How do I connect my FreeNAS File Server to my Mac OS X Directory Server?
Solution 1:
After hours of googling and testing, I finally managed to get FreeNAS 8 integrated with Mac OS X Open Directory. Here's what's needed to make this happen:
First, make sure that Open Directory is up and running using the Server Admin application:
Note the LDAP Search Base and the Kerberos Realm.
In FreeNAS's Web GUI, configure the LDAP service as follows:
- Hostname: your.servers.hostname.or.ip
- Base DN: Your LDAP Search base from Open Directory
- Allow Anonymous Binding: Unchecked (I had this off and bound as my diradmin user, but that may be unnecessary...)
- Root Bind DN: uid=diradmin, then the Base DN
- Root Password: The password for your Open Directory diradmin user. Again, this may be unnecessary, I am unsure
- Password Encryption: crypt
- User Suffix: cn=users
- Group Suffix: cn=groups
- Password Suffix: cn=users
- Machine Suffix: cn=computers
- Encryption Mode: Off
- Self signed certificate: empty
- Auxiliary Parameters:

  ldap_version 3
  timelimit 30
  bind_timelimit 30
  bind_policy soft
  pam_ldap_attribute uid
  sasl-host *your.open.directory.server.ip.or.hostname*
  sasl-realm *YOUR.KERBEROS.REALM.FROM.FIRST.STEP*
The Auxiliary Parameters are the key, especially sasl-host and sasl-realm. Obviously, replace *your.open.directory.server.ip.or.hostname* and *YOUR.KERBEROS.REALM.FROM.FIRST.STEP* with the information from the first step (see first screen capture).
When you save changes, LDAP should start working for all services except Samba/CIFS. Part of the struggle was how to fix Samba: after initially configuring the LDAP service on FreeNAS, I discovered that no users could connect via Samba at all, even users locally defined on the FreeNAS machine.
There were no errors in Samba's log, just permission denied errors on the client machines. More research revealed that I had to enable the FreeNAS Samba server to authenticate against the Mac OS X Open Directory using SASL separately from the LDAP configuration.
It is important to note that the Mac OS X LDAP Database does not contain password data. Authentication is available only via SASL/Kerberos. Quoting David Colville1 on Apple's Forums:

> Unlike some other LDAP directories, OS X doesn't store a password inside the LDAP record - it uses an "SASL" mechanism - it queries the "AuthenticationAuthority" attribute to advise the location where the user password can be retrieved.
> The passwords are stored inside the PasswordServer (SASL Server), in CRAM-MD5, Digest-MD5, DHX, etc (see Page 50 of the Open Directory Administration Guide).

This is why the sasl-host is so important in the LDAP config.
Configure Samba to use SASL:
UPDATE 2012-12-31: This is no longer working for me. I have been trying for hours to determine why and have so far been unable to.
In the FreeNAS Web GUI, configure the CIFS service as follows:
(The CIFS configuration screen is very long, I combined the very top and the bottom for clarity)
- Authentication Model: Local User
- Auxiliary parameters:

  password server = *YOUR.KERBEROS.REALM.FROM.FIRST.STEP*
  client ntlmv2 auth = yes
After saving these changes, test connecting to Samba with a user defined in Open Directory and confirm that you can connect. Also, test using AFP/SSH to confirm those are also authenticating against Open Directory.
Known Issues
There are a few things I was unable to resolve:
- User home directories on the Mac OS X LDAP server take the form /Network/Servers/some.server/some.directory/username. However FreeNAS has no /Network/Servers directory. It would be very simple to mkdir -p /Network/Servers and symlink users' home directories, however / is mounted readonly, so I cannot do that. Consequently LDAP users cannot have .AppleVolumes files for custom AFP shares. UPDATE 2012-12-31: I discovered that Mac OS X will permit home directories in the form /mnt/somewhere/someuser, allowing the Mac OS X user's home directory to match the FreeNAS file system, solving this issue.
- Samba/CIFS can now only authenticate LDAP users. This means that any user connecting via Samba must have an entry in the LDAP database, local users won't work anymore. This means you cannot have a home directory share, see #1.