[Samba] TLS questions

Rowland penny rpenny at samba.org
Mon Sep 2 11:54:59 UTC 2019


On 02/09/2019 12:18, Andrew Walker wrote:
> On Mon, Sep 2, 2019 at 5:20 AM Rowland penny via samba 
> <samba at lists.samba.org> wrote:
>
>     OK, I have figured this out and you do not need a certificate ;-)
>
>     Log into the Freenas web gui as root.
>
>     I used the winbind 'ad' backend, but you could probably use the 'rid'
>     backend instead.
>
>     Services -> SMB -> Configure
>
>     Workgroup: SAMDOM
>     Local Master: NO
>     Domain Logons: NO
>     Time server For Domain: NO
>
>     UNIX Extension: YES
>     Zeroconf share discovery: YES
>     Hostnames Lookups: YES
>     Allow Execute Always: YES
>     Obey Pam Restrictions: YES
>
>     Range Low: 3000
>     Range High: 7999
>
>     NOTE: the above range is for the default (*) domain
>
>     Click 'SAVE'
>
>     Directory Services -> Active Directory -> ADVANCED MODE
>
>     Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
>
>     Range Low: 10000
>     Range High: 999999
>     Schema mode: rfc2307
>
>     Click 'SAVE'
>
>     Active Directory -> ADVANCED MODE
>
>     Domain Name: samdom.example.com
>     Domain Account Name: Administrator
>     Domain Account Password: xxxxxxxxxx
>
>     Encryption Mode: Off
>     Certificate: NONE
>
>     UNIX extensions: YES
>     Use Default Domain: YES
>     Allow DNS updates: YES # not sure about this, but set it anyway 
>
>     Disable Freenas updates: YES
>
>     Site Name: Default-First-Site-Name
>     Kerberos Realm: SAMDOM.EXAMPLE.COM
>     Idmap backend: ad
>     Winbind NSS info: rfc2307
>
>     Enable
>
>     Click 'SAVE' and you should join the domain
>
>     Rowland
>
>
> "Allow DNS updates" should be checked for most situations. When it's
> unchecked the server doesn't do dynamic DNS updates (like when
> "clustering=yes"). It's related to an HA product.
That makes it like most Unix domain members and wouldn't affect me, I 
use DHCP to update dns records ;-)
>
> The directory services code is being significantly rewritten for the 
> next version of FreeNAS (11.3). Most of the parameters you've 
> highlighted as unnecessary are actually being removed. If you only 
> want to use the RID backend, you typically need to only enter "Domain 
> Name", "Domain Account Name", and "Domain Account Password". Thank you 
> for highlighting the need to configure idmap ranges prior to joining 
> AD. AD site (assuming such exists) will be automatically detected and 
> workgroup is automatically detected and populated. I believe in most 
> cases the "tests" requested in the forums are to kinit and then "net 
> -d 5 -k ads join".
>
> Andrew

All fair comments, I just tested it because I couldn't understand why it 
seemed to require a certificate to join the domain, something I have 
never used.

You probably do not need to set the ranges before the join, but you 
definitely need to set them before starting Samba.

Rowland