[Freeipa-users] FreeNAS Authenticating Againts FreeIPA

Youenn PIOLET piolet.y at gmail.com
Sun Oct 11 22:48:33 UTC 2015


Sorry for the double post.

I forgot to say that my speech is about the newest versions of FreeIPA.
Maybe someone here knows something about IPA 3.0?
I'm not sure it used to work with the ipasam module. But I suppose the problem
is the same: you need to generate Samba schema values for your IPA users in
the directory.

Cheers,

--
Youenn Piolet
piolet.y at gmail.com


2015-10-12 0:41 GMT+02:00 Youenn PIOLET <piolet.y at gmail.com>:

> Hi Chris,
>
> First, to be sure we're on the same page:
> Without IPA, to make CIFS users authenticate against the directory in a
> classic LDAP implementation, you need to extend your LDAP tree with the Samba
> schema. The FreeNAS documentation is a bit light on this subject and
> previous FreeNAS versions (stable 9.3 included) used to mess up
> rfc2307bis/rfc2307. I think it is fixed now, and I know nothing about your
> 9.2 version. I wrote some messy stuff about it here:
> https://github.com/uZer/rootools/blob/master/ldap/integrations/ldap.integration.freenas.md
>
> To make CIFS users authenticate on recent FreeIPA versions (I only tried
> with 4.1), I suggest you start by reading some of our investigations in
> this thread:
>
> [Freeipa-users] Ubuntu Samba Server Auth against IPA
> https://www.redhat.com/archives/freeipa-users/2015-August/thread.html#00000
>
> When we discussed this in August, I spent almost a week trying to
> make this integration with FreeNAS/FreeIPA work. I quit FreeNAS without
> fully understanding why it didn't work, and moved our CIFS to a dedicated
> CentOS server. Matt arrived with a similar situation on Ubuntu.
>
> To quickly summarize the issue, FreeNAS and Ubuntu CIFS work by default
> with the ldapsam.so module. FreeIPA developers have built an AD trust exchange
> possibility with a custom ipasam module that isn't compiled yet for Ubuntu
> or FreeNAS. This module gives the possibility to use IPA AD trust
> components (e.g. special schema in IPA's directory managing user/group
> NT SIDs).
>
> If you can't compile the module for FreeNAS / FreeBSD, you may need to
> extend 389 Directory with the Samba schema.
> You will need to find a way to generate the new attributes when adding
> users or groups in FreeIPA, and a way to store passwords in a CIFS/NT
> understandable way. I don't suggest you follow this dark path.
>
> You can also quit FreeNAS and migrate to CentOS with ipasam as I did ;)
>
> Good luck in your experimentations, I hope you will succeed!
>
>
> --
> Youenn Piolet
> piolet.y at gmail.com
>
>
> 2015-10-11 2:06 GMT+02:00 Chris Tobey <tobeychris at hotmail.com>:
>
>> Hi Everyone,
>>
>>
>> I have a functioning FreeIPA server that manages all my users and I would
>> like to also use it for my FreeNAS CIFS shares to authenticate against.
>>
>> Does anyone know what needs to be run on both servers to get this
>> working? I believe it has something to do with Samba properties on the
>> FreeIPA side.
>>
>>
>>
>> I had tried asking the FreeNAS forums but they were of no help (
>> https://forums.freenas.org/index.php?threads/freeipa-and-freenas-ldap-setup.37083/
>> ).
>>
>>
>>
>> I have seen similar requests and success stories, but no actual steps on
>> how to do it.
>>
>> Info:
>> FreeIPA v3.0.0-42 running on CentOS 6.6.
>> FreeNAS 9.2.1.9 (can use 9.3 if easier, was trying to get it working
>> before dealing with certs).
>>
>>
>>
>> Any help is appreciated.
>>
>>
>>
>> Thanks,
>>
>> -Chris
>
>
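The practical question in this thread is whether the user entries in the directory actually carry what a Samba password backend can read: the classic Samba schema values (sambaSamAccount, sambaSID, sambaNTPassword) that ldapsam uses, or the ipaNT attributes (ipaNTUserAttrs, ipaNTSecurityIdentifier, ipaNTHash) that ipasam uses. The check below is an added example, not code from the thread or from FreeIPA; the LDIF it parses is constructed, with placeholder SIDs and hash values, and it shows the case where an IPA user has the ipaNTUserAttrs object class but no NT hash yet.

```python
"""Added check: which Samba password backend can use a directory entry?
ldapsam needs the Samba schema; ipasam needs ipaNT attrs. Sample LDIF is constructed."""
from collections import defaultdict

LDAPSAM_REQUIRED = {"sambasid", "sambantpassword"}           # Samba schema
IPASAM_REQUIRED = {"ipantsecurityidentifier", "ipanthash"}  # FreeIPA schema

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: ipaNTUserAttrs
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1001
ipaNTHash:: Q09OU1RSVUNURURfUExBQ0VIT0xERVI=

dn: uid=carol,ou=people,dc=example,dc=test
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-4-5-6-1002
sambaNTPassword: 00000000000000000000000000000000

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
objectClass: ipaNTUserAttrs
uid: dave
ipaNTSecurityIdentifier: S-1-5-21-1-2-3-1003
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding); attribute names lower-cased."""
    entries, current = [], None
    for line in text.splitlines() + [""]:
        if not line.strip():              # blank line closes the entry
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current = current if current is not None else defaultdict(list)
            current[name.strip().lower()].append(value.lstrip(":").strip())
    return entries

def cifs_backend_support(entry):
    """Return (backend, missing): 'ldapsam', 'ipasam' or None, plus gaps."""
    have = {k for k, v in entry.items() if any(v)}
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" in classes and LDAPSAM_REQUIRED <= have:
        return "ldapsam", {}
    if "ipantuserattrs" in classes and IPASAM_REQUIRED <= have:
        return "ipasam", {}
    return None, {"ldapsam": LDAPSAM_REQUIRED - have,
                  "ipasam": IPASAM_REQUIRED - have}
```

Run it against an ldapsearch export of your own users subtree; an entry that comes back as None with only ipanthash missing is a user whose password has not been re-set since the ipaNT attributes were introduced, which is the usual reason CIFS logins fail for some users and not others.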