[Samba] TLS questions

Andrew Walker walker.aj325 at gmail.com
Mon Sep 2 11:18:44 UTC 2019

On Mon, Sep 2, 2019 at 5:20 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> OK, I have figured this out and you do not need a certificate ;-)
> Log into the Freenas web gui as root.
> I used the winbind 'ad' backend, but you could probably use the 'rid'
> backend instead.
> Services -> SMB -> Configure
> Workgroup: SAMDOM
> Local Master: NO
> Domain Logons: NO
> Time server For Domain: NO
> UNIX Extension; YES
> Zeroconf share discovery: YES
> Hostnames Lookups: YES
> Allow Execute Always: YES
> Obey Pam Restrictions: YES
> Range Low: 3000
> Range High: 7999
> NOTE: the above range is for the default (*) domain
> Click 'SAVE'
> Directory Services -> Active Directory -> ADVANCED MODE
> Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
> Range Low: 10000
> Range High: 999999
> Schema mode: rfc2307
> Click 'SAVE'
> Active Directory -> ADVANCED MODE
> Domain Name: samdom.example.com
> Domain Account Name: Administrator
> Domain Account Password: xxxxxxxxxx
> Encryption Mode: Off
> Certificate: NONE
> UNIX extensions: YES
> Use Default Domain: YES
> Allow DNS updates: YES # not sure about this, but set it anyway

Disable Freenas updates: YES
> Site Name: Default-First-Site-Name
> Kerberos Realm: SAMDOM.EXAMPLE.COM
> Idmap backend: ad
> Winbind NSS info: rfc2307
> Enable
> Click 'SAVE' and you should join the domain
> Rowland

 "Allow DNS updates" should be checked for most situations. When it's
unchecked the server doesn't do dynamic DNS updates (like when
"clustering=yes"). It's related to an HA product.

The directory services code is being significantly rewritten for the next
version of FreeNAS (11.3). Most of the parameters you've highlighted as
unnecessary are actually being removed. If you only want to use the RID
backend, you typically need to only enter "Domain Name", "Domain Account
Name", and "Domain Account Password". Thank you for highlighting the need
to configure idmap ranges prior to joining AD. AD site (assuming such
exists) will be automatically detected and workgroup is automatically
detected and populated. I believe in most cases the "tests" requested in
the forums are to kinit and then "net -d 5 -k ads join".


More information about the samba mailing list