Update 5/31/2018: Please skip to end of thread for how I solved this on-going problem I had been having for several months
Hi,
I'm new to the thread and fairly new to FreeBSD, plus I'm coming over from FreeNAS, so please bear with me (I understand the animosity). I'll try to include as much relevant info as I can to make this as pain-free as possible:
I have a FreeNAS zpool I've imported into a FreeBSD 11.1-RELEASE VM running on ESXi 6.5. FreeNAS 11u2 was what I was using, which is based on FreeBSD 10.3-STABLE.
I have Windows Server 2016 Core AD with all my user info. FreeNAS was joined to my domain (just a small home network, nothing complicated) and my ZFS volume has file permissions with domain users owning files and directories in their shares.
FreeBSD has an A-name entry in the DNS server and is properly responding, including reverse-lookup. FreeBSD is synchronized with my DC for NTP.
Here's an example of ls currently at /tank/:
Code:
...
drwxrwxr-x+ 21 21105 20513 32 Aug 2 14:24 Avery
drwxrwxr-x+ 2 root wheel 4 Jul 19 14:11 TestShare
drwxrwxr-x+ 4 20500 20513 5 Aug 2 14:00 homes
drwxr-xr-x 8 root wheel 9 Sep 19 18:44 jails
drwxr-xr-x 2 root 1000 5 Jul 19 10:52 samba
...
As you can see, ownership of Avery and homes shares are now uid and gid numbers, rather than the domain users they used to belong to and display, e.g. DOMAIN\user. I'm not sure if that's particularly relevant, but it concerns me.
samba46-4.6.6 has been installed (all packages installed using pkg). My smb4.conf file is extrapolated from my old FreeNAS VM.
Here's where I'm at so far:
- I seem to be able to join the domain without issue, e.g.
  # net ads join -U user@domain%password
- I seem to be able to get a kerberos ticket without issue, e.g.
  # kinit user@domain.com
- testparm does not complain about anything in my smb4.conf
- I can connect to \\FREENAS and see the shares, but don't seem to be able to connect to \\FREENAS.DOMAIN.COM, which is odd because I used to be able to
- # wbinfo -u and wbinfo -g show me domain users and groups as expected
- I cannot access the fileshares with either DOMAIN\user or root - I've tried chown -R root:wheel of /tank/TestShare to test it out
- I do not see domain users or groups when using getent passwd or getent group respectively
Let's start with my smb4.conf (I have commented out several lines for testing):
Code:
[global]
dos charset = CP437
multicast dns register = No
realm = DOMAIN.COM
server string = FreeBSD Server
workgroup = DOMAIN
wins server = dc01.domain.com
domain master = No
lm announce = Yes
local master = No
preferred master = No
nsupdate command = /usr/local/bin/samba-nsupdate -g
client ldap sasl wrapping = plain
logging = file
max log size = 51200
kernel change notify = No
panic action = /usr/local/libexec/samba/samba-backtrace
disable spoolss = Yes
load printers = No
printcap name = /dev/null
server min protocol = SMB2
allow trusted domains = No
map untrusted to domain = Yes
map to guest = Bad User
obey pam restrictions = Yes
security = ADS
server role = member server
deadtime = 15
hostname lookups = Yes
max open files = 234812
template homedir = /tank/homes/%D/%U
template shell = /bin/sh
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind offline logon = Yes
winbind refresh tickets = Yes
dns proxy = No
# the idmap domain name must match "workgroup" above; ranges declared for any
# other name are never consulted and winbind falls back to the "*" backend
idmap config DOMAIN: range = 20000-90000000
idmap config DOMAIN: backend = rid
idmap config *: range = 90000001-100000000
idmap config *: backend = tdb
store dos attributes = Yes
strict locking = No
directory name cache size = 0
dos filemode = Yes
acl allow execute always = Yes
ea support = Yes
create mask = 0666
directory mask = 0777
[Avery]
path = "/tank/Avery"
veto files = /.snapshot/.windows/.mac/.zfs/
read only = No
; vfs objects = zfs_space zfsacl streams_xattr aio_pthread
; zfsacl:acesort = dontcare
; nfs4:chown = true
; nfs4:acedup = merge
; nfs4:mode = special
[TestShare]
path = "/tank/TestShare"
veto files = /.snapshot/.windows/.mac/.zfs/
read only = No
; vfs objects = zfs_space zfsacl streams_xattr aio_pthread
; zfsacl:acesort = dontcare
; nfs4:chown = true
; nfs4:acedup = merge
; nfs4:mode = special
[homes]
comment = Home Directories
path = "/tank/homes/%D/%U"
veto files = /.snapshot/.windows/.mac/.zfs/
read only = No
valid users = %D\%U
vfs objects = zfs_space zfsacl streams_xattr aio_pthread
zfsacl:acesort = dontcare
nfs4:chown = true
nfs4:acedup = merge
nfs4:mode = special
Here's my /etc/krb5.conf:
Code:
[libdefaults]
default_realm = DOMAIN.COM
# the section is named domain_realm; it maps DNS domains to the Kerberos realm
[domain_realm]
.happy.hut = DOMAIN.COM
Here's /etc/pam.d/login:
Code:
# auth
auth sufficient pam_self.so no_warn
# pam_winbind goes before the system include: pam_unix in "system" is "required",
# so a domain user it rejects cannot be rescued by a later "sufficient" module
auth sufficient /usr/local/lib/pam_winbind.so
auth include system
# account
account requisite pam_securetty.so
account required pam_nologin.so
account sufficient /usr/local/lib/pam_winbind.so
account include system
# session
session include system
# password
password include system
Does anyone know what might be going on here? I'd really like to get this working.
Thanks!
-Avery
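As an added example (not code from Avery's post or from FreeNAS), a POSIX shell script that checks a Samba member-server setup for two mismatches that can produce the symptoms described above: idmap ranges declared under a name other than the workgroup, and an nsswitch.conf that never consults winbind. File paths are assumptions and the sample config files are constructed from the lines in the post.

```shell
#!/bin/sh
# Added diagnostic example, not code from the original post: checks a Samba
# member-server setup for two mismatches that can produce the symptoms above,
# idmap ranges declared for a name other than the workgroup (winbind then uses
# the "*" tdb backend, so old rid-based owners show as bare numbers) and an
# nsswitch.conf without winbind (wbinfo works but getent stays empty).
# Paths are assumptions; the sample files below are constructed.

# Print the configured workgroup (upper-cased) from an smb4.conf.
smb_workgroup() {
    awk -F= 'tolower($1) ~ /^[ \t]*workgroup[ \t]*$/ {
        gsub(/^[ \t]+|[ \t]+$/, "", $2); print toupper($2); exit }' "$1"
}

# Print each "idmap config <name>:" domain that is neither "*" nor the workgroup.
idmap_mismatches() {
    wg=$(smb_workgroup "$1")
    awk -v wg="$wg" -F: 'tolower($1) ~ /^[ \t]*idmap config / {
        d = $1; sub(/^[ \t]*idmap config[ \t]*/, "", d); gsub(/[ \t]+$/, "", d)
        if (d != "*" && toupper(d) != wg && !seen[d]++) print d }' "$1"
}

# Print the idmap domain whose range contains numeric id $2, or "none".
idmap_range_for() {
    awk -v id="$2" -F: 'tolower($0) ~ /idmap config .*: *range *=/ {
        d = $1; sub(/^[ \t]*idmap config[ \t]*/, "", d); gsub(/[ \t]+$/, "", d)
        split($2, kv, "="); split(kv[2], r, "-")
        if (id + 0 >= r[1] + 0 && id + 0 <= r[2] + 0) { print d; found = 1 } }
        END { if (!found) print "none" }' "$1"
}

# Print "yes" if both passwd and group lookups in nsswitch.conf include winbind.
nss_has_winbind() {
    awk 'tolower($1) ~ /^(passwd|group):$/ { n++; if ($0 ~ /winbind/) ok++ }
         END { r = (n == 2 && ok == 2) ? "yes" : "no"; print r }' "$1"
}
# Constructed samples: the post's workgroup/idmap lines and FreeBSD's stock
# nsswitch.conf, which has no winbind entry.
TMP=$(mktemp -d); SMB="$TMP/smb4.conf"; NSS="$TMP/nsswitch.conf"
cat > "$SMB" <<'EOF'
[global]
workgroup = DOMAIN
idmap config happy: range = 20000-90000000
idmap config happy: backend = rid
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
EOF
printf 'passwd: compat\ngroup: compat\n' > "$NSS"
echo "idmap names not matching workgroup $(smb_workgroup "$SMB"): $(idmap_mismatches "$SMB")"
echo "uid 21105 maps via: $(idmap_range_for "$SMB" 21105); nsswitch winbind: $(nss_has_winbind "$NSS")"
```

Run it against the real /usr/local/etc/smb4.conf and /etc/nsswitch.conf to see whether the owners shown by ls fall inside the range winbind is actually using.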