This article explains how to configure Samba on FreeNAS to use Open Directory LDAP on OS X Server for access management of CIFS shares.
Overview
OS X Server provides a convenient way to manage user accounts and passwords on a network with its Open Directory LDAP service. See Configure FreeNAS LDAP for OS X Server Open Directory for more information on how to set up the initial binding.
Getting Samba to use Open Directory on OS X Server requires additional configuration.
The high-level process is:
- Upgrade the Samba schema on OS X
- Populate LDAP using smbldap-populate
- Add Samba passwords and group members
- Map Samba Domain to POSIX groups
- Update the CIFS service with additional properties
Background
OS X uses Kerberos and SASL for user authentication but Samba doesn’t support this without a password server.
Prior to OS X Lion it was possible to set up OS X Server as a PDC and Samba could authenticate to it as a password server, but recent versions do not support this.
This leaves password database authentication (passdb) as a viable option. When FreeNAS is configured to use LDAP, it automatically configures Samba for LDAP, and specifically to use LDAP as the storage for the password database.
There are 3 problems with the password database approach:
- Open Directory on OS X Server is configured to use the Samba 2 schema, not the Samba 3.6+ schema that FreeNAS currently uses.
- The password database will be stored in LDAP and users will have a Samba password separate from their regular account password.
- Samba uses its own groups for authentication and these have to be manually mapped to any existing groups the FreeNAS file system may be using.
This process addresses all three. A simpler option is to not use LDAP for the password database at all, but then the passwords would be stored on the FreeNAS boot media, which may be undesirable.
Upgrade Samba Schema on OS X
Obtain Samba Schema
Obtain the Open Directory schema for the version of Samba that FreeNAS uses. You can determine the version by running this on the FreeNAS shell:
# smbclient -V
Version 3.6.17
The schema is included in the Samba source package, which you can download from Samba Releases. You will find samba.schema in the examples/LDAP folder of the archive.
This file needs to be placed in the /etc/openldap/schema folder on OS X Server after backing up the existing schema file there.
Enable Samba Historical Attributes
The apple.schema file from Apple makes several references to the original Samba 2 schema. One option is to patch that schema to support the Samba 3 attributes, but it’s easier to re-enable the Samba 2 historical section in the new samba.schema from Samba 3 so the two run side by side. You can uncomment the entire section, but at a minimum these attributes:
- acctFlags
- pwdLastSet
- logonTime
- logoffTime
- kickoffTime
- homeDrive
- scriptPath
- profilePath
- userWorkstations
- smbHome
- rid
- primaryGroupID
Export the Samba Schema to LDIF
It’s not enough to replace the schema file, because the running configuration lives elsewhere in the file system, specifically /etc/openldap/slapd.d/cn=config/cn=schema/cn={5}samba.ldif. Back up this file now.
Next, stop the Open Directory process.
# sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
Create a temporary file called export.conf with the following:
include "/etc/openldap/schema/core.schema"
include "/etc/openldap/schema/cosine.schema"
include "/etc/openldap/schema/nis.schema"
include "/etc/openldap/schema/inetorgperson.schema"
include "/etc/openldap/schema/misc.schema"
include "/etc/openldap/schema/samba.schema"
This should match the entries in /etc/openldap/slapd.conf up to samba.schema. Now use this to generate the LDIF.
# mkdir tmp
# slaptest -f export.conf -F tmp
You should have a backup of the old LDIF, so now overwrite it with the one just exported.
# sudo cp tmp/cn\=config/cn\=schema/cn\=\{5\}samba.ldif /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{5\}samba.ldif
Start Open Directory again.
# sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
Do a search to verify the changes. If you don’t have an active Kerberos ticket, get one with Keychain Access / Ticket Viewer.
# ldapsearch -LLL -b cn=config | grep samba
Open Directory should now be ready to be populated with Samba data.
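The export steps above collected into one helper script, as an added example that is not part of the original article: it derives export.conf from slapd.conf, checks that the historical attributes listed earlier are uncommented in the new samba.schema, and only then backs up, swaps and reloads the LDIF. It assumes the article’s paths (overridable via environment variables) and runs slaptest into a scratch directory so slapd is only stopped for the copy.

```shell
#!/bin/sh
# Added helper (not from the original article) for the schema export step.
# Paths default to the ones the article uses; override via the environment.
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
SAMBA_SCHEMA="${SAMBA_SCHEMA:-/etc/openldap/schema/samba.schema}"
SCHEMA_DIR="${SCHEMA_DIR:-/etc/openldap/slapd.d/cn=config/cn=schema}"
SAMBA_LDIF="$SCHEMA_DIR/cn={5}samba.ldif"
SLAPD_PLIST="/System/Library/LaunchDaemons/org.openldap.slapd.plist"

# Print the include lines of slapd.conf up to and including samba.schema:
# exactly the content export.conf must have.
make_export_conf() {
    awk '/^include/ { print; if ($0 ~ /samba\.schema/) exit }' "$1"
}

# Each historical attribute apple.schema refers to must be defined by an
# uncommented attributetype line; the Samba 3 schema ships them commented out.
# Prints every attribute still missing and returns 1 if there are any.
check_historical_attrs() {
    missing=0
    for attr in acctFlags pwdLastSet logonTime logoffTime kickoffTime homeDrive \
                scriptPath profilePath userWorkstations smbHome rid primaryGroupID; do
        if ! grep -Eq "^attributetype .*NAME '$attr'" "$1"; then
            echo "still commented out or absent in $1: $attr" >&2
            missing=1
        fi
    done
    return $missing
}

# Regenerate the LDIF into a scratch directory first (slaptest -F only writes
# there), then back up the live file, swap it while slapd is stopped, restart
# and verify with the same ldapsearch the article uses.
export_samba_schema() {
    check_historical_attrs "$SAMBA_SCHEMA" || return 1
    work=$(mktemp -d) || return 1
    make_export_conf "$SLAPD_CONF" > "$work/export.conf"
    mkdir "$work/out" && slaptest -f "$work/export.conf" -F "$work/out" || return 1
    new=$(find "$work/out" -name 'cn={*}samba.ldif' | head -n 1)
    [ -n "$new" ] || { echo "slaptest produced no samba LDIF" >&2; return 1; }
    sudo cp "$SAMBA_LDIF" "$SAMBA_LDIF.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sudo launchctl unload "$SLAPD_PLIST"
    sudo cp "$new" "$SAMBA_LDIF"
    sudo launchctl load "$SLAPD_PLIST"
    ldapsearch -LLL -b cn=config | grep -q samba && echo "samba schema is loaded"
}
```

Source the file in a shell on OS X Server and call export_samba_schema; it refuses to touch the live LDIF while any of the listed attributes is still commented out.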
Populate LDAP with Samba Records
Create a FreeNAS Jail
Create a jail so we have an environment to install the tools to.
- FreeNAS -> Jails -> Add Jails
- Specify a name (e.g. smbldap-tools)
- Click Advanced Mode
- Uncheck autostart since this jail won’t need to run all the time
- Uncheck vanilla so we have access to package managers
- Click OK
- Select the new jail
- Start the jail
Copy smb.conf to the Jail
Use the FreeNAS shell to copy the smb.conf file to the jail since it will be required by the tools. Don’t forget to update it if you change any important settings.
# cp /etc/local/smb.conf /mnt/pool1/jails/smbldap-tools/usr/local/etc
Get Local SID
You will need the FreeNAS SID to use later.
# net getlocalsid
SID for domain FREENAS is: S-1-5-21-3721319317-2572181732-4591207708
Install smbldap-tools
Use the FreeNAS Shell or SSH in order to switch to the new jail.
# jls
JID IP Address Hostname Path
1 - owncloud_1 /mnt/pool1/jails/owncloud_1
2 - smbldap-tools /mnt/pool1/jails/smbldap-tools
# jexec 2 /bin/tcsh
root@smbldap-tools:/ #
Now that you’re running in the jail, install the smbldap-tools.
# pkg install smbldap-tools
Configure smbldap-tools
Change to the configuration directory.
# cd /usr/local/etc/smbldap-tools
Update smbldap_bind.conf with your directory admin password.
# vi smbldap_bind.conf
slaveDN="uid=diradmin,cn=users,dc=yourdomain,dc=com"
slavePw="yourpassword"
masterDN="uid=diradmin,cn=users,dc=yourdomain,dc=com"
masterPw="yourpassword"
Update smbldap.conf with your domain information. Follow the instructions in the file.
# vi smbldap.conf
Additionally you may want to set ldapTLS="1" and either verify=none (which skips certificate verification of the LDAP server) or configure your certs.
Populate LDAP
With everything configured you can now populate LDAP.
# smbldap-populate
Add Samba Passwords and Group Members
If you currently have users in LDAP and you want them to be able to authenticate using Samba, you need to set up their accounts with attributes from samba.schema by using smbpasswd.
# On FreeNAS (not in a jail)
# smbpasswd -a username
To add a new group:
# On the jail with smbldap-tools installed
# smbldap-groupadd -a groupname
To add a member to a group:
# smbldap-groupmod -m username groupname
To remove a member from a group:
# smbldap-groupmod -x username groupname
To create a machine account:
# smbldap-useradd -t 0 -w machinename
Map Samba Domain to POSIX Groups
Samba adds new groups to the system. You can add users to these groups or to your own groups created with smbldap-groupadd. To map these groups to existing POSIX groups created by the Server app, use the net groupmap commands. This is useful if your folders already have an existing security hierarchy.
# net groupmap list
Domain Admins (S-1-5-21-3050504340-2134014422-1344084917-512) -> Domain Admins
Domain Users (S-1-5-21-3050504340-2134014422-1344084917-513) -> Domain Users
Domain Guests (S-1-5-21-3050504340-2134014422-1344084917-514) -> Domain Guests
Domain Computers (S-1-5-21-3050504340-2134014422-1344084917-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
# net groupmap add ntgroup="Domain Users" unixgroup=myposixgroup rid=513 type=d
Successfully added group Domain Users to the mapping db as a domain group
# net groupmap list
Domain Users (S-1-5-21-3741309417-2672081632-3591007608-513) -> myposixgroup
Domain Admins (S-1-5-21-3050504340-2134014422-1344084917-512) -> Domain Admins
...
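The mapping step above as an added example, not part of the original article: a script that reads the domain SID from net getlocalsid and maps the well-known domain RIDs to POSIX groups only where that mapping is not already in place, so it can be re-run safely. The POSIX group names admins, staff and guests are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): map the well-known Samba
# domain groups to existing POSIX groups in one idempotent pass, deriving the
# domain SID from "net getlocalsid" instead of typing it. The group names and
# RIDs in main() are a constructed sample; replace them with your own.

# Extract the SID from "SID for domain FREENAS is: S-1-5-21-..." on stdin.
parse_local_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\)$/\1/p'
}

# Read "net groupmap list" output on stdin and succeed only if the group with
# SID $1 is mapped to unix group $2 (lines look like
# "Domain Users (S-1-5-21-...-513) -> myposixgroup").
mapping_is() {
    [ "$(sed -n "s/^.* ($1) -> //p")" = "$2" ]
}

# Add a mapping unless it already points at the wanted POSIX group.
ensure_groupmap() {
    ntgroup="$1" unixgroup="$2" rid="$3" domsid="$4"
    if net groupmap list | mapping_is "$domsid-$rid" "$unixgroup"; then
        echo "ok: $ntgroup -> $unixgroup"
        return 0
    fi
    net groupmap add ntgroup="$ntgroup" unixgroup="$unixgroup" rid="$rid" type=d
}

main() {
    domsid=$(net getlocalsid | parse_local_sid)
    [ -n "$domsid" ] || { echo "could not determine local SID" >&2; return 1; }
    # Constructed sample: well-known domain RIDs and the POSIX groups to map them to.
    while IFS=: read -r ntgroup unixgroup rid; do
        ensure_groupmap "$ntgroup" "$unixgroup" "$rid" "$domsid" || return 1
    done <<EOF
Domain Admins:admins:512
Domain Users:staff:513
Domain Guests:guests:514
EOF
    net groupmap list
}

# Run only when invoked as "sh groupmap.sh run" on the FreeNAS shell (not in a jail).
case "${1:-}" in run) main ;; esac
```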
Update the CIFS Service
If you see messages in your /var/log/messages such as:
Sep 30 21:25:11 freenas smbd[46457]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
Then add the following Auxiliary Parameter to the CIFS service and restart it.
ldapsam:trusted = no
Other Tools
You may find commands like the following useful for testing.
# pdbedit -Lv
# smbclient -L freenas -U username
# ldapmodify
Conclusion
Setup is a lengthy process, but now you should be ready to add CIFS shares to your FreeNAS using the account information in Open Directory on OS X Server.
Hi
I tried your instructions but when trying to install smbldap-tools I got the error below, please help:
[root@freenas ~]# jexec 7 /bin/tcsh
root@smbldap-tools:/ # pkg install smbldap-tools
Updating repository catalogue
digests.txz 100% 316 0.3KB/s 0.3KB/s 00:00
packagesite.txz 100% 860 0.8KB/s 0.8KB/s 00:00
Incremental update completed, 0 packages processed:
0 packages updated, 0 removed and 0 added.
pkg: No packages matching ‘smbldap-tools’ has been found in the repositories
root@smbldap-tools:/ #
Hi Mohammad, sorry about that, the instructions above should have said to ‘uncheck’ the vanilla option when creating the jail. I’ve corrected that now.
The problem you’re seeing is most likely because pkg is not using the correct repository. Either recreate the jail, or check the contents of:
/usr/local/etc/pkg.conf
Mine looks like this:
PACKAGESITE: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
HTTP_MIRROR: http
PUBKEY: /usr/local/etc/pkg-pubkey.cert
PKG_CACHEDIR: /usr/local/tmp
BTW, I am using FreeNAS-9.1.1-RELEASE-x64 (a752d35)
Really great article, can’t wait to try this some time soon, thanks.
Hi, I tried to follow this on OS X Mavericks & FreeNAS 9.2.1.6 but you lost me at the end.
I got as far as Populate LDAP, with some minor adjustments, like smb.conf now being smb4.conf.
The smbpasswd does not exist.
When I have added the users and so on, should I copy smb.conf back to FreeNAS?
Please help me
The smbpasswd command is run from the root FreeNAS session (not a jail).
You do not need to copy smb.conf back to FreeNAS, it’s just so the tools in the jail can connect to the LDAP server.
Thanks, now I can log in, sweet.
A small follow-up question: if I now change my password on OS X Server, do I have to run smbpasswd again?
Best Regards
Claes
Glad that worked. 🙂
Yes, I believe you will need to run smbpasswd again on password changes. I think there was a way to do this automatically, but unfortunately I don’t remember how.