freenas and active directory (AD) - lost settings
This project has moved to github - see https://github.com/freenas
Logged In: YES
user_id=1598685
Originator: NO
Hi,
I think you modified the files by hand. If this is true, the behaviour that you'll lose your settings is normal. This is because FreeNAS creates the config files for most of the services on the fly when the rc.d scripts are executed.
To add your additional CIFS attributes, use the CIFS/SMB WebGUI to add them at the bottom of the site under 'Auxiliary parameters'.
For SSH I've modified the rc.d script. Please see http://freenas.svn.sourceforge.net/viewvc/freenas?view=rev&revision=3579
With the next nightly build for 0.69 with revision >= 3579 it is possible to add additional parameters to sshd_config. To do that you have to modify the /conf/config.xml file by hand via WebGUI 'Advanced: Edit File'. You have to modify the sshd section as follows:
<sshd>
    <port>22</port>
    <passwordauthentication/>
    <pubkeyauthentication/>
    <permitrootlogin/>
    <enable/>
    <private-key/>
    <auxparam>GSSAPIAuthentication yes</auxparam> <!-- Additional parameter -->
    <auxparam>GSSAPICleanupCredentials yes</auxparam> <!-- Additional parameter -->
</sshd>
Regards
Volker
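The regeneration behaviour described in the comment above, as an added sketch that is not FreeNAS's rc.d script and not part of the original thread: it renders sshd_config from the `<sshd>` section of config.xml and reports which lines of a hand-edited file would not survive the next regeneration. The function names, the `<freenas>` root element and the mapping from flag elements to directives are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <sshd> section quoted above (root element assumed).
CONFIG_XML = """<freenas><sshd>
  <port>22</port>
  <passwordauthentication/>
  <pubkeyauthentication/>
  <permitrootlogin/>
  <enable/>
  <private-key/>
  <auxparam>GSSAPIAuthentication yes</auxparam>
  <auxparam>GSSAPICleanupCredentials yes</auxparam>
</sshd></freenas>"""

# Assumed mapping: an empty element that is present means "yes", absent means "no".
FLAGS = {
    "passwordauthentication": "PasswordAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "permitrootlogin": "PermitRootLogin",
}

def render_sshd_config(config_xml):
    """Build the whole sshd_config text from config.xml; nothing else feeds into it."""
    sshd = next(ET.fromstring(config_xml).iter("sshd"), None)
    if sshd is None:
        raise ValueError("no <sshd> section in config")
    lines = ["Port " + (sshd.findtext("port") or "22").strip()]
    for tag, directive in FLAGS.items():
        state = "yes" if sshd.find(tag) is not None else "no"
        lines.append(directive + " " + state)
    for aux in sshd.findall("auxparam"):
        text = (aux.text or "").strip()
        # This sketch's own rule: one directive per <auxparam>, so a single
        # element cannot smuggle extra lines into the generated file.
        if not text or "\n" in text or "\r" in text:
            raise ValueError("auxparam must hold exactly one directive")
        lines.append(text)  # appended verbatim after the GUI-managed settings
    return "\n".join(lines) + "\n"

def lost_on_regeneration(current_file, config_xml):
    """Lines present in a hand-edited file that the regenerated file will not contain."""
    generated = set(render_sshd_config(config_xml).splitlines())
    kept = [ln.strip() for ln in current_file.splitlines()]
    return [ln for ln in kept if ln and not ln.startswith("#") and ln not in generated]

if __name__ == "__main__":
    print(render_sshd_config(CONFIG_XML), end="")
```

Anything `lost_on_regeneration` reports has to be moved into an `<auxparam>` element to persist across service restarts.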
Logged In: YES
user_id=1302173
Originator: YES
I have no problem :). I added my FreeNAS to AD. I did not modify the config files by hand. :)
It is a bug because in the GUI (Services/CIFS) there is only domain/users/anonymous; if you use AD, here it is "ads" (security = ads).
Logged In: YES
user_id=1598685
Originator: NO
Sorry, but I don't understand what your problem is, so can you please describe it in more detail? Do you want 'ADS' to be added? Did you modify the scripts to your needs?
Regards
Volker
Logged In: YES
user_id=1302173
Originator: YES
...
<winssrv>xxx.xxx.xxx.xxx</winssrv>
...
<auxparam>security = ads</auxparam>
<auxparam>acl check permissions = Yes</auxparam>
<auxparam>acl compatibility = Auto</auxparam>
<auxparam>acl group control = Yes</auxparam>
<auxparam>acl map full control = Yes</auxparam>
<auxparam>admin users = @DOMAIN+admins</auxparam>
<auxparam>create mode = 600</auxparam>
<auxparam>directory mode = 770</auxparam>
<auxparam>directory security mask = 0777</auxparam>
<auxparam>fstype = NTFS</auxparam>
<auxparam>guest ok = no</auxparam>
<auxparam>hide dot files = yes</auxparam>
<auxparam>nt acl support = yes</auxparam>
<auxparam>password server = * </auxparam>
<auxparam>public = no</auxparam>
<auxparam>realm = DOMAIN.LAN</auxparam>
<auxparam>security mask = 0777</auxparam>
<auxparam>use kerberos keytab = yes</auxparam>
<auxparam>valid users = @DOMAIN+users</auxparam>
<auxparam>winbind normalize names = yes</auxparam>
<auxparam>winbind offline logon = yes</auxparam>
<auxparam>winbind refresh tickets = yes</auxparam>
<auxparam>winbind separator = +</auxparam>
</samba>
..
<enable/>
</ad>