To resolve a FreeNAS unit not joining a domain properly despite using proper credentials.
- A unit running FreeNAS
- An active directory domain
- An AD account with administrative privileges
On the FreeNAS installation that is having difficulty joining the domain, ensure that all variables are set properly.
Double check all network settings, if necessary, ensure the domain controller is in the gateway address list.
Confirm domain join credentials. It’s necessary for the account used to join the domain to be a domain administrator.
If an error while joining the domain is shown, such as:
80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580, Invalid credentials
Follow these steps to attempt a domain join:
- In the FreeNAS Shell, enter:
- sqlite3 /data/freenas-v1.db “update directoryservice_activedirectory set ad_enable=1;”
- echo $?
– This should return a value of 0.
- start the following services:
service ix-kerberos start
service ix-nsswitch start
service ix-kinit start
service ix-kinit status
- echo $?
- klist should list a kerberos ticket
After this, run the following commands followed by echo. Echo should return a 0.
- python /usr/local/www/freenasUI/middleware/notifier.py start cifs
- service ix-activedirectory start
- service ix-activedirectory status
- echo $?
- python /usr/local/www/freenasUI/middleware/notifier.py restart cifs
- service ix-pam start
- service ix-cache start &
While running this set of commands, it should notate that a domain join as occurred. To verify this, use getent passwd or getent group to list all domain users or groups.
Under a dataset or pool’s permissions, the group or users should also be selectable.
If the join still fails, make sure to add the FreeNAS unit under the Unmanaged Computers OU.
Double check domain account credentials. Re-enter them if necessary.
Check with AD Admin to ensure the account being used has sufficiently elevated privileges for a full domain join.