[Samba] TLS questions
rpenny at samba.org
Mon Sep 2 11:54:59 UTC 2019
On 02/09/2019 12:18, Andrew Walker wrote:
> On Mon, Sep 2, 2019 at 5:20 AM Rowland penny via samba
> <samba at lists.samba.org> wrote:
> OK, I have figured this out and you do not need a certificate ;-)
> Log into the Freenas web gui as root.
> I used the winbind 'ad' backend, but you could probably use the 'rid'
> backend instead.
> Services -> SMB -> Configure
> Workgroup: SAMDOM
> Local Master: NO
> Domain Logons: NO
> Time server For Domain: NO
> UNIX Extension: YES
> Zeroconf share discovery: YES
> Hostnames Lookups: YES
> Allow Execute Always: YES
> Obey Pam Restrictions: YES
> Range Low: 3000
> Range High: 7999
> NOTE: the above range is for the default (*) domain
> Click 'SAVE'
> Directory Services -> Active Directory -> ADVANCED MODE
> Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
> Range Low: 10000
> Range High: 999999
> Schema mode: rfc2307
> Click 'SAVE'
> Active Directory -> ADVANCED MODE
> Domain Name: samdom.example.com
> Domain Account Name: Administrator
> Domain Account Password: xxxxxxxxxx
> Encryption Mode: Off
> Certificate: NONE
> UNIX extensions: YES
> Use Default Domain: YES
> Allow DNS updates: YES # not sure about this, but set it anyway
> Disable Freenas updates: YES
> Site Name: Default-First-Site-Name
> Kerberos Realm: SAMDOM.EXAMPLE.COM
> Idmap backend: ad
> Winbind NSS info: rfc2307
> Click 'SAVE' and you should join the domain
> "Allow DNS updates" should be checked for most situations. When it's
> unchecked the server doesn't do dynamic DNS updates (like when
> "clustering=yes"). It's related to an HA product.
That makes it like most Unix domain members and wouldn't affect me, I
use DHCP to update dns records ;-)
> The directory services code is being significantly rewritten for the
> next version of FreeNAS (11.3). Most of the parameters you've
> highlighted as unnecessary are actually being removed. If you only
> want to use the RID backend, you typically need to only enter "Domain
> Name", "Domain Account Name", and "Domain Account Password". Thank you
> for highlighting the need to configure idmap ranges prior to joining
> AD. AD site (assuming such exists) will be automatically detected and
> workgroup is automatically detected and populated. I believe in most
> cases the "tests" requested in the forums are to kinit and then "net
> -d 5 -k ads join".
All fair comments, I just tested it because I couldn't understand why it
seemed to require a certificate to join the domain, something I have
You probably do not need to set the ranges before the join, but you
definitely need to set them before starting Samba.
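The thread's practical point is that the winbind idmap ranges (the default `*` range 3000-7999 and the SAMDOM range 10000-999999) must be configured before Samba starts, and must not overlap. The following is an added example, not code from the thread, FreeNAS or Samba: it parses `idmap config` lines out of an smb.conf fragment and reports missing or overlapping ranges. The smb.conf fragments are constructed here; how the FreeNAS GUI fields map onto smb.conf parameters is an assumption, the parameter names themselves (`idmap config DOMAIN : backend/range/schema_mode`, `winbind nss info`) are standard Samba ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment approximating the settings given in the
# thread (assumption: this is how the FreeNAS GUI fields end up in smb.conf).
GOOD_CONF = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307
"""

# Constructed counter-example: the SAMDOM range was never set (the mistake
# the thread warns about) and a second domain overlaps the default range.
BAD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 5000-20000
"""

# Matches "idmap config <domain> : <key> = <value>" (domain may be "*").
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap parameters per domain; domain names are upper-cased."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        domains.setdefault(domain, {})[key] = value
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a pair of ints; raises ValueError if malformed."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges look sane."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain block")
    for domain, params in domains.items():
        if "backend" not in params:
            problems.append(f"{domain}: no backend configured")
        if "range" not in params:
            problems.append(f"{domain}: no range (winbind cannot allocate ids)")
            continue
        try:
            lo, hi = parse_range(params["range"])
        except ValueError:
            problems.append(f"{domain}: unparseable range {params['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{domain}: range low {lo} must be below high {hi}")
            continue
        ranges[domain] = (lo, hi)
    # Every pair of ranges must be disjoint, or ids from one domain would
    # collide with ids from another.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(
                    f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}"
                )
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_idmap(conf) or "OK")
```

Run it against the generated smb.conf (on a domain member, `testparm -s` prints the effective configuration) before starting winbind, since a range added after ids have already been allocated cannot be fixed without remapping.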