Authenticating SMB share via LDAP to (google.ldap.com)

Joined
Dec 13, 2022
Messages
5
Hi,

I've managed to successfully establish an LDAP connection between FreeNAS CORE and Google Workspace Secure LDAP service (ldap.google.com).

On the Dataset ACL permissions I am able to see the Google list of users and groups.

In the Dataset ACL permissions, I have assigned a restricted profile and assigned my Google user account, and a Google group that the user is a member of, and ticked both boxes to Apply user and group permissions.

After creating an SMB share for the dataset, I am unable to authenticate from a client using SMB to the share using the assigned user's Google username and password.

If I go back and edit the dataset permissions, the user name is replaced with a number "529394199" and a red error message below showing "Could not find a user name for this user ID."

Not sure why this is occurring, as I have tested the connection via ldapsearch and can successfully "Rebuild the directory service cache" from within the LDAP directory service config.

Any ideas how I can successfully authenticate to the SMB share using the Google LDAP account?

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You can't.
 
Joined
Dec 13, 2022
Messages
5
SMB protocol supports NTLM and Kerberos for authentication. From what I understand, Google's LDAP doesn't provide this.
Thanks for your response and confirming NTLM and Kerberos are not supported.

Are there any other methods to allow our users to sign in with their Google username and password to access SMB shares?
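
An added illustration of the point above (not part of the thread, and not TrueNAS or Samba code): a directory entry can resolve to a UNIX UID and still be unusable for NTLM, because NTLM verification needs a stored NT hash, which Samba's LDAP schema keeps in `sambaNTPassword`. The Python below checks ldapsearch-style LDIF for the `sambaSamAccount` attributes; the sample entries, example.com DNs, hash value and function names are constructed.

```python
import base64

# Attributes the Samba schema (objectClass sambaSamAccount) adds to a POSIX account.
REQUIRED = ("sambaSID", "sambaNTPassword")

# Constructed sample in ldapsearch LDIF form; DNs and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: alice
cn:: QWxpY2UgRXhhbXBsZQ==
uidNumber: 529394199

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 2001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-
 5002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""

def parse_ldif(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def smb_readiness(entry):
    """Separate 'resolvable as a UNIX user' from 'usable for NTLM'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing = [a for a in REQUIRED if a.lower() not in entry]
    return {"uid": entry["uid"][0], "unix_identity": "uidnumber" in entry,
            "ntlm_capable": "sambasamaccount" in classes and not missing,
            "missing": missing}
```

This only covers the NTLM path through the Samba LDAP schema; Kerberos needs a KDC and is not something an LDIF check can confirm.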
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I believe Google has documentation regarding this. The short answer is probably "no". You are limited by what is supported by your clients and the SMB protocol. Longer answers involve Active Directory.
 

bshogeman

Cadet
Joined
Feb 2, 2023
Messages
1
Chromebooks have an option to use SSO as the authentication method when connecting to an SMB share.
Also, the Google Admin Console has an option for this:

NTLMv2-verification is also named:

There it says that NTLMv2-verification is on by default for Android, ChromeOS and the Chrome browser for Windows, Mac and Linux.

The only method a Chromebook has for SSO (Single Sign-On) is the account you sign in with on the device itself. In the case of a Chromebook this is always your Google account. In the case of the Chrome browser, you can also sign in to the browser with your Google account, or use GCPW (Google Credential Provider for Windows) to use your Google account across all of Windows for sign-in and also SSO with your browser.

So Google has NTLMv2 and Kerberos on the client side, and also offers SSO as an authentication method for accessing SMB/CIFS shares.

But what is needed on the server side to use this? I also came to TrueNAS to solve this question.
 

Accust

Cadet
Joined
Feb 2, 2023
Messages
1
Check the SMB share configuration on FreeNAS to make sure it is set up correctly to allow authentication with Google Workspace Secure LDAP. This may include setting up the proper security settings, setting up the correct authentication protocols, and ensuring that the share is properly configured to allow access by the Google Workspace Secure LDAP accounts.
 