FreeIPA/IdM - Stops working after updating to 24.x

Hello,

We have had a working FreeIPA/IdM setup (except for NFSv4) on our NAS in both the 22.x and 23.x release series. Being able to use kerberized NFSv4 and SMB is a big deal for us.

In the old config, LDAP was configured to use a Kerberos realm we added manually and a keytab which was fetched from FreeIPA/IdM.

After upgrading to 24.10, we can no longer authenticate against the LDAP server via the old Kerberos credentials. I have tried wiping the configuration with a new hostname to test the new ipa-join feature, with no luck, following the documented guide:

“Configuring FreeIPA” from TrueNAS Stable Version Documentation (24.10).

When following the guide, we get the following error:

[UNWILLING_TO_PERFORM]: Server is unwilling to perform: Unauthenticated binds are not allowed

When we configure everything like we did in 22.x and 23.x we get this error:

 Error: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 533, in __run_body
    rv = await self.method(*args)
         ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 49, in nf
    res = await f(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 179, in nf
    return await func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/ldap.py", line 681, in do_update
    await self.__start(job, ds_type)
  File "/usr/lib/python3/dist-packages/middlewared/plugins/ldap.py", line 909, in __start
    ipa_config = await self.ipa_config(ldap)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/middlewared/plugins/ldap.py", line 855, in ipa_config
    username = conf['binddn'].split(',')[0].split('=')[1]
               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range

I find the LDAP join described in the guide a bit odd and confusing; why not just give an AD / LDAP+Kerberos / FreeIPA config menu?

Is anyone else running a working FreeIPA setup? Our main FreeIPA servers are running 4.12.2 on Rocky Linux.


We just upgraded to 24.10.1 from 23.x and have encountered the same issue. Any progress resolving?

I’ll also mention that our working configuration was using anon binds, and we only used LDAP to allow usernames to appear rather than UID numbers in the dataset quota configuration page. After the upgrade, it was STILL working, but it broke when we needed to remove an IPA server DNS name from the LDAP configuration and add a new one. So, we suspect that something is wonky with the middleware UI?
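An added example (not TrueNAS middleware code, and not written by either poster above) that reproduces the bind DN parsing line from the traceback in the first post, `conf['binddn'].split(',')[0].split('=')[1]`, and contrasts it with a parser that fails with a specific error instead of an IndexError. The sample bind DNs are constructed for this example. It is my inference, not something the thread confirms, that an empty bind DN (the anonymous-bind configuration the second poster describes) is one input on which the middleware expression throws exactly the IndexError shown: `''.split(',')` is `['']`, `''.split('=')` is `['']`, and index 1 does not exist.

```python
"""
Added example: the bind DN one-liner from the traceback vs. a parser that
returns None for an empty (anonymous) or malformed DN. Not TrueNAS code.
"""
import re
from typing import Optional

# Constructed sample inputs for this example, not taken from any real system.
SAMPLE_BINDDNS = {
    "ipa_user": "uid=truenas,cn=users,cn=accounts,dc=example,dc=test",
    "anonymous": "",                      # what an anonymous-bind config carries
    "escaped_comma": r"cn=Smith\, John,cn=users,dc=example,dc=test",
    "no_equals": "truenas",               # malformed; should be rejected, not crash
}


def username_as_middleware_does(binddn: str) -> str:
    """The expression from the traceback, verbatim: it assumes the first RDN
    is 'attr=value'. An empty binddn yields [''] and raises IndexError."""
    return binddn.split(",")[0].split("=")[1]


# RDN separator: a comma not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def first_rdn_value(binddn: str) -> Optional[str]:
    """Return the value of the first RDN, or None when the DN is empty
    (anonymous bind) or the first RDN is not of the form attr=value.

    Handles backslash-escaped commas in the value, which the naive split
    does not. This is not a full RFC 4514 parser: no hex escapes and no
    multi-valued RDNs."""
    binddn = binddn.strip()
    if not binddn:
        return None
    first = _RDN_SPLIT.split(binddn, maxsplit=1)[0]
    attr, sep, value = first.partition("=")
    if not sep or not attr.strip() or not value.strip():
        return None
    # Unescape only "\," and "\\" so the caller gets the literal value.
    return re.sub(r"\\([,\\])", r"\1", value.strip())


def resolve_username(binddn: str) -> str:
    """What a caller should get: a value or a specific error, never an IndexError."""
    value = first_rdn_value(binddn)
    if value is None:
        raise ValueError(
            "IPA configuration requires a bind DN of the form uid=<user>,...; "
            "an empty (anonymous) or malformed bind DN cannot be used here"
        )
    return value


def naive_raises(binddn: str) -> bool:
    """True when the middleware expression raises IndexError for this binddn."""
    try:
        username_as_middleware_does(binddn)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    for label, dn in SAMPLE_BINDDNS.items():
        naive = "IndexError" if naive_raises(dn) else username_as_middleware_does(dn)
        print(f"{label:14} naive={naive!r:22} safe={first_rdn_value(dn)!r}")
```

Besides the empty DN, the naive expression silently returns a wrong value for a first RDN whose value contains an escaped comma (it yields `Smith\` for the constructed `escaped_comma` entry), and it also raises on a DN with no `=` at all. A configuration path that accepts anonymous binds for plain LDAP lookups but requires an IPA service account for the join should check for the empty DN up front and say so, rather than let the split fail inside the job.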

I’m also having trouble joining a FreeIPA domain. It is a different error but it also might be something wonky with the middleware.

I’ve documented my errors here:

Every update, I like to go in and configure FreeIPA LDAP for sh*ts and giggles. Usually I can get Kerberos/LDAP backend auth going for a few moments before I realize there’s always a random attribute or component missing. There was a period of time where they included the ipasam.so lib but never actually loaded it. I’m not sure if this bug is still around, but they used to have a problem where there was a hardcoded flow to automatically client-join with FreeIPA every time you reconfigured. Of course that results in an error because the TrueNAS server is already joined and did not execute measures to leave IPA.

Anyways, the actual solution is to completely ignore what’s going on in the WebUI. That’s only for Active Directory people. If you really want to be able to do kerberized NFS/SMB and authenticate properly against FreeIPA, you’re going to have to spin up a Fedora/Rocky Linux systemd-nspawn container and pass in the ZFS device into the container.

Then you go through the routines of joining FreeIPA, load the ipasam.so lib and have access to share the entire storage pool. Anything else is just asking for iX Systems to rug-pull you with bugs. On the bright side, you don’t have to worry about them implementing old features such as Elasticsearch-backed Spotlight, document dedupe or any other assortment of Samba features that have come about in the past 10 years. The SMB sharing attributes even worked properly:

$ zfs share -o share.smb=on pool /dataset %ushare

I’m more than happy to share the jail and Samba config if it helps anyone avoid the head-banging that is trying to get FreeIPA working with TrueNAS.