CIFS and LDAP/AD authentication

Travis Roy

Cadet
Joined
Jan 29, 2015
Messages
1
I'm trying to set up CIFS, but use LDAP or AD for authentication.

When I go to do it, it doesn't work. The hang-up seems to be the guest account. If I use local authentication, the user "nobody" is taken just fine, but if I set up LDAP or AD it says that "nobody" isn't a valid user and I can't save the CIFS settings.

The only error I'm getting is when I go to set up the CIFS settings and click save: I get "The user nobody is not valid."

Build: FreeNAS-9.3-STABLE-201501241715 (64-bit)
Platform: Intel(R) Xeon(R) CPU E5405 @ 2.00GHz
Memory: 4068MB
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Read the forum rules and update your post. You provided zero information that we request when creating a thread.
 

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
I've run into this same issue on 11.2U1. Went to change a thing or two in my SMB settings and I can't save due to the "user nobody is not valid" error. I am also using an AD connection to another server to pull users and groups from. I can't enter a user from the AD as the interface only has a pulldown with local users, and none of the local users appear to be valid options. I'm guessing this is some kind of interaction with the AD link. If I remember I may try and turn SMB off later and save my changes to see if that works, but I can't do that now. The changes I wanted to make are mainly for curiosity reasons, but I do have a couple of places that use FreeNAS that need the old style auth, so it would be nice to be able to actually set that and save when needed.
 

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
@anodos

Any chance someone could look at this one? Seems like it might be an easy fix, but I don't see that this issue ever got any attention. I haven't verified it myself as I don't really have a test system I can fiddle with at the moment, but I'm guessing that dropping the AD connection would allow a change to be made to the SMB settings, as on the system I manage with simple local accounts I have never noticed this issue.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Yeah, there's a regression in U2. I've fixed it in 11.2-stable, but you'll have to wait till U3 unless you feel adventurous enough to manually patch your server. I have one user whose server I will investigate tomorrow to see what is wrong with the manual patch job he applied and make an additional fix if needed. Sorry for the inconvenience. You should be able to use local users if you temporarily disable AD.
 

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
It's not critical for my server so I can wait for the patch. Thanks for the update and the work on the fix.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
No problem. The regression was introduced by an attempt to fix user / group validation for trusted domains in AD. Now we should be fixed for all cases.
 

rj_dsl

Cadet
Joined
Feb 25, 2019
Messages
8
Hello anodos,

I am having a similar problem: my FreeNAS won't bind properly to my LDAP server because of this issue. I can search LDAP, but users can't log in to shares, etc. I have a workaround running right now (binding to the server as anonymous), but that is not a situation I want to run with for too long.

Output of my log.smbd:
Code:
[2019/02/25 16:35:45.524494,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=WORKGROUP))]
[2019/02/25 16:35:45.763248,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 16:35:45.766742,  1] ../source3/passdb/pdb_ldap_util.c:237(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=WORKGROUP,dc=dsl,dc=dk with: Insufficient access
        no write access to parent
[2019/02/25 16:35:45.766799,  0] ../source3/passdb/pdb_ldap_util.c:314(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
[2019/02/25 16:35:45.766826,  0] ../source3/passdb/pdb_ldap.c:6645(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2019/02/25 16:35:45.766847,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://auth.dsl.lan did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)


My LDAP setup:
freenas_ldap.png
And my SMB settings:
freenas_smb.png

I would be interested in any help you can provide.. Please let me know if you want any additional info.
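
Added example (not part of the post above and not FreeNAS or Samba code): a small Python parser for the log.smbd excerpt that groups each header with its message lines and isolates the error chain, so the earliest failure and the DN the directory refused to create can be read off directly. It assumes the default header layout seen in the excerpt; the function names are hypothetical.

```python
import re

# Header of a log.smbd entry: "[date time,  level] file:line(function)".
# Assumes the default header layout shown in the post (no extra fields).
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
DENIED = re.compile(r"failed to add domain dn=\s*(\S+) with: Insufficient access")

# Sample input: a subset of the log.smbd lines from the post, padding removed.
SAMPLE = """\
[2019/02/25 16:35:45.524494,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=WORKGROUP))]
[2019/02/25 16:35:45.766742,  1] ../source3/passdb/pdb_ldap_util.c:237(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=WORKGROUP,dc=dsl,dc=dk with: Insufficient access
        no write access to parent
[2019/02/25 16:35:45.766799,  0] ../source3/passdb/pdb_ldap_util.c:314(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for WORKGROUP failed with NT_STATUS_UNSUCCESSFUL
[2019/02/25 16:35:45.766826,  0] ../source3/passdb/pdb_ldap.c:6645(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2019/02/25 16:35:45.766847,  0] ../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:ldap://auth.dsl.lan did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
"""

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def failure_chain(entries, max_level=1):
    """Entries logged at level <= max_level, in order; the first is the earliest error."""
    return [e for e in entries if e["level"] <= max_level]

def denied_dn(entries):
    """DN the LDAP server refused to let smbd create, or None."""
    hits = (DENIED.search(e["msg"]) for e in entries)
    return next((m.group(1) for m in hits if m), None)

if __name__ == "__main__":
    print(failure_chain(parse_entries(SAMPLE))[0]["func"], denied_dn(parse_entries(SAMPLE)))
```

On this excerpt the chain starts at `add_new_domain_info`: the directory rejected the write of the `sambaDomainName=WORKGROUP` entry, and the later level-0 lines follow from that.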
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
There is a behavior change in Samba 4.9 WRT guest user accounts that is affecting LDAP users. I'm still tracking down the exact cause and trying to fix it.
 

rj_dsl

Cadet
Joined
Feb 25, 2019
Messages
8
Great :) I might just roll back to 11.1u5 and wait for u3.. But good to know you guys are working on it.
 

lofwyr

Cadet
Joined
Feb 16, 2016
Messages
4
Actually I just had the same issue ("user nobody is not valid") on 11.1-U7.
Toggle AD disable, change SMB Settings, toggle AD enable worked fine here as well.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That's not the same issue. The issue you're referencing was fixed in 11.2-U2.1, and should be fixed in 11.1-U8 when it's released (if we have another release).
 