Anyone using Red Hat Identity, Free IPA with FreeNAS 11

Howard Swope

Dabbler
Joined
Nov 19, 2015
Messages
26
Just checking in to see if there has been any traction with this. FreeIPA support was working in FreeNAS 10 (which I am still using). I obviously want to move to 11, but need it to work with my security. Thanks for any information on this issue.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,924

Howard Swope

Dabbler
Joined
Nov 19, 2015
Messages
26
Thanks for the response. I may need to try to spin up a version in a vm and see if I can get it to work again. But it was just so easy in FreeNAS 10, I was hoping similar support would eventually find its way to 11:
freenas-ipa.png
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
I have FreeIPA setup at home to work with my FreeNAS 11.3 install. I just configured "Directory Services" -> "LDAP", "Kerberos Realms" and "Kerberos Keytabs". I use it for kerberized NFSv4 shares.
 

Howard Swope

Dabbler
Joined
Nov 19, 2015
Messages
26
Thanks for the info... I am using SMB shares as they seem the most versatile in my mixed environment. I am able to secure them for individual FreeIPA users with FreeNAS 10, but was never able to get it to work on 9 and have not tried on 11. I played around with setting up NFS shares a while ago, but could never get them to play well on Mac and Windows or secure them for individuals. But it certainly could be from my ignorance regarding NFS.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I have FreeIPA setup at home to work with my FreeNAS 11.3 install. I just configured "Directory Services" -> "LDAP", "Kerberos Realms" and "Kerberos Keytabs". I use it for kerberized NFSv4 shares.

@xenu I wonder if you could give some more detail about this. For instance, is your FreeNAS 11.3 host actually enrolled on your FreeIPA server and listed by "ipa host-find" after a "kinit admin"? Aren't you also using your FreeIPA server for the FreeNAS DNS and NTP to get Kerberos to work with FreeNAS NFSv4 shares?
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
@KrisBee I manually added my freenas to FreeIPA as a host, created a certificate through FreeIPA, DNS entry and keytabs for the host and nfs service principal.
I then added those certificates (host and FreeIPA CA) and keytabs to FreeNAS. It shows as 'enrolled' in the FreeIPA host list and ipa host-find shows:
Code:
$ ipa host-find | grep freenas01
Host name: freenas01.ipa.mydomain.de
Operating system: FreeBSD (FreeNAS)
Certificate: ...
Subject: CN=freenas01.ipa.mydomain.de,O=IPA.MYDOMAIN.DE
...more cert info...
Principal alias: host/freenas01.ipa.mydomain.de@IPA.MYDOMAIN.DE
Groups allowed to retrieve keytab: admins

And I use my FreeIPA server as NTP and DNS for my FreeNAS as you mentioned.

@Howard Swope The last time I wanted to try it, Windows 10 NFS support was exclusive to the Enterprise edition and I only had a Pro license. From what I have read it is now supported with Windows 10 Pro.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
@xenu Thanks for the extra input. I used centos7 about a year ago to set up a FreeIPA server, a separate fileserver and a centos7 desktop client at home, all as virtual machines, just to get an idea of what FreeIPA was about. The desktop client had an automounted home directory via kerberized NFS. But I never got as far as trying to enroll a FreeNAS to complete the exercise. Perhaps it's time I tried to get this to work.
 

admoin

Cadet
Joined
Feb 5, 2020
Messages
2
I have FreeIPA setup at home to work with my FreeNAS 11.3 install. I just configured "Directory Services" -> "LDAP", "Kerberos Realms" and "Kerberos Keytabs". I use it for kerberized NFSv4 shares.
Hi! Do you have a tutorial for this? Or maybe a website. I've also started with a new FreeIPA server. I'm trying a lot, but good info is rare to find. :/
I need some further education. ;)
Thanks for any advice.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Hi,
me too.
Since the update to 11.3 (and the replacement of sssd) I lost support for FreeIPA (server EL7)/krb/ldap NFSv4.

The ticket on the subject: https://jira.ixsystems.com/browse/NAS-100037
Replacing SSSD shouldn't have impacted behavior in this way (and SSSD needed to be replaced - the port is basically unmaintained and porting the latest version is a significant undertaking). Test with 11.3-U1 and if you still have issues, PM me a debug and I will investigate whether there's a residual issue with processing kerberos keytabs. This is not to say that FreeIPA is formally supported in the LDAP plugin, but I can see whether there's a show-stopping bug there.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I'm not an IT specialist, but with the hints from @xenu I was able to get FreeNAS 11.2-U7 and a centos7 based ipa-server to provide a kerberised NFSv4 service to linux clients.

But with a fresh install of FreeNAS 11.3-U1 it is a different story. With a FreeNAS config which looks like it might be correct, clients cannot mount NFS shares with sec=krb5.

The IPA CA, IPA-generated host cert/key for FreeNAS and host/nfs service keytabs have been added, and the LDAP config appears to enable without error:

Code:
root@fn113u1[~]# ktutil --keytab=/etc/krb5.keytab list

/etc/krb5.keytab:

Vno  Type                     Principal                             Aliases
  1  aes256-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL 
  1  aes128-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL 
  1  aes256-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL   
  1  aes128-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL   
root@fn11-3u1[~]# klist
klist: No ticket file: /tmp/krb5cc_0
root@fn113u1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL
root@fn11-3u1[~]# getent passwd cburge
cburge:*:347800001:347800001:chris burge:/home/cburge:
root@fn113u1[~]# getent group cburge
cburge:*:347800001
root@fn11-3u1[~]# getent group admins
admins:*:347800000:admin
root@fn113u1[~]#


On a re-boot of FreeNAS the console has multiple nslcd errors :

Code:
Feb 27 11:20:45 fn113u1 nslcd[981]: GSSAPI Error:  Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory)
Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> failed to bind to LDAP server ldap://centos7ipa.mynet.local:389: Local error: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory): No such file or directory
Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> no available LDAP server found, sleeping 1 seconds


?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
I'm not an IT specialist, but with the hints from @xenu I was able to get FreeNAS 11.2-U7 and a centos7 based ipa-server to provide a kerberised NFSv4 service to linux clients.

But with a fresh install of FreeNAS 11.3-U1 it is a different story. With a FreeNAS config which looks like it might be correct, clients cannot mount NFS shares with sec=krb5.

The IPA CA, IPA-generated host cert/key for FreeNAS and host/nfs service keytabs have been added, and the LDAP config appears to enable without error:

Code:
root@fn113u1[~]# ktutil --keytab=/etc/krb5.keytab list

/etc/krb5.keytab:

Vno  Type                     Principal                             Aliases
  1  aes256-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL
  1  aes128-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL
  1  aes256-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL  
  1  aes128-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL  
root@fn11-3u1[~]# klist
klist: No ticket file: /tmp/krb5cc_0
root@fn113u1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL
root@fn11-3u1[~]# getent passwd cburge
cburge:*:347800001:347800001:chris burge:/home/cburge:
root@fn113u1[~]# getent group cburge
cburge:*:347800001
root@fn11-3u1[~]# getent group admins
admins:*:347800000:admin
root@fn113u1[~]#


On a re-boot of FreeNAS the console has multiple nslcd errors :

Code:
Feb 27 11:20:45 fn113u1 nslcd[981]: GSSAPI Error:  Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory)
Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> failed to bind to LDAP server ldap://centos7ipa.mynet.local:389: Local error: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory): No such file or directory
Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> no available LDAP server found, sleeping 1 seconds


?
After the reboot, what does klist show? Do you have a kerberos ticket?
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Oddly they seem to remain with the same value pre-reboot, but there are no winbind processes running:

Code:
root@fn113u1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 11:21:01 2020  Feb 28 11:21:00 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 11:21:02 2020  Feb 28 11:21:00 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL
root@fn113u1[~]# getent passwd cburge
cburge:*:347800001:347800001:chris burge:/home/cburge:
root@fn113u1[~]
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Oddly they seem to remain with the same value pre-reboot, but there are no winbind processes running:

Code:
root@fn113u1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 11:21:01 2020  Feb 28 11:21:00 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 11:21:02 2020  Feb 28 11:21:00 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL
root@fn113u1[~]# getent passwd cburge
cburge:*:347800001:347800001:chris burge:/home/cburge:
root@fn113u1[~]
Winbind will not be running unless SMB is actually enabled. You can use kerberized NFSv4 without running smbd / winbindd.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
My error re: SMB, I forgot to check "on boot", but the end result is the same error messages.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
My error re: SMB, I forgot to check "on boot", but the end result is the same error messages.
Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> failed to bind to LDAP server ldap://centos7ipa.mynet.local:389: Local error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory): No such file or directory
^^^
This typically just means that you don't have a kerberos ticket. Does the error persist if you manually run service nslcd onerestart?
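The checks anodos and KrisBee walk through above (does the keytab carry host/ and nfs/ entries for the realm, does root's credential cache hold a TGT, did nslcd try to bind before a ticket existed), as an added example for the FreeNAS side; this is not code from the thread or from FreeNAS. The parsing functions take text, so they can be run on pasted output, and preflight() feeds them live output from Heimdal's ktutil and klist as shipped with FreeBSD. The sample listings embedded below are copied from KrisBee's post; the weak-key sample, the hostname and the realm are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight checks for kerberized NFSv4 on FreeNAS against FreeIPA.

# Constructed samples (the first three are taken from the post above).
SAMPLE_KTUTIL='/etc/krb5.keytab:

Vno  Type                     Principal                             Aliases
  1  aes256-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL
  1  aes128-cts-hmac-sha1-96  host/fn113u1.mynet.local@MYNET.LOCAL
  1  aes256-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL
  1  aes128-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL'

SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 10:42:53 2020  Feb 28 10:42:53 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL'

SAMPLE_LOG='Feb 27 11:20:45 fn113u1 nslcd[981]: [00834d] <group(all)> failed to bind to LDAP server ldap://centos7ipa.mynet.local:389: Local error: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text) or directory (open(/tmp/krb5cc_0): No such file or directory): No such file or directory'

# Constructed: a keytab that was issued with a DES key alongside AES.
SAMPLE_WEAK_KTUTIL='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  nfs/fn113u1.mynet.local@MYNET.LOCAL
  1  des-cbc-crc              nfs/fn113u1.mynet.local@MYNET.LOCAL'

# keytab_has_principal <ktutil list output> <principal>
# Column 3 of a Heimdal `ktutil list` line is the principal.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# keytab_only_aes <ktutil list output>
# Any key row (numeric Vno) whose enctype is not aes* means weak keys were issued.
keytab_only_aes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 !~ /^aes/ { bad = 1 } END { exit bad + 0 }'
}

# ccache_has_tgt <klist output> <REALM>
# The "No ticket file" case simply has no krbtgt line and so returns 1.
ccache_has_tgt() {
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# nslcd_bound_without_ticket <log text>
# The signature of nslcd starting before the host ticket was acquired.
nslcd_bound_without_ticket() {
    printf '%s\n' "$1" | grep -qF 'nslcd' | :
    printf '%s\n' "$1" | grep 'nslcd' | grep -qF 'open(/tmp/krb5cc_0): No such file'
}

# preflight <fqdn> <REALM> [keytab]   -- live run on the NAS as root
preflight() {
    fqdn="$1"; realm="$2"; keytab="${3:-/etc/krb5.keytab}"; rc=0
    kt=$(ktutil --keytab="$keytab" list 2>&1)
    kl=$(klist 2>&1)
    for p in "host/$fqdn@$realm" "nfs/$fqdn@$realm"; do
        keytab_has_principal "$kt" "$p" || { echo "missing keytab entry: $p"; rc=1; }
    done
    keytab_only_aes "$kt" || { echo "non-AES key present in $keytab"; rc=1; }
    ccache_has_tgt "$kl" "$realm" || { echo "no TGT for $realm in root's ccache; nslcd GSSAPI bind will fail"; rc=1; }
    # Forward and reverse DNS must agree or GSSAPI name matching fails.
    ip=$(getent hosts "$fqdn" | awk '{ print $1; exit }')
    if [ -z "$ip" ]; then
        echo "no address for $fqdn"; rc=1
    elif ! getent hosts "$ip" | grep -qF "$fqdn"; then
        echo "reverse lookup of $ip does not name $fqdn"; rc=1
    fi
    if [ -r /var/log/messages ] && nslcd_bound_without_ticket "$(cat /var/log/messages)"; then
        echo "nslcd bound before a ticket existed; try: service nslcd onerestart"; rc=1
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as root on the NAS with the FQDN and realm, e.g. `sh preflight.sh fn113u1.mynet.local MYNET.LOCAL`. A missing TGT with an otherwise correct keytab points at ordering (nslcd up before the host ticket was obtained), which is exactly the case where a manual `service nslcd onerestart` succeeds; the DNS check catches the other common cause, a host whose PTR record does not match the principal name.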
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
A "service nslcd onerestart" does not produce any additional errors and klist shows the FreeNAS system has tickets:

Code:
root@fn113u1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/fn113u1.mynet.local@MYNET.LOCAL

  Issued                Expires               Principal
Feb 27 15:46:13 2020  Feb 28 15:46:13 2020  krbtgt/MYNET.LOCAL@MYNET.LOCAL
Feb 27 15:46:13 2020  Feb 28 15:46:13 2020  ldap/centos7ipa.mynet.local@MYNET.LOCAL
root@fn113u1[~]#
 