JRG's picture

I am trying to join a FreeNAS system to a Turnkey DC. I have managed to have it connect but the idmap backend won't and I suspect it has something to do with the requirement for tls/ssl. I'm not sure exactly how I would configure that for Turnkey. Can someone please point me in the right direction? 

Jeremy Davis's picture

I have no experience with FreeNAS, nor how it works, so I'm not sure how much help I can give.

And TBH, I'm not even 100% clear on what you mean by "idmap backend". Do you mean a Samba4 AD domain? If so, then TurnKey Fileserver includes Samba4 and its default Samba config is for "standalone" filesharing (i.e. it's not configured for domain use). So assuming that FreeNAS does provide an AD domain, then my guess is that you'll probably want to have a read of this page re joining a Samba AD domain (on the Samba wiki).

If I'm completely on the wrong track, please provide a bit more explicit info on exactly what you are trying to do.

JRG's picture

I am running Turnkey Domain Controller, so it actually installs as a DC and configures itself for the most part. 

So. I guess that FreeNAS requires TLS or SSL. I had to make a CA (I used FreeNAS certificate management for this), put the files in /etc/samba/tls and point the smb.conf at them. The TurnKey DC required the self-signed CA certificate, a self-signed client certificate for the DC (issued by the self-signed CA), and the key for that client certificate. Then I was able to join the domain with the FreeNAS server. There is no Webmin section to change this. It looks like most of the included Webmin functionality is strictly client related with Samba. I had to edit the smb.conf manually and add the tls options.

I'm not really sure where FreeNAS grabs its own client certificate from. I'm guessing it is whatever you use under system settings. After this is done: under the AD settings you just pick the CA as the certificate in order to join and "sign" for the SASL wrapping.

This worked for me at least. 
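The tls options JRG says had to be added to smb.conf by hand, written out as an added illustration (this is not JRG's actual configuration): the option names are Samba's standard tls parameters, while the file names under /etc/samba/tls are assumptions.

```ini
# /etc/samba/smb.conf on the TurnKey DC (added illustration; file names under
# /etc/samba/tls are assumed, not taken from the thread)
[global]
    # ... the existing TurnKey DC settings (realm, workgroup, server role) stay as they are

    # Before: the certificate Samba generates for itself when the domain is
    # provisioned. It is self-signed, so a client that validates the DC's
    # certificate against a CA it trusts (FreeNAS here) rejects the LDAPS /
    # StartTLS connection and the idmap lookups never bind. Paths without a
    # leading slash are relative to "private dir".
    ;tls enabled  = yes
    ;tls keyfile  = tls/key.pem
    ;tls certfile = tls/cert.pem
    ;tls cafile   = tls/ca.pem

    # After: a DC certificate issued by the CA that FreeNAS also trusts
    # (JRG created both with the FreeNAS certificate manager). Absolute paths
    # avoid any confusion with "private dir". No trailing comments on these
    # lines: Samba would read them as part of the value.
    tls enabled  = yes
    # the self-signed CA certificate that FreeNAS is also given
    tls cafile   = /etc/samba/tls/ca.pem
    # the DC's own certificate, signed by that CA
    tls certfile = /etc/samba/tls/dc-cert.pem
    # the DC's private key; keep it owned by root with mode 0600
    tls keyfile  = /etc/samba/tls/dc-key.pem

    # Controls how the DC checks certificates presented by *clients*; the
    # default is "as_strict_as_possible" and needs no change for this setup.
    ;tls verify peer = as_strict_as_possible
```

`testparm -s` flags any mis-spelled option before you restart Samba, and `openssl verify -CAfile /etc/samba/tls/ca.pem /etc/samba/tls/dc-cert.pem` confirms the DC certificate really chains to the CA you handed FreeNAS.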

Jeremy Davis's picture

Glad to hear that you worked it out. Thanks for posting back too. I'm sure others will find the info useful! :)

PS apologies that I totally missed you were using the TurnKey DC appliance... As per my first post, for some reason I had in my head that you were using our Fileserver appliance. Doh!

JRG's picture

NP. Figured this might help someone in the future. The configuration for TLS isn't very intuitive in any documentation anywhere. I was using the FreeNAS server as the DC but I realized this was a bad practice, so I found TurnKey DC and added a 1U low-powered dual core Atom to run it. I've had situations where the FreeNAS server had to go down or went down for other reasons (power outage) and this affected my ability to log in to certain areas of my network.
