FreeIPA and FreeNAS LDAP Setup

Status
Not open for further replies.

Chris Tobey

Contributor
Joined
Feb 11, 2014
Messages
114
Hi guys,

I have a functioning FreeIPA server that manages all my users and I would like to also use it for my FreeNAS CIFS shares to authenticate against.

Does anyone know what needs to be run on both servers?

Info:
FreeIPA v3.0.0-42 running on CentOS 6.6
FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working before dealing with certs)

John Hixson said:
I am able to successfully configure FreeNAS to FreeIPA using the LDAP service.
https://bugs.freenas.org/issues/2147
 

Chris Tobey

Contributor
Joined
Feb 11, 2014
Messages
114
Anyone have any idea what's needed to set this up?

I'm thinking it is something along the lines of:

>yum remove samba-common
>yum install samba4
>yum install ipa-server-trust-ad
>ipa-adtrust-install
>???
 

Alvin

Explorer
Joined
Aug 12, 2013
Messages
65
I have SSH working with FreeIPA, but the CIFS service no longer starts, so we're not there yet. It's quite hard to find complete documentation on this.
 
Joined
Jun 30, 2016
Messages
1
From the research I have been doing, it seems at the moment this isn't possible (please, someone, prove me wrong). Even after running ipa-adtrust-install on the FreeIPA server, you still get the "SAMBA Extensions not detected" error message, and cannot authenticate against LDAP for CIFS shares. Works fine for AFP/ssh/etc, but not CIFS. There is actually a bug report/feature request for this: https://bugs.freenas.org/issues/2147 (as mentioned in the initial post), but the target version is still listed as "FUTURE" and status "investigation", so it seems to me that this is low priority for the FreeNAS team :(
 

Howard Swope

Dabbler
Joined
Nov 19, 2015
Messages
26
I am still very interested in making this work. I really like FreeNAS, but have been exploring other options because I can't get this functioning. It looks like there is no traction on this.
 
Joined
May 28, 2017
Messages
5
I got it working, but only on Corral - so there's that caveat.

Luke,

I got it to work on FreeNAS 11; it just requires the correct syntax in your LDAP settings through the GUI.

Let's assume the FQDN for your IPA server is ipa01.magic.dust
The LDAP fields would be filled out with the syntax below, replacing magic and dust with your domain info instead.

Hostname: ipa01.magic.dust
Base DN: dc=magic,dc=dust
Bind DN: uid=admin,cn=users,cn=accounts,dc=magic,dc=dust
Bind Password: *Enter your ipa admin password*
Enable: Check the box

Save

Now you will want to make sure your FreeNAS box is in the firewall trusted zone on the IPA server; also make sure the appropriate firewall ports are open on your FreeNAS server. Ideally just allowing all traffic between both the FreeNAS and IPA server. I personally do not have Samba installed on my rig, and have not tested SMB or CIFS shares, but instead I'm using NFS shares exclusively, and it works great. I gave a FreeIPA user and a FreeIPA group ownership over my NFS shares; anyone in the right group gets read, write and execute access to that share.


Hope this helps.
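
An added example, not part of the post above and not FreeNAS or FreeIPA code: shell helpers that derive the Base DN and Bind DN from the IPA server's FQDN in the layout the post gives, and print an ldapsearch command for checking the bind over StartTLS before the values go into the GUI. It assumes the LDAP suffix is the FQDN minus its first label; the looked-up user `alice` is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the LDAP suffix is the
# server's FQDN minus its first label: ipa01.magic.dust -> dc=magic,dc=dust.

base_dn_from_fqdn() {                       # $1 = IPA server FQDN
    # Only hostname characters are accepted, so nothing odd reaches the DN.
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    domain=${1#*.}
    # Reject a bare hostname or a trailing dot: no domain part to convert.
    [ "$domain" != "$1" ] && [ -n "$domain" ] || return 1
    printf 'dc=%s\n' "$(printf '%s' "$domain" | sed 's/\./,dc=/g')"
}

valid_uid() {                               # $1 = user name
    # Refuse LDAP filter/DN metacharacters such as ( ) * , = \ in a uid.
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

bind_dn() {                                 # $1 = uid, $2 = FQDN
    valid_uid "$1" || return 1
    base=$(base_dn_from_fqdn "$2") || return 1
    # User entries sit under cn=users,cn=accounts, as in the post's Bind DN.
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$base"
}

ldap_check_cmd() {                          # $1 = FQDN, $2 = bind uid, $3 = uid to look up
    valid_uid "$3" || return 1
    base=$(base_dn_from_fqdn "$1") || return 1
    dn=$(bind_dn "$2" "$1") || return 1
    # Printed, not executed: review it, then run it on a host with ldapsearch.
    printf 'ldapsearch -x -ZZ -H ldap://%s -D "%s" -W -b "cn=users,cn=accounts,%s" "(uid=%s)" uid uidNumber gidNumber\n' \
        "$1" "$dn" "$base" "$3"
}

# Constructed sample values matching the post's example domain.
ldap_check_cmd ipa01.magic.dust admin alice
```

`-W` prompts for the bind password instead of taking it on the command line, and `-ZZ` makes ldapsearch fail unless StartTLS succeeds, so the client has to trust the IPA CA for the check to pass.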
 