How to get TN Core to act as an LDAPS client?

Niels Erik (Dabbler, joined Aug 9, 2015, 18 messages)
What I would like to achieve is to use my existing OpenLDAP server to provide authentication to the Samba server on the TrueNAS Core host.
I have looked at the following:
  1. Let Samba on the TrueNAS Core host use LDAP
  2. Let Samba on the TrueNAS Core host use an MIT Kerberos server in a jail, like FreeIPA
  3. Move the Samba server inside a jail (in order to be free to edit config files)
  4. Looking at Docker, and migration to SCALE
1: Let Samba on the TrueNAS Core host use LDAP
I run a number of jails with a mail server, Nextcloud, BIND, OpenLDAP, a reverse proxy, etc.
I can get PAM, SSSD, NSS and SASL to interface with LDAP inside jails without problems.
But I can't get the only service that I run outside the jails (the Samba file server) to use LDAP(S).

I know how to use ldapsearch and getent inside jails.
I use certificates signed by a public CA (Let's Encrypt), but the TrueNAS system itself does not face the internet. (My DNS provider does not support ACME; I have made a homemade solution to move certificates from the internet-facing reverse proxy to the internal jails.)
Since both the jails and the host are a kind of FreeBSD, what I would like most is to generate a /usr/local/etc/ldap.conf with the Let's Encrypt CA via the UI.

I have looked at this:
Filled out Base DN and Bind DN, password, checked Enable.

Imported the Let's Encrypt CA.

Nothing happens; the list of users does not get populated, as it does with 'getent passwd' in a jail.

The normal LDAP configuration files do not exist on the system, like these:

Code:
# /usr/local/etc/openldap/ldap.conf is used by ldapsearch
# /usr/local/etc/ldap.conf is used by PAM
# /usr/local/etc/nss_ldap.conf is used by NSS
TLS_CACERT /usr/local/etc/ssl/acme/ca-root.pem

2: Let Samba on the TrueNAS Core host use an MIT Kerberos server in a jail, like FreeIPA
I have tried to reverse engineer a FreeIPA Docker image (MIT Kerberos, Dogtag, BIND, Apache GUI + a lot more) to recreate it in a jail.
I have not got far with this; I have a basic Kerberos up and running with DNS settings, but without integration with LDAP.
The FreeIPA Docker image in itself is a pain in the butt... Tried to run it on WSL2, Ubuntu, Red Hat, but there is a regression problem...

3: Move the Samba server inside a jail (in order to be free to edit config files)
Another rabbit hole...
I kind of have ZFS working in a jail... except that I first ran into this:
Curiously, after I've created a new snapshot and do an ls -al /path/to/dataset/.zfs/snapshot (just ls does not help) from the base OS, I can access the new snapshot from jail.

Then I tried to get Samba up and running, and then I ran into this...

Unfortunately iocage does not have an option to allow mount fdescfs. And according to this comment by Kris Moore, there is no plans in foreseeable future. I guess, I have to move to generic jails instead of iocage then.

I have been contemplating editing iocage to support the missing property in the config.json.
 

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages)
Niels Erik said:
Nothing happens, the list of users does not get populated as with 'getent passwd' in a jail.

If you configure LDAP(S) as a directory service on the TrueNAS host, that won't propagate into a jail. Each jail is an independent, complete FreeBSD host.

You wrote you got it working inside jails. So the host part should work just the same for host based services. But only for them. What is your LDAP? Active Directory?
 

Niels Erik
Patrick M. Hausen said:
If you configure LDAP(S) as a directory service on the TrueNAS host that won't propagate into a jail. Each jail is an independent complete FreeBSD host.

You wrote you got it working inside jails. So the host part should work just the same for host based services. But only for them. What is your LDAP? Active Directory?

The difference between a jail and the host is that we are not supposed to edit the configuration files on the host; they are auto-generated/overwritten at startup anyway.

I see TN as a method to run jails and ZFS; all the rest is going on inside the jails. Preferably TN should not know anything about users (only the admin account).

One benefit of this is that it makes it possible to spin snapshot jails up on the backup server if the primary is dead (ZFS move into iocage/jails).

The OpenLDAP runs inside a jail (using inetOrgPerson and posixAccount; I have not imported any Samba LDIF). I also use LDAP for auth on a Linux laptop.

My problem is that the Samba (on host) user IDs are not aligned with LDAP.

I know how to configure a jail as an LDAP client (by editing files), but I can't find out how to get the UI to generate the same configuration files on the host.
 

Patrick M. Hausen
Niels Erik said:
The difference between jail and host is that we are not supposed to edit the configuration files on the host, and they are auto generated/overwritten at startup anyway.

I know :wink:

My question is why doesn't putting the connection parameters in Directory Services > LDAP just work?

Niels Erik said:
I see TN as a method to run jails and ZFS, all the rest is going on inside the jails. Preferable TN should not know any thing about users (Only admin account)

That's a perfectly valid and good approach.

Niels Erik said:
My problem is that SAMBA (on host) user ID's is not aligned with LDAP.

Again, configuring an LDAP directory in the UI should "just work" and do all that for you. Why try to mess with the configuration files? I'll give it a shot in a VM later ... all my existing TN CORE systems at work are Active Directory connected already, and that is working as it should:
Code:
$ ssh truenas-ka
Last login: Thu Apr 27 14:08:00 2023 from 217.29.46.69
[...]
Welcome to TrueNAS
ry93@truenas-ka:~ $ id
uid=100001128(ry93) gid=100000514(domänen-benutzer) groups=100000514(domänen-benutzer),90000001(BUILTIN\administrators),90000002(BUILTIN\users),100000513(domänen-admins),100000573(abgelehnte rodc-kennwortreplikationsgruppe),100001128(ry93),100002666(certsvc_dcom_access),100002684(team-mops),100002685(gesellschafter),100002688(vpn-users),100002712(mitarbeiter),100002782(atlassian-admins),100002797(atlassian-users),100002826(crowd-administrators),100002837(ox-users),100002843(owncloud-users),100002863(service-desk-users),100004134(adsyncadmins),100004144(ms365-users)
 

Patrick M. Hausen
Results: initial authentication and query submission work fine, and the query can be triggered by e.g. pw user show -a. TrueNAS is asking for any objects of objectClass=posixAccount. Since I do not have any in my Microsoft AD, the result set is empty.

Which brings us to the question of which kind of directory and schema you are using. If it's an MS AD, then simply make TrueNAS an AD member instead of using plain LDAP. If it's OpenLDAP or anything else, you need to adhere to RFC 2703, and all user objects need to be of objectClass=posixAccount, apparently.

HTH,
Patrick
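An added example (not code from this thread, TrueNAS, Samba or OpenLDAP) that ties together the two technical points above: the host-side lookup asks the directory for objectClass=posixAccount, so entries that are only inetOrgPerson never show up, and the client needs a CA pinned for LDAPS (the TLS_CACERT line from the first post). The script parses an LDIF dump such as `ldapsearch -LLL` prints, reports for every entry why it would be skipped as a POSIX user (missing posixAccount class, missing RFC 2307 attributes, non-numeric uidNumber/gidNumber), and renders the matching ldapsearch command and ldap.conf. The LDIF, the host name ldap.example.test, the base/bind DNs and the CA path are constructed placeholders.

```python
#!/usr/bin/env python3
"""Audit LDAP user entries for the RFC 2307 posixAccount shape and render the
LDAPS client settings needed to query them.

Added example, not TrueNAS/Samba/OpenLDAP code.  SAMPLE_LDIF is constructed;
host name, DNs and CA path passed to build_ldapsearch()/render_ldap_conf()
are placeholders.
"""
import shlex

# Attributes RFC 2307 makes mandatory on a posixAccount entry.
POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """LDIF (as printed by `ldapsearch -LLL`) -> list of {attr_lowercase: [values]}.
    Folded lines (leading space) are joined and comments skipped; base64 ("::")
    values stay undecoded because only objectClass and numeric ids matter here."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF line folding
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():                # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    if current:
        entries.append(current)
    return entries


def posix_problems(entry):
    """Reasons an (objectClass=posixAccount) lookup would skip or choke on this entry."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("no posixAccount objectClass (has: %s)" % ", ".join(sorted(classes)))
    for attr in POSIX_REQUIRED:
        if attr.lower() not in entry:
            problems.append("missing %s" % attr)
    for attr in ("uidNumber", "gidNumber"):
        for value in entry.get(attr.lower(), []):
            if not value.isdigit():         # NSS needs a numeric id, not a group name
                problems.append("%s is not numeric: %r" % (attr, value))
    return problems


def audit(text):
    """dn -> list of problems; an empty list means the entry is a usable POSIX user."""
    return {e["dn"][0]: posix_problems(e) for e in parse_ldif(text) if "dn" in e}


def usable_uids(text):
    """The uids that would actually turn into host users."""
    return sorted(e["uid"][0] for e in parse_ldif(text)
                  if "dn" in e and "uid" in e and not posix_problems(e))


def build_ldapsearch(host, base_dn, bind_dn, cacert):
    """Shell command for the same query over LDAPS.  LDAPTLS_CACERT is the
    environment form of TLS_CACERT, so it works on a host that has no
    /usr/local/etc/openldap/ldap.conf.  -W prompts for the bind password."""
    return ("LDAPTLS_CACERT=%s ldapsearch -x -LLL -H ldaps://%s -D %s -W -b %s "
            "'(objectClass=posixAccount)' uid uidNumber gidNumber homeDirectory"
            % (shlex.quote(cacert), host, shlex.quote(bind_dn), shlex.quote(base_dn)))


def render_ldap_conf(host, base_dn, cacert):
    """Minimal /usr/local/etc/openldap/ldap.conf.  'demand' is the OpenLDAP
    default; it is spelled out so nobody 'fixes' a missing CA with 'never'."""
    return "\n".join(["URI ldaps://%s" % host, "BASE %s" % base_dn,
                      "TLS_CACERT %s" % cacert, "TLS_REQCERT demand", ""])


# Constructed sample: alice is a proper posixAccount, bob is inetOrgPerson only,
# carol has posixAccount but a symbolic gidNumber.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Alice Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
cn: Bob Example
uid: bob
description:: Qm9iJ3MgYWNjb3VudA==

dn: uid=carol,ou=people,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Carol Example
uid: carol
uidNumber: 10003
gidNumber: staff
homeDirectory: /home/carol
"""

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
    print("usable:", usable_uids(SAMPLE_LDIF))
    print(build_ldapsearch("ldap.example.test", "dc=example,dc=test",
                           "cn=reader,dc=example,dc=test", "/usr/local/etc/ssl/acme/ca-root.pem"))
```

Run it against a real export by piping `ldapsearch -LLL` output into `audit()`: an empty user list in the UI with an otherwise working bind usually means every entry lands in the "no posixAccount objectClass" bucket, which is fixed in the directory (add the class and the four numeric/path attributes), not in any client config file.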
 