artemstarkov
Cadet
Joined: Mar 28, 2020
Messages: 1
Hello all.
Please help me to configure my FreeNAS.
I have a working FreeIPA server on CentOS 7 (DNS, users, groups...). Right now this server is used for authenticating VPN users, and everything works.
Now I want to connect Samba to FreeIPA, and this is hard for me :)
My conf:
Directory Services -> LDAP
Code:
hostname: ipa.server01.local
BaseDN: dc=server01,dc=local
BindDN: (password to admin IPA account)
Samba Schema: enable
Here I have a problem:
If I disable the checkbox Allow Anonymous Binding -> I get a ValidationError (Invalid credentials).
If I enable the checkbox Allow Anonymous Binding -> no message, and LDAP starts working :)
When I log in to FreeNAS using a login from FreeIPA -> it doesn't work,
but
when I create a local user in FreeNAS with a different password, I can log in to FreeNAS via SSH with my local login and the password from FreeIPA.
Log on the FreeIPA server (/var/log/krb5kdc.log):
Code:
Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): AS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@SERVER01.LOCAL for krbtgt/SERVER01.LOCAL@SERVER01.LOCAL
Mar 28 14:09:19 ipa.server01.local krb5kdc[3982](info): TGS_REQ (5 etypes {18 17 16 5 23}) 10.22.171.26: ISSUE: authtime 1585400959, etypes {rep=18 tkt=18 ses=18}, astarkov@TEROPLAN.LOCAL for host/storage.server01.local@SERVER01.LOCAL
For SMB users it doesn't work.
My conf
On the IPA server
I create a new computer / create a new service / add it to DNS /
create a keytab
Code:
ipa-getkeytab -s ipa.server01.local -p cifs/storage.server01.local -k /etc/samba/samba_cifs.keytab
ipa-getkeytab -s ipa.server01.local -p nfs/storage.server01.local -k /etc/samba/samba.keytab
In FreeNAS
add
Code:
smbpasswd -w ldap-password
Directory Services -> Kerberos Keytabs -> ADD
add the generated keytab
When I use:
Code:
echo "" | openssl s_client -connect ipa.server01.local:636 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'
I get a cert,
but if I change the port to the standard port 389, there is no cert.
When I use:
Code:
midclt call ldap.update '{"bindpw": ""}'
Code:
{
  "id": 1,
  "hostname": ["ipa.server01.local"],
  "basedn": "dc=teroplan,dc=local",
  "binddn": "cn=admin,dc=server01,dc=local",
  "bindpw": "<my-password>",
  "anonbind": true,
  "kerberos_realm": null,
  "kerberos_principal": "",
  "ssl": "OFF",
  "certificate": null,
  "validate_certificates": false,
  "disable_freenas_cache": false,
  "timeout": 20,
  "dns_timeout": 15,
  "idmap_backend": "LDAP",
  "has_samba_schema": true,
  "auxiliary_parameters": "",
  "schema": "RFC2307",
  "enable": true,
  "uri_list": ["ldap://ipa.server01.local:389"]
}
When I use:
Code:
ldapsearch -x -H "ldap://ipa.server01.local"
I get information from FreeIPA
Code:
# admini, groups, accounts, server01.local
dn: cn=admini,cn=groups,cn=accounts,dc=server01,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: admini
ipaUniqueID: 96ab115e-6e99-11ea-a3a4-566faf500002
gidNumber: 400800045

# search result
search: 2
result: 0 Success

# numResponses: 260
# numEntries: 259
I used these sources:
https://access.redhat.com/
https://www.freeipa.org/
Configure FreeBSD FreeIPA
https://www.ixsystems.com/ - 1
https://www.ixsystems.com/ - 2
and more...
Maybe anybody has complete information about authenticating SMB users in FreeIPA.
Maybe on YouTube, step by step :)
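The `midclt call ldap.config` dump in the post is the kind of thing worth auditing before a setup like this goes live: anonymous binding, `ssl: "OFF"` on port 389 and unchecked certificates each hide a problem rather than solve it. The script below, an added example and not part of the original post or of FreeNAS, parses a constructed copy of that dump, reports the weak settings and produces a hardened version; the `ssl` values `"OFF"`/`"ON"`/`"START_TLS"` and the ldaps port 636 are assumptions about the middleware's enum and defaults.

```python
"""Audit a FreeNAS/TrueNAS LDAP directory-service config dump for weak settings."""
import json

# Constructed sample, copied from the config shown in the post (password already redacted).
SAMPLE_JSON = json.dumps({
    "hostname": ["ipa.server01.local"], "basedn": "dc=server01,dc=local",
    "binddn": "cn=admin,dc=server01,dc=local", "bindpw": "<my-password>",
    "anonbind": True, "ssl": "OFF", "validate_certificates": False,
    "has_samba_schema": True, "enable": True,
    "uri_list": ["ldap://ipa.server01.local:389"],
})


def parse_midclt(text):
    """Parse the JSON that `midclt call ldap.config` prints into a dict."""
    return json.loads(text)


def audit(cfg):
    """Return (setting, finding) pairs for settings that weaken the LDAP client."""
    findings = []
    if cfg.get("ssl") == "OFF":
        findings.append(("ssl", "binds and lookups travel in cleartext; use ON (ldaps) or START_TLS"))
    if not cfg.get("validate_certificates", True):
        findings.append(("validate_certificates", "server certificate is not checked; import the IPA CA and enable it"))
    if cfg.get("anonbind"):
        findings.append(("anonbind", "directory is queried without credentials; repair the failing bind instead of bypassing it"))
    if cfg.get("bindpw") and cfg.get("ssl") == "OFF":
        findings.append(("bindpw", "simple-bind password is sent unencrypted to " + ", ".join(cfg.get("uri_list", []))))
    for uri in cfg.get("uri_list", []):
        if uri.startswith("ldap://") and cfg.get("ssl") != "START_TLS":
            # Plain LDAP on 389 never presents a certificate, which is what s_client showed in the post.
            findings.append(("uri_list", uri + " is plain LDAP without STARTTLS"))
    return findings


def hardened(cfg):
    """Return a copy of cfg with the weak settings replaced (enum values assumed, see lead-in)."""
    fixed = dict(cfg)
    fixed.update(ssl="ON", validate_certificates=True, anonbind=False)
    fixed["uri_list"] = ["ldaps://%s:636" % h for h in cfg["hostname"]]
    return fixed


if __name__ == "__main__":
    config = parse_midclt(SAMPLE_JSON)
    for setting, finding in audit(config):
        print("%-22s %s" % (setting, finding))
    print(json.dumps(hardened(config), indent=2))
```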