I have long wanted to play a bit with LDAP, and got it working once on a Raspberry PI. When it finally worked, my SD card got corrupted and I lost all my hard work.
I decided to play with FreeIPA, as it takes all the complexity of setting up LDAP and its security away from the user. I am really impressed by how easy it was to set up FreeIPA and to use it to authenticate users on other systems.
I’ve now successfully managed to use FreeIPA to provide a user directory for both FreeNAS and Nextcloud, though I will wait a bit before using it as my main source of authentication, as it will take some time to migrate the local users on those services to my directory ones.
I was surprised by the lack of guidance on how to use FreeIPA with FreeNAS, so I decided to write what I learned here after reading some forums and trying some stuff.
Before starting, it might be helpful to set your nameserver on FreeNAS to the one provided by FreeIPA, since the Kerberos client locates the KDC through DNS records served by FreeIPA.
Start here, so you get things working.
Configure the Kerberos Realm
- Click on Directory Services, then choose
- Click on
- Type your REALM.
- I clicked on Advanced Mode and entered the KDC and Admin server, which are basically my FreeIPA server address.
- Save it.
Configure the Kerberos keytabs:
- On your FreeIPA server (or on an enrolled client that has the ipa set of commands), type:
$ ipa host-add <yourfreenas> # Enter your FreeNAS FQDN here; it must resolve in DNS unless you add --force
- Get the keytab file to install on your FreeNAS:
$ ipa-getkeytab -p host/<yourfreenas> -k freenas.keytab -e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 # you don't really need the -e and the encryption, but I used it as it worked better with some services
The principal is host/ followed by the same FQDN you gave to host-add. Keep in mind that ipa-getkeytab generates a fresh key for the principal each time it runs, so any keytab retrieved earlier for that host stops working.
- Now, on your FreeNAS, go to Kerberos keytabs and click on
- Upload the file you just created.
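To confirm what actually ended up in freenas.keytab before uploading it, the following is an added example (not part of the original post) that parses the MIT keytab format offline, the way `klist -k -e` does, and flags any entry whose encryption type is outside the two AES types requested above. The keytab bytes, the principal `host/freenas.myrealm.local@MYREALM.LOCAL` and the realm are constructed placeholders; the `_entry` helper exists only to build that sample.

```python
"""Offline inspection of an MIT Kerberos keytab (format version 0x0502).

Added example, not from the original post. Lists the principals and key
types in a keytab and reports anything that is not one of the two AES
types requested with -e in the ipa-getkeytab command above.
"""
import struct
import time

# Encryption type numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
AES_ONLY = {17, 18}  # the two types requested in the post


def _counted(data, pos):
    """Read a uint16 length-prefixed octet string (keytab counted_octet_string)."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries = []
    pos = 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of that many bytes
            pos -= size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen       # skip the key material itself
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno follows when present
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def check_keytab(entries, expected_principal, allowed=AES_ONLY):
    """Report problems: the expected principal is missing, or a key type is not allowed."""
    problems = []
    if expected_principal not in {p for p, _, _ in entries}:
        problems.append("missing principal %s" % expected_principal)
    for principal, kvno, enctype in entries:
        if enctype not in allowed:
            name = ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)
            problems.append("%s kvno %d uses %s" % (principal, kvno, name))
    return problems


def _entry(principal, kvno, enctype, key):
    """Encode one keytab entry; used only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                                  # 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder names): the two AES keys the post asks for,
# plus one arcfour-hmac entry so the check has something to flag.
SAMPLE_PRINCIPAL = "host/freenas.myrealm.local@MYREALM.LOCAL"
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(SAMPLE_PRINCIPAL, 1, 18, bytes(32))
    + _entry(SAMPLE_PRINCIPAL, 1, 17, bytes(16))
    + _entry(SAMPLE_PRINCIPAL, 1, 23, bytes(16))
)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for principal, kvno, enctype in entries:
        print(kvno, principal, ENCTYPE_NAMES.get(enctype, enctype))
    for problem in check_keytab(entries, SAMPLE_PRINCIPAL):
        print("WARNING:", problem)
```

To inspect a real file, replace SAMPLE_KEYTAB with `open("freenas.keytab", "rb").read()` and pass the host principal you requested. A keytab that carries only the AES entries is also the case where the allow_weak_crypto setting discussed further down is not needed.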
Configure the Kerberos Settings
I am not sure if this is necessary, but I configured it anyway:
- Go to libdefaults Auxiliary parameters and write this:
default_realm = YOURREALM # ex. MYREALM.LOCAL
dns_lookup_kdc = true
allow_weak_crypto = true
Note that allow_weak_crypto = true lets the Kerberos libraries accept encryption types they otherwise reject as weak; with a keytab that carries only the two AES types requested above it should not be needed, so try leaving it out first.
Good? Good. Now the real stuff:
- Click on Directory Services and choose (guess what)
- Hostname: type the address of your FreeIPA server.
- Base DN: write what usually is your realm’s DN, dc=myrealm,dc=local for example.
- Follow the documentation under “System Accounts” at FreeIPA’s LDAP how-to.
- If you followed the previous step, you might have ended up with a bind user like this: uid=bindinguser,cn=sysaccounts,cn=etc,dc=myrealm,dc=local. Copy that under Bind DN on your FreeNAS.
- Enter the bind password as created following the steps above.
- Kerberos realm: choose the realm you created.
- Kerberos principal: choose the host corresponding to the keytab you created.
- Check on
- Click on
- Adjust the Range low and Range high values. This is important because the default values won’t reach the default range on FreeIPA. Be aware not to choose a range between 900000000 and 1000000000. The default values on FreeNAS are 20000 and 900000000, but these fall below the default values of FreeIPA. If you are using FreeIPA’s default range, choose 1000000001 and 2000000000.
- You might want to repeat your User DN (same as the Bind DN), but it works for me without that.
- You also might want to enter the URL, something like
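To check a Range low/Range high pair against what FreeIPA actually allocated instead of guessing, here is an added Python example (not from the original post). It parses the text that `ipa idrange-find` prints on the FreeIPA server, a constructed copy of which is embedded with a made-up base of 1434600000, and reports whether the FreeNAS range covers every local FreeIPA range and stays clear of the 900000000-1000000000 window mentioned above.

```python
"""Check FreeNAS LDAP "Range low"/"Range high" against FreeIPA's ID ranges.

Added example, not part of the original post. Reads `ipa idrange-find`
output (a constructed copy is embedded below) and checks a FreeNAS range
against it.
"""
import re

# Window the post says not to put the FreeNAS range into; treated as reserved.
RESERVED = (900000000, 1000000000)

# Constructed sample output of `ipa idrange-find`; the base 1434600000 is
# made up (FreeIPA picks a random base at install time).
SAMPLE_IDRANGE_FIND = """\
---------------
1 range matched
---------------
  Range name: MYREALM.LOCAL_id_range
  First Posix ID of the range: 1434600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""


def parse_idranges(text):
    """Return [(name, first_id, last_id, range_type)] for each range in the output."""
    ranges = []
    current = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)$", line)
        if not m:
            continue                      # separators and counts carry no colon
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":
            current = {"name": value}
            ranges.append(current)
        elif key == "First Posix ID of the range":
            current["first"] = int(value)
        elif key == "Number of IDs in the range":
            current["count"] = int(value)
        elif key == "Range type":
            current["type"] = value
    return [(r["name"], r["first"], r["first"] + r["count"] - 1, r.get("type", ""))
            for r in ranges if "first" in r and "count" in r]


def check_freenas_range(low, high, ranges):
    """Return a list of problems with a FreeNAS (low, high) pair; empty means OK."""
    problems = []
    if low >= high:
        problems.append("Range low must be below Range high")
    if low < RESERVED[1] and high > RESERVED[0]:
        problems.append("range overlaps the %d-%d window to avoid" % RESERVED)
    for name, first, last, rtype in ranges:
        if rtype and "local" not in rtype:
            continue                      # trust ranges are mapped differently; only local ones matter here
        if first < low or last > high:
            problems.append("%s (%d-%d) is not covered by %d-%d" % (name, first, last, low, high))
    return problems


if __name__ == "__main__":
    found = parse_idranges(SAMPLE_IDRANGE_FIND)
    for candidate in ((20000, 900000000), (1000000001, 2000000000)):
        print(candidate, check_freenas_range(*candidate, found) or "OK")
```

Run `ipa idrange-find` on the FreeIPA server and feed its output to `parse_idranges` in place of the sample; the FreeNAS defaults of 20000 and 900000000 come out as "not covered", while the 1000000001 to 2000000000 pair from the post passes for the sample range.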
That’s it. Things might be working for you now!
A few notes:
- Your directory users do not show up on your main list of users under Accounts, but they will show up whenever you have the option to choose a user.
- Watch out for a little i icon on the top-right of your FreeNAS web interface: it shows the status of your connection to directory services.
- Type id <someuserfromldap> on the shell to see if you are retrieving users.
Things I didn’t manage to get to work
I still haven’t managed to make NFSv4 work with FreeNAS and this setup. I am basically finding the same problems described on this forum post.
Using FreeIPA is great, and I wish I had tried it before. Having set up Nextcloud, FreeNAS, a mail server based on Postfix+Dovecot, Bitwarden, etc., it would have helped me enormously when it comes to centralizing user information.
Also, as I experiment a lot with VMs, it would have let me mount my home directory on new servers, so that I could skip copying files.
My next step is to create a replica of FreeIPA and start migrating the systems I use to it, so that user management might become easier.
Let me know if this guide helped you!