
Improve Active Directory section of Guide




      Several updates / fixes. Original indicates the original text in the 11.2-U5 documentation. New indicates a rough sketch of new text. My comments are enclosed in brackets [].

      Original: "Add a DNS record for the FreeNAS system on the Windows server and verify that the hostname can be pinged from the DC"

      New: "During the domain join, DNS records for the FreeNAS server's bind IPs specified under Services -> SMB will be automatically added to the Active Directory DNS if "Allow DNS updates" is checked under Directory Services -> Active Directory (the default). Otherwise, DNS records must be manually added to the Active Directory DNS."


      Original: "The time on the FreeNAS server and ADDC cannot be out of sync by more than a few minutes".

      New: "The time on the FreeNAS server and the AD DC cannot be out of sync by more than 5 minutes in a default Active Directory environment". [in 11.3 an alert will be generated if the time drifts more than 3 minutes] 

      [In 11.3 the server with the PDC emulator FSMO role in AD will be automatically added as the preferred NTP server during the domain join process].

      [Steps related to configuring FreeNAS as a member server to an AD domain that is hosted on a FreeNAS server _should_ be removed for the 11.3 guide]


      Original: UNIX extensions - [<insert words>]
      New: Deprecated feature to use SSSD to retrieve RFC2307 extensions from an Active Directory domain. Support for this feature should now be enabled by using the "ad" idmap backend.


      Original: Allow Trusted Domains  - [<insert words>]

      New: [expand note to add] If enabled, an idmap range and backend _should_ be configured for each trusted domain in the environment.


      Original: Disable FreeNAS Cache - [<insert words>]

      New: [Clarify that this only affects the user / group cache in the webui] When disabled (checked), Active Directory users and groups will not be visible in GUI dropdowns and auto-completion, but may still be manually entered.


      Original: Site Name

      New: In an AD environment, sites represent the physical topology of the network. This field is automatically populated during the domain join process if an AD site is configured for the subnet in which the FreeNAS server is located. Normally, it _should not_ be modified. [In 11.2 it stays blank if a site is not detected; in 11.3 it appears by default as the string "Default-First-Site-Name"]


      Original: Netbios Name

      New: [append] The NetBIOS name is used as the name for the computer object generated in Active Directory.


      Original: Selecting the wrong backend [idmap backends] will break AD integration

      New: After changing idmap backends, the winbind resolver cache should be refreshed by sending SIGHUP to the parent winbindd process [this happens automatically in 11.3]. The parent process can be discovered by running the command "service samba_server status" from an SSH session. SIGHUP can be sent by running the command "kill -HUP <pid>".


      Original: [RFC2307 backend]

      New: IDs for AD users are stored as RFC2307 LDAP schema extensions. This module can either look up the IDs in the AD LDAP servers or in an external (non-AD) LDAP server.


      Original: [rebuild directory service cache]

      New: This button rebuilds the GUI cache. [users would have to send a SIGHUP to winbindd to force the newly-added user to appear immediately, but this can generate increased load in a busy AD environment].


      Original: To manually check that a specified user can authenticate, enter "net ads join -U username"
      New: [don't do that] smbclient //<SHARE> -U DOMAIN\\username. Domains can be viewed by running the command "wbinfo -m"


      Original: Create bug report at "bug.ixsystems.com"

      New: point to jira


      Troubleshooting steps [does not apply to 11.3]:
      sqlite3 /data/freenas-v1.db "UPDATE directoryservice_activedirectory SET ad_enable=1"

      service ix-hostname start

      service ix-kerberos start

      service ix-kinit start

      klist [should see kerberos ticket]

      service ix-pre-samba start

      net -k -d 5 ads join [this generates verbose output of the domain join]

      service samba_server restart

      service ix-nsswitch start

      service ix-pam start

      service ix-cache start
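      An added example, not text from the ticket or the FreeNAS guide: a small sh script for two points the notes make, the clock-skew requirement against the DC (5 minute Kerberos tolerance, 3 minute 11.3 alert) and locating the parent winbindd pid that receives the SIGHUP after an idmap backend change. The `ntpdate -q` and rc.d "is running as pid" output formats it parses are assumptions modelled in the constructed samples; live mode runs the real commands on the FreeNAS host.

```shell
#!/bin/sh
# Added example (not from the ticket or the FreeNAS guide): check clock skew
# against a domain controller and find the parent winbindd pid for a SIGHUP.
# Assumed formats: `ntpdate -q` "offset <secs>," fields and rc.d status lines
# "<daemon> is running as pid <pid>." (both modelled on constructed samples).

KERB_MAX_SKEW=300   # seconds: default AD Kerberos clock tolerance (5 minutes)
ALERT_SKEW=180      # seconds: 11.3 raises an alert beyond this (3 minutes)

# Read `ntpdate -q` output on stdin, print the signed offset in seconds.
ntpdate_offset() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "offset") {
               sub(/,$/, "", $(i + 1)); print $(i + 1); exit } }'
}

# skew_status OFFSET -> ok | warn | fail, judged on the absolute offset.
skew_status() {
    awk -v off="$1" -v max="$KERB_MAX_SKEW" -v alert="$ALERT_SKEW" 'BEGIN {
        if (off < 0) off = -off
        if (off > max) print "fail"
        else if (off > alert) print "warn"
        else print "ok"
    }'
}

# Read `service samba_server status` output on stdin, print winbindd's pid.
# rc.d reports the pid recorded in the pidfile, i.e. the parent winbindd.
winbindd_pid() {
    awk '$1 == "winbindd" && /is running as pid/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

report() {   # report OFFSET PID
    printf 'clock offset vs DC: %ss -> %s\n' "$1" "$(skew_status "$1")"
    if [ -n "$2" ]; then
        printf 'parent winbindd pid %s; refresh idmap cache with: kill -HUP %s\n' "$2" "$2"
    fi
}

if [ "${AD_CHECK_LIVE:-0}" = 1 ]; then
    # Live mode on the FreeNAS host: AD_CHECK_LIVE=1 ./ad_check.sh dc1.example.com
    dc=${1:?usage: AD_CHECK_LIVE=1 $0 <domain-controller>}
    report "$(ntpdate -q "$dc" | ntpdate_offset)" "$(service samba_server status | winbindd_pid)"
else
    # Offline demo on constructed sample output (not captured from a real system).
    SAMPLE_NTP='server 10.0.0.1, stratum 3, offset -12.437, delay 0.02649'
    SAMPLE_STATUS='smbd is running as pid 1187.
nmbd is running as pid 1190.
winbindd is running as pid 1194.'
    report "$(printf '%s\n' "$SAMPLE_NTP" | ntpdate_offset)" \
           "$(printf '%s\n' "$SAMPLE_STATUS" | winbindd_pid)"
fi
```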





            tim Tim Moore
            awalker Andrew Walker