I’ve used FreeNAS for years, but only used local accounts. I’m now working on configuring a new TrueNAS Scale server to use LDAP via an OpenLDAP server running on Ubuntu. The Ubuntu server is working and I’m able to connect to it via phpldapadmin and create groups and users. I’ve also seemingly got TrueNAS Scale connected to it via Credentials → Directory Services and it says the LDAP status is “Healthy”. The shares are set up as SMB in TrueNAS.
When I try to directly connect to a user’s account on macOS → “Connect to Server” or “Map Network Drive” on Windows 11, I enter the username and password, but the connection is rejected. On my old FreeNAS server running with local accounts, all I had to enter was username and password. Is there something else I need to do for TrueNAS that uses LDAP? (Right now, I’m not configuring the whole computer to use Directory Services, I’m only trying to connect to shares directly)
I’m very new to this setup and hopeful it’ll work, so any help or pointers are appreciated.
A plain OpenLDAP server is insufficient to provide authentication for SMB protocol. You could in theory use the legacy samba schema extensions, but support for this is being removed in Electric Eel. Using AD (Samba or Microsoft) is a better option.
No problem. AD is generally the best way to provide identity services since it supports strong authentication out of the box (eventually MS will deprecate NTLM variants).
If you don’t want to deal with running your own LDAP, I’ve been successful with Jumpcloud on a couple of installs. In addition to the LDAP, I use it for centralized account management across multiple VMs. They have a 10-user freebie if you want to give it a go. Feel free to DM me if you go that way. We could then continue the conversation publicly so others can learn from it.
Interesting. I am using an SMB share on a TrueNAS connected to JC LDAP. The SMB LDAP extensions are turned off. Granted, this is a naive setup, as I only have one Windows system, and the rest are Linux.
I assume I need 1-2 machines running just Samba AD and DC backed by JC for user account info?
I don’t know particulars of your setup. There are basically two supported mechanisms for SMB authentication: NTLM (provided by the LDAP schema extensions) or Kerberos.
Last time I checked it only supported NTLM authentication via samba schema. This is no longer a supported configuration on TrueNAS due to the security issues it poses. The TrueNAS server has to have access to NT hashes in order to make the legacy support work (which are basically unsalted MD4s). This is generally unacceptable in a modern world.
NTLM auth works when joined to AD because the TrueNAS server passes along the auth request to the DC. This is not the case with legacy samba schema + OpenLDAP.
If I need to place this in a new thread, please let me know, but it is a continuation of my original question from where I moved to a Samba AD solution.
I now have a Samba Domain Controller running on Ubuntu 24.04. It is running well and I can connect Windows machines to it successfully. I would like to connect TrueNAS to it, but when I go to Credentials->Directory Services and configure AD and then click “Save”, things seem to get stuck on “Save”, where the button is greyed out but nothing happens. The blue progress meter shows very quickly, but the screen stays on that AD config screen and “Save” stays greyed out. The information I’m putting in, like the domain name and credentials, is indeed correct.
Is there a place where AD connection errors are logged? I can’t find any in /var/log/