Hi Youenn,
Thank you for the response. I am sure the issue is related to the samba attributes not existing, but I am not fully clear on how to fix it. I was trying to find out the correct steps on a CentOS system, and I think it is something like: >yum remove samba-common >yum install samba4 >yum install ipa-server-trust-ad >ipa-adtrust-install I thought the ipa-adtrust-install was supposed to add the samba attributes, but for some reason it still does not work. Does anyone have any insight in what steps I might have missed? Thanks, -Chris From: Youenn PIOLET [mailto:[email protected]] Sent: October-11-15 6:49 PM To: Chris Tobey Cc: [email protected]; Matt . Subject: Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA Sorry for the double post. I forgot to say that my speech is about newest versions of FreeIPA. Maybe someone here knows something about IPA 3.0 ? I'm not sure it used to work with ipasam module. But I suppose the problem is the same: you need to generate Samba schema values for your IPA users in the directory. Cheers, -- Youenn Piolet [email protected] 2015-10-12 0:41 GMT+02:00 Youenn PIOLET <[email protected]>: Hi Chris, First, to be sure were on the same page: Without IPA, to make CIFS users authenticate against directory in a classic LDAP implementation, you need to extend your LDAP tree with Samba schema. The FreeNAS documentation is a bit light on this subjet and previous FreeNAS versions (stable 9.3 included) used to mess up rfc2307bis/rfc2307. I think it is fixed now, and know nothing about your 9.2 version. Wrote some messy stuff about it here: https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md To make CIFS users authenticate or FreeIPA recent versions (I only tried with 4.1), I suggest you to start by reading some of our investigations in this thread: [Freeipa-users] Ubuntu Samba Server Auth against IPA https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#00000 When we discuss about this in august, I've spend almost a week trying to make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without fully understand why it didn't work, and moved our CIFS to a dedicated Centos server. Matt arrived with a similar situation in Ubuntu. To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default with ldapsam.so module. FreeIPA developpers have built a AD trust exchange possibility with a custom ipasam module that isn't compiled yet for Ubuntu or FreeNAS. This module gives the possibility to use IPA AD trust components (e.g. special schema in IPA's directory managing user/group NT SID) If you can't compile the module for FreeNAS / FreeBSD, you may need to extend 365directory with Samba schema. You will need to find a way to generate the new attributes when adding users or groups in FreeIPA, and a way to store password in a CIFS/NT understandable way. I don't suggest you to follow this dark path. You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;) Good luck in your experimentations, I hope you will succeed! -- Youenn Piolet [email protected] 2015-10-11 2:06 GMT+02:00 Chris Tobey <[email protected]>: Hi Everyone, I have a functioning FreeIPA server that manages all my users and I would like to also use it for my FreeNAS CIFS shares to authenticate against. Does anyone know what needs to be run on both servers to get this working? I believe it has something to do with Samba properties on the FreeIPA side. I had tried asking the FreeNAS forums but they were of no help (https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/). I have seen similar requests and success stories, but no actual steps on how to do it. Info: FreeIPA v3.0.0-42 running on CentOS 6.6. FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working before dealing with certs). Any help is appreciated. Thanks, -Chris -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
