pklapperich (Cadet) - Joined Jan 3, 2015 - Messages: 2
After updating from 9.2.0 to 9.3, I'm struggling to get LDAP working. getent passwd shows all of my users and their default group id, and getent group even shows all of my groups and group ids, but all of the groups are empty. I can log in with an LDAP user account, but the groups command shows only the default group "Domain Users" that every user is a member of.
That is, I see from getent group:
Code:
Hardware:*:3002
Policies:*:10008
Research:*:3008
Software:*:3000
HR_Acct:*:1015
On my linux boxes and I see something more like this:
Code:
Hardware:*:3002:user1,user2,user3
Policies:*:10008:user1
Research:*:3008:user3,user4,user5
Software:*:3000:user3,user5
HR_Acct:*:1015:user1,user6
Here's what one of the groups looks like when I use ldapsearch on ou=Groups
Code:
# HR_Acct, Groups, domain.com
dn: cn=HR_Acct,ou=Groups,dc=domain,dc=com
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: HR_Acct
gidNumber: 1015
sambaSID: S-1-SOME-UUID
sambaGroupType: 2
displayName: HR_Acct
memberUid: user1
memberUid: user6
Obviously I sanitized the above outputs.
It seems like FreeNAS isn't parsing the memberUid entries. I didn't have to do anything special on FreeNAS 9.1.x or 9.2.0 to get this working there.
I'm not sure where all the config gets stored on FreeNAS. But here's what I could find:
sssd.conf
Code:
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = LDAP0

[nss]

[pam]

[domain/LDAP0]
description = LDAP0
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://ldap0.domain.com
ldap_search_base = dc=domain,dc=com
ldap_user_search_base = ou=Users,dc=domain,dc=com
ldap_group_search_base = ou=Groups,dc=domain,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/startssl_sub_class2.crt
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=admin,dc=domain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = correct horse battery staple
ldap.conf
Code:
HOST ldap0.domain.com
BASE dc=domain,dc=com
TLS_CACERT /etc/certificates/CA/startssl_sub_class2.crt
TLS_REQCERT allow
I have Samba Schema checked, but I have the samba service disabled until I get this fixed. However, if I enable samba, I get a bunch of errors like:
Code:
spike generate_smb4_conf.py: [common.pipesubr:58] Popen()ing: /usr/local/bin/net sam rights grant sid S-1-5-21-SOME-UID-1058 does not belong to our domain SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
But that seems like something that can wait until after the LDAP groups are showing up properly on the unix side.
Edit: After posting this and reviewing my post, I Googled rfc2307bis. It seems rfc2307 is how my groups are stored, not rfc2307bis. However, adding ldap_schema = rfc2307 to Auxiliary Parameters didn't solve my problem; all my groups are still empty.
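A small offline check, added here and not part of the original post or of FreeNAS/sssd: it parses a group entry like the ldapsearch output above, reports whether members are stored rfc2307-style (memberUid login names) or rfc2307bis-style (member DNs), renders the line getent group should print for it, and flags an sssd.conf whose ldap_schema disagrees with what the directory actually holds. The sample entry is the sanitized HR_Acct entry from the post, trimmed to the attributes the check needs.

```python
import re

# Constructed sample: the sanitized HR_Acct entry from the post, as LDIF.
SAMPLE_LDIF = """\
# HR_Acct, Groups, domain.com
dn: cn=HR_Acct,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: HR_Acct
gidNumber: 1015
memberUid: user1
memberUid: user6
"""

def parse_ldif(text):
    """Parse LDIF into entries (dict attr -> list of values); comments skipped."""
    entries, cur = [], {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = raw.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def group_schema(entry):
    """rfc2307 lists login names in memberUid; rfc2307bis lists DNs in member."""
    if "member" in entry or "uniqueMember" in entry:
        return "rfc2307bis"
    return "rfc2307" if "memberUid" in entry else "unknown"

def getent_line(entry):
    """Render the entry the way getent group prints it: name:*:gid:members."""
    members = list(entry.get("memberUid", []))
    for dn in entry.get("member", []) + entry.get("uniqueMember", []):
        members.append(re.match(r"[^=]+=([^,]+)", dn).group(1))  # uid=x,... -> x
    return f"{entry['cn'][0]}:*:{entry['gidNumber'][0]}:{','.join(members)}"

def sssd_schema_mismatch(sssd_conf, entry):
    """True when ldap_schema in sssd.conf disagrees with the entry's schema."""
    m = re.search(r"^\s*ldap_schema\s*=\s*(\S+)", sssd_conf, re.M)
    return bool(m) and m.group(1) != group_schema(entry)
```

Run it against the full ldapsearch dump of ou=Groups to confirm every group detects as the same flavour; a mismatch against sssd.conf explains empty groups, while a match means the cause lies elsewhere (as the edit above found).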