some krb5 comments when using AD

Status: Not open for further replies.

Chris Hoefler

Hi,

I provisioned a Samba4 domain for authenticating users, and I have successfully been able to connect FreeNAS 9.2 to the domain using the Active Directory feature. It will authenticate users. However, I have a problem when users need to change their passwords (i.e. their accounts expire or I create a user with --must-change-at-next-login). FreeNAS just rejects this entirely. I am posting here some results of my investigation.

The default AD configuration that uses RID for idmaps will just reject expired users. However, I need my idmaps to sync with other unix services, so I have configured winbind to use the idmap_ad backend. See my comment in this thread for details:
http://forums.freenas.org/threads/freenas-ad-not-accepting-groups.17810/

The problem with this configuration is that FreeNAS services will hang when trying to log in as an expired user. They have to be stopped and restarted to resume normal service. I tracked this down to the use of pam_winbind to authenticate users. I switched it to pam_krb5, and now logging in will just fail with an error message. But there is still no facility to change the expired password. On Linux, pam_krb5 will allow you to change passwords, but on FreeNAS this is blocked in some way that I don't understand.

This is not a huge problem because I can provide another service to allow users to change their passwords, but I can't think of a reason why FreeNAS would block this capability. Is there one?
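For readers who want to see what the two idmap setups discussed in this post look like, here is an added smb.conf fragment that is not from the original post or from FreeNAS itself. The domain name `EXAMPLE` and the ranges are assumed values; the first block is the RID-style default the post says rejects expired users, the second is the idmap_ad (rfc2307) backend the poster switched to so that UIDs/GIDs match other unix services.

```ini
# --- Default-style configuration: RIDs are mapped algorithmically ---
# uid/gid values are derived from the SID RID, so they are consistent on this
# host only; they do not match UIDs stored in AD (uidNumber/gidNumber).
[global]
    workgroup = EXAMPLE                 ; assumed short domain name
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 90000001-90001000
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-99999

# --- idmap_ad configuration: read uidNumber/gidNumber from AD ---
# Only users/groups that carry rfc2307 attributes in AD get a mapping, which is
# what keeps the IDs in sync with other unix hosts that read the same schema.
[global]
    workgroup = EXAMPLE                 ; assumed short domain name
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 90000001-90001000
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-99999  ; must cover the uidNumber values in AD
    winbind nss info = rfc2307
    winbind enum users = no
    winbind enum groups = no
```

Only one `[global]` block belongs in a real smb.conf; the two are shown side by side so the difference in the `idmap config EXAMPLE` lines is visible. `wbinfo -i <user>` is the usual check that the chosen backend actually returns a mapping for an account.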

dlavigne

Please create an issue at bugs.freenas.org and post the issue number here.
Chris Hoefler

I definitely can. But I can't seem to register on bugs.freenas.org. The script says it has sent me an email, but I did not receive it. It is not in the spam folder.

dlavigne

Message me the account name and email address and I'll check into it for you.