Update to "Cool Solution - Connecting UCS to FreeNAS"

After failing to join my test AD with my new FreeNAS storage server, I was happy to stumble upon “Cool Solution - Connecting UCS to FreeNAS”. Unfortunately, following the steps, FreeNAS reliably fails to join.

UCS Version: 4.4-4 | FreeNAS Version: FreeNAS-11.3-U3.1

I followed the instructions as closely as possible; however, the values under “Setting the Active Directory Service” do not align with the current options given in the UI. Perhaps it might be connected to one of the other values that might need customization.

Here are the options currently used, tried and ultimately failed with:

As this takes place in a test environment I was not afraid to just give most any combination a shot.

| Variable | Current Value | Comment |
|---|---|---|
| Encryption Mode | ON | Appears to be the SSL option |
| Validate Certificates | ON | Tried in ON & OFF |
| Verbose Logging | ON | Hoping to troubleshoot through logs |
| Allow Trusted Domains | OFF | Tried in ON & OFF |
| Use Default Domain | OFF | Tried in ON & OFF |
| Allow DNS Updates | ON | Tried in ON & OFF |
| Disable FreeNAS Cache | ON | Tried in ON & OFF |
| Sitename | [EMPTY] | |
| Kerberos Realm | example.com | Tried in filled & empty |
| Kerberos Principal | [EMPTY] | |
| AD Timeout | 600 | Increasing timeout didn’t help |
| DNS Timeout | 100 | Increasing timeout didn’t help |
| idmap backend | AD | Tried AD & LDAP |
| Winbind NSS info | SFU | Tried SFU, SFU20 & RFC2307 |
| SASL wrapping | SIGN | |
| Enable | ON | |

Joining the domain does not seem to be an issue as other clients with different OS can join flawlessly.

It’s been a while since I connected our Freenas server to UCS, but I think the thing that got me back then was I needed to import the Univention server’s certificate into Freenas.

I think there is probably more info on this on the Freenas forums. I’m pretty sure that’s where I found out I needed to do that.

Also, my initial connection was back with Freenas 10 I think, so my settings have been migrated forward over time so it may be slightly different now.


Hey Kevo,

Thank you for your contribution! Unfortunately, importing the cert appears to be the only thing that went smoothly in any attempt. I will look further into the matter, but so far the only progress I made reading through the FreeNAS forum is that

`midclt call activedirectory.config | jq`

can be used to see the actual config.

I’ll get back to work on the machine Monday afternoon and report my findings.

I had no problem joining 2 FreeNAS systems 11.3-U3.1 to UCS 4.4-4 613

and I had nothing to import (cert), only entered domain name, administrator (domain) and password of domain admin.
I can see the domain groups and users in the user selection drop-down menu for SMB ACL selection and use them. Also the FreeNAS systems were added to DNS and domain successfully.

rg
Christian


I think I recently read that importing the certificate is no longer necessary. I’m not sure when that change came about, but I think it might have been 11.3.


Hey Christian, thanks for your input!

That’s the first thing I tried, because I was used to it working that easily with my previous Windows DC. Do you by any chance have the possibility to share the short readout of the activedirectory.config [without domain/user and password of course] so as to compare how the correct config for your immediate success looks? I am hoping that copying some of that should fix the problem.

The corresponding command should be: `midclt call activedirectory.config | jq`

Thank you in advance, Nicolas

Perhaps that’s where my mistake lies. I remembered from an older setup that setting up FreeNAS with an AD wasn’t without its caveats and immediately looked for the corresponding “How-To” which made use of the cert and so on.

here we go:

```json
{
  "id": 1,
  "domainname": "INTERN.CKC-IT.AT",
  "bindname": "administrator",
  "bindpw": "",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": true,
  "verbose_logging": false,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": false,
  "site": "Default-First-Site-Name",
  "kerberos_realm": 1,
  "kerberos_principal": "FREENAS1$@INTERN.CKC-IT.AT",
  "createcomputer": "",
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "SIGN",
  "enable": true,
  "netbiosname": "freenas1",
  "netbiosalias": []
}
```


Did you set the host name and domain name (DNS) and the right DNS server (AD domain DNS server) in the Global Configuration section under Network settings on your TrueNAS/FreeNAS before the domain join?

That’s all I did.

rg
Christian


I most certainly did. I generally (when possible) always do that on setup and checked it again before joining. I even had enough self-doubt by now to check twice whether I managed to mistype 10.0.2.2.

Thank you very much for your config, I’ll report back tomorrow or Monday, depending on when I get my hands on the machine again.

Kind regards Nicolas

Thanks to your configuration I was able to get my machine up and running!
I unfortunately had to reset NAS though: The “half-joined” state of the AD appeared to have bricked the entire Directory Services.
I will follow up later today with a full post on how to join, when the basic joining failed.


Solution: For some reason that is likely on FreeNAS’s side, just joining a UCS Active Directory in the basic mode does not always work reliably. Here are the steps that I found to be necessary to successfully join FreeNAS into a UCS AD.

Preparation: I strongly suggest backing up your configuration before you proceed, as a failed joining attempt might brick the FreeNAS’s Directory Services, an issue that in my brief experience is easiest resolved by rolling back to the previous config.

0. [Recommended] System → General → Save Config

1. Network → Global Configuration
1.a Set Hostname to your preferred hostname, e.g. “freenas”.
1.b Set Domain to your domain, e.g. “example.com”.
1.c Set Nameserver 1 to your DC’s IP.
Expected results: Your FreeNAS’s FQDN = something resembling freenas.example.com.
You can ping your DC with e.g. “ping example.com”.

2. System → NTP
2.a Set your preferred or sole NTP to either your DC’s IP, or another DC-synchronous NTP.

Expected results: Both FreeNAS and DC share the same time.

3. Directory Services → Active Directory
3.a Trying the simple joining: Enter the following information into the corresponding fields if present: domain, e.g. example.com; user, e.g. nasconnector or administrator; the corresponding password of your chosen domain user, e.g. P4ssw0rd.
3.b Press Save and be patient; the process of joining a directory might take 1-10 minutes and should under no circumstances be aborted. A semi-joined Active Directory might brick your FreeNAS’s Directory Services.
3.c You should now be part of the domain. If so inclined, you can toggle on the Encryption under Advanced settings after your joining is done. The following steps are of no interest to you if you managed to join successfully.

IF joining the domain failed:

4. System → General → Upload Config
4.a Here you will need to upload your previously downloaded configuration to reset your FreeNAS to its previous state.
4.b Follow steps 1 and 2, and ensure that all expected results are being accomplished.

5. Directory Services → Active Directory → Advanced Mode
5.a Fill in the corresponding information regarding Domain Name, Domain Account Name and Domain Account Password.
5.b Set the following options if not already set:

| Variable | Value | Comment |
|---|---|---|
| Encryption Mode | OFF | Can be switched to ON after the initial joining is complete. |
| Certificate | [EMPTY] | |
| Validate Certificates | YES (Checked) | |
| Verbose logging | NO (Unchecked) | Can be changed to YES for further troubleshooting. |
| Allow Trusted Domains | NO (Unchecked) | |
| Use Default Domain | NO (Unchecked) | |
| Allow DNS Updates | YES (Checked) | |
| Disable FreeNAS Cache | YES (Checked) | Can (usually) be switched to ON after the initial joining is complete. |
| Site Name | Default-First-Site-Name | Should be standard. |
| Kerberos Realm | EMPTY | |
| Kerberos Principal | EMPTY | |
| Computer Account OU | EMPTY | If empty, the FreeNAS should join as a Member Server in the UCS AD. |
| AD Timeout | 60 | Should be standard, can be changed to preference. |
| DNS Timeout | 10 | Should be standard, can be changed to preference. |
| Idmap | RID | Should be standard. |
| Winbind NSS Info | Empty | Should be standard. |
| SASL wrapping | SIGN | |
| Enable | YES (Checked) | |
| Netbios Name | Something resembling your machine, e.g. freenas | |
| NetBIOS alias | Empty | |

5.c Press Save and be patient; the process of joining a directory might take 1-10 minutes and should under no circumstances be aborted. A semi-joined Active Directory might brick your FreeNAS’s Directory Services.
5.d You should now be a member of the UCS’s Active Directory. If necessary, you can now set the post-setup settings like FreeNAS Cache and SSL.

6. If this failed, check that FreeNAS actually saved your AD configuration using the `midclt call activedirectory.config | jq` command in the shell.

Your config should look something like this:

```jsonc
{
  "id": 1,
  "domainname": "EXAMPLE.COM",      // Here your domain
  "bindname": "nasconnector",       // Here the domain user
  "bindpw": "P4ssw0rd",             // Here the domain user's password
  "ssl": "OFF",                     // Possibly change after initial connection
  "certificate": null,
  "validate_certificates": true,
  "verbose_logging": false,
  "allow_trusted_doms": false,
  "use_default_domain": false,
  "allow_dns_updates": true,
  "disable_freenas_cache": true,    // Possibly change after initial connection
  "site": "Default-First-Site-Name",
  "kerberos_realm": 1,
  "kerberos_principal": "",         // Empty in my setup
  "createcomputer": "",             // If empty, UCS computer group = Member\Server
  "timeout": 60,
  "dns_timeout": 10,
  "idmap_backend": "RID",
  "nss_info": null,
  "ldap_sasl_wrapping": "SIGN",
  "enable": true,
  "netbiosname": "freenas",
  "netbiosalias": []
}
```

Should you still have trouble, I’d recommend checking if your architecture requires special exceptions and perhaps follow up on this thread.
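As an added example (not from the thread, and not FreeNAS or Univention code), the following Python script automates step 6: it reads the JSON that `midclt call activedirectory.config` prints, compares every field against the pre-join values from the table in step 5.b, and prints a copy of the dump with the bind password masked, since a raw dump contains the domain account's password in cleartext and should never be pasted into a forum post as-is. It assumes python3 is available in the NAS shell and that the field names are exactly those shown in the two dumps above; the two sample configurations embedded in it are constructed from the failing and the working settings posted in this thread.

```python
"""Sanity-check a FreeNAS/TrueNAS Active Directory configuration dump.

Run on the NAS (assumes python3 is present in the shell):
    midclt call activedirectory.config | python3 check_ad_config.py
Without piped input it checks the embedded failing sample instead.
"""
import json
import sys

# Pre-join values recommended in this thread (step 5.b), keyed by the field
# names that `midclt call activedirectory.config` prints.
RECOMMENDED_PRE_JOIN = {
    "ssl": "OFF",
    "certificate": None,
    "validate_certificates": True,
    "verbose_logging": False,
    "allow_trusted_doms": False,
    "use_default_domain": False,
    "allow_dns_updates": True,
    "disable_freenas_cache": True,
    "site": "Default-First-Site-Name",
    "kerberos_principal": "",
    "createcomputer": "",
    "timeout": 60,
    "dns_timeout": 10,
    "idmap_backend": "RID",
    "nss_info": None,
    "ldap_sasl_wrapping": "SIGN",
    "enable": True,
}

# Credential fields that must never appear in a shared dump.
SECRET_KEYS = ("bindpw",)

# Constructed sample: the combination from the first post that failed to join.
FAILING_CONFIG_JSON = """{
  "id": 1, "domainname": "EXAMPLE.COM", "bindname": "nasconnector",
  "bindpw": "P4ssw0rd", "ssl": "ON", "certificate": null,
  "validate_certificates": true, "verbose_logging": true,
  "allow_trusted_doms": false, "use_default_domain": false,
  "allow_dns_updates": true, "disable_freenas_cache": true, "site": "",
  "kerberos_realm": 1, "kerberos_principal": "", "createcomputer": "",
  "timeout": 600, "dns_timeout": 100, "idmap_backend": "AD", "nss_info": "SFU",
  "ldap_sasl_wrapping": "SIGN", "enable": true, "netbiosname": "freenas",
  "netbiosalias": []
}"""

# Constructed sample: the configuration from step 6 that joined successfully.
WORKING_CONFIG_JSON = """{
  "id": 1, "domainname": "EXAMPLE.COM", "bindname": "nasconnector",
  "bindpw": "P4ssw0rd", "ssl": "OFF", "certificate": null,
  "validate_certificates": true, "verbose_logging": false,
  "allow_trusted_doms": false, "use_default_domain": false,
  "allow_dns_updates": true, "disable_freenas_cache": true,
  "site": "Default-First-Site-Name", "kerberos_realm": 1,
  "kerberos_principal": "", "createcomputer": "", "timeout": 60,
  "dns_timeout": 10, "idmap_backend": "RID", "nss_info": null,
  "ldap_sasl_wrapping": "SIGN", "enable": true, "netbiosname": "freenas",
  "netbiosalias": []
}"""


def load_config(text):
    """Parse the midclt JSON dump into a dict; reject anything that is not an object."""
    config = json.loads(text)
    if not isinstance(config, dict):
        raise ValueError("expected a JSON object from midclt")
    return config


def redact(config):
    """Return a copy with credential fields masked, safe to paste into a forum post."""
    safe = dict(config)
    for key in SECRET_KEYS:
        if safe.get(key):
            safe[key] = "<redacted>"
    return safe


def check_config(config):
    """Return (field, actual, recommended) for every field deviating from the pre-join values."""
    problems = [(key, config.get(key), want)
                for key, want in RECOMMENDED_PRE_JOIN.items()
                if config.get(key) != want]
    # The NetBIOS name has no fixed value but must be set to something.
    if not config.get("netbiosname"):
        problems.append(("netbiosname", config.get("netbiosname"), "<non-empty machine name>"))
    return problems


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else FAILING_CONFIG_JSON
    config = load_config(text)
    print(json.dumps(redact(config), indent=2))   # never echo the bind password
    problems = check_config(config)
    if not problems:
        print("configuration matches the recommended pre-join values")
        return 0
    for key, got, want in problems:
        print(f"{key}: is {got!r}, recommended {want!r}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run against the failing sample it flags ssl, verbose_logging, site, timeout, dns_timeout, idmap_backend and nss_info, which is exactly the set of fields that differ between the first post's table and the working dump; the exit status is non-zero whenever a deviation is found, so the check can be scripted before retrying a join.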
