I have been trying to get the AD integration working, but I am having an issue: it is saying something like this: "Strong(er) authentication required, BindSimple: Transport encryption required".
Is there a way I can reduce this password policy in LDAP? I can't quite find the LDAP settings.
I think you are searching for this UCR variable on the UCS:
root@ucs-6194:~# ucr search strong
samba/ldap/server/require/strong/auth: <empty>
This variable can be used to adjust the Samba option "ldap server require strong auth" (see man smb.conf). UCS default is "allow_sasl_over_tls".
Set it as follows and try again:
root@ucs-6194:~# ucr set samba/ldap/server/require/strong/auth='no'
Just to make that clear: This means that Samba/AD requires all connections to be encrypted. Disabling this (ucr set samba/ldap/server/require/strong/auth='no') allows plain, unencrypted connections again. So, if you trust your network, that might be fine, but please be aware that it lowers the security a lot.
The better solution would be if FreeNAS can be configured to use transport encryption (LDAPS).
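To make the trade-off in the two replies above concrete, here is an added example (not from the thread, and not Univention's or Samba's own code) that audits a Samba config fragment for the "ldap server require strong auth" option that the UCR variable samba/ldap/server/require/strong/auth maps to. The function names and the sample config files are constructed for this example; the three option values and the UCS default come from the thread and man smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread: audit an smb.conf fragment for the
# "ldap server require strong auth" option that the UCR variable
# samba/ldap/server/require/strong/auth controls. Values per man smb.conf:
#   yes                 - simple binds and SASL binds must be encrypted (Samba default)
#   allow_sasl_over_tls - UCS default per the thread; simple binds still need TLS
#   no                  - plain binds over cleartext LDAP accepted (the weakened setting)

# Print the effective value from config file $1, or "unset" if the option is absent.
# Takes the last occurrence, as Samba does for a parameter repeated in one section.
require_strong_auth_value() {
    v=$(sed -n 's/^[[:space:]]*ldap server require strong auth[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Classify the value: "weak" when cleartext simple binds are accepted, "strong" otherwise
# (Samba accepts yes/no, true/false and 1/0 as booleans; "unset" falls back to the default "yes").
classify_strong_auth() {
    case "$(require_strong_auth_value "$1" | tr 'A-Z' 'a-z')" in
        no|false|0) printf 'weak\n' ;;
        *)          printf 'strong\n' ;;
    esac
}

# Write a constructed minimal smb.conf with the given option value to file $2.
write_sample_conf() {
    printf '[global]\n\tworkgroup = EXAMPLE\n\tldap server require strong auth = %s\n' "$1" > "$2"
}

# Stand-alone demo: the UCS default next to the weakened setting from the thread.
demo() {
    d=$(mktemp -d)
    write_sample_conf allow_sasl_over_tls "$d/default.conf"
    write_sample_conf no "$d/weakened.conf"
    for f in "$d"/*.conf; do
        printf '%s: value=%s -> %s\n' "$(basename "$f")" \
            "$(require_strong_auth_value "$f")" "$(classify_strong_auth "$f")"
    done
    rm -rf "$d"
}
demo
```

On a real UCS host the value to feed into the audit comes from `ucr get samba/ldap/server/require/strong/auth` or the generated smb.conf; anything classified "weak" means simple binds can carry the password in the clear, which is exactly why the LDAPS route is preferable.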
I have it working the other way around: I’ve imported the UCS CAcert from /etc/univention/ssl/ucsCA/CAcert.pem to FreeNAS and chose this for the AD connection:
I’m having the same problems joining my FreeNAS into the UCS domain. I tried to follow your method and import the UCS CA cert, but I seem to miss the correct passphrase. Could someone please post the necessary steps in detail? Thank you very much,
You don’t need a passphrase for the CAcert.
Just copy the output from UCS me@myucs:~# cat /etc/univention/ssl/ucsCA/CAcert.pem
with the “-----BEGIN … END CERTIFICATE-----” into the GUI box in FreeNAS and enter a serial (you can enter any number, as you won’t create UCS SSL certificates on the FreeNAS system).
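The step above (copying exactly the BEGIN/END block of CAcert.pem into the FreeNAS import box) is where pastes usually go wrong, because a shell prompt or a stray line gets copied along. As an added example that is not from the thread and not FreeNAS or Univention code, the script below extracts the certificate block(s) from a PEM file and checks that what will be pasted is one well-formed block. The function names are assumptions, and the sample file is constructed with a placeholder body that is not a real certificate.

```shell
#!/bin/sh
# Added example, not from the thread: extract the certificate block(s) from a PEM file
# such as /etc/univention/ssl/ucsCA/CAcert.pem and sanity-check the text before it is
# pasted into the FreeNAS certificate import box. This checks structure only (markers
# present, body is base64 text); parsing the certificate itself is openssl's job.

# Print every BEGIN ... END CERTIFICATE block in $1, dropping surrounding text
# (shell prompts, comments) that gets copied along with terminal output.
extract_cert_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Count the certificate blocks in $1 (a CA file normally contains exactly one).
count_cert_blocks() {
    grep -c '^-----END CERTIFICATE-----$' "$1" || true
}

# Return 0 when stdin is exactly one well-formed PEM certificate block: one BEGIN and
# one END marker, only base64 characters between them, nothing non-blank outside them.
pem_block_ok() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { begin++; inside = 1; next }
        /^-----END CERTIFICATE-----$/   { end++;   inside = 0; next }
        inside && $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad++ }
        inside && length($0) > 76            { bad++ }
        !inside && NF                        { stray++ }
        END { exit !(begin == 1 && end == 1 && bad == 0 && stray == 0 && NR > 2) }
    '
}

# Constructed sample: the prompt line copied along with the output, plus a
# placeholder base64 body (NOT a real certificate).
write_sample_pem() {
    cat > "$1" <<'EOF'
root@ucs:~# cat /etc/univention/ssl/ucsCA/CAcert.pem
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERBODYNOTAREALCERTIFICATE0123456789abcdef
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
EOF
}

# Stand-alone demo: show what should (and should not) be pasted.
demo() {
    d=$(mktemp -d)
    write_sample_pem "$d/CAcert.pem"
    printf 'certificate blocks found: %s\n' "$(count_cert_blocks "$d/CAcert.pem")"
    if pem_block_ok < "$d/CAcert.pem"; then
        echo "whole file is clean"
    else
        echo "whole file contains text outside the certificate block; use the extracted block:"
        extract_cert_blocks "$d/CAcert.pem"
    fi
    rm -rf "$d"
}
demo
```

On the real UCS file, `openssl x509 -in /etc/univention/ssl/ucsCA/CAcert.pem -noout -subject -dates` is the follow-up check that the block you are about to trust is the UCS CA and not yet expired.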
Sorry I couldn’t reply yesterday. I think I managed to join finally. I had to set the SASL wrapping from plain to Sign, and then the system told me it updated the directory successfully.
However, should the domain users and groups not be added in FreeNAS so they can be used for permissions etc.? I still can see only the built-in ones. Is this done via LDAP? I haven’t added any info in the LDAP tab in FreeNAS.
No, that’s the normal behavior. I think it was a Corral project to show them in the user GUI, so perhaps some time…
You can pick the users and groups from UCS in FreeNAS when you create a new volume and share, in the permission settings.
For the groups though, I have to start typing ‘domain’ and it will show all the ‘domain user’ etc. groups starting with ‘domain’. I think the drop-down menu is limited to a certain number of users and groups, so you don’t see them all on the first click.
Following the FreeNAS guide, I queried for domain users / groups with wbinfo - / wbinfo -g and I can see the domain users and groups. Unfortunately I can’t see them in the web GUI and can’t select them in the permission drop-downs. When I try to select a user in the drop-down I get error messages in the shell like fatal error, run database recovery, Groups could not be retrieved …
Anyone got an idea? I’m thinking of reinstalling and starting from scratch…
Hm, perhaps this gets really FreeNAS related - so probably more help in the forum there?
From my experience, when I select a domain user, there is a kinit process starting message in FreeNAS. So is Kerberos running?
For further help some screenshots would perhaps be helpful. I don’t know much about the system you’re running. Is it the new beta GUI? Did you already add users to FreeNAS? etc. Multiple setups can still give the same errors for different reasons…
And yes, sometimes a fresh start makes sense - in my opinion.
I actually can select domain users and groups now by typing the first letters in the drop-down, and I can use the shares from my Windows machine. So quite happy now. We made a major upgrade to our network with a new switch and new Ethernet cards, all in 10GbE. Since I also have some networking hiccups, I think I need to fix that before diving further into FreeNAS.
Thank you very much for your support, you got me up and going with FreeNAS and AD!