FreeNAS 11 + FreeIPA LDAP Authentication

Status
Not open for further replies.

Noctalin

Cadet
Joined
Apr 2, 2018
Messages
2
Hello FreeNAS community,

I am new here and this question has been asked already a "few" times.
Unfortunately I have been 3 days non-stop at it and just can't get it right.

The idea:

To have CIFS shares working with FreeIPA user authentication.

The steps I've taken so far:

Added cifs service to freeipa (ipa.xsorgan.local) for my freenas (freenas.xsorgan.local).
Created privilege with read ability for ipanthash and ipantsecurityidentifier
Added the privilege to Cifs service.
Added Kerberos Realm "XSORGAN.LOCAL" with KDC, Admin Server and Password Server set to "ipa.xsorgan.local"
Exported the keytab and imported it into FreeNAS.
Running ldapsearch -h ipa.xsorgan.local -Y GSSAPI uid=calin ipaNTHash on my FreeNAS returns success and the ipaNTHash so this seems correct.
Created an SMB share on FreeNAS GUI and gave it owner: calin group: calin permission and set permission type to Windows.
The Freeipa User and Groups appear in the permissions drop-down in GUI.

I recently tried importing my freeipa CA of the domain to FreeNAS and setup TLS Encryption Mode on LDAP settings of FreeNAS which didn't break anything it seems.

Here are 3 screenshots of LDAP and Samba settings in FreeNAS:

[Screenshots not reproduced: chrome_2018_04_02_13_21_55.png, chrome_2018_04_02_13_25_40.png, chrome_2018_04_02_13_33_27.png]


I am also a bit confused about the idmap range, but I'd say the one that interests me is inside the idmap settings of LDAP?

Running net idmap check in command line of my FreeNAS I get:
Code:
root@freenas:~ # net idmap check
check database: /var/db/samba4/winbindd_idmap.tdb
Invalid USER HWM 824000001: should be 1
Invalid GROUP HWM 824000001: should be 90000003
uid hwm: 0
gid hwm: 90000002
mappings: 2
other: 3
invalid records: 0
missing links: 0
invalid links: 0
0 changes:

I am a little lost but think that I might be close to getting this to work.

Trying to access the share on Windows 10 gives me this inside samba log:
Code:
[2018/04/02 13:38:32.406926,  3] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
  Got user=[calin] domain=[XSORGAN] workstation=[RAVEN-XS] len1=24 len2=316
[2018/04/02 13:38:32.407000,  3] ../source3/param/loadparm.c:3856(lp_load_ex)
  lp_load_ex: refreshing parameters
[2018/04/02 13:38:32.407095,  3] ../source3/param/loadparm.c:543(init_globals)
  Initialising global parameters
[2018/04/02 13:38:32.407223,  3] ../source3/param/loadparm.c:2770(lp_do_section)
  Processing section "[global]"
[2018/04/02 13:38:32.408059,  2] ../source3/param/loadparm.c:2787(lp_do_section)
  Processing section "[Calin]"
[2018/04/02 13:38:32.408291,  2] ../source3/param/loadparm.c:2787(lp_do_section)
  Processing section "[Video]"
[2018/04/02 13:38:32.408524,  3] ../source3/param/loadparm.c:1598(lp_add_ipc)
  adding IPC service
[2018/04/02 13:38:32.408557,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [XSORGAN]\[calin]@[RAVEN-XS] with the new password interface
[2018/04/02 13:38:32.408579,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [XSORGAN]\[calin]@[RAVEN-XS]
[2018/04/02 13:38:33.466373,  3] ../source3/lib/smbldap.c:626(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2018/04/02 13:38:33.466416,  2] ../source3/lib/smbldap.c:841(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/04/02 13:38:33.468945,  3] ../source3/lib/smbldap.c:1063(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2018/04/02 13:38:33.470687,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'calin' in passdb.
[2018/04/02 13:38:33.470725,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [calin] -> [calin] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/04/02 13:38:33.470769,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [XSORGAN]\[calin] at [Mon, 02 Apr 2018 13:38:33.470746 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [RAVEN-XS] remote host [ipv4:192.168.77.107:65159] mapped to [XSORGAN]\[calin]. local host [ipv4:192.168.77.207:445]
[2018/04/02 13:38:33.470815,  3] ../auth/auth_log.c:591(log_no_json)
  log_no_json: JSON auth logs not available unless compiled with jansson
[2018/04/02 13:38:33.470840,  3] ../source3/auth/auth_util.c:1626(do_map_to_guest_server_info)
  No such user calin [XSORGAN] - using guest account

Tried logging in with
XSORGAN\calin
XSORGAN.LOCAL\calin
calin@XSORGAN
calin@XSORGAN.LOCAL

All without success.
 
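The log excerpt above tells a complete story in four lines: the LDAP connection succeeds, the passdb lookup for 'calin' fails, the NTLMv2 login is rejected with NT_STATUS_NO_SUCH_USER, and do_map_to_guest_server_info then maps the failed login to the guest account. That last step is the one worth watching on any file server, because a broken identity backend combined with guest mapping turns every login for an unknown name into anonymous access to whatever guest can read. As an added example (not from the thread, FreeNAS or Samba), here is a small Python parser for the human-readable `Auth:` lines and the guest-mapping line; it assumes the log format shown in the post and uses a constructed sample that repeats the post's lines plus one made-up successful login for contrast.

```python
"""Pick authentication events out of a Samba log and flag guest fallbacks."""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample shaped like the excerpt in the post above; the second
# "Auth:" line (a successful login for user alice) is made up for contrast.
SAMPLE_LOG = r"""
[2018/04/02 13:38:33.470687,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'calin' in passdb.
[2018/04/02 13:38:33.470725,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [calin] -> [calin] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2018/04/02 13:38:33.470769,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [XSORGAN]\[calin] at [Mon, 02 Apr 2018 13:38:33.470746 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [RAVEN-XS] remote host [ipv4:192.168.77.107:65159] mapped to [XSORGAN]\[calin]. local host [ipv4:192.168.77.207:445]
[2018/04/02 13:38:33.470840,  3] ../source3/auth/auth_util.c:1626(do_map_to_guest_server_info)
  No such user calin [XSORGAN] - using guest account
[2018/04/02 13:40:01.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [XSORGAN]\[alice] at [Mon, 02 Apr 2018 13:40:01.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [DESK-1] remote host [ipv4:192.168.77.108:50000] mapped to [XSORGAN]\[alice]. local host [ipv4:192.168.77.207:445]
"""

# One "Auth:" line per login attempt (auth_log.c, written at log level 2).
AUTH_RE = re.compile(
    r"Auth: \[(?P<proto>[^,\]]+),[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[[^\]]*\] with \[(?P<method>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<ws>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)
# Written by do_map_to_guest_server_info when a failed login becomes a guest session.
GUEST_RE = re.compile(r"No such user (?P<user>\S+) \[(?P<domain>[^\]]*)\] - using guest account")


@dataclass
class AuthEvent:
    proto: str
    domain: str
    user: str
    method: str
    status: str
    workstation: str
    remote: str
    guest_fallback: bool = False


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Extract one AuthEvent per Auth: line and mark those mapped to guest."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(AuthEvent(m["proto"], m["domain"], m["user"], m["method"],
                                    m["status"], m["ws"], m["remote"]))
            continue
        g = GUEST_RE.search(line)
        if g:
            # The guest-mapping line follows the Auth: line of the same attempt,
            # so attach it to the most recent event for that domain\user.
            for ev in reversed(events):
                if ev.user == g["user"] and ev.domain == g["domain"]:
                    ev.guest_fallback = True
                    break
    return events


def status_counts(events: List[AuthEvent]) -> Dict[str, int]:
    """How many attempts ended in each NT_STATUS value."""
    return dict(Counter(ev.status for ev in events))


def guest_fallbacks(events: List[AuthEvent]) -> List[AuthEvent]:
    """Failed logins that the server silently served as guest."""
    return [ev for ev in events if ev.guest_fallback]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_auth_log(text)
    print(status_counts(evs))
    for ev in guest_fallbacks(evs):
        print(f"GUEST FALLBACK: {ev.domain}\\{ev.user} from {ev.remote} ({ev.status})")
```

Run it with the path to the smbd log as its only argument, or with no argument to process the embedded sample. A non-empty `guest_fallbacks()` result means the server is quietly handing guest sessions to names it could not resolve, which in the poster's case is the symptom of the passdb lookup failing rather than of a wrong password.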

Noctalin

Cadet
Joined
Apr 2, 2018
Messages
2
Unfortunately not, I will continue trying when I have some free time.
If I can find a solution I will not hesitate to post it.
Seems like no one else managed to make this work so far?
 

RegularJoe

Patron
Joined
Aug 19, 2013
Messages
330
I would try it with Windows 7 as well. Yes, I think your ID map is too high, and you may have to enable guest and anonymous. On the share and UNIX permissions, you should make a test connection with it wide open to make sure that is not an issue. 99% of the enterprise is stuck on a Microsoft Windows AD domain, so you are doing something not many companies or users are doing.
 

stefanhart

Cadet
Joined
Jun 25, 2018
Messages
1
I got it working with a MIT KDC (canonicalized service principals) and OpenLDAP for my kerberized NFSv4 NAS, non-AD environment.
FreeNAS 11.1-U5.

I configured Directory Service > Kerberos {Realms, Keytabs, Settings}, and LDAP without Kerberos-Realm, Principal and Samba (--> sssd.conf, pam*, etc are generated)

Then a Task > Init/Shutdown Script, Post Init Command:
Code:
cp /mnt/VOL1/.local/etc/sssd.conf.KDC /etc/local/sssd/ && mv /etc/local/sssd/sssd.conf.KDC /etc/local/sssd/sssd.conf; service sssd restart; logger "Post Init: sssd.conf adjusted"

Further Task > Init/Shutdown Script, Post Init Command:
Code:
for F in kinit klist kdestroy kpasswd; do mv /usr/bin/$F /usr/bin/$F.heimdal && ln -s /usr/local/bin/$F /usr/bin/$F; done; logger "Post Init: kinit etc adjusted"

After a reboot getent, id, kinit -C .., ssh -l $NETWORKUSER is working. NFS-mounting with sec=krb5|krb5i|krb5p works perfectly.

Samba didn't work with ldapsam; winbind is core dumping. Because of time constraints I stopped.
But it would be nice if someone could post a working FreeNAS smb4.conf for kerberized SMB/CIFS, e.g. smbclient -k ..., of course in a non-AD environment.

I think the UI configuration of the directory services is too Windows-centralized and not universal enough.

If someone is interested: sssd.conf
Code:
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = foo.de


[nss]
filter_users = root
filter_groups = root, sudo


[pam]


[domain/foo.de]
description = Openldap- and MIT-KDC-Provider on SRV-KDC

# ID
id_provider = ldap
ldap_uri = ldap://srv-kdc.foo.de
ldap_referrals = false

ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/kerberos/NAS-HPMICROG8.keytab
ldap_sasl_authid = host/nas-hpmicrog8.foo.de@FOO.DE
#ldap_default_bind_dn = cn=nss-ldap,ou=Users,dc=foo,dc=de
#ldap_default_authtok_type = password
#ldap_default_authtok = wrdlbrmpft0815

ldap_id_use_start_tls = true
tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/SH-Root-CA.crt

ldap_search_base = dc=foo,dc=de
ldap_user_search_base = ou=Users,dc=foo,dc=de
ldap_group_search_base = ou=Groups,dc=foo,dc=de

ldap_schema = rfc2307bis

enumerate = true

min_id = 2000
max_id = 2999

override_homedir = /mnt/VOL1/home/%u

# AUTHN
auth_provider = krb5
krb5_realm = FOO.DE
krb5_server = srv-kdc.foo.de
krb5_canonicalize = true
cache_credentials = false


# CHPASS
chpass_provider = krb5
ldap_pwd_policy = mit_kerberos


# ACCESS
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(memberOf=cn=sysadmins-access,ou=Groups,dc=foo,dc=de)(memberOf=cn=users-access,ou=Groups,dc=foo,dc=de))
 
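The sssd.conf above is a sound template for a non-AD setup: GSSAPI bind from a keytab instead of a stored bind password, StartTLS with a pinned CA, a bounded ID range and an LDAP access filter. Several of those settings fail open when they are missing or mistyped, so here is an added example (not the poster's or the sssd project's code) of a Python audit that reads an sssd.conf with configparser and flags the weak variants. It assumes the option names documented in sssd-ldap(5), in particular that the server certificate check is configured with ldap_tls_reqcert (default 'hard'), and it works on a constructed config with changed names rather than the one posted.

```python
"""Audit the [domain/...] sections of an sssd.conf for weak settings."""
import configparser
import sys
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    section: str
    code: str
    detail: str


# Constructed sample modelled on the config posted above, names changed.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss,pam
domains = example.test

[domain/example.test]
id_provider = ldap
ldap_uri = ldap://kdc.example.test
ldap_sasl_mech = GSSAPI
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/certificates/CA/root.crt
min_id = 2000
max_id = 2999
auth_provider = krb5
krb5_realm = EXAMPLE.TEST
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=users-access,ou=Groups,dc=example,dc=test)
"""

# The same config with several settings weakened, to show what the audit flags.
WEAK_CONF = (
    SAMPLE_CONF
    .replace("ldap_id_use_start_tls = true", "ldap_id_use_start_tls = false")
    .replace("ldap_tls_reqcert = demand", "ldap_tls_reqcert = allow")
    .replace("ldap_sasl_mech = GSSAPI\n",
             "ldap_default_bind_dn = cn=nss,dc=example,dc=test\n"
             "ldap_default_authtok = hunter2\n")
    .replace("access_provider = ldap\n", "")
    .replace("max_id = 2999", "max_id = 1500")
)


def audit_sssd_conf(text: str) -> List[Finding]:
    """Return one Finding per weak or suspicious setting in each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd values contain '%' and '$'
    cp.read_string(text)
    out: List[Finding] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]

        def opt(key: str, default: str = "") -> str:
            return d.get(key, default).strip().lower()

        def flag(code: str, detail: str) -> None:
            out.append(Finding(section, code, detail))

        if (opt("id_provider") == "ldap" and opt("ldap_id_use_start_tls") != "true"
                and not opt("ldap_uri").startswith("ldaps://")):
            flag("NO_TLS", "identity lookups use cleartext LDAP; set ldap_id_use_start_tls = true or an ldaps:// URI")
        # sssd-ldap(5) names the option ldap_tls_reqcert; a bare tls_reqcert key is not an sssd option
        if "tls_reqcert" in d and "ldap_tls_reqcert" not in d:
            flag("UNKNOWN_KEY_TLS_REQCERT", "tls_reqcert is not an sssd option; the key is ldap_tls_reqcert")
        if opt("ldap_tls_reqcert", "hard") not in ("demand", "hard"):
            flag("WEAK_CERT_CHECK", f"ldap_tls_reqcert = {opt('ldap_tls_reqcert')} accepts an unverified server certificate")
        if "ldap_default_authtok" in d:
            flag("PLAINTEXT_BIND_SECRET", "bind password stored in sssd.conf; prefer ldap_sasl_mech = GSSAPI with a keytab")
        if "access_provider" not in d:
            flag("NO_ACCESS_CONTROL", "access_provider unset (sssd default 'permit'): every directory user may log in")
        elif opt("access_provider") == "ldap" and not opt("ldap_access_filter"):
            flag("NO_ACCESS_CONTROL", "access_provider = ldap without ldap_access_filter permits everyone")
        try:
            lo, hi = int(opt("min_id", "1")), int(opt("max_id", "0"))  # sssd defaults
        except ValueError:
            flag("BAD_ID_RANGE", "min_id/max_id are not integers")
        else:
            if hi and lo >= hi:
                flag("BAD_ID_RANGE", f"min_id {lo} is not below max_id {hi}")
    return out


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for f in audit_sssd_conf(src):
        print(f"[{f.section}] {f.code}: {f.detail}")
```

Point it at a real sssd.conf to get one line per finding; with no argument it audits the deliberately weakened sample. The check for a bare tls_reqcert key is there because that spelling is the OpenLDAP ldap.conf option, and an option sssd does not recognise gives no protection while looking like it does.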

Howard Swope

Dabbler
Joined
Nov 19, 2015
Messages
26
I am still awaiting this feature. I was really upset when FreeNAS 10 was discontinued because it had full FreeIPA support. Consequently I am stuck using the discontinued version until this is added or I find a replacement. Although FreeNAS Corral is still working like a champ.

 