SOLVED HOWTO: FreeNAS with Open Directory in Mac OS X environments

areis

Dabbler
Joined
May 1, 2014
Messages
33
I have tried several scenarios. The failure point seems to be when I populate the Kerberos Realm in the LDAP settings. The open directory users only show up as a result of the “getent passwd” command when the Kerberos Realm is not populated. Everything else seems to work as described.
 

tigloo

Explorer
Joined
Aug 23, 2016
Messages
53
I am not sure where the error is. I have checked my Kerberos config, it seems fine. I can type "kinit" on the command prompt and it acquires a TGT. I can use kgetcred to get a service tickets for CIFS.

The strange thing is that it does not refresh the TGT after expiration and it also is unable to request and validate service-specific tickets whenever I access a Samba resource. There is some strange misconfiguration that prevents it from acquiring tickets whenever it is doing so in a non-interactive way.

Any pointers to what could be wrong would be appreciated.
 

areis

Dabbler
Joined
May 1, 2014
Messages
33
OK. After some further research,
I destroyed
Code:
sudo slapconfig -destroyldapserver

and rebuilt my Open Directory by importing my users that I had previously exported.
The command
Code:
getent passwd

now successfully lists BOTH my system and LDAP users when the Kerberos Realm is populated.

I have substituted my TrueNAS server, Kerberos Realm, and Mac server names in all of the following commands.

The Kerberos principal (e.g. cifs/freenas@SERVER.HOME.NET) is no longer listed on my Mac server when I issue the command
Code:
sudo ktutil list

I'm not sure when it was removed, but I had this all working with FreeNAS 11.3 about a month ago before I upgraded to TrueNAS 12. The subsequent command entered on my Mac server
Code:
sudo krbservicesetup -x -r SERVER.HOME.NET -a diradmin -p <admin password> cifs cifs/freenas@SERVER.HOME.NET

does not create the principal.

The server is MacOS 10.13.6. The server app is 5.6.3. I know these are old, but they are running on a 2011 Mac mini server that I can no longer update and has been running for 10 years.

Lastly, pardon my lack of knowledge. I only know enough that I got this working by using instructions. It has been working for over 7 years. Thanks for all your efforts.
 

tigloo

Explorer
Joined
Aug 23, 2016
Messages
53
Thanks for the update! Does this mean that the entire setup is working for you now or are you stuck at a point where "getent passwd" does show you all users but you cannot access anything because the service principal is not created?
 

areis

Dabbler
Joined
May 1, 2014
Messages
33
It is not working and I am stuck.
Code:
getent passwd

successfully lists BOTH my system and LDAP users when the Kerberos Realm is populated.

However, I am not able to create the service principal with
Code:
sudo krbservicesetup -x -r SERVER.HOME.NET -a diradmin -p <admin password> cifs cifs/freenas@SERVER.HOME.NET
 

areis

Dabbler
Joined
May 1, 2014
Messages
33
Code:
klist

lists the ticket-granting ticket for diradmin:

Code:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@SERVER.HOME.NET

  Issued                Expires               Principal
Dec 28 11:04:22 2021  Dec 29 11:04:22 2021  krbtgt/SERVER.HOME.NET@SERVER.HOME.NET
Dec 28 11:04:31 2021  Dec 29 11:04:22 2021  ldap/server.home.net@SERVER.HOME.NET
 

kselltrum

Cadet
Joined
Jul 29, 2015
Messages
4
Hello.
I have the same problem authenticating clients from OD on TrueNAS Samba shares. AFP authentication works fine.
In TrueNAS I can see the OD users, and I created and imported the Kerberos principals.

Code:
root@test-nas1[~]# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@TEST.COM

  Issued                Expires               Principal
Jan 30 02:13:43 2022  Jan 31 02:13:43 2022  krbtgt/TEST.COM@TEST.COM
Jan 30 02:46:34 2022  Jan 31 02:13:43 2022  cifs/test-nas1.test.com@TEST.COM
 

kselltrum

Cadet
Joined
Jul 29, 2015
Messages
4
If I authenticate a user, I see these messages in the Samba logs:
Code:
[2022/01/30 03:45:10.128823,  2] ../../auth/kerberos/gssapi_pac.c:169(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed:  Miscellaneous failure (see text): Ticket have not authorization data of type 128

[2022/01/30 03:45:10.128883,  3] ../../auth/gensec/gensec_util.c:74(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for user1@TEST.COM, resorting to local user lookup

[2022/01/30 03:45:10.128933,  3] ../../source3/auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [user1@TEST.COM]

[2022/01/30 03:45:10.574601,  3] ../../source3/auth/user_krb5.c:124(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username TEST-NAS1\user1 is invalid on this system

[2022/01/30 03:45:10.574687,  3] ../../source3/auth/auth_generic.c:223(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

[2022/01/30 03:45:10.575443,  3] ../../source3/smbd/smb2_server.c:3863(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_sesssetup.c:146

[2022/01/30 03:45:13.059178,  3] ../../source3/smbd/server_exit.c:221(exit_server_common)


Truenas version: TrueNAS-12.0-U7
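The log chain above (no PAC in the ticket, fallback to a local user lookup, unmapped username, NT_STATUS_LOGON_FAILURE) is the signature to look for when triaging this kind of Samba/Kerberos logon failure. The following is an added example, not code from this thread or from Samba: a small Python parser that groups Samba debug lines into entries and pulls the principal, the local name Samba tried, and the final status out of that chain, run on a constructed sample modelled on the excerpt.

```python
import re

# Constructed sample, modelled on the Samba debug lines quoted in the thread.
SAMPLE_LOG = """\
[2022/01/30 03:45:10.128823,  2] ../../auth/kerberos/gssapi_pac.c:169(gssapi_obtain_pac_blob)
  obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed:  Miscellaneous failure (see text): Ticket have not authorization data of type 128
[2022/01/30 03:45:10.128883,  3] ../../auth/gensec/gensec_util.c:74(gensec_generate_session_info_pac)
  gensec_generate_session_info_pac: Unable to find PAC for user1@TEST.COM, resorting to local user lookup
[2022/01/30 03:45:10.574601,  3] ../../source3/auth/user_krb5.c:124(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username TEST-NAS1\\user1 is invalid on this system
[2022/01/30 03:45:10.574687,  3] ../../source3/auth/auth_generic.c:223(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""

# Samba debug header: "[YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\] (\S+)$")
NO_PAC = re.compile(r"Unable to find PAC for (\S+?),")
BAD_USER = re.compile(r"Username (\S+) is invalid on this system")
NT_STATUS = re.compile(r"\((NT_STATUS_\w+)\)")


def parse_entries(text):
    """Group a Samba log into (timestamp, level, source, message) tuples.
    The message is the indented continuation line(s) after each header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif entries and line.strip():
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]


def triage_kerberos_logon(text):
    """Walk the session-setup chain and report why a Kerberos logon was
    refused: the principal whose ticket carried no PAC, the local name
    Samba then tried, and the NT status the attempt ended with."""
    report = {"principal": None, "no_pac": False, "local_user": None, "status": None}
    for _ts, _level, _src, msg in parse_entries(text):
        if m := NO_PAC.search(msg):
            report["principal"], report["no_pac"] = m.group(1), True
        elif m := BAD_USER.search(msg):
            report["local_user"] = m.group(1)
        elif m := NT_STATUS.search(msg):
            report["status"] = m.group(1)
    return report
```

A report with `no_pac` set and a `local_user` that does not resolve points at the identity mapping between the Kerberos principal and the LDAP/Open Directory account, not at ticket acquisition itself.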
 