LDAP Integration with Samba

tikenn

Cadet
Joined
Nov 10, 2020
Messages
6
I have now unsuccessfully attempted for several days to get TrueNAS to use LDAP for authentication of my Samba shares. I have a FreeIPA system set up with LDAP and have added in the Samba schema with ipa-adtrust-install. As far as I am aware, this command should add all of the necessary Samba parameters to the LDAP schema; however, checking the box "Samba Schema" under the LDAP directory service in TrueNAS continues to return "Remote LDAP server does not have Samba schema extensions." upon saving. Would appreciate any assistance provided. Thanks in advance!
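The error names one concrete thing: the remote schema. The script below is an added example, not code from the thread, TrueNAS or FreeIPA, that reads the objectClasses published by the FreeIPA directory server (389-ds) and reports whether the Samba object classes are there, so the "Samba Schema" failure can be separated from everything else in the setup. The server name is an assumption, and the classes it looks for are the ones Samba's ldapsam passdb backend uses, not necessarily the exact list TrueNAS tests for.

```shell
#!/bin/sh
# Added example, not code from the thread, TrueNAS or FreeIPA: check whether
# the FreeIPA directory server (389-ds) publishes the Samba object classes
# before ticking "Samba Schema" in TrueNAS. The server name is an assumption.

IPA_URI="${IPA_URI:-ldaps://ipa.example.com}"   # assumed FreeIPA server

# Object classes Samba's ldapsam passdb backend stores accounts, group
# mappings and the domain SID in. Whatever subset TrueNAS tests for, an
# LDAP-backed passdb cannot work without all three.
SAMBA_CLASSES="sambaSamAccount sambaGroupMapping sambaDomain"

# fetch_schema: dump the objectClasses attribute of the 389-ds schema
# subentry cn=schema. Anonymous bind (-x) can read it on a default FreeIPA
# install; add -D/-W if yours does not allow that. ldif-wrap=no keeps every
# definition on a single line so the grep below sees it whole.
fetch_schema() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$IPA_URI" \
        -b cn=schema -s base objectClasses
}

# samba_schema_present: read an objectClasses listing on stdin, print one
# line per required class, return 0 only if every class is published.
samba_schema_present() {
    listing=$(cat)
    missing=0
    for cls in $SAMBA_CLASSES; do
        # matches both  NAME 'x'  and  NAME ( 'x' 'alias' )
        if printf '%s\n' "$listing" | grep -qiE "NAME \(? *'$cls'"; then
            echo "present: $cls"
        else
            echo "MISSING: $cls"
            missing=1
        fi
    done
    return $missing
}

# Constructed listings so the check can be exercised offline; against a
# real server use:  fetch_schema | samba_schema_present
sample_schema_with_samba() {
    cat <<'EOF'
dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY MUST ( uid $ sambaSID ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGroupType ) )
objectClasses: ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) )
EOF
}

sample_schema_without_samba() {
    cat <<'EOF'
dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
EOF
}
```

Run `fetch_schema | samba_schema_present` from any host that can reach the FreeIPA LDAP port. A "MISSING" line for any of the three classes means the server really does lack the extensions the TrueNAS message complains about; if all three are present, the failure is somewhere else (bind DN, base DN, TLS) and worth taking to the TrueNAS middleware log.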
 

tikenn

Cadet
Joined
Nov 10, 2020
Messages
6
I was just wondering if anyone had any thoughts on this conundrum?
 

just_insane

Cadet
Joined
May 8, 2016
Messages
4
Did you ever find a resolution to this issue? Also trying to set up TrueNAS with FreeIPA and SMB.

I have my users syncing (as far as I can tell), but they aren't able to authenticate at all.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
SMB authentication using the Samba schema will soon be deprecated (Samba 4.14). You can try generating an account in FreeIPA for TrueNAS with the requisite Kerberos configuration (a Kerberos SPN for the cifs principal), export a keytab, import it via the GUI, and then configure LDAP to use that keytab for FreeIPA. This will configure pam_krb5, and Samba can be configured to "obey pam restrictions". There are quite a few additional steps needed, but I was able to follow this sort of procedure to use a Kerberos ticket with smbclient to connect to the SMB share in a FreeIPA environment. It's far from being a supported configuration, and it will require that all clients use Kerberos for authentication.
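The FreeIPA side of the procedure described in that post, as an added example that is not code from the thread, TrueNAS or FreeIPA: register the NAS, create the cifs/ service principal, export an AES-only keytab for import in the TrueNAS GUI, then verify the keytab and show what a client does once the share is Kerberos-only. Host names, realm and share name are assumptions; the keytab check reads MIT `klist -ke` output (Heimdal's `ktutil list` is formatted differently).

```shell
#!/bin/sh
# Added example, not code from the thread or TrueNAS: the FreeIPA-side steps
# of the Kerberos-only SMB path (cifs service principal, keytab export) and an
# offline check of the exported keytab. Host names, realm and share name are
# assumptions; adjust them for your environment.

IPA_SERVER="ipa.example.com"      # assumed FreeIPA server
NAS_FQDN="truenas.example.com"    # assumed TrueNAS name; must resolve forward and reverse
REALM="EXAMPLE.COM"               # assumed Kerberos realm
KEYTAB="truenas-cifs.keytab"
SHARE="//${NAS_FQDN}/data"        # assumed share

# provision_cifs_principal: run on an IPA-enrolled host holding an admin
# ticket (kinit admin). Registers the NAS as a host, adds the cifs/ SPN
# Samba needs and fetches a keytab restricted to AES keys; that file is
# what gets imported in the TrueNAS GUI (Kerberos Keytabs). ipa-getkeytab
# mints new keys, so the KVNO bumps and any older keytab for the same
# principal stops working.
provision_cifs_principal() {
    ipa host-add "$NAS_FQDN"
    ipa service-add "cifs/${NAS_FQDN}@${REALM}"
    ipa-getkeytab -s "$IPA_SERVER" -p "cifs/${NAS_FQDN}@${REALM}" \
        -e aes256-cts,aes128-cts -k "$KEYTAB"
    chmod 600 "$KEYTAB"
}

# keytab_has_cifs_spn: read MIT `klist -ke <keytab>` output on stdin and
# verify the cifs principal for this host is present with AES keys only.
# Returns 1 if the SPN is absent, 2 if an RC4/DES key is in the keytab
# (a client could then negotiate the weak enctype), 0 when it is clean.
keytab_has_cifs_spn() {
    listing=$(cat)
    want="cifs/${NAS_FQDN}@${REALM}"
    # column 2 of each entry line is the principal; exact match, not substring
    entries=$(printf '%s\n' "$listing" | awk -v want="$want" '$2 == want')
    if [ -z "$entries" ]; then
        echo "no entry for $want"
        return 1
    fi
    if printf '%s\n' "$entries" | grep -qiE '\((arcfour|rc4|des)'; then
        echo "weak enctype key present for $want"
        return 2
    fi
    echo "ok: $want"
    printf '%s\n' "$entries"
    return 0
}

# smb_kerberos_test: what every client has to do once the share is
# Kerberos-only: obtain a TGT as an IPA user, then connect without a
# password. -k selects the ticket (Samba 4.15+ spells it --use-kerberos=required).
smb_kerberos_test() {
    kinit "$1"
    smbclient -k "$SHARE" -c 'ls'
}

# Constructed klist -ke listings so the check can be exercised offline.
sample_keytab_clean() {
    cat <<'EOF'
Keytab name: FILE:truenas-cifs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/truenas.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 cifs/truenas.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

sample_keytab_rc4() {
    cat <<'EOF'
Keytab name: FILE:truenas-cifs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 cifs/truenas.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 cifs/truenas.example.com@EXAMPLE.COM (arcfour-hmac)
EOF
}

sample_keytab_host_only() {
    cat <<'EOF'
Keytab name: FILE:truenas-cifs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/truenas.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}
```

Run `provision_cifs_principal` once as an IPA admin, then `klist -ke truenas-cifs.keytab | keytab_has_cifs_spn` before importing the file. A keytab that only carries the host/ principal (the one ipa-client-install creates) is the usual reason Samba cannot accept tickets: SMB clients request a ticket for cifs/<fqdn>, so that SPN must have a key in the keytab. The enctype check matters because a keytab holding an RC4 key lets a client negotiate that cipher even when AES is available.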
 

just_insane

Cadet
Joined
May 8, 2016
Messages
4
Wow, that’s not great at all.

Does no one else use SMB with LDAP auth? I don't get why that would be deprecated.
 

tikenn

Cadet
Joined
Nov 10, 2020
Messages
6
> Did you ever find a resolution to this issue? Also trying to set up TrueNAS with FreeIPA and SMB.
>
> I have my users syncing (as far as I can tell), but they aren't able to authenticate at all.

Unfortunately, I did not find a solution that allowed authentication to the SMB share using FreeIPA users. I also didn't want to undertake the monumental task of kerberizing all of my infrastructure as this is a home environment and would require kerberizing personal laptop and desktop clients. The admittedly somewhat hacky solution that I came to as a result was manually mirroring any users from FreeIPA on TrueNAS that needed access to the SMB shares.
 

just_insane

Cadet
Joined
May 8, 2016
Messages
4
Yea, it sounds like doing that manually is the best option. I'm just going to disable LDAP and manually copy over the usernames and UIDs/GIDs.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
> Unfortunately, I did not find a solution that allowed authentication to the SMB share using FreeIPA users. I also didn't want to undertake the monumental task of kerberizing all of my infrastructure as this is a home environment and would require kerberizing personal laptop and desktop clients. The admittedly somewhat hacky solution that I came to as a result was manually mirroring any users from FreeIPA on TrueNAS that needed access to the SMB shares.

Another option that might be worth investigating is creating a cross-realm trust between FreeIPA and an AD instance. In this case TrueNAS could be joined to AD and "enable trusted domains" checked. An idmap range would have to be created for the FreeIPA domain. I'm not familiar enough with FreeIPA to say conclusively whether NTLMv2 auth could be made to work in this case. Theoretically, the DC could make a netlogon connection to FreeIPA and pass through auth requests to it, but if not you're still stuck with kerberos auth.
 

just_insane

Cadet
Joined
May 8, 2016
Messages
4
One thing I don't get is that apparently you are supposed to be able to add Samba extensions to FreeIPA with the "ipa-adtrust-install" command, but it doesn't seem to have done anything.

My understanding is that TrueNAS SMB + LDAP works if there are Samba extensions in the LDAP domain, per https://www.truenas.com/docs/hub/initial-setup/security/directory-services/ldap/

Is that incorrect, or is it just not supported by FreeIPA?
 

tikenn

Cadet
Joined
Nov 10, 2020
Messages
6
> Another option that might be worth investigating is creating a cross-realm trust between FreeIPA and an AD instance. In this case TrueNAS could be joined to AD and "enable trusted domains" checked. An idmap range would have to be created for the FreeIPA domain. I'm not familiar enough with FreeIPA to say conclusively whether NTLMv2 auth could be made to work in this case. Theoretically, the DC could make a netlogon connection to FreeIPA and pass through auth requests to it, but if not you're still stuck with kerberos auth.

I think this is a fantastic solution, as integration with AD is a relatively big feature touted by FreeIPA, and it is probably the way to go in a more formal setup. I would pursue something like this if I could find a free implementation of AD, as I probably couldn't afford the licensing fees of a formal AD setup.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
> I think this is a fantastic solution, as integration with AD is a relatively big feature touted by FreeIPA, and it is probably the way to go in a more formal setup. I would pursue something like this if I could find a free implementation of AD, as I probably couldn't afford the licensing fees of a formal AD setup.

The Samba project has a free and open source domain controller.
 

itw

Dabbler
Joined
Aug 31, 2011
Messages
48
Is this why my LDAP-backed SMB broke when I went from 12.0-U3 to 12.0-U3.1?

Time Machine was working great. Now it just instantly fails authentication even though TrueNAS is definitely getting the uids, etc from FreeIPA/LDAP.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
> Is this why my LDAP-backed SMB broke when I went from 12.0-U3 to 12.0-U3.1?
>
> Time Machine was working great. Now it just instantly fails authentication even though TrueNAS is definitely getting the uids, etc from FreeIPA/LDAP.

No. U3.1 was a security release.
 

itw

Dabbler
Joined
Aug 31, 2011
Messages
48
OK That's what it looked like to me too. Guess fixing it is moot at this point anyway. Thanks.
 