Authenticating FreeIPA users to SMB - smb://share on FreeNAS

artemstarkov

Cadet
Joined
Mar 28, 2020
Messages
1
Hello all.
Please help me configure my FreeNAS.
I have a working FreeIPA server on CentOS 7 (DNS/users/groups...). This server is currently used to authenticate VPN users, and everything works.
Now I want to connect Samba to FreeIPA, and this is hard for me :)

My conf:
Directory Services -> LDAP
Code:
hostname: ipa.server01.local
BaseDN: dc=server01,dc=local
BindDN: (password of the admin IPA account)
Samba Schema: enable


Zrzut ekranu 2020-03-28 o 14.23.12.png

Here I have a problem:
if I disable the checkbox "Allow Anonymous Binding" -> I get a ValidationError (Invalid credentials)
Zrzut ekranu 2020-03-28 o 14.23.32.png

if I enable the checkbox "Allow Anonymous Binding" -> no message, and LDAP starts working :)

When I log in to FreeNAS with a login from FreeIPA -> it doesn't work,
but
when I create a local user in FreeNAS with a different password, I can log in to FreeNAS via SSH with my local login and the password from FreeIPA.

Log on the FreeIPA server (/var/log/krb5kdc.log):
Code:
Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): AS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@SERVER01.LOCAL for krbtgt/SERVER01.LOCAL@SERVER01.LOCAL
Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): TGS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@TEROPLAN.LOCAL for host/storage.server01.local@SERVER01.LOCAL


For SMB users it doesn't work.

My conf

In the IPA server
I created a new computer (host), created a new service, added it to DNS, and
created the keytabs:
Code:
ipa-getkeytab -s ipa.server01.local -p cifs/storage.server01.local -k /etc/samba/samba_cifs.keytab
ipa-getkeytab -s ipa.server01.local -p nfs/storage.server01.local -k /etc/samba/samba.keytab


In FreeNAS
I add:
Code:
smbpasswd -w ldap-password

Directory Services -> Kerberos Keytabs -> ADD
and add the generated keytab.

When I use:
Code:
echo "" | openssl s_client -connect ipa.server01.local:636 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'

I get a cert,
but if I change the port to the standard port 389, there is no cert.

When I use:
Code:
midclt call ldap.update '{"bindpw": ""}'

Code:
{
  "id": 1,
  "hostname": ["ipa.server01.local"],
  "basedn": "dc=teroplan,dc=local",
  "binddn": "cn=admin,dc=server01,dc=local",
  "bindpw": "<my-password>",
  "anonbind": true,
  "kerberos_realm": null,
  "kerberos_principal": "",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "disable_freenas_cache": false,
  "timeout": 20,
  "dns_timeout": 15,
  "idmap_backend": "LDAP",
  "has_samba_schema": true,
  "auxiliary_parameters": "",
  "schema": "RFC2307",
  "enable": true,
  "uri_list": ["ldap://ipa.server01.local:389"]
}


When I use:
Code:
ldapsearch -x -H "ldap://ipa.server01.local"


I get information from FreeIPA:
Code:
# admini, groups, accounts, server01.local
dn: cn=admini,cn=groups,cn=accounts,dc=server01,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: admini
ipaUniqueID: 96ab115e-6e99-11ea-a3a4-566faf500002
gidNumber: 400800045
# search result
search: 2
result: 0 Success
# numResponses: 260
# numEntries: 259


I used these sources:
https://access.redhat.com/
https://www.freeipa.org/
Configure FreeBSD with FreeIPA
https://www.ixsystems.com/ - 1
https://www.ixsystems.com/ - 2
and more...

Maybe somebody has complete information about authenticating SMB users with FreeIPA.
Maybe a step-by-step video on YouTube :)

Attachments

  • Zrzut ekranu 2020-03-28 o 14.18.10.png (91.9 KB)
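The config output and the KDC log lines in the post can be checked mechanically. The script below is an added example, not code from the post, from iXsystems or from FreeIPA: it lints the JSON that `midclt call ldap.config` prints for the settings that commonly break a FreeIPA bind (bind DN shape, base DN suffix, anonymous bind, plaintext LDAP, missing Kerberos realm) and scans krb5kdc.log for the service principals that were actually issued. It assumes FreeIPA's standard directory layout, in which user entries live under `cn=users,cn=accounts,<suffix>`, so the admin bind DN is `uid=admin,cn=users,cn=accounts,dc=server01,dc=local`; the values in `FIXED_CONFIG` (`START_TLS`, the realm name) are illustrative assumptions. The sample inputs are copied from the post with the password redacted.

```python
"""Lint a FreeNAS "Directory Services -> LDAP" config for use against FreeIPA.

Added example for this thread, not code from the post, iXsystems or FreeIPA.
Input 1: the JSON that `midclt call ldap.config` prints.
Input 2: krb5kdc.log lines from the IPA server.
"""
from __future__ import annotations

import json
import re

# FreeIPA fact (not stated in the post): user entries live under
# cn=users,cn=accounts,<suffix>, so a bind DN like cn=admin,<suffix> does
# not exist and the simple bind fails with "Invalid credentials".
IPA_USER_DN = re.compile(r"^uid=[^,]+,cn=users,cn=accounts,.+$")

# krb5kdc "ISSUE" lines end with "<client>@<REALM> for <service>@<REALM>".
KDC_ISSUE = re.compile(r"ISSUE: .*? (?P<client>\S+@\S+) for (?P<service>\S+)$")


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def lint_ldap_config(cfg: dict) -> list[str]:
    """Return the misconfiguration tags found, in a fixed order."""
    findings = []
    basedn = normalize_dn(cfg.get("basedn", ""))
    binddn = normalize_dn(cfg.get("binddn", ""))
    if IPA_USER_DN.match(binddn) is None:
        findings.append("binddn-not-ipa-user")
    if basedn and not binddn.endswith("," + basedn):
        # Bind DN and search base live in different suffixes.
        findings.append("binddn-outside-basedn")
    if cfg.get("anonbind"):
        # Anonymous bind hides the credential problem rather than fixing it.
        findings.append("anonymous-bind-enabled")
    if str(cfg.get("ssl", "OFF")).upper() == "OFF":
        # Port 389 without STARTTLS: the bind password crosses the wire in clear.
        findings.append("plaintext-ldap")
    elif not cfg.get("validate_certificates"):
        findings.append("certificate-validation-disabled")
    if not cfg.get("kerberos_realm"):
        # No realm: the LDAP service does a simple bind instead of GSSAPI,
        # so the uploaded keytab is not used for it.
        findings.append("no-kerberos-realm")
    return findings


def issued_services(kdc_log_lines) -> set[str]:
    """Service principals the KDC issued tickets for, from krb5kdc.log lines."""
    services = set()
    for line in kdc_log_lines:
        m = KDC_ISSUE.search(line.rstrip())
        if m:
            services.add(m["service"])
    return services


def smb_ticket_issued(kdc_log_lines, host_fqdn: str, realm: str) -> bool:
    """True only if a cifs/ ticket (the SPN Samba needs) appears in the log."""
    return f"cifs/{host_fqdn}@{realm}" in issued_services(kdc_log_lines)


# Constructed sample: the config from the post, password redacted.
SAMPLE_CONFIG = json.loads('''{"id": 1, "hostname": ["ipa.server01.local"],
 "basedn": "dc=teroplan,dc=local", "binddn": "cn=admin,dc=server01,dc=local",
 "bindpw": "REDACTED", "anonbind": true, "kerberos_realm": null,
 "kerberos_principal": "", "ssl": "OFF", "certificate": null,
 "validate_certificates": false, "idmap_backend": "LDAP",
 "has_samba_schema": true, "schema": "RFC2307", "enable": true}''')

# Assumed, illustrative corrected values (START_TLS and realm are assumptions).
FIXED_CONFIG = dict(
    SAMPLE_CONFIG,
    basedn="dc=server01,dc=local",
    binddn="uid=admin,cn=users,cn=accounts,dc=server01,dc=local",
    anonbind=False, ssl="START_TLS", validate_certificates=True,
    kerberos_realm="SERVER01.LOCAL",
)

# Constructed sample: the two krb5kdc.log lines quoted in the post.
SAMPLE_KDC_LOG = [
    "Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): AS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@SERVER01.LOCAL for krbtgt/SERVER01.LOCAL@SERVER01.LOCAL",
    "Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): TGS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@TEROPLAN.LOCAL for host/storage.server01.local@SERVER01.LOCAL",
]

if __name__ == "__main__":
    for tag in lint_ldap_config(SAMPLE_CONFIG):
        print("ldap:", tag)
    print("fixed config findings:", lint_ldap_config(FIXED_CONFIG))
    print("services issued:", sorted(issued_services(SAMPLE_KDC_LOG)))
    print("cifs ticket for storage.server01.local:",
          smb_ticket_issued(SAMPLE_KDC_LOG, "storage.server01.local", "SERVER01.LOCAL"))
```

Against the posted config the linter reports five findings, and the two KDC lines show a `host/` ticket but no `cifs/` one, which is the service principal Samba needs for SMB. The bind DN can be confirmed against the real server with `ldapsearch -x -D uid=admin,cn=users,cn=accounts,dc=server01,dc=local -W -b dc=server01,dc=local uid=admin`; if that succeeds where the FreeNAS form fails, the form's DN is the problem.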