Is there a FreeNAS 9.3 AD (Active Directory) guide anywhere?

[IonutZ]

Unfortunately, like many others I'm having issues in setting up Samba / Cifs with AD in latest (FreeNAS 9.3).

I just upgraded from 9.2.1.7 where it worked fine. Now after hours spent configurating I have yet to figure out how to make it work.

Following the guide, I've gotten it to the point where the following commands work:

wbinfo -u

wbinfo -g

wbinfo -t

It would appear that I can connect to AD, but none of the getenv commands include the AD users and groups...

Anyone else encounter this? Also what idmap are you using? If you could share with me your smb4.conf file with me of a working config, I would REALLY appreciate it.

Thank you,

IonutZ

 

[IonutZ]

https://www.reddit.com/r/freenas/comments/302tmo/cifs_user_access_domain_auth_on_freenas_93_doesnt/

Fixed after I followed what it said above. Make sure your idmap is set to rid and your CIFS idmap ranges coincide with the AD idmap ranges!

 

[anodos]

https://www.reddit.com/r/freenas/comments/302tmo/cifs_user_access_domain_auth_on_freenas_93_doesnt/

Fixed after I followed what it said above. Make sure your idmap is set to rid and your CIFS idmap ranges coincide with the AD idmap ranges!

Actually, the idmap ranges shouldn't overlap. The 9.2.1.x -> 9.3 upgrade tends to set the idmap backend to 'ad', which 'breaks' AD integration for most users. Setting the backend to 'rid' fixes it.

 

[IonutZ]

Can you explain why they shouldn't overlap? Also is there a working configuration with 'ad'?

 

[anodos]

Can you explain why they shouldn't overlap?

The various idmap methods in samba are, in the big picture, ways to match Windows SIDs with Unix UID/GID. If you have two overlapping idmap ranges you run the risk of having SID / UID / GID conflicts.
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html [overview of idmap]
http://www.novell.com/support/kb/doc.php?id=7007006 [pros and cons of different idmap methods]

Also is there a working configuration with 'ad'?

"The idmap_ad plugin provides a way for Winbind to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is READONLY. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbind will only map users that have a uidNumber and whose primary group have a gidNumber attribute set. It is however recommended that all groups in use have gidNumber attributes assigned, otherwise they are not working.

Currently, the ad backend does not work as the the default idmap backend, but one has to configure it separately for each domain for which one wants to use it, using disjoint ranges. One usually needs to configure a writeable default idmap range, using for example the tdb or ldap backend, in order to be able to map the BUILTIN sids and possibly other trusted domains. The writeable default config is also needed in order to be able to create group mappings. This catch-all default idmap configuration should have a range that is disjoint from any explicitly configured domain with idmap backend ad."
https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html
tl;dr - you need to do additional config on your AD domain controller.

 

[IonutZ]

Thank you very much dude! So now, I still don't understand the overlapping. Both CIFS and AD's idmap ranges refer to the UID/GIDs of the users and the groups in AD. If they both refer to the same thing, why would the fact that they overlap matter?

 

[anodos]

Thank you very much dude! So now, I still don't understand the overlapping. Both CIFS and AD's idmap ranges refer to the UID/GIDs of the users and the groups in AD.

They don't refer to the same thing. The one in the CIFS config generates the following in /etc/local/smb4.conf:

Code:

idmap config *: backend = tdb
idmap config *: range = 90000001-100000000

This is the range that the 'builtin' users and local users/groups will be mapped to.

The one under AD generates the following in /etc/local/smb4.conf:

Code:

idmap config <domain>: backend = rid
idmap config <domain>: range = 20000-90000000

This is for your domain users and groups.

For one more datapoint about these not overlapping, see the bolded text here: https://wiki.samba.org/index.php/Idmap_config_rid

As is typical, reddit is incorrect. The best sources for samba information are the Samba Wiki and the Samba mailing lists.

 

[IonutZ]

Thank you that makes a lot more sense now. Wish I would've known that to begin with ...