First off, I got this to work with SMB. However, this enables the whole single-sign-on deal where I just try to access the share and it immediately puts me in. I'd rather have it prompt for a password for my needs.
When I try to connect by choosing the share and hitting 'connect as' and enter a username/password, it doesn't work.
All I really want is the basic LDAP-based authentication that I have working fine in 22.214.171.124. I haven't updated because I couldn't get 9.3 to work. This method IS working as I mentioned above, but really I have all my bugs worked out with an AFP setup on 126.96.36.199 and LDAP authentication and I'd much rather be able to get it working just like that. Is that possible or do we 'have' to go through this single-sign-on business?
The approach published here by tigloo is helpful (and the only working one I know of) when you want to use FreeNAS SMB shares and have OpenDirectory authentication. The default config of OpenDirectory doesn't allow users to authenticate via LDAP to SMB shares because the passwords are not stored in OD as required. There are workarounds, but this way is fine as the authentication took place before and the Kerberos ticket is available on the client.
If I just wanted AFP shares with normal authentication, not using single sign-on, it always worked for me to connect directly to the AFP share with CMD+K
(it doesn't always work through the Finder icons; that somehow has to do with the way the shares are published via Bonjour/mDNS).
I might have had trouble when SMB and AFP shares were enabled together for the same share... but I don't remember that clearly.
I got it working. You might add a section about this to the OP because for those who don't want/need kerberos SSO this works.
So following the above guide got the SSO working fine for me, but I A) am still on AFP because I have all my permissions issues and such worked out on that, and B) I need to be able to go to a machine and connect as... a different user, in situations where, for example, I need to connect as admin to some other share to get support files for a given machine.
For whatever reason, all you have to do is add all your LDAP credentials as usual, but DO NOT CHECK the 'allow anonymous binding' checkbox. I created a new OD user with its own password so I wasn't connecting as diradmin, and voila, once I unchecked anonymous binding it works exactly as I want.
I am getting an error when trying to upload the kerberos keytab in 11.0-U3. Anyone else have this problem? I'd like to be more specific, but the error is just in the GUI, no log messages. The GUI says "an error occurred" which is not incredibly helpful. On this note, the guide for this topic https://doc.freenas.org/11/directoryservice.html#ldap has a "Note" and both of the links there are broken.
I have an existing macOS Server Open Directory (OD) setup working. I'm evaluating using FreeNAS to replace my macOS-based SMB file sharing.
Thanks to this thread, I seem to have basic LDAP working, as 'getent' lists my users/groups and 'ldapwhoami' works. I can also ssh to the FreeNAS using my LDAP credentials.
But I'm very confused about how SMB+LDAP is supposed to be achieved. The docs say "LDAP authentication for SMB shares is disabled unless the LDAP directory has been configured for and populated with Samba attributes", but I don't really grok that. What are "Samba attributes"? How do I populate OD with them?
I don't need/want the 'single sign on' (SSO) that this thread (helpfully!) describes, I just want connecting to a SMB share to prompt for user/password. So I'm not sure what, if anything, in this thread applies to my situation...
and I've come to the conclusion that, unless you want the whole kerberos thing tigloo describes, trying to get Open Directory (OD) working for Samba is more trouble than it's worth. The clincher for me is that the user password has to be copied into a different place for samba, so if/when the user changes her password in OD the sysadmin has to do work to copy the password for samba.
For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself.
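The "Samba attributes" the manual refers to are the ones Samba's ldapsam passdb backend reads from each user entry: the sambaSamAccount object class, a sambaSID, and sambaNTPassword, which holds the NT hash of the password separately from whatever OD uses for its own authentication. That separate hash is exactly the thing that has to be copied and kept in sync when a user changes her OD password, as the post above describes. Below is an added example (not from this thread, FreeNAS or Samba) of a small check that reads LDIF and reports which user entries are missing those attributes; the LDIF is constructed for illustration, and the assumption is that in practice you would feed it the output of an `ldapsearch -x -LLL` query against the directory.

```python
"""Report which LDAP user entries carry the attributes Samba's ldapsam
backend needs before it will attempt an SMB authentication.

Added example, not code from FreeNAS or Samba. The LDIF below is
constructed sample data; in practice feed the script ldapsearch output
(assumption: `ldapsearch -x -LLL '(objectClass=posixAccount)'`).
"""

# Constructed LDIF sample (not real directory data): alice is fully
# populated, bob has no Samba attributes at all, carol has the object
# class and SID but no NT hash.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]

dn: uid=bob,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: uid=carol,cn=users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
uidNumber: 1003
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3006
"""

# Object class and attributes ldapsam requires on a user entry.
REQUIRED_OBJECTCLASS = "sambaSamAccount"
REQUIRED_ATTRS = ("sambaSID", "sambaNTPassword")


def parse_ldif(text):
    """Parse minimal LDIF into a list of dicts mapping attribute -> [values].

    Handles blank-line separated entries, '#' comments and folded lines
    (continuation lines start with a single space). A '::' base64 marker
    is tolerated but the value is kept as-is, which is enough for a
    presence check.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # LDIF line continuation
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(":").strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def smb_readiness(entries):
    """Return {uid: [missing items]}; an empty list means the entry has
    everything ldapsam needs to attempt an SMB (NTLM) authentication."""
    report = {}
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        missing = []
        if REQUIRED_OBJECTCLASS not in entry.get("objectClass", []):
            missing.append("objectClass " + REQUIRED_OBJECTCLASS)
        missing.extend(attr for attr in REQUIRED_ATTRS if attr not in entry)
        report[uid] = missing
    return report


if __name__ == "__main__":
    for uid, missing in smb_readiness(parse_ldif(SAMPLE_LDIF)).items():
        status = "ok" if not missing else "cannot do SMB, missing " + ", ".join(missing)
        print(f"{uid}: {status}")
```

Because sambaNTPassword is a password-equivalent hash, the LDAP ACLs on the directory should restrict read access to it to the Samba bind account; a user that shows up as "ok" here but still cannot log in is often one whose entry the bind account is not allowed to read in full.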
If you want your users to enter a password, you can also create (or recreate) the users on FreeNAS. The main reason to use Kerberos is that your users can authenticate once against a central directory and then never have to re-authenticate with any other server.
I updated the instructions for FreeNAS 11.2 which now ships with Samba 4 and requires a slightly different configuration. I'm not quite sure if the idmap backend specification is needed - will test later if it can be removed.
Samba is a beast and it's really complicated to get this right.
I noticed that iXSystems included a link to this thread in the FreeNAS manual. That's a great compliment. I hope we will see "official" Open Directory support from the GUI, too!