I have three issues with FreeNAS and the linchpin is accounts.
1) All users (we have > 10k but there are tens of thousands in AD) have accounts in a Windows AD and we use AD authentication via krb5 on RHEL Linux for login - without any machines being in AD. A /home NFS share, currently from RHEL and hopefully from FreeNAS, is used by all client machines and a password file is pushed to all clients to update them when new accounts are created. Trying to do this on FreeNAS failed (master.passwd gets lost with a reboot). The next step was to try and run account creation scripts on all FreeNAS servers forcing U/GIDs with random passwords (as no user should ever be able to log into the FreeNAS servers).
Trying to do that results in out of space errors after a few hundred users:
adduser: ERROR: There was an error adding user (XXYYZZ).
pwd_mkdb: /etc/spwd.db to /etc/spwd.db.tmp: No space left on device
pw: pw_mkdb(): No error: 0
but /etc is only 65% used and / is at 8%
Upon reboot all added users were lost.
But before going down that rabbit hole any more, what is the proper / easy way to do this? Accounts have to be on the FreeNAS servers because quotas are required. Nope - we don't have accounts using Kerberos - our auth. server uses radius.
2) Quotas. I assume that the easiest way is just to create a script that forces a quota for each user individually and it gets run whenever the account database on the auth. server detects a change? The quota script would be created by the auth. server and pushed to the FreeNAS box(es) for execution. By "auth. server" in this case I mean our radius server / monitoring / account creation box.
3) On RHEL we use Samba with server authentication and the password server is AD and as users are logged into Windows machines on the domain - auth. for Samba shares is automatic. However, U/GIDs within AD are not the same as our Linux system. Another IT group ran into this issue and runs their own server for their (historical) U/GIDs - while still auth'ing against the domain. This is too complex for my liking. If simple Samba shares can't be done the way I'm doing them now - then I'll just have a RHEL handle the Samba shares.
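As an added example (not from the poster), here is the shape the quota-push script from point 2 could take on the FreeNAS side: the account server ships a file of "uid:quota" records and the script applies them as per-user ZFS quotas on the home dataset. It assumes ZFS user quotas keyed by numeric UID (so it does not depend on the NAS having the account in master.passwd) and an assumed dataset name of tank/home; records that fail validation are reported and skipped rather than applied.

```shell
#!/bin/sh
# Added example: bulk per-user ZFS quota enforcement from an account-server push.
# Assumptions (not from the post): input lines are "uid:quota" with quota in ZFS
# size notation (20G, 512M, raw bytes) or "none"; home dataset is tank/home.
# DRY_RUN=1 prints the commands instead of running them.

DATASET="${DATASET:-tank/home}"

# Return 0 if "$1" is a well-formed "uid:quota" record, 1 otherwise.
validate_record() {
    v_uid=${1%%:*}
    v_quota=${1#*:}
    case "$v_uid" in
        ''|*[!0-9]*) return 1 ;;              # uid must be purely numeric
    esac
    case "$v_quota" in
        none) ;;                               # clears the quota
        [0-9]*) case "$v_quota" in *[!0-9KMGT]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    return 0
}

# Print the zfs command for one record; quota is keyed by UID, not user name.
quota_command() {
    validate_record "$1" || return 1
    q_uid=${1%%:*}
    q_quota=${1#*:}
    printf 'zfs set userquota@%s=%s %s\n' "$q_uid" "$q_quota" "$DATASET"
}

# Read records from stdin, skip blank/comment lines, apply (or print) each.
# Returns non-zero if any record was rejected or any zfs call failed.
apply_quotas() {
    a_rc=0
    while IFS= read -r a_line; do
        case "$a_line" in ''|'#'*) continue ;; esac
        a_cmd=$(quota_command "$a_line") || {
            echo "skip bad record: $a_line" >&2; a_rc=1; continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$a_cmd"; else $a_cmd || a_rc=1; fi
    done
    return $a_rc
}

# Usage with a constructed push file (dry run):
#   printf '1001:20G\n1002:none\n' | DRY_RUN=1 sh quota-push.sh
```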