FreeNAS/Univention UCS (possibility to make different pieces work together)

Rhaido

Cadet
Joined
Jun 19, 2018
Messages
7
Dear colleagues,

We are trying to integrate FreeNAS into the domain controlled by Univention UCS (we are testing migration from AD to UCS). Due to the existential dualism inside UCS (on the server, OpenLDAP is used for Linux and Samba 4 LDAP for Windows) we can either have:

(1) AD integration using the "Active Directory" integration of FreeNAS (done via winbind/samba), but we lose UIDs/GIDs/shell etc. posixAccount attributes, as they are stored in the OpenLDAP server, which is not queried (living on different ports), and Samba LDAP doesn't have UNIX Extensions (rfc2307) installed.
or

(2) we can have all the standard UNIX attributes correctly retrieved via LDAP directory integration, which seems to use SSSD as a way to retrieve the information, but then we lose domain integration with Samba.

It's basically like having 2 pieces of one picture which are not possible to combine due to whatever reasons :D

We are thinking about 3 theoretical solutions and are asking the community for advice regarding the ways to implement them in FreeNAS without breaking everything:

(1) I've read somewhere that Samba can use SSSD as a winbind idmap/nss backend. Therefore /etc/nsswitch.conf should work with winbind, and winbind will query sss for attribute mapping.
(2) specify an additional ldap server/port for querying the standard UNIX attributes (sounds like madness though)
(3) add proper integration to AD via SSSD/Kerberos/OpenLDAP, and then omit winbind altogether (somehow). This is how the Linux stations are working with Univention UCS/AD servers.

Points (1) and (3) can be achieved, but we do not want to interfere with the FreeNAS UI - it's there for a reason :D. What will be your advice regarding our problem?

Thanks for the comments and have a good day!

Mike.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You can configure the RFC2307 idmap backend in samba to speak to an arbitrary OpenLDAP server for Unix Attributes. The actual configuration details can be added as auxiliary parameters to Services->SMB.

At this point I am investigating replacing SSSD for providing LDAP integration for FreeNAS 11.3. The current FreeBSD port of SSSD is quite old (1.11.7), and porting newer versions will be a significant undertaking.
 

Rhaido

Cadet
Joined
Jun 19, 2018
Messages
7
Oh, this looks like a good idea. Although I've spotted the auxiliary configuration for sssd, I haven't for Samba. It's not very obvious though.

Ok, thanks! I'll give it a try at least - let's see what the result will be. Thanks!
 

Rhaido

Cadet
Joined
Jun 19, 2018
Messages
7
Well, it was not that simple at the end of the day :D
1. Univention UCS is using start_tls and somehow SASL is not allowed on top of TLS. Still a mystery for me, but I had to put "ldap ssl = no" into the auxiliary configuration of the SMB service (AD integration should be temporarily disabled in order to make this change).
2. The domain admin could not be authenticated by the UCS openldap instance (fails with ldap_bind: Invalid credentials (49)), although GSS-SPNEGO works just fine. So, an additional user had to be created - and this somehow worked.
3. The LDAP user DN password needs to be stored with the command: net idmap set secret '<domain name>' <password> . How the domain is named by samba should be retrieved from /usr/local/etc/smb4.conf (grep for 'idmap config' strings)
4. Be careful that ALL users and ALL groups are situated within the User/Group bind paths. If winbind doesn't find a group for a user, or a user - it will silently fail.
5. AND most important: in order to debug all of this, check /usr/local/etc/smb4.conf, then kill all winbind instances, and start one from the CLI with a higher debug level: /usr/local/sbin/winbindd -F -d 5 --configfile=/usr/local/etc/smb4.conf. This way I managed to get this rfc2307 backend working.

BTW, I do believe that config generation for the LDAP idmap backend is broken: for example, the ldap_url parameter is generated without the underscore, i.e. 'ldap url' - thus winbind complains that 'url is missing'

Hope these short notes will help somebody one day :)

@anodos: thanks for the tip.
 
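A way to check the idmap stanza before the "net idmap set secret" and winbindd debug steps above, as an added example that is not part of the original posts or of FreeNAS itself: the script parses the 'idmap config' lines of an smb4.conf fragment, verifies that the parameters the rfc2307 backend needs for a stand-alone LDAP server (names taken from idmap_rfc2307(8)) are present for the domain, flags the 'ldap url' (no underscore) spelling that leaves winbind without a URL, and prints the domain name that net idmap set secret expects. The two config fragments, the EXAMPLE domain, the host ucs-master.example.intranet, port 7389 and the bind account uid=freenas-idmap are all constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check the rfc2307 idmap stanza in an smb4.conf before
# storing the bind password and starting winbindd in debug mode.
# Parameter names follow idmap_rfc2307(8); everything else here is constructed.

# Parameters the stand-alone-LDAP variant of idmap_rfc2307 cannot work without.
REQUIRED="range ldap_server ldap_url ldap_user_dn bind_path_user bind_path_group"

# Emit each "idmap config DOMAIN : key = value" line as DOMAIN<TAB>key<TAB>value.
# The first '=' splits key from value, so DN values containing '=' survive.
idmap_lines() {  # $1 = smb4.conf path
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*idmap config/ {
            line = $0; sub(/^[ \t]*idmap config/, "", line)
            eq = index(line, "="); colon = index(line, ":")
            if (eq == 0 || colon == 0 || colon > eq) next
            printf "%s\t%s\t%s\n", trim(substr(line, 1, colon - 1)),
                   trim(substr(line, colon + 1, eq - colon - 1)), trim(substr(line, eq + 1))
        }' "$1"
}

# Value of one idmap parameter for one domain (empty if absent).
idmap_get() {  # $1 = file  $2 = domain  $3 = parameter
    idmap_lines "$1" | awk -F'\t' -v d="$2" -v k="$3" '$1 == d && $2 == k { print $3; exit }'
}

# Domain name samba attaches to the rfc2307 backend; this is the string
# 'net idmap set secret' expects as its first argument.
idmap_rfc2307_domain() {  # $1 = file
    idmap_lines "$1" | awk -F'\t' '$2 == "backend" && $3 == "rfc2307" { print $1; exit }'
}

# 0 when the stanza is complete, 1 when parameters are missing or misspelled,
# 2 when no rfc2307 backend is configured at all.
check_rfc2307_idmap() {  # $1 = file
    dom=$(idmap_rfc2307_domain "$1")
    if [ -z "$dom" ]; then
        echo "no 'idmap config <DOMAIN> : backend = rfc2307' stanza in $1" >&2
        return 2
    fi
    missing=""
    for key in $REQUIRED; do
        [ -n "$(idmap_get "$1" "$dom" "$key")" ] || missing="$missing $key"
    done
    # The trap from the thread: 'ldap url' (space) is an unknown parameter, so
    # winbind sees no URL at all; the real name is ldap_url.
    if grep -qi 'idmap config.*:[[:space:]]*ldap url[[:space:]]*=' "$1"; then
        missing="$missing (found 'ldap url', expected 'ldap_url')"
    fi
    if [ -n "$missing" ]; then
        echo "domain $dom: missing$missing" >&2
        return 1
    fi
    echo "domain $dom: rfc2307 stanza complete; next: net idmap set secret '$dom' '<bind password>'"
    return 0
}

# Constructed fragments (not from a real system). Domain, host, port 7389 and
# the uid=freenas-idmap bind account are assumptions for the example.
BROKEN=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT
cat > "$BROKEN" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.INTRANET
    idmap config * : backend = tdb
    idmap config * : range = 90000001-100000000
    idmap config EXAMPLE : backend = rfc2307
    idmap config EXAMPLE : range = 1000-999999
    idmap config EXAMPLE : ldap_server = stand-alone
    idmap config EXAMPLE : ldap url = ldap://ucs-master.example.intranet:7389
    idmap config EXAMPLE : ldap_user_dn = uid=freenas-idmap,cn=users,dc=example,dc=intranet
    idmap config EXAMPLE : bind_path_user = cn=users,dc=example,dc=intranet
EOF
# The corrected version: underscore restored and the group bind path added.
{ sed 's/ldap url =/ldap_url =/' "$BROKEN"
  echo "    idmap config EXAMPLE : bind_path_group = cn=groups,dc=example,dc=intranet"; } > "$GOOD"

if check_rfc2307_idmap "$BROKEN"; then echo "unexpected: broken config passed"; fi
check_rfc2307_idmap "$GOOD"
```

Run it against /usr/local/etc/smb4.conf on the FreeNAS box: the Services->SMB auxiliary parameters land in that file, so this also shows how FreeNAS spelled them. When it reports the stanza complete, store the bind password with the printed net idmap set secret command and then start winbindd in the foreground as the post describes (winbindd -F -d 5 --configfile=/usr/local/etc/smb4.conf) to watch the binds and lookups. It cannot tell whether every user and group really lives under bind_path_user and bind_path_group (point 4 above); that still needs an ldapsearch against the OpenLDAP port or the debug log.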

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
I set up my FreeNAS connection to UCS by using the AD settings in FreeNAS. Seems to work fine. You can't see the users or groups in FreeNAS, but they show up in the sharing settings as options like the local users. Haven't had any problems so far, except that SMB settings don't save due to the guest mapping field not verifying properly, but I think they are going to have that fixed in an upcoming update.
 

Rhaido

Cadet
Joined
Jun 19, 2018
Messages
7
Well, our goal was and still is to maintain the UID/GIDs across all our machines including FreeNAS; we also rely on groups. The core problem with UCS is that its samba actually recognizes the users, but fails to map them to the UID/GID specified by UCS. So, we solved this problem :)
 

mimesot

Dabbler
Joined
Mar 27, 2020
Messages
33
Well, it was not that simple at the end of the day :D
1. Univention UCS is using start_tls and somehow SASL is not allowed on top of TLS. Still a mystery for me, but I had to put "ldap ssl = no" into the auxiliary configuration of the SMB service (AD integration should be temporarily disabled in order to make this change).
2. The domain admin could not be authenticated by the UCS openldap instance (fails with ldap_bind: Invalid credentials (49)), although GSS-SPNEGO works just fine. So, an additional user had to be created - and this somehow worked.
3. The LDAP user DN password needs to be stored with the command: net idmap set secret '<domain name>' <password> . How the domain is named by samba should be retrieved from /usr/local/etc/smb4.conf (grep for 'idmap config' strings)
4. Be careful that ALL users and ALL groups are situated within the User/Group bind paths. If winbind doesn't find a group for a user, or a user - it will silently fail.
5. AND most important: in order to debug all of this, check /usr/local/etc/smb4.conf, then kill all winbind instances, and start one from the CLI with a higher debug level: /usr/local/sbin/winbindd -F -d 5 --configfile=/usr/local/etc/smb4.conf. This way I managed to get this rfc2307 backend working.

BTW, I do believe that config generation for the LDAP idmap backend is broken: for example, the ldap_url parameter is generated without the underscore, i.e. 'ldap url' - thus winbind complains that 'url is missing'

Hope these short notes will help somebody one day :)

@anodos: thanks for the tip.

Hi,
do those tips still apply with the current FreeNAS 11.3-U2 and Univention 4.4?
Kind regards
mimesot
 

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
Hi,
do those tips still apply with the current FreeNAS 11.3-U2 and Univention 4.4?
Kind regards
mimesot

Are you wanting to maintain UID/GID mappings? For our use we only really care that users can log in to the FreeNAS box with the same credentials they use elsewhere. This works fine just by setting up the AD connection in FreeNAS to the UCS box. Then when you set up shares in FreeNAS you can use the users and groups that are configured in UCS. It's been a while since I set it up, but I think the only slightly tricky part was getting the certificate set up correctly for the encrypted connection. There might be another thread about that on the forum somewhere IIRC.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Are you wanting to maintain UID/GID mappings? For our use we only really care that users can log in to the FreeNAS box with the same credentials they use elsewhere. This works fine just by setting up the AD connection in FreeNAS to the UCS box. Then when you set up shares in FreeNAS you can use the users and groups that are configured in UCS. It's been a while since I set it up, but I think the only slightly tricky part was getting the certificate set up correctly for the encrypted connection. There might be another thread about that on the forum somewhere IIRC.
At least in the case of Samba DCs, the encrypted connection is not a requirement in 11.3. Samba DCs require either encryption or kerberos auth (strong authentication). In 11.3 we default to using kerberos and so LDAPs is not a requirement unless the DC is configured that way.
 

Kevo

Dabbler
Joined
Jan 1, 2019
Messages
37
At least in the case of Samba DCs, the encrypted connection is not a requirement in 11.3. Samba DCs require either encryption or kerberos auth (strong authentication). In 11.3 we default to using kerberos and so LDAPs is not a requirement unless the DC is configured that way.

Good to know. I think I set it up when we were using 10.x maybe. At the time I couldn't get it to work without turning on TLS for the encryption mode in the Active Directory settings. That may have been a UCS requirement. Not sure if it still is or not, but that's what is working for us in the current version of FreeNAS 11.
 

mimesot

Dabbler
Joined
Mar 27, 2020
Messages
33
Are you wanting to maintain UID/GID mappings? For our use we only really care that users can log in to the FreeNAS box with the same credentials they use elsewhere. This works fine just by setting up the AD connection in FreeNAS to the UCS box. Then when you set up shares in FreeNAS you can use the users and groups that are configured in UCS. It's been a while since I set it up, but I think the only slightly tricky part was getting the certificate set up correctly for the encrypted connection. There might be another thread about that on the forum somewhere IIRC.
Indeed the AD connection worked without troubles. Thank you!

At least in the case of Samba DCs, the encrypted connection is not a requirement in 11.3. Samba DCs require either encryption or kerberos auth (strong authentication). In 11.3 we default to using kerberos and so LDAPs is not a requirement unless the DC is configured that way.
Thank you for that advice!

I continue my own experiments in this more recent thread: https://www.ixsystems.com/community...p-univention-problems-samba-attributes.83425/

Greetings
mimesot
 