Sorry for the double post. I forgot to say that my speech is about the newest versions of FreeIPA. Maybe someone here knows something about IPA 3.0? I'm not sure it used to work with the ipasam module. But I suppose the problem is the same: you need to generate Samba schema values for your IPA users in the directory.

Cheers,

--
Youenn Piolet
[email protected]

2015-10-12 0:41 GMT+02:00 Youenn PIOLET <[email protected]>:

> Hi Chris,
>
> First, to be sure we're on the same page:
> Without IPA, to make CIFS users authenticate against a directory in a
> classic LDAP implementation, you need to extend your LDAP tree with Samba
> schema. The FreeNAS documentation is a bit light on this subject and
> previous FreeNAS versions (stable 9.3 included) used to mess up
> rfc2307bis/rfc2307. I think it is fixed now, and know nothing about your
> 9.2 version. Wrote some messy stuff about it here:
> https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md
>
> To make CIFS users authenticate on recent FreeIPA versions (I only tried
> with 4.1), I suggest you start by reading some of our investigations in
> this thread:
>
> [Freeipa-users] Ubuntu Samba Server Auth against IPA
> https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#00000
>
> When we discussed this in August, I spent almost a week trying to
> make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without
> fully understanding why it didn't work, and moved our CIFS to a dedicated
> CentOS server. Matt arrived with a similar situation in Ubuntu.
>
> To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default
> with the ldapsam.so module. FreeIPA developers have built an AD trust exchange
> possibility with a custom ipasam module that isn't compiled yet for Ubuntu
> or FreeNAS. This module gives the possibility to use IPA AD trust
> components (e.g. special schema in IPA's directory managing user/group
> NT SID)
>
> If you can't compile the module for FreeNAS / FreeBSD, you may need to
> extend 365directory with Samba schema.
> You will need to find a way to generate the new attributes when adding
> users or groups in FreeIPA, and a way to store the password in a CIFS/NT
> understandable way. I don't suggest you follow this dark path.
>
> You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)
>
> Good luck in your experimentations, I hope you will succeed!
>
> --
> Youenn Piolet
> [email protected]
>
> 2015-10-11 2:06 GMT+02:00 Chris Tobey <[email protected]>:
>
>> Hi Everyone,
>>
>> I have a functioning FreeIPA server that manages all my users and I would
>> like to also use it for my FreeNAS CIFS shares to authenticate against.
>>
>> Does anyone know what needs to be run on both servers to get this
>> working? I believe it has something to do with Samba properties on the
>> FreeIPA side.
>>
>> I had tried asking the FreeNAS forums but they were of no help (
>> https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/
>> ).
>>
>> I have seen similar requests and success stories, but no actual steps on
>> how to do it.
>>
>> Info:
>> FreeIPA v3.0.0-42 running on CentOS 6.6.
>> FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working
>> before dealing with certs).
>>
>> Any help is appreciated.
>>
>> Thanks,
>>
>> -Chris
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
