
How do I connect my FreeNAS File Server to my Mac OS X Directory Server?


Question

I am trying to connect my File Server (FreeNAS 8.0.1 / 8.2-RELEASE-p7) with my Mac OS X 10.7 Lion Directory Server’s Open Directory… I know that Mac OS X provides an LDAP service against which other servers can authenticate, but I am having great difficulty getting FreeNAS to authenticate against the Mac OS X Open Directory.

How do I connect my FreeNAS File Server to my Mac OS X Directory Server?

Asked by Josh

Answer

After hours of googling and testing, I finally managed to get FreeNAS 8 integrated with Mac OS X Open Directory. Here’s what’s needed to make this happen:

First, make sure that Open Directory is up and running using the Server Admin application:

Open Directory Screen Capture

Note the LDAP Search Base and the Kerberos Realm.

In FreeNAS’s Web GUI, configure the LDAP service as follows:

FreeNAS LDAP Configuration
FreeNAS LDAP Configuration 2

  • Hostname: your.servers.hostname.or.ip
  • Base DN: Your LDAP Search base from Open Directory
  • Allow Anonymous Binding: Unchecked (I had this off and bound as my diradmin user, but that may be unnecessary…)
  • Root Bind DN: uid=diradmin, then the Base DN
  • Root Password: The password for your Open Directory diradmin user. Again, this may be unnecessary, I am unsure.
  • Password Encryption: crypt
  • User Suffix: cn=users
  • Group Suffix: cn=groups
  • Password Suffix: cn=users
  • Machine Suffix: cn=computers
  • Encryption Mode: Off
  • Self signed certificate: empty
  • Auxiliary Parameters:

    ldap_version 3
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    pam_ldap_attribute uid
    sasl-host *your.open.directory.server.ip.or.hostname*
    sasl-realm *YOUR.KERBEROS.REALM.FROM.FIRST.STEP*
    

The Auxiliary Parameters are the key, especially sasl-host and sasl-realm. Obviously, replace *your.open.directory.server.ip.or.hostname* and *YOUR.KERBEROS.REALM.FROM.FIRST.STEP* with the information from the first step (see first screen capture).

When you save changes, LDAP should start working for all services *except* Samba/CIFS. Part of the struggle was how to fix Samba: after initially configuring the LDAP service on FreeNAS, I discovered that no users could connect via Samba at all, even users locally defined on the FreeNAS machine.

There were no errors in Samba’s log, just permission denied errors on the client machines. More research revealed that I had to enable the FreeNAS Samba server to authenticate against the Mac OS X Open Directory using SASL *separately* from the LDAP configuration.

It is important to note that the Mac OS X LDAP Database does not contain password data. Authentication is available only via SASL/Kerberos. To quote David Colville on Apple’s Forums:

Unlike some other LDAP directories, OS X doesn’t store a password inside the LDAP record – it uses a “SASL” mechanism – it queries the “AuthenticationAuthority” attribute to advise the location where the user password can be retrieved.

The passwords are stored inside the PasswordServer (SASL Server), in CRAM-MD5, Digest-MD5, DHX, etc. (see Page 50 of the Open Directory Administration Guide).

This is why the sasl-host is so important in the LDAP config.

Configure Samba to use SASL:

In the FreeNAS Web GUI, configure the CIFS service as follows:

CIFS Configuration Screen Capture

(The CIFS configuration screen is very long; I combined the very top and the bottom for clarity.)

  • Authentication Model: Local User
  • Auxiliary parameters:

    password server = *YOUR.KERBEROS.REALM.FROM.FIRST.STEP*
    client ntlmv2 auth = yes
    

After saving these changes, test connecting to Samba with a user defined in Open Directory and confirm that you can connect. Also, test using AFP/SSH to confirm those are also authenticating against Open Directory.

Known Issues

There are a few things I was unable to resolve:

  1. User home directories on the Mac OS X LDAP server take the form /Network/Servers/some.server/some.directory/username. However, FreeNAS has no /Network/Servers directory. It would be very simple to mkdir -p /Network/Servers and symlink users’ home directories; however, / is mounted read-only, so I cannot do that. Consequently, LDAP users cannot have .AppleVolumes files for custom AFP shares.
  2. Samba/CIFS can now only authenticate LDAP users. This means that any user connecting via Samba must have an entry in the LDAP database; local users won’t work anymore. This means you cannot have a home directory share, see #1.
Answered by Josh
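The answer above hinges on one fact: the Open Directory LDAP record carries no password, only an AuthenticationAuthority pointer to the Password Server and Kerberos realm, which is why sasl-host and sasl-realm must be set. The following Python script is an added example, not code from the original post, FreeNAS, or Apple. It parses a constructed LDIF export of two user records, reports where each user's password actually lives, flags any record that does expose a password attribute over LDAP, and derives the two sasl-* auxiliary parameters from what the record itself advertises. It assumes the Apple schema's LDAP attribute name is authAuthority and that values take the `;tag;data…` layout (e.g. `;Kerberosv5;;user@REALM;REALM;` and `;ApplePasswordServer;0xID,pubkey root@host:host`); neither detail is stated on the page, and the sample values and hostnames are invented.

```python
"""Audit Open Directory user records for where their passwords live.

Added example (not from the original post). The LDIF below is constructed;
the 'authAuthority' attribute name and the ';tag;data' value layout are
assumed from Apple's Open Directory schema.
"""
import base64

# Constructed sample: one proper Open Directory user (no password in LDAP)
# and one legacy-style record that wrongly carries a crypt hash in LDAP.
SAMPLE_LDIF = """\
dn: uid=josh,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: apple-user
uid: josh
uidNumber: 1025
gidNumber: 20
homeDirectory: /Network/Servers/od.example.com/Users/josh
authAuthority: ;ApplePasswordServer;0x4f2a11aa33bb55cc,1024 35 11223344 root@10.0.0.5:10.0.0.5
authAuthority: ;Kerberosv5;;josh@EXAMPLE.COM;EXAMPLE.COM;

dn: uid=legacy,cn=users,dc=example,dc=com
objectClass: posixAccount
uid: legacy
uidNumber: 1026
gidNumber: 20
userPassword: {CRYPT}$1$abc$xyz
authAuthority: ;basic;
"""

# Attributes whose presence means a password (hash) is readable via LDAP.
PASSWORD_ATTRS = ("userpassword", "sambantpassword", "sambalmpassword")


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr(lowercase): [values]} per entry.
    Handles blank-line separators, folded continuation lines and '::' base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def classify_authority(value):
    """Split an Apple authority string ';tag;data;...' into (tag, fields)."""
    if not value.startswith(";"):
        return "unknown", []
    parts = value.split(";")                # parts[0] is '' (leading ';')
    return parts[1].lower(), parts[2:]


def audit_entry(entry):
    """Report where the user's password lives and whether LDAP leaks one."""
    report = {
        "uid": entry.get("uid", ["?"])[0],
        "password_in_ldap": [a for a in PASSWORD_ATTRS if a in entry],
        "authorities": [],
        "kerberos_principal": None,
        "kerberos_realm": None,
        "password_server": None,
    }
    for value in entry.get("authauthority", []):
        tag, fields = classify_authority(value)
        report["authorities"].append(tag)
        if tag == "kerberosv5" and len(fields) >= 3:
            report["kerberos_principal"] = fields[1]
            report["kerberos_realm"] = fields[2]
        elif tag == "applepasswordserver" and fields:
            # '0xID,pubkey root@host:host' -> the host after the last ':'
            report["password_server"] = fields[0].rsplit(":", 1)[-1]
    return report


def audit_ldif(text):
    return [audit_entry(e) for e in parse_ldif(text)]


def freenas_sasl_parameters(report):
    """The two auxiliary parameters the post calls essential, derived from
    what the directory record itself points at."""
    lines = []
    if report["password_server"]:
        lines.append(f"sasl-host {report['password_server']}")
    if report["kerberos_realm"]:
        lines.append(f"sasl-realm {report['kerberos_realm']}")
    return lines


if __name__ == "__main__":
    for r in audit_ldif(SAMPLE_LDIF):
        print(r["uid"], "authorities:", r["authorities"])
        if r["password_in_ldap"]:
            print("  WARNING: password attribute readable via LDAP:", r["password_in_ldap"])
        print("  FreeNAS auxiliary parameters:", freenas_sasl_parameters(r) or "n/a")
```

Run against a real export (`ldapsearch -LLL -x -b "<Base DN>" uid=<user>` redirected to a file) the same checks tell you whether the record points at a Password Server and realm at all, which is the precondition for the sasl-host/sasl-realm settings to work, and whether an anonymous bind can read any password hash, which is what the "Allow Anonymous Binding" choice in the LDAP screen controls.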
