in the shell like fatal error, run database recovery, Groups could not be retrieved …

Anyone got an idea? I'm thinking of reinstalling and starting from scratch…

Hm, perhaps this gets really FreeNAS related, so probably more help in the forum there?

From my experience, when I select a domain user, there is a kinit process starting message in freenas. So is kerberos running?

For further help some screenshots would perhaps be helpful. I don't know much about the system you're running. Is it the new beta GUI? Did you already add users to FreeNAS? etc. Multiple setups can still give the same errors for different reasons…

And yes, sometimes a fresh start makes sense - in my opinion.

I actually can select domain users and groups now by typing the first letters in the drop-down, and I can use the shares from my Windows machine. So quite happy now. We made a major upgrade to our network with a new switch and new Ethernet cards, all in 10GbE. Since I also have some networking hiccups, I think I need to fix that before diving further into FreeNAS.

Thank you very much for your support, you got me up and going with FreeNAS and AD!

Have a nice weekend,
Sebastian
