How can I get FreeNAS to work with LDAP authentication?


To find the cause of this issue, I first started Samba in interactive mode with a higher debug level to see any messages in the output that could help:

/usr/local/sbin/smbd --interactive --debuglevel=3

Now I got more helpful output than before:

check_ntlm_password:  Checking password for unmapped user [WORKGROUP]\[osalzburg]@[LDAP] with the new password interface
check_ntlm_password:  mapped user is: [FREENAS]\[osalzburg]@[LDAP]
init_sam_from_ldap: Entry found for user: osalzburg
Primary group S-1-5-21-1400563477-347728745-2499486669-512 for user osalzburg is a UNKNOWN and not a domain group
Forcing Primary Group to 'Domain Users' for osalzburg
The primary group domain sid(S-1-5-21-1134279832-878937066-538846017-513) does not match the domain sid(S-1-5-21-1400563477-347728745-2499486669) for osalzburg(S-1-5-21-1400563477-347728745-2499486669-3002)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
check_ntlm_password:  Authentication for user [osalzburg] -> [osalzburg] FAILED with error NT_STATUS_UNSUCCESSFUL
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
Server exit (failed to receive smb request)
Terminated: 15

The key here is the part:

The primary group domain sid
  (S-1-5-21-1134279832-878937066-538846017-513) does not match the domain sid
  (S-1-5-21-1400563477-347728745-2499486669) for osalzburg(S-1-5-21-1400563477-347728745-2499486669-3002)

To resolve the mismatch, I changed the sambaSID of my FREENAS sambaDomainName entry to S-1-5-21-1400563477-347728745-2499486669 as suggested in this bug report comment.

I'm not sure where exactly I messed up my setup, but running Samba with debug output was key to finding the cause of the problem.
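One way to catch this class of misconfiguration before smbd rejects a logon is to audit the directory export for SIDs that do not sit under the sambaDomainName entry's sambaSID. The script below is an added example, not part of the answer or of FreeNAS/Samba; it parses a small constructed LDIF dump built from the SIDs in the log above and reports every sambaSamAccount whose sambaSID or sambaPrimaryGroupSID has a different domain prefix. It assumes a minimal LDIF layout (no folded lines, no base64 values) and that the sambaDomain entry's SID has already been aligned with the SID smbd itself uses (compare with `net getlocalsid`).

```python
import re

# Constructed LDIF export (not from the question); the SIDs are the ones in the smbd log.
SAMPLE_LDIF = """\
dn: sambaDomainName=FREENAS,dc=example,dc=org
objectClass: sambaDomain
sambaSID: S-1-5-21-1400563477-347728745-2499486669

dn: uid=osalzburg,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: osalzburg
sambaSID: S-1-5-21-1400563477-347728745-2499486669-3002
sambaPrimaryGroupSID: S-1-5-21-1134279832-878937066-538846017-513
"""

def parse_ldif(text):
    """Split a minimal LDIF into dicts of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def domain_part(sid):
    """Drop the trailing RID: S-1-5-21-a-b-c-513 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]

def find_sid_mismatches(ldif_text):
    """Return (uid, attribute, sid) for every account or primary-group SID whose
    domain prefix is not the sambaSID of a sambaDomain entry (smbd's failure above)."""
    entries = parse_ldif(ldif_text)
    domain_sids = {e["sambaSID"][0] for e in entries
                   if "sambaDomain" in e.get("objectClass", [])}
    problems = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if domain_part(sid) not in domain_sids:
                    problems.append((e["uid"][0], attr, sid))
    return problems

if __name__ == "__main__":
    for uid, attr, sid in find_sid_mismatches(SAMPLE_LDIF):
        print(f"{uid}: {attr}={sid} is outside the domain SID")
```

Feed it the output of an `ldapsearch -LLL` over your smbldap tree instead of the constructed sample to check a live directory.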


Updated on September 18, 2022

Comments

  • halra, over 1 year ago

    I'm trying to set up a FreeNAS 9.1.1 server with CIFS shares with LDAP authentication.

    I've set up an OpenLDAP server, populated it with smbldap-populate, added a user account for myself and configured the LDAP client on the FreeNAS to utilize the directory. It seems to me like FreeNAS can retrieve the users and groups fine, as the getent passwd and getent group output lists the entities that I've set up on my OpenLDAP server.

    So far so good. I've now created a new ZFS volume and set it up to be owned by my LDAP user account and the Domain Admins group.

    When I now try to use the share, by issuing net use \\freenas\zfs0-share on my Windows command line, I get the following result:

    System error 59 has occured.
    An unexpected network error occurred.
    

    In my FreeNAS console, I get the following output:

    freenas smbd: auth/check_samsec.c:491(check_sam_security)
    check_sam_security: make_server_info_sam() failed with NT_STATUS_UNSUCCESSFUL
    

    What does this error indicate and how can I resolve it?