Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

Any chance anyone knows more about this?

I do see the following created for the admin user:

    ipaNTSecurityIdentifier: S-1-5-**-***

but ipa-adtrust-install seems to fail and not install the attribute for any of the other ~50 users. That may not help me with the sambaSID issue, but I would like to get the built-in tools working.

Thanks,
-Chris

> From: Youenn PIOLET [mailto:piole...@gmail.com]
> Sent: October-19-15 8:34 AM
> To: Chris Tobey
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA
Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

Hi Chris,

This may come from the ipa attributes added by adtrust on user/group classes. For example in 4.1.4, FreeIPA will add on each user the attribute (for ipasam.so usage):

    ipaNTSecurityIdentifier: S-1-5-**-***

when the standard samba attributes known by samba with ldapsam.so are:

    sambaSID: S-1-5-**-***

I guess as the OID must be different, your CIFS will not recognise the attribute and won't be able to use it. I also guess it is the same for the password hash, which may not be using the right algorithm.

You can check this directly in your IPA 365directory tree, and with dirsrv logfiles. I suppose you would see FreeNAS trying to search for specific attributes in user objects that don't exist.

This information is based on deduction but I'm not confident enough to assure you this is a fact :)

--
Youenn Piolet
piole...@gmail.com

> 2015-10-17 16:47 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:
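A check for the two points raised above (Chris seeing ipaNTSecurityIdentifier on admin only, and Youenn's suggestion to look at the directory tree and the dirsrv logs), written here as an added example and not code from the thread: it parses a constructed LDIF dump of user entries to show which SID attribute each user carries, and pairs SRCH/RESULT lines from a constructed 389-ds access log to flag ldapsam-style lookups for samba* schema that came back empty. The DNs, SIDs and log lines are assumed sample data, not values from anyone's server.

```python
import re
from collections import defaultdict

# Constructed sample of what an ldapsearch over cn=users,cn=accounts could return on an
# IPA server where only the admin entry received the ipasam attribute (hypothetical SIDs).
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
"""

# Constructed 389-ds access log lines: an ldapsam client asks for samba* schema and gets nothing.
SAMPLE_ACCESS_LOG = """\
[19/Oct/2015:08:34:01 +0200] conn=17 op=3 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaSamAccount)(uid=alice))" attrs="sambaSID sambaNTPassword uid"
[19/Oct/2015:08:34:01 +0200] conn=17 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[19/Oct/2015:08:34:02 +0200] conn=18 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uid ipaNTSecurityIdentifier"
[19/Oct/2015:08:34:02 +0200] conn=18 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no folded lines) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def sid_coverage(ldif_text):
    """Map each uid to the SID attributes it carries: ipasam's ipaNTSecurityIdentifier, ldapsam's sambaSID, or neither."""
    report = {}
    for attrs in parse_ldif(ldif_text).values():
        uid = attrs.get("uid", ["?"])[0]
        report[uid] = [a for a in ("ipaNTSecurityIdentifier", "sambaSID") if attrs.get(a)]
    return report

_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)" attrs="([^"]*)"')
_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=\d+ .*?nentries=(\d+)')

def failing_samba_lookups(log_text):
    """Pair SRCH/RESULT lines by conn/op; return searches that named samba* schema but matched 0 entries."""
    searches, hits = {}, []
    for line in log_text.splitlines():
        m = _SRCH.search(line)
        if m:
            searches[(m[1], m[2])] = (m[3], m[4])
            continue
        r = _RESULT.search(line)
        if r and (r[1], r[2]) in searches:
            flt, attrs = searches.pop((r[1], r[2]))
            if r[3] == "0" and "samba" in (flt + attrs).lower():
                hits.append({"conn": r[1], "filter": flt, "attrs": attrs})
    return hits
```

On a real server the LDIF would come from ldapsearch against the users container and the log from the dirsrv access log; a user listed with an empty attribute list is one that neither ipasam nor ldapsam can map to an NT SID.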
Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

Hi Youenn,

Thank you for the response.

I am sure the issue is related to the samba attributes not existing, but I am not fully clear on how to fix it.

I was trying to find out the correct steps on a CentOS system, and I think it is something like:

    yum remove samba-common
    yum install samba4
    yum install ipa-server-trust-ad
    ipa-adtrust-install

I thought ipa-adtrust-install was supposed to add the samba attributes, but for some reason it still does not work.

Does anyone have any insight in what steps I might have missed?

Thanks,
-Chris

> From: Youenn PIOLET [mailto:piole...@gmail.com]
> Sent: October-11-15 6:49 PM
> To: Chris Tobey
> Cc: freeipa-users@redhat.com; Matt .
> Subject: Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

Hi Chris,

First, to be sure we're on the same page: without IPA, to make CIFS users authenticate against the directory in a classic LDAP implementation, you need to extend your LDAP tree with the Samba schema. The FreeNAS documentation is a bit light on this subject and previous FreeNAS versions (stable 9.3 included) used to mess up rfc2307bis/rfc2307. I think it is fixed now, and I know nothing about your 9.2 version. I wrote some messy stuff about it here:
https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md

To make CIFS users authenticate on recent FreeIPA versions (I only tried with 4.1), I suggest you start by reading some of our investigations in this thread:

[Freeipa-users] Ubuntu Samba Server Auth against IPA
https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#0

When we discussed this in August, I spent almost a week trying to make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without fully understanding why it didn't work, and moved our CIFS to a dedicated CentOS server. Matt arrived with a similar situation on Ubuntu.

To quickly summarize the issue: FreeNAS and Ubuntu CIFS work by default with the ldapsam.so module. FreeIPA developers have built an AD trust exchange possibility with a custom ipasam module that isn't compiled yet for Ubuntu or FreeNAS. This module gives the possibility to use IPA AD trust components (e.g. special schema in IPA's directory managing user/group NT SIDs).

If you can't compile the module for FreeNAS / FreeBSD, you may need to extend 365directory with the Samba schema. You will need to find a way to generate the new attributes when adding users or groups in FreeIPA, and a way to store passwords in a CIFS/NT understandable way. I don't suggest you follow this dark path.

You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)

Good luck in your experimentations, I hope you will succeed!

--
Youenn Piolet
piole...@gmail.com

> 2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeych...@hotmail.com>:
Re: [Freeipa-users] FreeNAS Authenticating Against FreeIPA

Sorry for the double post.

I forgot to say that my speech is about the newest versions of FreeIPA. Maybe someone here knows something about IPA 3.0? I'm not sure it used to work with the ipasam module. But I suppose the problem is the same: you need to generate Samba schema values for your IPA users in the directory.

Cheers,

--
Youenn Piolet
piole...@gmail.com

> 2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piole...@gmail.com>:
[Freeipa-users] FreeNAS Authenticating Against FreeIPA

Hi Everyone,

I have a functioning FreeIPA server that manages all my users and I would like to also use it for my FreeNAS CIFS shares to authenticate against.

Does anyone know what needs to be run on both servers to get this working? I believe it has something to do with Samba properties on the FreeIPA side.

I had tried asking the FreeNAS forums but they were of no help (https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/). I have seen similar requests and success stories, but no actual steps on how to do it.

Info:
FreeIPA v3.0.0-42 running on CentOS 6.6.
FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working before dealing with certs).

Any help is appreciated.

Thanks,
-Chris