Hi Youenn,


Thank you for the response.


I am sure the issue is related to the samba attributes not existing, but I am 
not fully clear on how to fix it.


I was trying to find out the correct steps on a CentOS system, and I think it 
is something like:

>yum remove samba-common

>yum install samba4

>yum install ipa-server-trust-ad



I thought the ipa-adtrust-install was supposed to add the samba attributes, but 
for some reason it still does not work.


Does anyone have any insight into what steps I might have missed?





From: Youenn PIOLET [mailto:piole...@gmail.com] 
Sent: October-11-15 6:49 PM
To: Chris Tobey
Cc: freeipa-users@redhat.com; Matt .
Subject: Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA


Sorry for the double post.


I forgot to say that my speech is about the newest versions of FreeIPA.

Maybe someone here knows something about IPA 3.0?

I'm not sure it used to work with the ipasam module. But I suppose the problem is 
the same: you need to generate Samba schema values for your IPA users in the 




Youenn Piolet




2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:

Hi Chris,


First, to be sure we're on the same page:

Without IPA, to make CIFS users authenticate against a directory in a classic 
LDAP implementation, you need to extend your LDAP tree with the Samba schema. The 
FreeNAS documentation is a bit light on this subject and previous FreeNAS 
versions (stable 9.3 included) used to mess up rfc2307bis/rfc2307. I think it 
is fixed now, and know nothing about your 9.2 version. Wrote some messy stuff 
about it here: 


To make CIFS users authenticate on FreeIPA recent versions (I only tried with 
4.1), I suggest you start by reading some of our investigations in this 


[Freeipa-users] Ubuntu Samba Server Auth against IPA



When we discussed this in August, I spent almost a week trying to make 
this integration with FreeNAS/FreeIPA work. I quit FreeNAS without fully 
understanding why it didn't work, and moved our CIFS to a dedicated CentOS server. 
Matt arrived with a similar situation in Ubuntu.


To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default with 
the ldapsam.so module. FreeIPA developers have built an AD trust exchange 
possibility with a custom ipasam module that isn't compiled yet for Ubuntu or 
FreeNAS. This module gives the possibility to use IPA AD trust components (e.g. 
special schema in IPA's directory managing user/group NT SID).


If you can't compile the module for FreeNAS / FreeBSD, you may need to extend 
365directory with Samba schema.

You will need to find a way to generate the new attributes when adding users or 
groups in FreeIPA, and a way to store passwords in a CIFS/NT-understandable way. 
I don't suggest you follow this dark path.


You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)


Good luck in your experimentations, I hope you will succeed!



Youenn Piolet




2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:

Hi Everyone,

I have a functioning FreeIPA server that manages all my users and I would like 
to also use it for my FreeNAS CIFS shares to authenticate against.

Does anyone know what needs to be run on both servers to get this working? I 
believe it has something to do with Samba properties on the FreeIPA side.


I had tried asking the FreeNAS forums but they were of no help 


I have seen similar requests and success stories, but no actual steps on how to 
do it.

FreeIPA v3.0.0-42 running on CentOS 6.6.
FreeNAS (can use 9.3 if easier, was trying to get it working before 
dealing with certs).


Any help is appreciated.








Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project


