Active Directory
Active Directory (AD) is a service for sharing resources in a Windows network. AD can be configured on a Windows server that is running Windows Server 2000 or higher or on a Unix-like operating system that is running Samba version 4. Since AD provides authentication and authorization services for the users in a network, you do not have to recreate these user accounts on the FreeNAS® system. Instead, configure the Active Directory service so that it can import the account information and imported users can be authorized to access the CIFS shares on the FreeNAS® system.
NOTE: many bug fixes and improvements have been made to Active Directory support within FreeNAS®. If you are not running the latest release version of FreeNAS®, it is strongly recommended that you upgrade before attempting Active Directory integration.
Before configuring the Active Directory service, ensure name resolution is properly configured by pinging the domain name of the Active Directory domain controller from Shell on the FreeNAS® system. If the ping fails, check the DNS server and default gateway settings in Network → Global Configuration on the FreeNAS® system.
Next, add a DNS record for the FreeNAS® system on the Windows server and verify that you can ping the hostname of the FreeNAS® system from the domain controller.
Active Directory relies on Kerberos, which is a time-sensitive protocol. This means that the clocks on the FreeNAS® system and the Active Directory Domain Controller cannot be out of sync by more than a few minutes. The best way to ensure that both systems keep the same time is to configure both systems to:
- use the same NTP server (set in System → NTP Servers on the FreeNAS® system)
- have the same timezone
- be set to either localtime or universal time at the BIOS level
Figure 8.2a shows the Active Directory Configuration screen and Table 8.2a describes the configurable options. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by checking the box “Show advanced fields by default” in System → Settings → Advanced.
Figure 8.2a: Configuring Active Directory
Table 8.2a: Active Directory Configuration Options
| Setting | Value | Description |
|---|---|---|
| Domain Name | string | name of Active Directory domain (e.g. example.com) or child domain (e.g. sales.example.com) |
| NetBIOS Name | string | hostname of FreeNAS® system |
| Workgroup Name | string | name of Windows server's workgroup (for older Microsoft clients) |
| Administrator Name | string | name of the Active Directory administrator account |
| Administrator Password | string | password for the Active Directory administrator account |
| Verbose logging | checkbox | if checked, logs attempts to join the domain to /var/log/messages |
| UNIX extensions | checkbox | only check this box if the AD server has been explicitly configured to map permissions for UNIX users; checking this box provides persistent UIDs and GIDs, otherwise, users/groups get mapped to the UID/GID range configured in Samba |
| Allow Trusted Domains | checkbox | should only be enabled if network has active domain/forest trusts and you need to manage files on multiple domains; use with caution as it will generate more winbindd traffic, slowing down the ability to filter through user/group information |
| Use default domain | checkbox | when unchecked, the domain name is prepended to the username; if Allow Trusted Domains is checked and multiple domains use the same usernames, uncheck this box to prevent name collisions |
| Domain Controller | string | can be used to specify hostname of domain controller to use |
| Global Catalog Server | string | can be used to specify hostname of global catalog server to use |
| Kerberos Server | string | can be used to specify hostname of kerberos server to use |
| Kerberos Password Server | string | can be used to specify hostname of kerberos password server to use |
| AD timeout | integer | in seconds, increase if the AD service does not start after connecting to the domain |
| DNS timeout | integer | in seconds, increase if AD DNS queries timeout |
NOTE: Active Directory places restrictions on which characters are allowed in Domain and NetBIOS names. If you are having problems connecting to the realm, verify that your settings do not include any disallowed characters. Also, the Administrator Password cannot contain the $ character. If a $ exists in the domain administrator's password, kinit will report a "Password Incorrect" error and ldap_bind will report an "Invalid credentials (49)" error.
Once you have configured the Active Directory service, start it in Services → Control Services. It may take a few minutes for the Active Directory information to be populated to the FreeNAS® system. Once populated, the AD users and groups will be available in the drop-down menus of the permissions screen of a volume/dataset. For performance reasons, not every available user may appear in the listing. However, the field will autocomplete all applicable users if you start typing a username.
You can verify which Active Directory users and groups have been imported to the FreeNAS® system by using these commands within the FreeNAS® Shell:
wbinfo -u (to view users)
wbinfo -g (to view groups)
In addition, wbinfo -t will test the connection and, if successful, will give a message similar to:
checking the trust secret for domain YOURDOMAIN via RPC calls succeeded
To manually check that a specified user can authenticate:
net ads join -S dcname -U username
If no users or groups are listed in the output of those commands, these commands will provide more troubleshooting information:
getent passwd
getent group
Troubleshooting Tips
If you are running AD in a 2003/2008 mixed domain, see this forum post for instructions on how to prevent the secure channel key from becoming corrupt.
Active Directory uses DNS to determine the location of the domain controllers and global catalog servers in the network. Use the host -t srv _ldap._tcp.domainname.com command to determine the network's SRV records and, if necessary, change the weight and/or priority of the SRV record to reflect the fastest server. More information about SRV records can be found in the Technet article How DNS Support for Active Directory Works.
The realm that is used depends upon the priority in the SRV DNS record, meaning that DNS can override your Active Directory settings. If you are unable to connect to the correct realm, check the SRV records on the DNS server. This article describes how to configure KDC discovery over DNS and provides some examples of records with differing priorities.
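The following script is an added example, not part of the FreeNAS® documentation or code. It ranks the LDAP SRV records of a domain the way a Kerberos/LDAP client does (RFC 2782: lowest priority first, then highest weight among equal priorities), so you can see which domain controller DNS will steer the FreeNAS® system to and whether that matches the Domain Controller you configured. The three SRV lines in SAMPLE_SRV are constructed in the format printed by host -t srv; the domain example.com and the hostnames dc1, dc2 and dc-branch are placeholders.

```shell
#!/bin/sh
# Rank _ldap._tcp SRV records as an AD client would (lowest priority wins;
# within one priority, higher weight is preferred). Added example, not FreeNAS code.

# Constructed sample in the layout printed by `host -t srv _ldap._tcp.example.com`:
# "<name> has SRV record <priority> <weight> <port> <target>."
SAMPLE_SRV='_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_ldap._tcp.example.com has SRV record 10 100 389 dc-branch.example.com.
_ldap._tcp.example.com has SRV record 0 20 389 dc2.example.com.'

# rank_srv: read host(1) output on stdin and print "priority weight port target",
# first line being the server a client tries first.
rank_srv() {
    awk '/has SRV record/ {
            sub(/\.$/, "", $NF)                      # drop trailing dot from FQDN
            print $(NF-3), $(NF-2), $(NF-1), $NF     # priority weight port target
         }' \
    | sort -k1,1n -k2,2nr                            # priority ascending, weight descending
}

# preferred_dc: hostname of the domain controller DNS steers clients to.
preferred_dc() {
    rank_srv | head -n 1 | awk '{ print $4 }'
}

# srv_agrees WANTED_DC: succeed when DNS already prefers the controller you
# configured in the Domain Controller field; fail when the SRV priority/weight
# on the DNS server would send clients elsewhere and needs adjusting.
srv_agrees() {
    [ "$(preferred_dc)" = "$1" ]
}

# lookup_srv DOMAIN: live query (needs working DNS), e.g. lookup_srv example.com
lookup_srv() {
    host -t srv "_ldap._tcp.$1"
}

# Stand-alone use: `sh srv_rank.sh example.com` ranks the real records;
# with no argument the constructed sample is ranked instead.
if [ -n "${1:-}" ]; then
    lookup_srv "$1" | rank_srv
else
    printf '%s\n' "$SAMPLE_SRV" | rank_srv
fi
```

With the sample records, dc1.example.com is tried first (priority 0, weight 100), dc2.example.com second (priority 0, weight 20) and dc-branch.example.com only if both priority-0 servers fail. If srv_agrees reports a mismatch with the Domain Controller you entered, adjust the priority or weight on the DNS server as described above rather than expecting the FreeNAS® setting alone to win.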
If the cache becomes out of sync due to an AD server being taken off and back online, resync the cache using System → Settings → Advanced → Rebuild LDAP/AD Cache.
An expired password for the administrator account will cause kinit to fail so ensure that the password is still valid.
