Dear colleagues,
We are trying to integrate FreeNAS into the domain controlled by Univention UCS (we are testing migration from AD to UCS). Due to the existential dualism inside UCS (on the server, OpenLDAP is used for Linux and Samba 4 LDAP for Windows), we can either have:
(1) AD integration using the "Active Directory" integration of FreeNAS (done via winbind/samba), but we lose UIDs/GIDs/Shell etc. posixAccount attributes, as they are stored in the OpenLDAP server, which is not queried (living on different ports), and Samba LDAP doesn't have UNIX Extensions (rfc2307) installed.
or
(2) we can have all the standard UNIX attributes correctly retrieved via LDAP directory integration, which seems to use SSSD as a way to retrieve the information, but then we lose domain integration with Samba.
It's basically like having 2 pieces of one picture which are not possible to combine due to whatever reasons :D
We are thinking about 3 theoretical solutions and are asking for advice from the community regarding the ways to implement them in FreeNAS without breaking everything:
(1) I've read somewhere that Samba can use SSSD as a winbind idmap/nss backend. Therefore /etc/nsswitch.conf should work with winbind, and winbind will query sss for attribute mapping.
(2) specify additional ldap server/port for querying the standard UNIX attributes (sounds like madness though)
(3) add proper integration to AD via SSSD/Kerberos/OpenLDAP, and then omit winbind altogether (somehow). This is how the Linux stations are working with Univention UCS/AD servers.
Points (1) and (3) can be achieved, but we do not want to interfere with the FreeNAS UI - it's there for a reason :D. What will be your advice regarding our problem?
Thanks for the comments and have a good day!
Mike.
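Option (1) above, written out as an smb.conf fragment for reference: this is an added illustration, not configuration from the original post, from FreeNAS or from Univention, and the realm, workgroup and ID ranges are assumed placeholders.

```ini
; Assumed example for option (1): winbind resolves SIDs through SSSD (idmap_sss)
; instead of allocating its own UIDs/GIDs. Realm/workgroup/ranges are placeholders.
[global]
   security = ads
   realm = EXAMPLE.LOCAL            ; assumed placeholder Kerberos realm
   workgroup = EXAMPLE              ; assumed placeholder NetBIOS domain

   ; Default domain (BUILTIN and other well-known SIDs): allocated locally in tdb,
   ; kept in a range that cannot collide with the directory's posixAccount IDs.
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   ; The joined domain: ask SSSD for uidNumber/gidNumber, so the values come from
   ; the same source the Linux clients use rather than from a winbind-local map.
   idmap config EXAMPLE : backend = sss
   idmap config EXAMPLE : range = 200000-2147483647
```

With this layout /etc/nsswitch.conf lists sss (and winbind only for the locally allocated entries) for passwd and group, and the idmap_sss module must actually be present in the SSSD build the appliance ships, which is an assumption to verify before relying on it. On FreeNAS the generated smb4.conf is owned by the middleware, so manual edits are overwritten, which is the UI conflict the post refers to.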