#398 freenas and active directory (AD) - lost settings

v0.686
open
Volker
7
2012-10-28
2008-07-10
No

in smb.conf:
realm = WORKGROUP.LOCAL
security = ads
use kerberos keytab = yes
winbind expand groups = 1
winbind normalize names = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind replacement character = +

in sshd_config:

ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Discussion

  • Volker
    2008-07-11

    Logged In: YES
    user_id=1598685
    Originator: NO

    Hi,

    I think you modified the files by hand. If this is true, the behaviour that you'll lose your settings is normal. This is because FreeNAS creates the config files for most of the services on the fly when the rc.d scripts are executed.
    To add your additional CIFS attributes use the CIFS/SMB WebGUI to add them at the bottom of the site under 'Auxiliary parameters'.

    For SSH I've modified the rc.d script. Please see http://freenas.svn.sourceforge.net/viewvc/freenas?view=rev&revision=3579

    With the next nightly build for 0.69 with revision >= 3579 it is possible to add additional parameters to sshd_config. To do that you have to modify the /conf/config.xml file by hand via WebGUI 'Advanced: Edit File'. You have to modify the sshd section as follows:

    <sshd>
    <port>22</port>
    <passwordauthentication/>
    <pubkeyauthentication/>
    <permitrootlogin/>
    <enable/>
    <private-key/>
    <auxparam>GSSAPIAuthentication yes</auxparam> <!-- Additional parameter -->
    <auxparam>GSSAPICleanupCredentials yes</auxparam> <!-- Additional parameter -->
    </sshd>

    Regards
    Volker

     
  • Logged In: YES
    user_id=1302173
    Originator: YES

    I have no problem :). I added my FreeNAS to AD. I did not modify the config files by hand. :)

    It is a bug, because in the GUI (Services/CIFS)
    there is only - domain/users/anonymous - if you use AD, here it is "ads" (security = ads)

     
  • Volker
    2008-07-12

    Logged In: YES
    user_id=1598685
    Originator: NO

    Sorry, but I don't understand what your problem is, so can you please describe it in more detail? Do you want 'ADS' to be added? Did you modify the scripts to your needs?

    Regards
    Volker

     
  • Logged In: YES
    user_id=1302173
    Originator: YES

    </mounts>
    <samba>
        <netbiosname>freenas1</netbiosname>
        <workgroup>DOMAIN</workgroup>
        ...
        <security>domain</security>
    

    ...
    <winssrv>xxx.xxx.xxx.xxx</winssrv>
    ...
    <auxparam>security = ads</auxparam>
    <auxparam>acl check permissions = Yes</auxparam>
    <auxparam>acl compatibility = Auto</auxparam>
    <auxparam>acl group control = Yes</auxparam>
    <auxparam>acl map full control = Yes</auxparam>
    <auxparam>admin users = @DOMAIN+admins</auxparam>
    <auxparam>create mode = 600</auxparam>
    <auxparam>directory mode = 770</auxparam>
    <auxparam>directory security mask = 0777</auxparam>
    <auxparam>fstype = NTFS</auxparam>
    <auxparam>guest ok = no</auxparam>
    <auxparam>hide dot files = yes</auxparam>
    <auxparam>nt acl support = yes</auxparam>
    <auxparam>password server = * </auxparam>
    <auxparam>public = no</auxparam>
    <auxparam>realm = DOMAIN.LAN</auxparam>
    <auxparam>security mask = 0777</auxparam>
    <auxparam>use kerberos keytab = yes</auxparam>
    <auxparam>valid users = @DOMAIN+users</auxparam>
    <auxparam>winbind normalize names = yes</auxparam>
    <auxparam>winbind offline logon = yes</auxparam>
    <auxparam>winbind refresh tickets = yes</auxparam>
    <auxparam>winbind separator = +</auxparam>
    </samba>

    <ad>
        <admin_name>aminuser</admin_name>
        <admin_pass>It is not a good idea to store the password for domain admins. It is used one time, when joining the server to AD</admin_pass>
    

    ..
    <enable/>
    </ad>
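
A check for the two things the last post shows: a `security` auxparam that contradicts the GUI-managed `<security>` element, and an AD join password kept in config.xml. This is an added example, not FreeNAS code or code from the thread; the `<config>` wrapper, the sample values and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments posted in this ticket; the
# <config> wrapper and the password value are placeholders, not real data.
SAMPLE = """<config>
  <samba>
    <workgroup>DOMAIN</workgroup>
    <security>domain</security>
    <auxparam>security = ads</auxparam>
    <auxparam>realm = DOMAIN.LAN</auxparam>
  </samba>
  <ad>
    <admin_name>adminuser</admin_name>
    <admin_pass>PLACEHOLDER-PASSWORD</admin_pass>
    <enable/>
  </ad>
</config>"""


def parse_auxparams(section):
    """Return {key: value} for the 'key = value' <auxparam> lines of a section."""
    params = {}
    for node in section.findall("auxparam"):
        key, sep, value = (node.text or "").partition("=")
        if sep:
            # smb.conf parameter names ignore case and internal whitespace
            params["".join(key.split()).lower()] = value.strip()
    return params


def audit_config(xml_text):
    """List findings: auxparam/element conflicts and a stored AD join password."""
    root = ET.fromstring(xml_text)
    findings = []
    samba = root.find(".//samba")
    if samba is not None:
        # Elements other than <auxparam> are assumed to be the GUI-managed settings
        managed = {c.tag.lower(): (c.text or "").strip() for c in samba if c.tag != "auxparam"}
        for key, value in parse_auxparams(samba).items():
            if key in managed and managed[key].lower() != value.lower():
                findings.append(f"samba: auxparam '{key} = {value}' conflicts with <{key}>{managed[key]}</{key}>")
    ad = root.find(".//ad")
    if ad is not None and (ad.findtext("admin_pass") or "").strip():
        findings.append("ad: <admin_pass> is stored in the configuration file")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE)))
```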