Hi Youenn,

 

Thank you for the response.

 

I am sure the issue is related to the samba attributes not existing, but I am 
not fully clear on how to fix it.

 

I was trying to find out the correct steps on a CentOS system, and I think it 
is something like:

>yum remove samba-common

>yum install samba4

>yum install ipa-server-trust-ad

>ipa-adtrust-install

 

I thought the ipa-adtrust-install was supposed to add the samba attributes, but 
for some reason it still does not work.

 

Does anyone have any insight in what steps I might have missed?

 

Thanks,

-Chris

 

From: Youenn PIOLET [mailto:piole...@gmail.com] 
Sent: October-11-15 6:49 PM
To: Chris Tobey
Cc: freeipa-users@redhat.com; Matt .
Subject: Re: [Freeipa-users] FreeNAS Authenticating Againts FreeIPA

 

Sorry for the double post.

 

I forgot to say that my speech is about newest versions of FreeIPA.

Maybe someone here knows something about IPA 3.0 ?

I'm not sure it used to work with ipasam module. But I suppose the problem is 
the same: you need to generate Samba schema values for your IPA users in the 
directory.

 

Cheers,




--

Youenn Piolet

piole...@gmail.com

 

 

2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:

Hi Chris,

 

First, to be sure were on the same page:

Without IPA, to make CIFS users authenticate against directory in a classic 
LDAP implementation, you need to extend your LDAP tree with Samba schema. The 
FreeNAS documentation is a bit light on this subjet and previous FreeNAS 
versions (stable 9.3 included) used to mess up rfc2307bis/rfc2307. I think it 
is fixed now, and know nothing about your 9.2 version. Wrote some messy stuff 
about it here: 
https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md

 

To make CIFS users authenticate or FreeIPA recent versions (I only tried with 
4.1), I suggest you to start by reading some of our investigations in this 
thread:

 

[Freeipa-users] Ubuntu Samba Server Auth against IPA

https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#00000

 

When we discuss about this in august, I've spend almost a week trying to make 
this integration with FreeNAS/FreeIPA work. I quit FreeNAS without fully 
understand why it didn't work, and moved our CIFS to a dedicated Centos server. 
Matt arrived with a similar situation in Ubuntu.

 

To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default with 
ldapsam.so module. FreeIPA developpers have built a AD trust exchange 
possibility with a custom ipasam module that isn't compiled yet for Ubuntu or 
FreeNAS. This module gives the possibility to use IPA AD trust components (e.g. 
special schema in IPA's directory managing user/group NT SID)

 

If you can't compile the module for FreeNAS / FreeBSD, you may need to extend 
365directory with Samba schema.

You will need to find a way to generate the new attributes when adding users or 
groups in FreeIPA, and a way to store password in a CIFS/NT understandable way. 
I don't suggest you to follow this dark path.

 

You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)

 

Good luck in your experimentations, I hope you will succeed!

 




--

Youenn Piolet

piole...@gmail.com

 

 

2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:

Hi Everyone,


I have a functioning FreeIPA server that manages all my users and I would like 
to also use it for my FreeNAS CIFS shares to authenticate against.

Does anyone know what needs to be run on both servers to get this working? I 
believe it has something to do with Samba properties on the FreeIPA side.

 

I had tried asking the FreeNAS forums but they were of no help 
(https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/).

 

I have seen similar requests and success stories, but no actual steps on how to 
do it.

Info: 
FreeIPA v3.0.0-42 running on CentOS 6.6.
FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working before 
dealing with certs).

 

Any help is appreciated.

 

Thanks,

-Chris

 

 

 

 

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

 

 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to