Cannot authenticate to OpenDirectory

[Simon Pierre Desrosiers]

Hello all,

I have configured a freenas (FreeNAS-11.1-U4) system to authenticate to an openDirectory (
10.11.6
). Configuration seems to be not that bad since I can retrieve the list of my users and the list of groups comming from my ldap server using getent passwd Using ldapsearch and ldapwhoami, I can actually verify my password and it works :

Code:

root@delos:~ # ldapwhoami -vvv -D "uid=legros,cn=users,dc=myserver,dc=mydomain,dc=com" -W -H ldap://myserver:389 -x
ldap_initialize( ldap://laposte:389/??base )
Enter LDAP Password: 
dn:uid=legros,cn=users,dc=myserver,dc=mydomain,dc=com
Result: Success (0)
root@delos:~ # ldapwhoami -vvv -D "uid=legros,cn=users,dc=myserver,dc=mydomain,dc=com" -W  -x
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
dn:uid=legros,cn=users,dc=myserver,dc=mydomain,dc=com
Result: Success (0)
root@delos:~ # 

But I cannot login to afp nor to smb nor to ssh, or su on the freenas. Nothing gets logged on the freenas or the ldap server.

If I run tcpdump, I can see that the freenas tries to authenticate to the ldap server, some answer is comming back, but I can still not mount the shares. I do have shares define to a directory for which permission have been set to a domain user.

From here, any help would be appreciated.

One last thing, the enable check box will not get checked. But nsswitch.conf seems correctly updated with ldap entries at group and passwd.

 

[Simon Pierre Desrosiers]

Anyone ?

 

[RegularJoe]

well SMB(samba) has issues with OpenLDAP backend on samba4 and higher. FreeNAS 11.1-u4 is on Samba 4.7. You may want to try something more simple like NFS on your FreeNAS box and verify that you can get that to work. I believe by default logging on FreeNAS is set very low so your going to have to figure out how to increase the logging. I am new to this part and will be doing a similar project for a place that is all Mac.

 

[Simon Pierre Desrosiers]

That is not a good news for my plan to phase out macosx server and replace some services that it offers with freenas.

I have run more tests. I have been able to activate (enable) ldap. Both with or without samba support. Without, you get a very clear message that you will not be able to use ldap to login into smb. For that, one has to use "ldap backend = fruit" as the documentation states fleetingly. Also, no "kerberos realm should be selected".

Problem is, with samba support, the smb service will not even start. The smbd4.conf file actually disappears as soon as the ldap conf kicks in. In either case (with or without samba option), nor afp, nor su will accept to login an ldap user. Yet, I can still get the expected results with getent passwd.

To answer one of your question/comment, you can start smbd server by hand: /usr/local/sbin/smbd -S -F --debuglevel=3. It will log a lot of things at the console. debuglevel=3 is as hight as you should go according to the man page, more than three is only masochistic.

 

[RegularJoe]

FreeNAS is a NAS appliance and for some of the complex stuff you have to just spin up a jail, install webmin and samba4.x in that jail. That is what I am going to have to do and then have the FreeNAS samba join that Active Directory domain. If there is a setting you need and the gui does not have it your custom setting is going to get stomped on every change.

The other thing that I saw, I might be wrong on this but if you use local users and groups for samba it appears at least on 9.3 that any change to group membership or users causes samba to hup. This is perfectly fine for a single user home NAS, for the enterprise that is a huge NO-NO.

Good to see someone else having to replace MacServer with something better. I have another thread as we have a developer that wants NFS4 and for performance I want to use AFP for the Mac users. SMB for the net admins and it department so we can get users files back from the snapshots that are integrated with the samba share.

Sounds promising and I hope all the stars line up. ;)

 

[Simon Pierre Desrosiers]

I cannot believe that I would have to spin up a jail to do normal stuff. Especially since there is a section for ldap settings. If I have to do that, why go the freenas way . I might as well go the freebsd way all the way ; I am actually going freebsd way for everything but file server. If I cannot make the freenas work, it will be freebsd (if I can make the ldap/smb thing work).

I did love my mac setup. I am giving up as Apple decided not to move forward with server. But, my mac was actually a lot more easier to setup and with zfs for mac, I was very happy sysadmin.

 

[RegularJoe]

the HUP thing might be gone in FN11, I have not tested that.

iocage jails can :
boot up or reboot in 1 second
have access to all your ram and cpu, or limit them to less if you want
have newer or older software than FreeNAS runs x86 or x64
in the future run native docker without a Linux bhyve VM!

FreeNAS gives us a nice gui for :
allows us to use a 3 way mirror, never worry about a LUN going dark and restoring it from tape
ZFS replication is simple to configure and setup to another volume or host
short and long SMART self tests with email alerts
scrubs of the ZFS file system with email alerts
lets us limit the space used by a TimeMachine backup volume
easy to expand a ZFS data set, larger disks or more stripes
graph how much bandwidth the network cards and disk are delivering
minio(s3 compatible bucket - replicated data) server built in(broken in 11.1)
NetData reporting
snapshots integrated with VMware(very nice)
snapshots integrated with samba/windows to get previous version for our users without going to tape(trying to get this to work on lower level AFP and NFS data sets)

 

[tigloo]

This may be really late for an answer but wanted to let you know that I've figured it out for Samba 4. I deliberately stuck to Samba 3 until the upgrade to 11.2 also forced an upgrade to Samba 4. It's possible to load the Open Directory users via nslcd and then set the authentication mode to "user":

https://www.ixsystems.com/community...pen-directory-in-mac-os-x-environments.46493/