I am trying to connect my File Server (FreeNAS 8.0.1 / 8.2-RELEASE-p7) with my Mac OS X 10.7 Lion Directory Server's Open Directory… I know that Mac OS X provides an LDAP service via which other servers can authenticate against, but I am having great difficulty getting FreeNAS to authenticate against the Mac OS X Open Directory.
How do I connect my FreeNAS File Server to my Mac OS X Directory Server?
Best Answer
After hours of googling and testing, I finally managed to get FreeNAS 8 integrated with Mac OS X Open Directory. Here's what's needed to make this happen:
First, make sure that Open Directory is up and running using the Server Admin application:
Note the LDAP Search Base and the Kerberos Realm.
In FreeNAS's Web GUI, configure the LDAP service as follows:
- `diradmin` user, but that may be unnecessary...)
- `uid=diradmin,` then the Base DN
- `diradmin` user. Again, this may be unnecessary, I am unsure
- `crypt`
- `cn=users`
- `cn=groups`
- `cn=users`
- `cn=computers`
- Off
- Auxiliary Parameters:
The Auxiliary Parameters are the key, especially `sasl-host` and `sasl-realm`. Obviously, replace *your.open.directory.server.ip.or.hostname* and *YOUR.KERBEROS.REALM.FROM.FIRST.STEP* with the information from the first step (see first screen capture).
When you save changes, LDAP should start working for all services except Samba/CIFS. Part of the struggle was how to fix Samba: after initially configuring the LDAP service on FreeNAS, I discovered that no users could connect via Samba at all, even users locally defined on the FreeNAS machine.
There were no errors in Samba's log, just permission denied errors on the client machines. More research revealed that I had to enable the FreeNAS Samba server to authenticate against the Mac OS X Open Directory using SASL separately from the LDAP configuration.
It is important to note that the Mac OS X LDAP Database does not contain password data. Authentication is available only via SASL/Kerberos. Quote David Colville on Apple's Forums:
This is why the `sasl-host` is so important in the LDAP config.
Configure Samba to use SASL:
UPDATE 2012-12-31: This is no longer working for me. I have been trying for hours to determine why and have so far been unable to.
In the FreeNAS Web GUI, configure the CIFS service as follows:
(The CIFS configuration screen is very long, I combined the very top and the bottom for clarity)
Local User
Auxiliary parameters:
After saving these changes, test connecting to Samba with a user defined in Open Directory and confirm that you can connect. Also, test using AFP/SSH to confirm those are also authenticating against Open Directory.
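As an added diagnostic that is not part of the original answer: the point made above, that the Open Directory LDAP database carries no password data and only advertises SASL/Kerberos authorities, can be confirmed from an LDAP dump of a user record before touching the CIFS settings. The script parses a constructed LDIF record (the hostnames, realm and IDs are placeholders I made up; the attribute names `authAuthority` and `userPassword` are the ones Open Directory exposes over LDAP) and reports whether a hash is present and which Kerberos realm the `sasl-realm` parameter has to name.

```python
"""Added example: report how an Open Directory user record authenticates.
The LDIF below is constructed (hostnames, realm, IDs are placeholders);
attribute names are the ones Open Directory exposes over LDAP."""
import base64

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=od,dc=example,dc=com
uid: alice
objectClass: apple-user
uidNumber: 1025
homeDirectory: /Network/Servers/od.example.com/Users/alice
authAuthority: ;ApplePasswordServer;0xPLACEHOLDER,1024 35 PLACEHOLDER root@od.e
 xample.com:192.0.2.10
authAuthority: ;Kerberosv5;;alice@OD.EXAMPLE.COM;OD.EXAMPLE.COM;
"""

def parse_ldif(text):
    """{attr: [values]} for one record; unfolds ' '-continued lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def check_user(text):
    """Whether LDAP alone could verify this user's password, and what can."""
    entry = parse_ldif(text)
    # authAuthority values look like ';Mechanism;data;...'
    auths = [v.split(";") for v in entry.get("authauthority", []) if v.startswith(";")]
    krb = next((p for p in auths if p[1] == "Kerberosv5"), None)
    has_hash = "userpassword" in entry
    return {
        "has_password_hash": has_hash,           # False: crypt/simple-bind checks cannot work
        "auth_mechanisms": [p[1] for p in auths],
        "kerberos_principal": krb[3] if krb else None,
        "kerberos_realm": krb[4] if krb else None,  # the value to put in sasl-realm
        "needs_sasl": not has_hash and bool(auths),
    }

if __name__ == "__main__":
    for key, val in check_user(SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

Run it against a real record exported with `ldapsearch` from the Open Directory server; a user showing `needs_sasl: True` cannot be authenticated by the `crypt` password-encryption path, which matches the "permission denied with nothing in the Samba log" symptom described above.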
Known Issues
There are a few things I was unable to resolve:
User home directories on the Mac OS X LDAP server take the form `/Network/Servers/some.server/some.directory/username`. However FreeNAS has no `/Network/Servers` directory. It would be very simple to `mkdir -p /Network/Servers` and symlink users' home directories, however `/` is mounted read-only, so I cannot do that. Consequently LDAP users cannot have `.AppleVolumes` files for custom AFP shares.
UPDATE 2012-12-31: I discovered that Mac OS X will permit home directories in the form `/mnt/somewhere/someuser`, allowing the Mac OS X user's home directory to match the FreeNAS file system, solving this issue.