Clarifications on TrueNAS Scale and LDAP integration

Hello all,

For the past few days I have been trying to integrate TrueNAS (24.10) with an LDAP domain. The process has been quite frustrating with little success to say the least.

I will preface this by saying that while I am new to LDAP, my problems appear to be more on the TrueNAS side.

As for some deployment details, the LDAP server is an OpenLDAP deployment, running in a docker container under TrueNAS, using the github osixia/docker-openldap image. (Link redacted, due to new user limitations).

With that out of the way, let me get to the point:

  • First, is Samba authentication via LDAP still supported? I have seen references on the forums to the removal of support for NTLM, needed to facilitate this. However, the documentation still says that LDAP is supported, provided specific attributes are populated. Which of these two is correct?
  • I am experiencing strange issues with stale groups, users, and attributes present in the TrueNAS Credentials → User UI. This is irrespective of whether the “Disable LDAP User/Group Cache” checkbox in the Directory Services → LDAP menu is selected or not. There is no effect on this by manually clearing the sssd cache (sudo sss_cache -E). Rebooting the system works, but is inconvenient.
  • Not all attributes of the user seem to be settable from the LDAP data. For example, I have been unable to set the “Authorized keys” field in TrueNAS by populating the “sshPublicKey” attribute in the LDAP database. I have also been unable to set the “Allow password login”, so that the users can log in with the password for the first time and copy their ssh keys that way. Looking through the LDAP plugin for middleware, these do not appear to be used despite being pulled from the database (according to the query logged by the LDAP server).
  • Attempting to remap attributes (using the Auxiliary Parameters) causes an error (sssd cannot start). Specifically: map passwd homeDirectory "/mnt/pool/home_share/$uid" results in a comically long error message, since it includes the previous service log. An abridged error log can be found below.

Any response/help would be appreciated, especially regarding the first point. If Samba auth does not work with OpenLDAP, then there is nothing to be done but to switch to AD or FreeIPA.


.
.
.
Mar 05 18:16:25 systemd[1]: Starting sssd.service - System Security Services Daemon...
Mar 05 18:16:25 sssd[17703]: SSSD couldn't load the configuration database [1432158325]: Error while parsing configuration file
Mar 05 18:16:25 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Mar 05 18:16:25 systemd[1]: sssd.service: Failed with result 'exit-code'.
Mar 05 18:16:25 systemd[1]: Failed to start sssd.service - System Security Services Daemon.
Mar 05 18:16:32 systemd[1]: Starting sssd.service - System Security Services Daemon...
Mar 05 18:16:32 sssd[17776]: SSSD couldn't load the configuration database [1432158325]: Error while parsing configuration file
Mar 05 18:16:32 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Mar 05 18:16:32 systemd[1]: sssd.service: Failed with result 'exit-code'.
Mar 05 18:16:32 systemd[1]: Failed to start sssd.service - System Security Services Daemon.
Mar 05 18:35:27 systemd[1]: Starting sssd.service - System Security Services Daemon...
Mar 05 18:35:27 sssd[24441]: SSSD couldn't load the configuration database [1432158325]: Error while parsing configuration file
Mar 05 18:35:27 systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Mar 05 18:35:27 systemd[1]: sssd.service: Failed with result 'exit-code'.
Mar 05 18:35:27 systemd[1]: Failed to start sssd.service - System Security Services Daemon.
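The parse failure in the log above is consistent with a syntax mismatch: sssd.conf is an INI file, and `map passwd homeDirectory ...` is nslcd (nss-pam-ldapd) syntax rather than an sssd option, so sssd's config loader rejects the line before the service starts. As an added example (not part of the original post), the snippet checks an Auxiliary Parameters fragment with Python's configparser and shows sssd's native `override_homedir` template alongside; the base config, its hostnames and DNs are constructed, and the assumption that TrueNAS appends the fragment to the [domain/...] section is mine.

```python
import configparser

# Constructed sssd.conf skeleton (assumed shape; the file TrueNAS generates
# has more options). Hostname and base DN are placeholders.
SSSD_BASE = """[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
"""

# The directive from the post: nslcd (nss-pam-ldapd) syntax, not sssd's.
NSLCD_STYLE = 'map passwd homeDirectory "/mnt/pool/home_share/$uid"'
# sssd's own way to force a home directory template (%u = login name).
SSSD_STYLE = "override_homedir = /mnt/pool/home_share/%u"


def render_config(aux_params: str) -> str:
    """Append auxiliary parameters to the domain section (assumed to be
    where TrueNAS places the 'Auxiliary Parameters' text)."""
    return SSSD_BASE + aux_params.strip() + "\n"


def validate_sssd_conf(text: str) -> tuple:
    """Parse as INI, which is sssd.conf's format. A bare directive with no
    'key = value' form fails here just as it fails in sssd, which then
    exits before the LDAP domain is ever brought online."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return False, type(exc).__name__
    return True, parser["domain/LDAP"].get("override_homedir", "")


if __name__ == "__main__":
    for label, fragment in (("nslcd-style", NSLCD_STYLE), ("sssd-native", SSSD_STYLE)):
        print(label, validate_sssd_conf(render_config(fragment)))
```

Running it shows the nslcd-style line rejected as a ParsingError while the sssd-native line parses and yields the home directory template.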

Looks like that article got overlooked; however, the forum post you link from @awalkerix is correct. Microsoft deprecated NTLM upstream and one of the results of that is that Legacy Samba Schema support was removed from LDAP in TrueNAS.

This is also covered in the 24.10 Release Notes

  • Support for the deprecated LDAP Samba Schema is removed in 24.10. Users with both LDAP and SMB shares configured should migrate legacy Samba domains to Active Directory before upgrading to 24.10.

We have had UI warnings about pending deprecation since TrueNAS 13 IIRC. The openldap samba schema requires storing unsalted MD4s of user passwords in the LDAP schema. Even if you lock these entries in the LDAP server, every SMB server in the NT-style domain will still have access to them because authentication happens on the SMB server rather than the LDAP server.
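To make the release-note advice actionable, here is an added example (not part of the thread) that scans an LDIF export, such as slapcat output, for entries still carrying the legacy samba.schema attributes described above, so they can be migrated before upgrading. The DNs and the hash-shaped value are constructed placeholders.

```python
import base64

# Constructed LDIF standing in for a `slapcat` export of the OpenLDAP server.
# The sambaNTPassword value is a placeholder pattern, not a real hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=internal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=people,dc=example,dc=internal
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
sshPublicKey:: c3NoLWVkMjU1MTkgQUFBQSBwbGFjZWhvbGRlcg==
"""

# Legacy samba.schema attributes holding password-equivalent material
# (unsalted MD4 "NT hash", LM hash) and the object class that carries them.
LEGACY_SAMBA_ATTRS = {"sambantpassword", "sambalmpassword"}
LEGACY_SAMBA_CLASS = "sambasamaccount"


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    'attr:: <base64>' values, returns one {attr_lower: [values]} per entry."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_legacy_samba_entries(text):
    """DNs of entries that must be migrated before the Samba schema is dropped."""
    flagged = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if LEGACY_SAMBA_ATTRS & set(entry) or LEGACY_SAMBA_CLASS in classes:
            flagged.append(entry["dn"][0])
    return flagged
```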

I see. I was not using TrueNAS in that time period. It’s unfortunate that the documentation was not updated, but I understand that with a project this big things tend to get missed.

I’ll switch to one of the other solutions, then. Cheers!

OpenLDAP is still supported. This one legacy and now deprecated method of doing SMB authentication with it has been removed. That’s not the only feature that LDAP provided and still provides.

Just to make sure we are on the same page, by “SMB authentication” I am referring to the ability of a user to be able to access SMB shares, via a password present in the LDAP database. Am I misunderstanding something here?

The ability to do this is a hard requirement for this deployment.

To clarify the timeline: in TrueNAS 13 we added DEPRECATED next to the samba schema checkbox. In 24.04 we took a step further and added a UI critical alert if the feature is enabled to indicate that the feature will be removed in the next release. In 24.10 we removed the feature.

SMB authentication by password stored in the LDAP schema is not supported in 24.10 and any future release. OpenLDAP can provide accounts for the TrueNAS server that are used by SSH, FTP, NFS, etc and so it is still generally useful.

To add to @Golui's issues:
I can reconfirm that flushing caches / updating LDAP information from the upstream directory server is not working as expected. When some attribute is changed, e.g. the home directory, I had to enable / disable the LDAP cache and enable / disable the LDAP integration altogether to get the current information into the credential store. Fine while testing TrueNAS, not too nice when shares are used in production.

Additionally, user home shares don’t work at all for me right now. The home shares are created by root, so a new user authenticating to get his share will get a permission denied error, since his homedir belongs to root with permissions 0700.

My setup:
TrueNAS Scale 24.10 with FreeIPA Directory Server
Authentication through Kerberos