[SoftNAS KB]: Integrate SoftNAS with Active Directory prior to Version 3


Integration of SoftNAS into Active Directory enables domain users to more securely share files and data in a corporate environment.  Authentication is managed by Active Directory (AD) via Kerberos.  Kerberos tickets are issued to users authenticated to AD.  When a user accesses a CIFS share managed by SoftNAS, the ticket is then verified with AD to ensure it is authentic and valid before allowing access to the shares.  Windowsuser ID's and groups (e.g., Domain Users) are transparently and dynamically mapped from AD into SoftNAS and Linux, making access seamless for Windows users.
When integrated into a domain environment, SoftNAS becomes another member server of the domain - like any other Windows server joined to the domain.
Authorization and granular access controls are available to manage the level of access available to various users and user groups.


The following sections detail how to configure SoftNAS for integration with Active Directory and how to troubleshoot and resolve common issues that can arise during AD integration.


On Linux, Samba is used to provide access to CIFS for access from Windows-based systems.  Samba uses a program called "winbind", which binds Windows authentication and identities (e.g., AD users and groups) with Linux, and automatically maps Windows users and groups to Linux users and groups.
Please use the following process to integrate Active Directory with SoftNAS and Linux with Samba:

Adding Domain Controllers as DNS Server for SoftNAS

In order to integrate AD with the SoftNAS Linux operating system, the first step is enabling the SoftNAS Linux system to resolve host names into IP addresses for the Active Directory controller, DNS server(s) and the SoftNAS Linux system itself (so you can use host names instead of IP addresses in the following steps).
You need to verify that your hostname and DNS are set up correctly:
1.  To do so,  in the Left Navigation Pane, navigate to General System Settings -> Networking > Network Configuration > Hostname and DNS client and Host Addresses.
2.  The DNS for SoftNAS, when integrated within an Active Directory environment, should be the domain controllers (like any other member server in the domain).
Begin by configuring your hostname and DNS client lookup for the SoftNAS server.  Note that the Hosts file is configured to be used first for name resolution.  In our examples, we use a domain name "SOFTNAS.local" and our domain controller and DNS is on the local data center network.  Our example host name is "SOFTNASTEST".

3. Press the "Save" button to save the changes.  The following screen with reappear:

4. Choose the "Host Addresses" menu item and add host table entries
In the following example, the IP address of the Active Directory controller is, so its FQDN is entered (WIN-00B96QSOC44).SOFTNAS.local, along with the "realm" name "SOFTNAS.LOCAL" in lower-case, upper-case and just the domain name "SOFTNAS".  The next entry maps the IP address of the SoftNAS Linux host's IP address to FQDN "softnastest.softnasdev.local", "softnastest" and "SOFTNASTEST".

To create each host table entry, click on the "Add a new host address" link, then fill in the form that appears, then press "Create":

5. Repeat for both the Active Directory and SoftNAS host entries so your final host table looks similar to this:

5. Restart the network system to ensure the new DNS resolution rules are in effect.
NOTE: Anytime you change the DNS or network settings, be sure to either issue a  service network restart command as the root user or reboot SoftNAS with a sync; sync; reboot sequence to restart the network subsystem so the new settings will take effect.
6. Verify the host mappings work correctly from a command line (on the SoftNAS host via SSH or a console)
You may also want to verify that your host entries are correct by pinging them with "ping" commands that confirm each mapping is correct.  This is important because if these host name lookups are incorrect, other steps which follow will fail, so take a minute to verify the host mappings are working as expected for best results.
If you prefer to do this verification via the StorageCenter UI, you can use the following screen to do so.  To reach the Command Shell screen, choose Settings > General System Settings, which will open a new window with access to the full Webmin console, then choose Others > Command Shell.
Be sure to specify the "count" of pings using the "-c 4" switch (or the command will run indefinitely and not return)

Configuring Kerberos to Connect to Active Directory

1.  Log on to SoftNAS StorageCenter.
2.  In the Left Navigation Pane, select the Settings > Identity and Access Control > Kerberos option (under the Settings section).

The Kerberos Configuration panel will be displayed.
3.  Enter the the full AD server name in upper case in the Realm text entry box; e.g., YOURDOMAIN.COM, MYDOMAIN.LOCAL.
4.  Click the Update Configuration button.

Verifying Kerberos is working

In the above example, SOFTNAS.LOCAL is the full domain name.  Log in to a command shell using SSH, SoftNAS Console (VMware/Hyper-V) or use the Command Shell (see above example).
Issue the following commands:
"kinit" is used to log in as the AD administrator.  Note that for best results use the actual domain administrator, not a user with domain admin rights.
    [root@softnas]# kinit -p administrator
    Password for administrator@SOFTNAS.LOCAL:
Next, list the Kerberos ticket, which proves you successfully logged into AD.
    [root@softnas]# klist
You should see something like:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@SOFTNAS.LOCAL
    Valid starting     Expires            Service principal
    01/21/13 17:26:12  01/22/13 03:26:20  krbtgt/SOFTNAS.LOCAL@SOFTNAS.LOCAL
            renew until 01/22/13 17:26:12    

Editing Samba Windows Networking Options settings with SoftNAS GUI

1.  Log on to SoftNAS StorageCenter.
2.  In the Left Navigation Pane, select the CIFS option under the Storage section.
The CIFS Shares panel will be displayed. From here, you can configure and manage CIFS sharing.

3.  Click the Windows Networking icon in the Global Configuration section.

4.  Enter your short domain name (e.g., SOFTNAS) in the Workgroup field.
5.  Enter the NetBIOS name of your SoftNAS Server (how it will show up under Windows Networking) in the Server Name text entry box.
6.  Select the Active Directory option from the Security drop down list.
7.  Enter the FQDN of your domain controller; e.g., dc01.softnas.local in the Password Server text entry box.
8.  Click the Save button.

Configuring Winbind with SoftNAS GUI

1.  Log on to SoftNAS StorageCenter.
2.  In the Left Navigation Pane, select the CIFS option under the Storage section.
The CIFS Shares panel will be displayed. From here, you can configure and manage CIFS sharing.

3. Click the Winbind Options icon in the Global Configuration section.

4.  Enter the full domain name of your Windows domain; e.g., SOFTNAS.LOCAL, MYDOMAIN.COM, etc in the Kerberos Realm on Domain Server text entry box.
5.  Enter the range as 10000-30000 in the Range of UIDs for Windows Users text entry box. Using this numeric range, the mapping of Windows user ID's to Linux UID's occurs dynamically.
6.  Similary enter the range as 10000-30000 in the Range of UIDs for Windows Groups text entry box for mapping of groups.
7.  Click the Save button.

Editing the /etc/samba/smb.conf File

1.  Navigate to nano or vi editor as root user.
2.  Open the /etc/samba/smb.conf file.
3. Delete these 2 lines:
winbind trusted domains only = yes
winbind use default domain = yes
4.  Add these 2 lines:
winbind enum users = yes
winbind enum groups = yes

Restarting Services and Joining the Active Directory domain

You need to restart samba, winbind, then connect softnas to domain and restart the services again.
[root@softnas] # service winbind restart
[root@softnas] # service smb restart
[root@softnas] # service nmb restart
Then join the AD domain:
[root@softnas] # net ads join -U administrator
When you run the net ads join -U administrator command, make certain the administrator's user name is exactly the same  (it is case-senstive) and that the password matches exactly as entered in step 3 under Active Directory Integration above.
Then restart the services again.
[root@softnas] # service winbind restart
[root@softnas] # service smb restart
[root@softnas] # service nmb restart

Verifying "winbind" Displays All Users and Groups

Use the "wbinfo" command to confirm that you are able to list the AD users and groups:
[root@softnas] wbinfo -u
[root@softnas] wbinfo -g
SOFTNAS\domain computers
SOFTNAS\domain controllers
SOFTNAS\schema admins
SOFTNAS\enterprise admins
SOFTNAS\cert publishers
SOFTNAS\domain admins
SOFTNAS\domain users
SOFTNAS\domain guests
SOFTNAS\group policy creator owners
SOFTNAS\ras and ias servers
SOFTNAS\allowed rodc password replication group
SOFTNAS\denied rodc password replication group
SOFTNAS\read-only domain controllers
SOFTNAS\enterprise read-only domain controllers

Additional Information for Troubleshooting

For information on creating a CIFS Share and integrating it with AD, see:
Creating CIFS Share

Useful Commands

The following commands are useful when troubleshooting Active Directory integration issues.
# kinit -p administrator
Verify that Kerberos (winbind) is able to authenticate to the configured Active Directory domain (enter a domain admin account and password).
# net ads leave -U administrator   (or an account w/ domain admin prrivs)
Remove SoftNAS as a member of the domain.
# net ads join -U administrator
Join SoftNAS as a member of the domain.
# wbinfo -u
Display a list of Windows users that will be mapped as valid Linux users.
# wbinfo -g
Display a list of Windows groups that will be mapped as valid Linux groups.
# wbinfo -t
Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working

Log Files

Should you run into issues with AD integration, there are a number of log files in the /var/log/samba folder.  You can increase the logging level with the "log level = 3" (up to 9), which provides standard Samba logging level control.
Also, remember to check your AD / domain controller's event logs if you find yourself troubleshooting AD integration issues, so you can see what is taking place from the AD perspective on your domain controller.

Domain Name Services

As with any network services, be sure DNS on your domain controller is configured with the SoftNAS node's IP address and name.  Also, please ensure SoftNAS network interface is configured to use the domain controller(s) as its authoritative DNS server.

Kerberos and Server Times

Kerberos tickets are issued with a timestamp and expiration.  Therefore, it is important that SoftNAS is properly time synchronized with the AD / domain controller.  If your domain controller is your authoritative NTP server, then configure SoftNAS time server to point to the domain controller.  If you use an external NTP server, make sure SoftNAS time is synchronized to the same source as your domain controller, so you don't experience any significant time drift between SoftNAS and your DC's time source.

Example Configuration Files

The following configuration files are properly formatted and valid, should you need to verify and/or troubleshoot configurations as you customize integration with your particular Active Directory environment (it's helpful to have a known working example as a reference point).


log file = /var/log/samba/log.%m
load printers = no
idmap gid = 10000-30000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
encrypt passwords = yes
realm = SOFTNASDEV.LOCAL <==== This is your long domain name; e.g., MYDOMAIN.COM, ADOMAIN.LOCAL, etc.
password server = WIN-00B96QS0C44.SOFTNASDEV.local <==== this is the DNS name of your AD / domain controller
template shell = /bin/bash
netbios name = SOFTNAS2 # <=== this is the name of your SoftNAS node in NetBIOS
server string = Samba Server Version %v
idmap uid = 10000-30000
workgroup = SOFTNASDEV <==== this is the short domain name
os level = 1
security = ads <======== must be set to ads, since in the default 3.4.4 is shipped with tis option set to AUTO
max log size = 50
winbind separator = \
log level = 3
domain master = no
local master = no
preferred master = no
client use spnego = yes
client ntlmv2 auth = yes
comment = Shared volume
writeable = yes
browseable = yes
read only = no
path = /naspool1/vol01
valid users = "rbraddy" <=== use only the user name(s) here (not fully-qualified DOMAIN\username) or AD groups; e.g., "Domain Users", "Domain Admins"
Here are the other config files, in case you need working examples.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
default_realm = SOFTNASDEV.LOCAL
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
kdc = WIN-00B96QS0C44.SOFTNASDEV.local
admin_server = WIN-00B96QS0C44.SOFTNASDEV.local
default_domain = SOFTNASDEV.LOCAL
.softnasdev.local = SOFTNASDEV.LOCAL
softnasdev.local = SOFTNASDEV.LOCAL
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
passwd: files winbind
shadow: files
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files dns
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

Common errors

Host is not configured as a member server
root@rlazsn01:/etc/samba# net ads join -U administrator@SOFTNAS.LOCAL
Host is not configured as a member server.
Invalid configuration. Exiting....
Failed to join domain: This operation is only allowed for the PDC of the domain.

This error results from the configuration parameter security being set to AUTO in /etc/samba/smb.conf