FreeNAS LDAP client authenticates successfully but fails at authorization stage


mmx (Cadet)
Joined Sep 16, 2011
Messages 4
Hello All,
I have a FreeNAS 8.0.2 box with LDAP configured.

I also have AFP shares that are working properly when authenticating local users.

I CAN get user and group info from the LDAP server, verified by output of . . .
getent passwd
getent group

I have configured permission on shared folders to be owned and read/write accessible by users in the LDAP directory.

I cannot successfully browse AFP shares due to some failure in the LDAP interaction (I think). I do get a different response in Apple's Finder when I intentionally enter the wrong password for the username. FreeNAS knows that the password is wrong and shows that in logs. When the password is correct, FreeNAS logs that I've authenticated successfully, but I can't browse the files. Finder reports "Connection Failed".

Intentionally enter wrong password: (FreeNAS logs)

pam_ldap: error trying to bind as user "mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" (Invalid credentials)
Dec 29 06:48:14 kat afpd[9305]: AFP statistics: 0.51 KB read, 0.38 KB written


Please take a look and let me know why this isn't working.

My OpenLDAP server shows this in the logs when I attempt to authenticate (with the correct password) over AFP to a shared folder

***********
conn=1014 fd=14 ACCEPT from IP=10.2.2.11:42915 (IP=0.0.0.0:389)
conn=1014 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1014 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1014 op=0 RESULT tag=97 err=0 text=
conn=1014 op=1 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joenobody))"
conn=1014 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
conn=1014 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1014 op=2 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joenobody))"
conn=1014 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
conn=1014 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1015 fd=17 ACCEPT from IP=10.2.2.11:46289 (IP=0.0.0.0:389)
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=0 RESULT tag=97 err=0 text=
conn=1015 op=1 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(uid=joenobody)"
conn=1015 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber
conn=1015 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1015 op=2 BIND anonymous mech=implicit ssf=0
conn=1015 op=2 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1015 op=2 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=2 RESULT tag=97 err=0 text=
conn=1015 op=3 BIND anonymous mech=implicit ssf=0
conn=1015 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" method=128
conn=1015 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=3 RESULT tag=97 err=0 text=
conn=1015 op=4 BIND anonymous mech=implicit ssf=0
conn=1015 op=4 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1015 op=4 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=4 RESULT tag=97 err=0 text=
conn=1014 op=3 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joenobody))"
conn=1014 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
conn=1014 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1014 op=4 SRCH base="ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=joenobody))"
conn=1014 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire loginClass
conn=1014 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1014 op=5 SRCH base="ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
conn=1014 op=5 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
conn=1014 op=5 SEARCH RESULT tag=101 err=0 nentries=4 text=
conn=1014 op=6 UNBIND
conn=1014 fd=14 closed
conn=1016 fd=14 ACCEPT from IP=10.2.2.11:26988 (IP=0.0.0.0:389)
conn=1016 op=0 BIND dn="" method=128
conn=1016 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
conn=1016 op=1 UNBIND
conn=1016 fd=14 closed
conn=1017 fd=14 ACCEPT from IP=10.2.2.11:27131 (IP=0.0.0.0:389)
conn=1017 op=0 BIND dn="" method=128
conn=1017 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
conn=1017 op=1 UNBIND
conn=1017 fd=14 closed

************

My FreeNAS server logs for the same event look like this . . .

Dec 29 06:48:57 kat afpd[9306]: AFP3.3 Login by joenobody
Dec 29 06:48:57 kat afpd[9306]: nss_ldap: could not search LDAP server - Server is unavailable
Dec 29 06:48:57 kat afpd[9306]: nss_ldap: could not search LDAP server - Server is unavailable
Dec 29 06:49:21 kat afpd[9306]: AFP logout by joenobody
Dec 29 06:49:21 kat afpd[9306]: dsi_stream_read: len:0, unexpected EOF
Dec 29 06:49:21 kat afpd[9306]: afp_over_dsi: client logged out, terminating DSI session
Dec 29 06:49:21 kat afpd[9306]: AFP statistics: 0.59 KB read, 0.44 KB written

Output from freenas-debug -l attached. Attached file was edited for privacy.
Never mind. Forum limit of 19 KB (???? why) for attached text files. It's pasted below.

+--------------------------------------------------------------------------------+
+ FreeNAS-8.0.2-RELEASE-amd64 (8288) +
+--------------------------------------------------------------------------------+
Operating system type: FreeBSD
Operating system release: 8.2-RELEASE-p3
Operating system revision: 199506
Kernel version: FreeBSD 8.2-RELEASE-p3 #7: Fri Sep 30 12:51:49 PDT 2011
jpaetzel@servant.iXsystems.com:/b/sf_freenas_build/obj.amd64/b/sf_freenas_build/FreeBSD/src/sys/FREENAS.amd64
Hostname: kat.mydomain.org
Name of kernel file booted: /boot/kernel/kernel


+--------------------------------------------------------------------------------+
+ LDAP Status +
+--------------------------------------------------------------------------------+
LDAP is ENABLED


+--------------------------------------------------------------------------------+
+ LDAP Settings +
+--------------------------------------------------------------------------------+
HOSTNAME: directory.mydomain.org
BASEDN: dc=mydomain,dc=co
PWENCRYPTION: clear
ANONBIND: 0
SSL: off
MACHINESUFFIX:
GROUPSUFFIX: ou=Groups,domainName=mydomain.org,o=domains
USERSUFFIX: ou=Users,domainName=mydomain.org,o=domains
PASSWORDSUFFIX:
ROOTBASEDN: cn=Manager,dc=mydomain,dc=co


+--------------------------------------------------------------------------------+
+ /etc/nsswitch.conf +
+--------------------------------------------------------------------------------+
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files


+--------------------------------------------------------------------------------+
+ /etc/pam.d +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ /etc/pam.d/atrun +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/atrun,v 1.1 2007/06/15 12:02:16 yar Exp $
#
# PAM configuration for the "atrun" service
#

# Note well: enabling pam_nologin for atrun will currently result
# in jobs discarded, not just delayed, during a no-login period.
#account required pam_nologin.so
account required pam_unix.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/cron +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/cron,v 1.1 2007/06/17 17:25:52 yar Exp $
#
# PAM configuration for the "cron" service
#

# account
account required pam_nologin.so
account required pam_unix.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/ftp +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/ftpd,v 1.20 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "ftpd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account sufficient /usr/local/lib/pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so

# session
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/ftpd +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/ftpd,v 1.20 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "ftpd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account sufficient /usr/local/lib/pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so

# session
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/imap +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/imap,v 1.7 2007/06/15 11:33:13 yar Exp $
#
# PAM configuration for the "imap" service
#

# auth
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_nologin.so
account required pam_unix.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/kde +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/kde,v 1.9 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "kde" service
#

# auth
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/login +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/login,v 1.17 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "login" service
#

# auth
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth include system

# account
account requisite pam_securetty.so
account required pam_nologin.so
account sufficient /usr/local/lib/pam_ldap.so ignore_authinfo_unavail
account include system

# session
session include system

# password
password include system


+--------------------------------------------------------------------------------+
+ /etc/pam.d/netatalk +
+--------------------------------------------------------------------------------+
#
# PAM configuration for the "netatalk" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account sufficient /usr/local/lib/pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so

# session
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so

# password
password sufficient /usr/local/lib/pam_ldap.so try_first_pass
password required pam_unix.so no_warn try_first_pass


+--------------------------------------------------------------------------------+
+ /etc/pam.d/other +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/other,v 1.13 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "other" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
password required pam_permit.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/passwd +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/passwd,v 1.3 2003/04/24 12:22:42 des Exp $
#
# PAM configuration for the "passwd" service
#

# passwd(1) does not use the auth, account or session services.

# password
#password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok


+--------------------------------------------------------------------------------+
+ /etc/pam.d/pop3 +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/pop3,v 1.7 2007/06/15 11:33:13 yar Exp $
#
# PAM configuration for the "pop3" service
#

# auth
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
#account required pam_nologin.so
account required pam_unix.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/rsh +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/rsh,v 1.6 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "rsh" service
#

# auth
auth required pam_rhosts.so no_warn

# account
account required pam_nologin.so
account required pam_unix.so

# session
session required pam_permit.so

# password
password required pam_deny.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/sshd +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.18 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so ignore_authinfo_unavail
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so

# password
password sufficient /usr/local/lib/pam_ldap.so try_first_pass
password required pam_unix.so no_warn try_first_pass


+--------------------------------------------------------------------------------+
+ /etc/pam.d/su +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/su,v 1.16 2003/07/09 18:40:49 des Exp $
#
# PAM configuration for the "su" service
#

# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth include system

# account
account include system

# session
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so


+--------------------------------------------------------------------------------+
+ /etc/pam.d/system +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/system,v 1.3 2009/10/05 09:28:54 des Exp $
#
# System-wide defaults
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass


+--------------------------------------------------------------------------------+
+ /etc/pam.d/telnetd +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/telnetd,v 1.10 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "telnetd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass


+--------------------------------------------------------------------------------+
+ /etc/pam.d/xdm +
+--------------------------------------------------------------------------------+
#
# $FreeBSD: src/etc/pam.d/xdm,v 1.12 2009/10/05 09:28:54 des Exp $
#
# PAM configuration for the "xdm" service
#

# auth
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_unix.so

# session
#session required pam_ssh.so want_agent
session required pam_lastlog.so no_fail

# password
password required pam_deny.so




+--------------------------------------------------------------------------------+
+ /etc/resolv.conf +
+--------------------------------------------------------------------------------+
search mydomain.org
nameserver 10.2.2.1


+--------------------------------------------------------------------------------+
+ /etc/hosts +
+--------------------------------------------------------------------------------+
# $FreeBSD: src/etc/hosts,v 1.16.34.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain freenas freenas.local
127.0.0.1 localhost localhost.my.domain freenas freenas.local
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
127.0.0.1 kat.mydomain.org


+--------------------------------------------------------------------------------+
+ ifconfig -a +
+--------------------------------------------------------------------------------+
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:52:8c:56
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:52:8c:56
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether 00:25:90:52:8c:56
inet 10.2.2.11 netmask 0xffffff00 broadcast 10.2.2.255
media: Ethernet autoselect
status: active
laggproto lacp
laggport: em0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: em1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>


+--------------------------------------------------------------------------------+
+ /usr/local/etc/smb.conf +
+--------------------------------------------------------------------------------+
[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
display charset = LOCALE
max log size = 10
syslog only = yes
syslog = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
getwd cache = yes
guest account = anybody
map to guest = Bad Password
guest ok = yes
guest only = yes
netbios name = freenas
workgroup = MSHOME
server string = FreeNAS Server
use sendfile = yes
large readwrite = no
store dos attributes = yes
local master = yes
time server = yes
null passwords = yes
security = user
passdb backend = ldapsam:ldap://directory.mydomain.org
ldap admin dn = cn=Manager,dc=mydomain,dc=co
ldap suffix = dc=mydomain,dc=co
ldap user suffix = ou=Users,domainName=mydomain.org,o=domains
ldap group suffix = ou=Groups,domainName=mydomain.org,o=domains
ldap ssl = off
ldap replication sleep = 1000
ldap passwd sync = yes
#ldap debug level = 1
#ldap debug threshold = 1
ldapsam:trusted = yes
idmap uid = 10000-39999
idmap gid = 10000-39999
create mask = 0666
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1
aio read size = 1
aio write size = 1


[tank]
path = /mnt/tank10/shared
printable = no
veto files = /.snap/.windows/
writeable = yes
browseable = yes
inherit owner = no
inherit permissions = no
vfs objects = zfsacl shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: localtime = yes
shadow: format = auto-%Y%m%d.%H%M-2w
guest account = anybody
guest ok = yes
inherit acls = Yes
map archive = No
map readonly = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes




+--------------------------------------------------------------------------------+
+ /usr/local/etc/openldap/ldap.conf +
+--------------------------------------------------------------------------------+
HOST directory.mydomain.org
BASE dc=mydomain,dc=co


+--------------------------------------------------------------------------------+
+ /usr/local/etc/nss_ldap.conf +
+--------------------------------------------------------------------------------+
host directory.mydomain.org
base dc=mydomain,dc=co
rootbinddn cn=Manager,dc=mydomain,dc=co
pam_password clear
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co
nss_base_group ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=co
nss_override_attribute_value loginShell /bin/sh
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid


+--------------------------------------------------------------------------------+
+ LDAP Users and Groups +
+--------------------------------------------------------------------------------+
+--------------------------------------------------------------------------------+
+ Users +
+--------------------------------------------------------------------------------+
root:$1$Am3tSS/f$O6AkMqM5FzptU084emF7r0:0:0:FreeNAS root:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:2:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
avahi:*:200:200:avahi user:/nonexistant:/usr/sbin/nologin
messagebus:*:201:201:messagebus user:/nonexistant:/usr/sbin/nologin
ftp:*:14:14::/nonexistent:/bin/csh
anybody:$1$qzFjzzZH$tSItXXqRiUt7ySHW5ob.V.:1500:20:Anybody:/mnt/v10/shared:/bin/csh
di:$1$lB3ESGAt$cfLmF69xRhArbL8Xn2ogs1:1501:1501:Dharma INC:/mnt/tank10/shared:/bin/csh
ajdh:$1$dlDXzWUg$W0mJ9zRy5YeByh5Dsy.JO/:1503:1501:AJ-DH:/nonexistent:/bin/csh
joenobody:*:1001:1001:Joe:/var/vmail/vmail1/mydomain.org/a/n/u/joenobody-2011.10.28.01.24.58/:/bin/sh
<Note: one LDAP user shown above, rest deleted for privacy>
+--------------------------------------------------------------------------------+
+ Groups +
+--------------------------------------------------------------------------------+
wheel:*:0
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
ftp:*:14
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
www:*:80
nogroup:*:65533
nobody:*:65534
avahi:*:200
messagebus:*:201
ka_admin:*:1501
<deleted for privacy>


+--------------------------------------------------------------------------------+
+ /var/tmp/.cache/.ldap/.ldap/.local/.users/.cache.db +
+--------------------------------------------------------------------------------+
Thu Dec 29 07:09:55 2011 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
Flags
2 Minimum keys per-page
16384 Underlying database page size
4079 Overflow key/data size
1 Number of levels in the tree
8 Number of unique keys in the tree
8 Number of data items in the tree
0 Number of tree internal pages
0 Number of bytes free in tree internal pages (0% ff)
1 Number of tree leaf pages
14814 Number of bytes free in tree leaf pages (9% ff)
0 Number of tree duplicate pages
0 Number of bytes free in tree duplicate pages (0% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list


+--------------------------------------------------------------------------------+
+ /var/tmp/.cache/.ldap/.ldap/.local/.users/.cache.db +
+--------------------------------------------------------------------------------+
Thu Dec 29 07:09:55 2011 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
Flags
2 Minimum keys per-page
16384 Underlying database page size
4079 Overflow key/data size
1 Number of levels in the tree
8 Number of unique keys in the tree
8 Number of data items in the tree
0 Number of tree internal pages
0 Number of bytes free in tree internal pages (0% ff)
1 Number of tree leaf pages
14814 Number of bytes free in tree leaf pages (9% ff)
0 Number of tree duplicate pages
0 Number of bytes free in tree duplicate pages (0% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list


+--------------------------------------------------------------------------------+
+ /var/tmp/.cache/.ldap/.ldap/.users/.cache.db +
+--------------------------------------------------------------------------------+
Thu Dec 29 07:09:55 2011 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
Flags
2 Minimum keys per-page
16384 Underlying database page size
4079 Overflow key/data size
1 Number of levels in the tree
17 Number of unique keys in the tree
17 Number of data items in the tree
0 Number of tree internal pages
0 Number of bytes free in tree internal pages (0% ff)
1 Number of tree leaf pages
12206 Number of bytes free in tree leaf pages (25% ff)
0 Number of tree duplicate pages
0 Number of bytes free in tree duplicate pages (0% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list


+--------------------------------------------------------------------------------+
+ /var/tmp/.cache/.ldap/.ldap/.groups/.cache.db +
+--------------------------------------------------------------------------------+
Thu Dec 29 07:09:55 2011 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
Flags
2 Minimum keys per-page
16384 Underlying database page size
4079 Overflow key/data size
1 Number of levels in the tree
4 Number of unique keys in the tree
4 Number of data items in the tree
0 Number of tree internal pages
0 Number of bytes free in tree internal pages (0% ff)
1 Number of tree leaf pages
15542 Number of bytes free in tree leaf pages (5% ff)
0 Number of tree duplicate pages
0 Number of bytes free in tree duplicate pages (0% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list


+--------------------------------------------------------------------------------+
+ User and Group cache dump +
+--------------------------------------------------------------------------------+
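
Added example for this thread (not code from the post, from FreeNAS or from netatalk): a small correlator for the two logs quoted above, which parses the slapd BIND/RESULT pairs and the afpd lines to tell the authentication stage from the lookup stage. In the posted slapd log the bind as the user's own DN on conn=1015 op=3 returns err=0, so the password was accepted; only afterwards do conn=1016 and conn=1017 bind with an empty DN and get err=48 "anonymous bind disallowed", at the same moment afpd logs nss_ldap "Server is unavailable". nss_ldap honours rootbinddn only from a root process, so one reading the logs support (the post itself does not confirm it) is that afpd's post-login NSS lookups ran without credentials. The SLAPD_LOG and AFPD_LOG excerpts are copied from the post; INVALID_LOG and the verdict names are constructed for the example.

```python
"""Separate the PAM (authentication) stage from the NSS (lookup) stage of
an LDAP-backed AFP login by correlating slapd and afpd log lines.

Added example for this thread; not code from the original post or from
FreeNAS/netatalk.  SLAPD_LOG and AFPD_LOG are copied from the post;
INVALID_LOG is constructed to show the wrong-password path.
"""
import re

# From the post: conn=1015 is the pam_ldap auth stage (bind as the user),
# conn=1016/1017 are the later binds with an empty DN.
SLAPD_LOG = """\
conn=1015 fd=17 ACCEPT from IP=10.2.2.11:46289 (IP=0.0.0.0:389)
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=0 RESULT tag=97 err=0 text=
conn=1015 op=3 BIND anonymous mech=implicit ssf=0
conn=1015 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" method=128
conn=1015 op=3 RESULT tag=97 err=0 text=
conn=1016 fd=14 ACCEPT from IP=10.2.2.11:26988 (IP=0.0.0.0:389)
conn=1016 op=0 BIND dn="" method=128
conn=1016 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
conn=1017 fd=14 ACCEPT from IP=10.2.2.11:27131 (IP=0.0.0.0:389)
conn=1017 op=0 BIND dn="" method=128
conn=1017 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

# From the post: the FreeNAS side of the same login.
AFPD_LOG = """\
Dec 29 06:48:57 kat afpd[9306]: AFP3.3 Login by joenobody
Dec 29 06:48:57 kat afpd[9306]: nss_ldap: could not search LDAP server - Server is unavailable
Dec 29 06:48:57 kat afpd[9306]: nss_ldap: could not search LDAP server - Server is unavailable
Dec 29 06:49:21 kat afpd[9306]: AFP logout by joenobody
"""

# Constructed (not from the post): what slapd logs for a wrong password.
INVALID_LOG = """\
conn=1020 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" method=128
conn=1020 op=3 RESULT tag=97 err=49 text=
"""

ROOTBINDDN = "cn=Manager,dc=mydomain,dc=co"   # from the posted nss_ldap.conf

# LDAP result codes (RFC 4511).
INAPPROPRIATE_AUTH = 48    # slapd's "anonymous bind disallowed"
INVALID_CREDENTIALS = 49   # wrong password

# Only the bind request line (dn="..." method=N) and its BindResponse
# (tag=97) match; the "mech=SIMPLE ssf=0" and "BIND anonymous mech=implicit"
# echo lines are skipped on purpose.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def parse_binds(slapd_log):
    """Map (conn, op) -> {"dn": str, "err": int|None} for every simple bind."""
    binds = {}
    for line in slapd_log.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            binds[(int(conn), int(op))] = {"dn": dn, "err": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            key = (int(conn), int(op))
            if key in binds:
                binds[key]["err"] = int(err)
    return binds


def triage(slapd_log, afpd_log, rootbinddn=ROOTBINDDN):
    """Report which stage failed: the bind as the user, or the later lookups."""
    binds = parse_binds(slapd_log)
    user_binds = {k: b for k, b in binds.items() if b["dn"] and b["dn"] != rootbinddn}
    anon_rejected = sorted({c for (c, _), b in binds.items()
                            if b["dn"] == "" and b["err"] == INAPPROPRIATE_AUTH})
    afpd_lines = afpd_log.splitlines()
    report = {
        "user_auth_ok": sorted(k for k, b in user_binds.items() if b["err"] == 0),
        "user_auth_failed": sorted(k for k, b in user_binds.items()
                                   if b["err"] == INVALID_CREDENTIALS),
        "anon_rejected_conns": anon_rejected,
        "afp_login_seen": any("Login by" in ln for ln in afpd_lines),
        "nss_ldap_errors": sum(1 for ln in afpd_lines if "nss_ldap:" in ln),
    }
    if report["user_auth_failed"]:
        report["verdict"] = "invalid-credentials"
    elif report["afp_login_seen"] and report["nss_ldap_errors"] and anon_rejected:
        # Password accepted by PAM, then a lookup ran with no credentials and
        # slapd refused it: the client fell back to anonymous at the NSS stage.
        report["verdict"] = "pam-ok-nss-anonymous-rejected"
    elif report["user_auth_ok"]:
        report["verdict"] = "pam-ok"
    else:
        report["verdict"] = "inconclusive"
    return report


if __name__ == "__main__":
    for key, value in triage(SLAPD_LOG, AFPD_LOG).items():
        print(f"{key}: {value}")
```

To confirm the anonymous path by hand from the NAS, an uncredentialed simple bind and search (`ldapsearch -x -H ldap://directory.mydomain.org -b 'ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co' '(uid=joenobody)'`) should fail with result 48 rather than return the entry; if it does, whatever process performs the post-login lookups needs its own bind credentials or the server needs an ACL that allows those reads.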
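
A second added example, again not code from the post or from FreeNAS: a lint for the posted /usr/local/etc/nss_ldap.conf that flags the settings behind the ssf=0 binds and the anonymous fallback, then prints a hardened variant. The service-account DN (cn=nas-reader,...), the CA file path and the bindpw placeholder are assumptions for illustration. As far as I know FreeNAS 8 regenerates this file from the LDAP settings shown in the debug output, so the hardened text describes what those settings (and the slapd side: a read-only account for the NAS, TLS) need to produce, not a file to hand-edit.

```python
"""Lint a PADL nss_ldap/pam_ldap configuration for the weaknesses visible in
the posted nss_ldap.conf and emit a hardened variant.

Added example for this thread; not code from the post or from FreeNAS.
POSTED_CONF is copied from the post.  The service DN, CA path and bindpw
placeholder used by harden() are assumptions.
"""

POSTED_CONF = """\
host directory.mydomain.org
base dc=mydomain,dc=co
rootbinddn cn=Manager,dc=mydomain,dc=co
pam_password clear
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co
nss_base_group ou=Groups,domainName=mydomain.org,o=domains,dc=mydomain,dc=co
nss_override_attribute_value loginShell /bin/sh
ldap_version 3
timelimit 30
bind_timelimit 30
bind_policy soft
pam_ldap_attribute uid
"""


def parse_conf(text):
    """Parse 'keyword value' lines into an insertion-ordered dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def lint(conf):
    """Return (check, explanation) pairs for each weakness found."""
    findings = []
    ssl = conf.get("ssl", "off").lower()
    uri = conf.get("uri", "")
    if ssl == "off" and not uri.startswith("ldaps://"):
        findings.append(("cleartext-transport",
            "no 'ssl start_tls'/'ssl on' and no ldaps:// URI: every simple bind "
            "(rootbinddn and user passwords) crosses the wire in the clear; "
            "this is the ssf=0 on each BIND in the slapd log"))
    if ssl != "off" and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append(("no-peer-verification",
            "TLS is on but tls_checkpeer is not 'yes': the server certificate is not checked"))
    if "rootbinddn" in conf and "binddn" not in conf:
        findings.append(("anonymous-fallback",
            "rootbinddn without binddn: only a root process can read the secret file, "
            "so lookups from a process that has dropped privileges bind anonymously "
            "(the err=48 'anonymous bind disallowed' in the slapd log)"))
    if conf.get("rootbinddn", "").lower().startswith("cn=manager,"):
        findings.append(("rootdn-as-client",
            "the directory's administrative DN is used for NAS lookups; a read-only "
            "service account is enough for NSS"))
    if conf.get("pam_password", "").lower() == "clear":
        findings.append(("cleartext-password-store",
            "pam_password clear writes password changes as cleartext userPassword; "
            "'exop' lets the server hash them"))
    return findings


def harden(conf, service_dn, ca_file):
    """Return hardened configuration text; base/nss_base_* lines are kept."""
    out = dict(conf)
    host = out.pop("host", "")
    out.pop("rootbinddn", None)          # no root-only secret to fall back from
    out.update({
        "uri": f"ldap://{host}/",
        "ssl": "start_tls",
        "tls_checkpeer": "yes",
        "tls_cacertfile": ca_file,       # assumed path of the CA that signed slapd's cert
        "binddn": service_dn,            # assumed read-only service account
        "bindpw": "<set-in-gui-or-secret-file>",   # placeholder, never a real secret here
        "pam_password": "exop",
    })
    return "\n".join(f"{k} {v}" for k, v in out.items()) + "\n"


if __name__ == "__main__":
    posted = parse_conf(POSTED_CONF)
    for check, why in lint(posted):
        print(f"[{check}] {why}")
    print(harden(posted, "cn=nas-reader,ou=Services,dc=mydomain,dc=co",
                 "/usr/local/etc/openldap/ca.crt"))
```

The two checks that matter for this thread are anonymous-fallback and cleartext-transport: the first explains how a client that authenticated fine can still send an uncredentialed search, the second is why the Manager DN's password and every user password are visible to anyone on the path between 10.2.2.11 and the directory.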
 
Joined Feb 21, 2012
Messages 4
similar problem


I have a similar problem with ssh (and ftp) on freenas 8.0.3 as shown in http://forums.freenas.org/showthrea...erver-Server-is-unavailable&p=22191#post22191
Any solution?
thanks
 

mmx

Cadet
Joined
Sep 16, 2011
Messages
4
I found a workaround.

The nss_ldap module doesn't use the credentials already entered into the LDAP UI, so you have to add it into the auxiliary parameters like this . . .

binddn cn=admin,dc=yourdomain,dc=co
bindpw ******yyyyybbbbb

Cheers.
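As an added example (not code from FreeNAS, netatalk, nss_ldap or either poster), a small Python triage script for this kind of failure: it groups the slapd access-log lines from the first post per connection so the refused anonymous bind (err=48) from the NAS stands out next to the successful Manager and user binds, and it checks whether an nss_ldap.conf carries the binddn/bindpw pair that the workaround adds through the auxiliary parameters. Per nss_ldap's ldap.conf(5), rootbinddn is only used when the calling process's effective UID is root, which is the assumption behind the second check; the sample log and config are constructed to mirror the thread's dump, and the bindpw value is a placeholder.

```python
"""Triage helpers for the LDAP-over-AFP failure discussed in this thread.

Added example, not code from FreeNAS, netatalk, nss_ldap or the posters.
  parse_binds()                  groups slapd BIND/RESULT lines per connection
  anonymous_bind_failures()      lists refused anonymous (empty-DN) binds
  unprivileged_bind_configured() checks nss_ldap.conf for binddn + bindpw
Per nss_ldap's ldap.conf(5), rootbinddn applies only when the effective UID
is root; a daemon that has dropped privileges after login therefore falls
back to an anonymous bind, which this slapd refuses (err=48).
"""
import re
from collections import OrderedDict

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
# slapd logs two BIND lines per bind; only the first carries "method=",
# so the "mech=SIMPLE ssf=0" repeat is deliberately not matched.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
# tag=97 is a BindResponse; SEARCH RESULT lines use tag=101 and are skipped.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)')


def parse_binds(lines):
    """Return {conn_id: {"client": ip_or_None, "binds": [(dn, err, text)]}}."""
    conns = OrderedDict()
    pending = {}  # (conn, op) -> bind DN awaiting its RESULT line
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conns.setdefault(m.group(1), {"client": m.group(2), "binds": []})
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            conns.setdefault(conn, {"client": None, "binds": []})
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, text = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None:
                conns.setdefault(conn, {"client": None, "binds": []})
                conns[conn]["binds"].append((dn, int(err), text.strip()))
    return conns


def anonymous_bind_failures(conns):
    """(conn_id, client_ip) for every refused anonymous (empty-DN) bind."""
    return [(conn, info["client"])
            for conn, info in conns.items()
            for dn, err, _text in info["binds"]
            if dn == "" and err != 0]


def unprivileged_bind_configured(conf_text):
    """True if nss_ldap.conf has both binddn and bindpw (usable by non-root)."""
    keys = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keys[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return bool(keys.get("binddn")) and bool(keys.get("bindpw"))


# Constructed sample mirroring conn=1015/1016 from the first post's slapd log.
SAMPLE_SLAPD_LOG = """\
conn=1015 fd=17 ACCEPT from IP=10.2.2.11:46289 (IP=0.0.0.0:389)
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" method=128
conn=1015 op=0 BIND dn="cn=Manager,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=0 RESULT tag=97 err=0 text=
conn=1015 op=3 BIND anonymous mech=implicit ssf=0
conn=1015 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" method=128
conn=1015 op=3 BIND dn="mail=joenobody@mydomain.org,ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co" mech=SIMPLE ssf=0
conn=1015 op=3 RESULT tag=97 err=0 text=
conn=1016 fd=14 ACCEPT from IP=10.2.2.11:26988 (IP=0.0.0.0:389)
conn=1016 op=0 BIND dn="" method=128
conn=1016 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
conn=1016 op=1 UNBIND
conn=1016 fd=14 closed
"""

# nss_ldap.conf as shown by freenas-debug in the thread (trimmed): rootbinddn only.
CONF_BEFORE = """\
host directory.mydomain.org
base dc=mydomain,dc=co
rootbinddn cn=Manager,dc=mydomain,dc=co
nss_base_passwd ou=Users,domainName=mydomain.org,o=domains,dc=mydomain,dc=co
bind_policy soft
"""

# Same file with the workaround's auxiliary parameters appended.
# The bindpw value is a placeholder, not a real credential.
CONF_AFTER = CONF_BEFORE + """\
binddn cn=admin,dc=yourdomain,dc=co
bindpw EXAMPLE-PLACEHOLDER-PASSWORD
"""

if __name__ == "__main__":
    conns = parse_binds(SAMPLE_SLAPD_LOG.splitlines())
    for conn, info in conns.items():
        for dn, err, text in info["binds"]:
            label = dn if dn else "<anonymous>"
            print("conn=%s from %s: bind as %s -> err=%d %s"
                  % (conn, info["client"], label, err, text))
    print("refused anonymous binds:", anonymous_bind_failures(conns))
    print("binddn/bindpw before:", unprivileged_bind_configured(CONF_BEFORE))
    print("binddn/bindpw after: ", unprivileged_bind_configured(CONF_AFTER))
```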
 
Joined
Feb 21, 2012
Messages
4

Thank you!

Do you have some solutions to correctly integrate other LDAP user parameters like loginShell with ssh? It seems that some attributes are ignored by ssh when LDAP is started.
thank you in advance
 