FreeNAS LDAP with FreeIPA

[Howard Swope]

I am trying to get my FreeNAS to create SMB shares which authenticate against FreeIPA (Redhat Identity Management on Centos7). I have SAMBA installed on FreeIPA box. From the FreeNAS box running getent passwd shows my created users. I can successfully access AFP shares and can successfully SSH into the FreeNAS box with user credentials that are on the FreeIPA box. But I can't seem to connect to the SMB shares. I have been tweaking the LDAP parameters for a long while now with no success. I am just ignorantly throwing darts at this problem. Can someone help me increase my understanding? My log.smbd reads:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 14.0px Monaco; color: #f5f5f5; background-color: #000000} span.s1 {font-variant-ligatures: no-common-ligatures}

Got user=[test] domain=[HMS3] workstation=[MACBOOKPRO-FDF9] len1=24 len2=230

[2016/12/22 11:15:20.973850, 3] ../source3/param/loadparm.c:3743(lp_load_ex)

lp_load_ex: refreshing parameters

[2016/12/22 11:15:20.973918, 3] ../source3/param/loadparm.c:544(init_globals)

Initialising global parameters

[2016/12/22 11:15:20.974044, 3] ../source3/param/loadparm.c:2672(lp_do_section)

Processing section "[global]"

[2016/12/22 11:15:20.974969, 2] ../source3/param/loadparm.c:2689(lp_do_section)

Processing section "[home]"

[2016/12/22 11:15:20.975245, 3] ../source3/param/loadparm.c:1589(lp_add_ipc)

adding IPC service

[2016/12/22 11:15:20.975283, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)

check_ntlm_password: Checking password for unmapped user [HMS3]\[test]@[MACBOOKPRO-FDF9] with the new password interface

[2016/12/22 11:15:20.975310, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)

check_ntlm_password: mapped user is: [HMS3]\[test]@[MACBOOKPRO-FDF9]

[2016/12/22 11:15:21.052850, 3] ../source3/auth/check_samsec.c:400(check_sam_security)

check_sam_security: Couldn't find user 'test' in passdb.

[2016/12/22 11:15:21.052922, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)

check_winbind_security: Not using winbind, requested domain [HMS3] was for this SAM.

[2016/12/22 11:15:21.052948, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)

check_ntlm_password: Authentication for user [test] -> [test] FAILED with error NT_STATUS_NO_SUCH_USER

[2016/12/22 11:15:21.053001, 3] ../source3/auth/auth_util.c:1602(do_map_to_guest_server_info)

No such user test [HMS3] - using guest account

[2016/12/22 11:15:21.055477, 0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)

Bad SMB2 signature for message

[2016/12/22 11:15:21.055540, 0] ../lib/util/util.c:559(dump_data)

[0000] F0 8B A1 8F 54 87 9C 0C D0 DD EB A2 03 E2 36 9C ....T... ......6.

[2016/12/22 11:15:21.055578, 0] ../lib/util/util.c:559(dump_data)

[0000] C3 0E D9 E3 D6 45 3F 62 7E B9 19 6B D1 C2 03 3E .....E?b ~..k...>

[2016/12/22 11:15:21.055613, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)

smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2406

[2016/12/22 11:15:21.061976, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)

Got NTLMSSP neg_flags=0x62888215

[2016/12/22 11:15:21.064688, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)

Got user=[test] domain=[HMS3] workstation=[MACBOOKPRO-FDF9] len1=24 len2=230

[2016/12/22 11:15:21.064738, 3] ../source3/param/loadparm.c:3743(lp_load_ex)

lp_load_ex: refreshing parameters

[2016/12/22 11:15:21.064809, 3] ../source3/param/loadparm.c:544(init_globals)

Initialising global parameters

[2016/12/22 11:15:21.064920, 3] ../source3/param/loadparm.c:2672(lp_do_section)

Processing section "[global]"

[2016/12/22 11:15:21.065843, 2] ../source3/param/loadparm.c:2689(lp_do_section)

Processing section "[home]"

[2016/12/22 11:15:21.066114, 3] ../source3/param/loadparm.c:1589(lp_add_ipc)

adding IPC service

[2016/12/22 11:15:21.066166, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)

check_ntlm_password: Checking password for unmapped user [HMS3]\[test]@[MACBOOKPRO-FDF9] with the new password interface

[2016/12/22 11:15:21.066188, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)

check_ntlm_password: mapped user is: [HMS3]\[test]@[MACBOOKPRO-FDF9]

[2016/12/22 11:15:21.067706, 3] ../source3/auth/check_samsec.c:400(check_sam_security)

check_sam_security: Couldn't find user 'test' in passdb.

[2016/12/22 11:15:21.067786, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)

check_winbind_security: Not using winbind, requested domain [HMS3] was for this SAM.

[2016/12/22 11:15:21.067813, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)

check_ntlm_password: Authentication for user [test] -> [test] FAILED with error NT_STATUS_NO_SUCH_USER

[2016/12/22 11:15:21.067837, 3] ../source3/auth/auth_util.c:1602(do_map_to_guest_server_info)

No such user test [HMS3] - using guest account

[2016/12/22 11:15:21.070280, 0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)

Bad SMB2 signature for message

[2016/12/22 11:15:21.070346, 0] ../lib/util/util.c:559(dump_data)

[0000] 88 EF 7E 78 B2 E9 A5 02 FC 6E B6 C3 6C 8D F4 BE ..~x.... .n..l...

[2016/12/22 11:15:21.070377, 0] ../lib/util/util.c:559(dump_data)

[0000] 84 15 64 6C 56 BB A6 FA E1 E0 C9 4C 92 5D C7 7F ..dlV... ...L.]..

[2016/12/22 11:15:21.070412, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)

smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2406

[2016/12/22 11:16:12.888715, 2] ../source3/smbd/process.c:2875(deadtime_fn)

Closing idle connection

[2016/12/22 11:16:12.888921, 3] ../source3/smbd/server.c:154(msg_exit_server)

got a SHUTDOWN message

[2016/12/22 11:16:12.889191, 3] ../source3/smbd/server_exit.c:246(exit_server_common)

Server exit (normal exit)

 

[dlavigne]

Were you able to figure this out?

 

[Howard Swope]

No I still haven't solved this. There just isn't much material out there on this subject. I did find a long thread regarding freenas and freeipa and at the end the resolution was to give up and not do it. I did however find someone who has had success with freebsd as a freeipa client [https://forums.freebsd.org/threads/46526/]. So it looks like it is possible. But in this thread there was a lot of custom things done. I don't know how I would apply it to freenas. Part of the reason that freenas is appealing is that I have access to powerful services without having to spend all my time mired in unix config. But both those articles were older. I have to imagine progress has been made here. I am just not finding it.

 

[xenu]

I gave it a try today but without much success. I managed to connect to a CIFS share using my FreeIPA credentials with a windows 10 client and it showed the correct uid/gid in smb.log. but for some reason could not connect it using 'mount.cifs' from a CentOS 7.3 client (user not found in freenas smb log).
I used information found here: http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA and all kinds of smb.conf settings.

Successful login using freeipa credentials connecting from windows 10 client:

[2017/01/03 14:59:59.187445, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'ldapsam' loaded
[2017/01/03 14:59:59.187524, 2] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=FREENAS01))]
[2017/01/03 14:59:59.214631, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2017/01/03 14:59:59.244225, 1] ../source3/smbd/files.c:218(file_init_global)
file_init_global: Information only: requested 469802 open files, 59392 are available.
[2017/01/03 14:59:59.245974, 0] ../lib/util/become_daemon.c:124(daemon_ready)
STATUS=daemon 'smbd' finished starting up and ready to serve connections
[2017/01/03 14:59:59.246084, 2] ../source3/smbd/server.c:1125(smbd_parent_loop)
waiting for connections
[2017/01/03 14:59:59.491709, 0] ../source3/lib/util_sock.c:876(matchname)
matchname: host name/name mismatch: 10.0.80.2 != (NULL)
[2017/01/03 14:59:59.491743, 0] ../source3/lib/util_sock.c:1055(get_remote_hostname)
matchname failed on 10.0.80.2
[2017/01/03 14:59:59.752743, 2] ../source3/param/loadparm.c:2689(lp_do_section)
Processing section "[backup_windows]"
[2017/01/03 14:59:59.752995, 2] ../source3/param/loadparm.c:2689(lp_do_section)
Processing section "[db]"
[2017/01/03 14:59:59.767374, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2017/01/03 14:59:59.807235, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'aio_pthread' loaded
[2017/01/03 14:59:59.807605, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'zfsacl' loaded
[2017/01/03 14:59:59.814834, 2] ../lib/util/modules.c:196(do_smb_load_module)
Module 'zfs_space' loaded
[2017/01/03 14:59:59.815051, 2] ../source3/smbd/service.c:872(make_connection_snum)
10.0.80.2 (ipv4:10.0.80.2:45447) connect to service backup_windows initially as user example_user (uid=1234567890, gid=1234567890) (pid 1587)


Unsuccessful attempt to 'mount.cifs freenas01.ipa.example.com:/mnt/tank/test /mnt/freenas/test -o username=example_user@IPA.EXAMPLE.COM' from centos client:

[2017/01/03 14:22:41.907212, 2] ../source3/param/loadparm.c:2689(lp_do_section)
Processing section "[backup_windows]"
[2017/01/03 14:22:41.907476, 2] ../source3/param/loadparm.c:2689(lp_do_section)
Processing section "[db]"
[2017/01/03 14:22:42.064088, 1] ../auth/credentials/credentials_secrets.c:396(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database: Failed to fetch machine account password for IPA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=IPA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: (null)) and from /var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2017/01/03 14:22:42.064134, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine DC01.IPA.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2017/01/03 14:22:42.079219, 1] ../auth/credentials/credentials_secrets.c:396(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database: Failed to fetch machine account password for IPA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=IPA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: (null)) and from /var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2017/01/03 14:22:42.079250, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine DC01.IPA.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2017/01/03 14:22:42.092482, 1] ../auth/credentials/credentials_secrets.c:396(cli_credentials_set_machine_account_db_ctx)
Could not find machine account in secrets database: Failed to fetch machine account password for IPA from both secrets.ldb (Could not find entry to match filter: '(&(flatname=IPA)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: (null)) and from /var/db/samba4/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2017/01/03 14:22:42.092510, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine DC01.IPA.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2017/01/03 14:22:42.092536, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
[2017/01/03 14:22:42.092552, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [example_user@IPA.EXAMPLE.COM] -> [example_user@IPA.EXAMPLE.COM] FAILED with error NT_STATUS_NO_LOGON_SERVERS


 

[{mystery}{of}{time}]

I think this guy figured it out! https://lukegb.com/posts/2017-02-19-freenas-freeipa-samba-and-kerberos/

 

[wevuk]

I think this guy figured it out! https://lukegb.com/posts/2017-02-19-freenas-freeipa-samba-and-kerberos/

Unfortunately, I'm trying to implement this on FN11 and... it appears there is no CLI. Stumped again.

 

[{mystery}{of}{time}]

I got it to work, just requires the correct syntax in your LDAP settings through the GUI.

Lets assume the fqdn for your ipa server is ipa01.magic.dust
The LDAP fields would be filled out with this syntax below replacing magic and dust with your domain info instead.

Hostname: ipa01.magic.dust
Base DN: dc=magic,dc=dust
Bind DN: uid=admin,cn=users,cn=accounts,dc=magic,dc=dust
Bind Password: *Enter your ipa admin password*
Enable: Check the box

Save

Now you will want to make sure you Freenas box is in the firewall trusted zone on the ipa server, aslo make sure the appropriate firewall ports are open on your freenas server. Ideally just allowing all traffic between both the Freenas and ipa server. I personally do not have Samba installed on my rig, and have not tested smb or cifs shares, but instead i'm using NFS shares exclusively, and it works great. I gave a FreeIPA user and a FreeIPA group ownership over my NFS shares, anyone in the right group gets read, write and execute access to that share.


Hope this helps.

 

[{mystery}{of}{time}]

Unfortunately, I'm trying to implement this on FN11 and... it appears there is no CLI. Stumped again.

I got it to work, just requires the correct syntax in your LDAP settings through the GUI.

Lets assume the fqdn for your ipa server is ipa01.magic.dust
The LDAP fields would be filled out with this syntax below replacing magic and dust with your domain info instead.

Hostname: ipa01.magic.dust
Base DN: dc=magic,dc=dust
Bind DN: uid=admin,cn=users,cn=accounts,dc=magic,dc=dust
Bind Password: *Enter your ipa admin password*
Enable: Check the box

Save

Now you will want to make sure you Freenas box is in the firewall trusted zone on the ipa server, aslo make sure the appropriate firewall ports are open on your freenas server. Ideally just allowing all traffic between both the Freenas and ipa server. I personally do not have Samba installed on my rig, and have not tested smb or cifs shares, but instead i'm using NFS shares exclusively, and it works great. I gave a FreeIPA user and a FreeIPA group ownership over my NFS shares, anyone in the right group gets read, write and execute access to that share.


Hope this helps!