Configure FreeNAS Samba for OS X Server Open Directory


This article explains how to configure Samba on FreeNAS to use Open Directory LDAP on OS X Server for access management of CIFS shares.

Overview

OS X Server provides a convenient way to manage user accounts and passwords on a network with its Open Directory LDAP service. See Configure FreeNAS LDAP for OS X Server Open Directory for more information on how to set up the initial binding.

Getting Samba to use Open Directory on OS X Server requires additional configuration.

The high-level process is:

  1. Upgrade the Samba schema on OS X
  2. Populate LDAP using smbldap-populate
  3. Add Samba passwords and group members
  4. Map Samba Domain to POSIX groups
  5. Update the CIFS service with additional properties

Background

OS X Server authenticates its own clients with Kerberos and SASL, but Samba cannot use either of those directly; it would need a password server to hand authentication off to.

Prior to OS X Lion it was possible to set up OS X Server as a PDC and have Samba authenticate against it as a password server, but recent versions no longer support this.

That leaves Samba's own password database (passdb) as the viable option. When FreeNAS is configured to use LDAP, it automatically configures Samba for LDAP as well, including using LDAP as the passdb backend (ldapsam).

There are three problems with the password database approach:

  1. Open Directory on OS X Server ships with the Samba 2 schema, not the Samba 3.6+ schema that the Samba version in FreeNAS requires.
  2. The password database is stored in LDAP, so users get a Samba password that is separate from their regular account password.
  3. Samba uses its own groups for authorization, and these have to be mapped manually to whatever groups the FreeNAS file system already uses.

This process addresses those three problems. A simpler option is to not use LDAP for the password database at all, but then the passdb (including the NT hashes in it, which are password-equivalent) would live on the FreeNAS boot media, which may be undesirable.

Upgrade Samba Schema on OS X

Obtain Samba Schema

Obtain the Samba schema for the version of Samba that FreeNAS uses. You can determine the version by running this in the FreeNAS shell:

# smbclient -V
Version 3.6.17

The schema is included in the samba source package which you can download from Samba Releases. You will find samba.schema in the examples/LDAP folder of the archive.

This file needs to be placed in the /etc/openldap/schema folder on OS X Server after backing up the existing schema file there.

Enable Samba Historical Attributes

The apple.schema file from Apple makes several references to the original Samba 2 schema. One option is to patch this schema to support the Samba 3 attributes, but it’s easier to just re-enable the Samba 2 historical section in the new samba.schema from Samba 3 to run them side by side. You can uncomment the entire section, but minimally these attributes:

  • acctFlags
  • pwdLastSet
  • logonTime
  • logoffTime
  • kickoffTime
  • homeDrive
  • scriptPath
  • profilePath
  • userWorkstations
  • smbHome
  • rid
  • primaryGroupID

Export the Samba Schema to LDIF

Replacing samba.schema is not enough, because slapd does not read that file at runtime: it reads the compiled copy under cn=config, specifically /etc/openldap/slapd.d/cn=config/cn=schema/cn={5}samba.ldif. The number in braces is the schema's position in the include order and may differ on your server, so check which file is actually there. Back this file up now.

Next, stop the Open Directory process.

# sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist

Create a temporary file called export.conf that contains the same include entries as /etc/openldap/slapd.conf, up to and including samba.schema. Now use it to generate the LDIF.

# mkdir tmp
# slaptest -f export.conf -F tmp

You backed up the old LDIF above, so now overwrite it with the one just exported. Check that the index in braces on the exported file matches the live one; if slaptest produced a different number, the include order in export.conf does not mirror the live configuration and the file should not be copied.

# sudo cp tmp/cn\=config/cn\=schema/cn\=\{5\}samba.ldif /etc/openldap/slapd.d/cn\=config/cn\=schema/cn\=\{5\}samba.ldif

Start Open Directory again.

# sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist

Do a search to verify the changes. If you don’t have an active Kerberos ticket, get one with Keychain Access / Ticket Viewer.

# ldapsearch -LLL -b cn=config | grep samba

Open Directory should now be ready to be populated with Samba data.
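The export, check, install and verify steps above as one repeatable script. This is an added example and not part of the original article; it assumes the OS X Server paths used above (SLAPD_CONF and SLAPD_D can be overridden to rehearse it in a scratch directory), builds export.conf from the include lines of slapd.conf as described, and refuses to install the new LDIF if its {N} index differs from the live file.

```shell
#!/bin/sh
# Added example, not part of the original article: the schema export
# above as one repeatable script. Assumes the OS X Server paths used in
# the article; SLAPD_CONF and SLAPD_D can be overridden for a dry run.
set -eu

SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
SLAPD_D="${SLAPD_D:-/etc/openldap/slapd.d}"
SLAPD_PLIST="/System/Library/LaunchDaemons/org.openldap.slapd.plist"

# export.conf: the include lines of slapd.conf up to and including
# samba.schema, as the article describes. Later includes are dropped.
make_export_conf() {
    awk '{ print }; /samba\.schema/ { exit }' "$1"
}

# slapd does not read samba.schema itself; it reads the compiled
# cn={N}samba.ldif under cn=config. N is the include position, so it is
# discovered with a glob instead of hard-coding {5}.
samba_ldif_path() {
    set -- "$1"/cn=config/cn=schema/cn=\{*\}samba.ldif
    [ -e "$1" ] || return 1
    printf '%s\n' "$1"
}

# The exported file must carry the same {N} as the live one; otherwise
# export.conf did not mirror the live include order.
same_index() {
    [ "$(basename "$1")" = "$(basename "$2")" ]
}

upgrade_samba_schema() {
    live=$(samba_ldif_path "$SLAPD_D")
    work=$(mktemp -d)
    mkdir "$work/out"

    # Export first: slaptest only reads the conf, so slapd can stay up
    # and nothing is left stopped if the export fails.
    make_export_conf "$SLAPD_CONF" > "$work/export.conf"
    slaptest -f "$work/export.conf" -F "$work/out"
    new=$(samba_ldif_path "$work/out")
    same_index "$live" "$new" || {
        echo "index mismatch: $live vs $new; not installing" >&2
        return 1
    }

    sudo cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)"
    sudo launchctl unload "$SLAPD_PLIST"
    sudo cp "$new" "$live"
    sudo launchctl load "$SLAPD_PLIST"

    # Needs a Kerberos ticket, as above; expect the samba object classes.
    ldapsearch -LLL -b cn=config | grep -c samba
}

# Only touch the live server when explicitly asked.
if [ "${1:-}" = "--run" ]; then
    upgrade_samba_schema
fi
```

Run it as `sh upgrade-schema.sh --run` on the OS X Server after placing the new samba.schema; without `--run` it only defines the functions, which is useful for checking `samba_ldif_path /etc/openldap/slapd.d` before doing anything.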

Populate LDAP with Samba Records

Create a FreeNAS Jail

Create a jail so we have an environment to install the tools to.

  • FreeNAS -> Jails -> Add Jails
  • Specify a name (e.g. smbldap-tools)
  • Click Advanced Mode
  • Uncheck autostart since this jail won’t need to run all the time
  • Uncheck vanilla so we have access to package managers
  • Click OK
  • Select the new jail
  • Start the jail

Copy smb.conf to the Jail

Use the FreeNAS shell to copy the smb.conf file to the jail since it will be required by the tools. Don’t forget to update it if you change any important settings.

# cp /etc/local/smb.conf /mnt/pool1/jails/smbldap-tools/usr/local/etc

Get Local SID

You will need the FreeNAS SID later, for the SID setting in smbldap.conf.

# net getlocalsid                                               
SID for domain FREENAS is: S-1-5-21-3721319317-2572181732-4591207708

Install smbldap-tools

Use the FreeNAS Shell or SSH in order to switch to the new jail.

# jls
   JID  IP Address      Hostname                      Path
     1  -               owncloud_1                    /mnt/pool1/jails/owncloud_1
     2  -               smbldap-tools                 /mnt/pool1/jails/smbldap-tools

# jexec 2 /bin/tcsh
root@smbldap-tools:/ #

Now that you’re running in the jail, install the smbldap-tools.

# pkg install smbldap-tools

Configure smbldap-tools

Change to the configuration directory.

# cd /usr/local/etc/smbldap-tools

Update smbldap_bind.conf with the DN and password of a directory administrator. This file holds the password in clear text, so make sure it stays readable by root only.

# vi smbldap_bind.conf

slaveDN="uid=diradmin,cn=users,dc=yourdomain,dc=com"
slavePw="yourpassword"
masterDN="uid=diradmin,cn=users,dc=yourdomain,dc=com"
masterPw="yourpassword"

Update smbldap.conf with your domain information. Follow the instructions in the file.

# vi smbldap.conf

You will also want ldapTLS="1". Setting verify="none" gets things working quickly, but it disables certificate checking, so the directory admin password would be sent to whatever host answers on the LDAP port; prefer verify="require" with cafile pointing at the certificate authority that issued the Open Directory server certificate.
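As an added example (not from the article), the following script turns the `net getlocalsid` output into the directory-specific part of smbldap.conf with TLS verification required, and checks that smbldap_bind.conf is not readable by other users. The hostname od.example.com, the base DN dc=example,dc=com, the workgroup FREENAS and the CA file path are placeholders; cn=users, cn=groups and cn=computers are the standard Open Directory containers.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the
# directory-specific part of smbldap.conf from the FreeNAS SID, with TLS
# certificate verification turned on. Hostname, base DN and CA path are
# placeholders to replace.
set -eu

# "SID for domain FREENAS is: S-1-5-21-..."  ->  "S-1-5-21-..."
parse_local_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\).*$/\1/p'
}

# Print the settings that must differ from the packaged smbldap.conf.
# ${suffix} is left literal because smbldap-tools expands it itself.
# sambaDomain should match the workgroup in smb.conf.
render_smbldap_conf() {   # sid workgroup ldap_host base_dn
    cat <<EOF
SID="$1"
sambaDomain="$2"
slaveLDAP="$3"
slavePort="389"
masterLDAP="$3"
masterPort="389"
ldapTLS="1"
# A value of none here would trust any certificate, so the directory
# admin password from smbldap_bind.conf could go to an impostor.
verify="require"
cafile="/usr/local/etc/smbldap-tools/od-ca.pem"
suffix="$4"
usersdn="cn=users,\${suffix}"
computersdn="cn=computers,\${suffix}"
groupsdn="cn=groups,\${suffix}"
sambaUnixIdPooldn="sambaDomainName=$2,\${suffix}"
EOF
}

# smbldap_bind.conf holds the directory admin password in clear text.
bind_conf_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage in the jail, pasting the line printed by `net getlocalsid` on
# the FreeNAS host (the SID below is a placeholder):
#   sid=$(printf '%s\n' 'SID for domain FREENAS is: S-1-5-21-1-2-3' | parse_local_sid)
#   render_smbldap_conf "$sid" FREENAS od.example.com "dc=example,dc=com" > smbldap.local.conf
#   bind_conf_is_private /usr/local/etc/smbldap-tools/smbldap_bind.conf || chmod 600 /usr/local/etc/smbldap-tools/smbldap_bind.conf
```

Merge the rendered values into the packaged smbldap.conf rather than appending them, so each key appears once. Copy the issuing CA certificate from the OS X Server into the jail at the cafile path, or the TLS handshake will fail with verify="require".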

Populate LDAP

With everything configured you can now populate LDAP. smbldap-populate creates the sambaDomainName entry, the well-known Samba groups and the Unix ID pool under the DNs from smbldap.conf; it only needs to be run once.

# smbldap-populate

Add Samba Passwords and Group Members

If you already have users in LDAP and you want them to be able to authenticate with Samba, you need to add the attributes from samba.schema to their accounts using smbpasswd. This sets the separate Samba password mentioned above, so each user needs it done once.

# On FreeNAS (not in a jail)
# smbpasswd -a username

To add a new group:

# On the jail with smbldap-tools installed
# smbldap-groupadd -a groupname

To add a member to a group:

# smbldap-groupmod -m username groupname

To remove a member from a group:

# smbldap-groupmod -x username groupname

To create a machine account:

# smbldap-useradd -t 0 -w machinename

Map Samba Domain to POSIX Groups

smbldap-populate creates the standard Samba domain groups in LDAP (Domain Admins, Domain Users and so on). You can add users to these groups or to your own groups created with smbldap-groupadd. To map these groups to existing POSIX groups created by the Server app you can use the net groupmap commands. This is useful if your folders already have an existing security hierarchy.

# net groupmap list
Domain Admins (S-1-5-21-3050504340-2134014422-1344084917-512) -> Domain Admins
Domain Users (S-1-5-21-3050504340-2134014422-1344084917-513) -> Domain Users
Domain Guests (S-1-5-21-3050504340-2134014422-1344084917-514) -> Domain Guests
Domain Computers (S-1-5-21-3050504340-2134014422-1344084917-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

# net groupmap add ntgroup="Domain Users" unixgroup=myposixgroup rid=513 type=d
Successfully added group Domain Users to the mapping db as a domain group

# net groupmap list
Domain Users (S-1-5-21-3741309417-2672081632-3591007608-513) -> myposixgroup
Domain Admins (S-1-5-21-3050504340-2134014422-1344084917-512) -> Domain Admins
...
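An added example, not from the article, that plans the mappings for several groups at once: it reads "NT group:POSIX group" pairs, looks each NT group up in the current `net groupmap list` output, and emits `net groupmap add` for unmapped groups or `net groupmap modify` for groups that already have a mapping, so that re-running it does not try to add a duplicate. The POSIX group names in the usage comment (staff, wheel) are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: plan the group
# mappings from a list of "NT group:POSIX group" pairs, choosing add or
# modify from what `net groupmap list` already reports.
set -eu

# Read `net groupmap list` on stdin and print the unix group mapped to
# the named NT group; exits 1 if there is no mapping.
# Lines look like:  Domain Users (S-1-5-21-...-513) -> myposixgroup
groupmap_unix_for() {
    awk -v nt="$1" -F' -> ' '
        index($1, nt " (S-1-") == 1 { print $2; found = 1; exit }
        END { exit !found }'
}

# Well-known RIDs of the groups smbldap-populate creates; other groups
# need their sambaSID passed as sid= instead.
rid_for() {
    case "$1" in
        "Domain Admins")    echo 512 ;;
        "Domain Users")     echo 513 ;;
        "Domain Guests")    echo 514 ;;
        "Domain Computers") echo 515 ;;
        *) return 1 ;;
    esac
}

# Print the net command for one pair. `add` creates a mapping; if the NT
# group is already mapped, `modify` changes it in place instead.
groupmap_cmd() {   # nt_group unix_group existing_unix_group
    if [ -z "$3" ]; then
        rid=$(rid_for "$1") || {
            printf '# %s: no well-known RID, use net groupmap add sid=<sambaSID> unixgroup=%s type=d\n' "$1" "$2"
            return 0
        }
        printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s type=d\n' "$1" "$2" "$rid"
    elif [ "$3" != "$2" ]; then
        printf 'net groupmap modify ntgroup="%s" unixgroup=%s\n' "$1" "$2"
    else
        printf '# %s already mapped to %s\n' "$1" "$2"
    fi
}

# Read pairs from stdin, check the POSIX group resolves through NSS (the
# LDAP group must be visible to getent, not only to smbldap-tools), and
# print the plan. Pipe the output into `sh -e` once it looks right.
plan_groupmap() {
    current=$(net groupmap list)
    while IFS=: read -r nt unix; do
        [ -n "$nt" ] || continue
        if ! getent group "$unix" >/dev/null; then
            printf '# %s: POSIX group %s not found by getent, skipped\n' "$nt" "$unix"
            continue
        fi
        existing=$(printf '%s\n' "$current" | groupmap_unix_for "$nt" || true)
        groupmap_cmd "$nt" "$unix" "$existing"
    done
}

# On FreeNAS (not in the jail):
#   printf 'Domain Users:staff\nDomain Admins:wheel\n' | plan_groupmap          # review
#   printf 'Domain Users:staff\nDomain Admins:wheel\n' | plan_groupmap | sh -e  # apply
```

Reviewing the plan before piping it into `sh -e` is the point of the two-step design: a wrong mapping silently changes who can reach a share, and `net groupmap list` afterwards is the only place it shows up.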

Update the CIFS Service

If you see messages in your /var/log/messages such as:

Sep 30 21:25:11 freenas smbd[46457]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'

Then add the following Auxiliary Parameter to the CIFS service and restart it. With ldapsam:trusted = yes, Samba skips the normal NSS lookups on the assumption that every user and group in LDAP carries the complete POSIX and Samba attribute set it expects; the error above is what you get when that assumption does not hold for the Open Directory entries. Setting it to no makes Samba go through the regular lookups instead.

ldapsam:trusted = no

Other Tools

You may find commands like the following useful for testing: pdbedit lists the passdb entries with all of their attributes, smbclient tests an authenticated connection to the server, and ldapmodify lets you edit directory entries directly.

# pdbedit -Lv

# smbclient -L freenas -U username

# ldapmodify

Conclusion

Setup is a lengthy process, but now you should be ready to add CIFS shares to your FreeNAS using the account information in Open Directory on OS X Server.


About Aaron

Aaron is the founder of Spicy Pixel and works in the technology industry on nifty projects that he likes to write about. The contents of this website represent personal opinion and not necessarily those of his employers or sponsors.