Enabling UNIX Permissions in AD causes Network Users to fail Auth

Status
Not open for further replies.

ian351c

Patron
Joined
Oct 20, 2011
Messages
219
Hello all,

I have set up a test environment with the most recent 9.3-STABLE and a separate SAMBA 4.2 AD Domain Controller. It all seems to be working fine, right up until I enable "UNIX Extensions" in my AD config on my test NAS. This causes all of my AD users to fail authentication when using local services (SSH, FTP, etc.) but using CIFS still works.

With UNIX Extensions enabled, I see these messages in /var/log/messages:

Code:
Jun 30 19:19:35 nastest proftpd: Request to sssd failed. Connection refused
Jun 30 19:19:48 nastest sshd[33198]: Request to sssd failed. Connection refused



I can make the error go away by disabling UNIX Permissions in the AD config, but I'd like to keep it if possible to specify a shell/home dir for AD users. This allows me to deny SSH/FTP access to the NAS to selected AD accounts (while permitting access to others). If there's an easier way to do that that doesn't involve creating local users and/or groups, that would work too.

Thanks!
 
dlavigne

Guest
Has the AD server been explicitly configured to map permissions for UNIX users?
 

ian351c

I believe so. I can edit the UNIX attributes of the users and groups using the appropriate Windows user management tool from a Windows computer joined to the Samba domain. I can also see these attributes in an LDAP browser.
 
dlavigne

Guest
Please create a bug report at bugs.freenas.org and post the issue number here. If you use the Support tab to create the bug report, it will automatically include your config in the debug file (note you still need to have a login account at bugs.freenas.org before using this tab).
 

ian351c

It looks like a lot of the AD stuff is "in active development" (i.e. broken for now). This is something I'd like to eventually get working for my environment, but my hair isn't on fire. If I can help with testing, please let me know. Or if I just need to wait, that's fine too.
 