
SOLVED HOWTO: FreeNAS with Open Directory in Mac OS X environments

Joined
Jun 9, 2015
Messages
4
Thanks
1
#22
OK, a few more questions.

First off, I got this to work with SMB. However, this enables the whole single-sign-on deal where I just try to access the share and it immediately puts me in. I'd rather have it prompt for a password for my needs.
When I try to connect by choosing the share and hitting 'connect as' and enter a username/password, it doesn't work.
All I really want is the basic LDAP-based authentication that I have working fine in 9.2.1.9. I haven't updated because I couldn't get 9.3 to work. This method IS working as I mentioned above, but really I have all my bugs worked out with an AFP setup on 9.2.1.9 and LDAP authentication and I'd much rather be able to get it working just like that. Is that possible or do we 'have' to go through this single-sign-on business?
 
Joined
Mar 12, 2017
Messages
22
Thanks
4
#23
The approach published here by tigloo is helpful (and the only working one I know of) when you want to use FreeNAS SMB shares and have OpenDirectory authentication. The default config of OpenDirectory doesn't allow users to authenticate via LDAP to SMB shares because the passwords are not stored in OD as is required. There are workarounds, but this way is fine as the authentication took place before and the Kerberos ticket is available on the client.

If I just want AFP shares with normal authentication, not using single sign-on, then it has always worked for me to connect directly to the AFP share with CMD+K:
Code:
afp://tank/my_afp_share
(It doesn't always work through the Finder icons; that somehow has to do with the way the shares are published via Bonjour/mDNS.)

I might have had troubles when SMB and AFP shares were enabled together for the same share... but I don't remember that clearly.
 
Joined
Jun 9, 2015
Messages
4
Thanks
1
#24
I got it working. You might add a section about this to the OP because for those who don't want/need kerberos SSO this works.

So following the above guide got the SSO working fine for me, but I A) am still on afp because I have all my permissions issues and such worked out on that, and B) I need to be able to go to a machine and connect as... a different user, in situations where, for example, I need to connect as admin to some other share to get support files for a given machine.

For whatever reason, all you have to do is add all your LDAP credentials as usual, but DO NOT CHECK the 'allow anonymous binding' checkbox. I created a new OD user with its own password so I wasn't connecting as diradmin, and voila, once I unchecked anonymous binding it works exactly as I want.
 
Joined
Mar 16, 2016
Messages
78
Thanks
8
#25
I am getting an error when trying to upload the kerberos keytab in 11.0-U3. Anyone else have this problem? I'd like to be more specific, but the error is just in the GUI, no log messages. The GUI says "an error occurred" which is not incredibly helpful. On this note, the guide for this topic https://doc.freenas.org/11/directoryservice.html#ldap has a "Note" and both of the links there are broken.
 

seanm

FreeNAS Experienced
Joined
Jun 11, 2018
Messages
205
Thanks
20
#27
I have an existing macOS Server Open Directory (OD) setup working. I'm evaluating using FreeNAS to replace my macOS-based SMB file sharing.

Thanks to this thread, I seem to have basic LDAP working, as 'getent' lists my users/groups and 'ldapwhoami' works. I can also ssh to the FreeNAS using my LDAP credentials.

But I'm very confused about how SMB+LDAP is supposed to be achieved. The docs say "LDAP authentication for SMB shares is disabled unless the LDAP directory has been configured for and populated with Samba attributes", but I don't really grok that. What are "Samba attributes"? How do I populate OD with them?

I don't need/want the 'single sign on' (SSO) that this thread (helpfully!) describes, I just want connecting to a SMB share to prompt for user/password. So I'm not sure what, if anything, in this thread applies to my situation...
 

seanm

FreeNAS Experienced
Joined
Jun 11, 2018
Messages
205
Thanks
20
#28
After doing more searching, I found this other very useful blog post:

http://aarononeal.info/configure-freenas-samba-for-os-x-server-open-directory/

and I've come to the conclusion that, unless you want the whole kerberos thing tigloo describes, trying to get Open Directory (OD) working for Samba is more trouble than it's worth. The clincher for me is that the user password has to be copied into a different place for samba, so if/when the user changes her password in OD the sysadmin has to do work to copy the password for samba.

For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself. :(
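The "Samba attributes" asked about in #27 and the password copy that #28 calls the clincher are the same thing: Samba's LDAP schema adds a sambaSamAccount object class whose sambaNTPassword attribute holds the NT hash (MD4 over the UTF-16LE password), which is all NTLM authentication ever needs. The following is an added example, not code from this thread or from the linked blog post. It computes that hash and emits the LDIF that would bolt the attributes onto an existing user entry. The attribute names come from Samba's samba.schema; the user DN, the domain SID and the password are hypothetical placeholders. Two caveats a practitioner will want: the NT hash is password-equivalent (it can be replayed in pass-the-hash style), so whatever directory stores it must restrict read access to that attribute; and, as the post above says, nothing keeps it in sync, so every OD password change has to be followed by regenerating this LDIF.

```python
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Written out here because hashlib on OpenSSL 3 builds
    usually refuses 'md4' unless the legacy provider is loaded."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), 0x00000000, (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], 0x5A827999, (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], 0x6ED9EBA1, (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for fn, order, k, shifts in rounds:
            for j, i in enumerate(order):
                A = _rotl((A + fn(B, C, D) + x[i] + k) & MASK, shifts[j % 4])
                A, B, C, D = D, A, B, C           # rotate registers for the next step
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Exactly what Samba expects in sambaNTPassword: MD4 over the UTF-16LE
    encoding of the password, hex-encoded, upper-case."""
    return md4(password.encode("utf-16-le")).hex().upper()


def samba_account_ldif(user_dn: str, uid_number: int, domain_sid: str,
                       password: str, now: int = None) -> str:
    """LDIF 'modify' that adds the Samba schema attributes to an existing
    posixAccount entry. DN layout and domain SID are caller-supplied
    assumptions; the attribute names come from Samba's samba.schema."""
    rid = 2 * uid_number + 1000                      # Samba's default algorithmic RID
    now = int(time.time()) if now is None else now
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: sambaSamAccount",
        "-",
        "add: sambaSID",
        f"sambaSID: {domain_sid}-{rid}",
        "-",
        "add: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "-",
        "add: sambaPwdLastSet",
        f"sambaPwdLastSet: {now}",
        "",
    ])


if __name__ == "__main__":
    # Hypothetical DN, domain SID and password, chosen for illustration only.
    print(samba_account_ldif("uid=alice,cn=users,dc=server,dc=home,dc=net",
                             1042, "S-1-5-21-1111111111-2222222222-3333333333",
                             "correct horse battery staple"))
```

Feeding the output to ldapmodify against the directory is the manual step that has to be repeated after every password change; that is the operational cost the post above is weighing against creating local FreeNAS users.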
 
Joined
Aug 23, 2016
Messages
47
Thanks
8
#29
For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself. :(
If you want your users to enter a password, you can also create (or recreate) the users on FreeNAS. The main reason to use Kerberos is that your users can authenticate once against a central directory and then never have to re-authenticate with any other server.
 
Joined
Aug 23, 2016
Messages
47
Thanks
8
#30
I updated the instructions for FreeNAS 11.2 which now ships with Samba 4 and requires a slightly different configuration. I'm not quite sure if the idmap backend specification is needed - will test later if it can be removed.

Samba is a beast and it's really complicated to get this right.

I noticed that iXSystems included a link to this thread in the FreeNAS manual. That's a great compliment. I hope we will see "official" Open Directory support from the GUI, too!
 
Joined
May 31, 2019
Messages
2
Thanks
0
#31
I was also having issues with krbservicesetup not working (it would complain about creating the principal with an error '2100').

I found this response on the Apple forums that helped. The gist of it:

You can use dscl simply if you wish to add a computer (called myhost for the sake of argument, with a couple of attributes set also):
Code:
$ dscl -u diradminuser -P adminpasswd /LDAPv3/127.0.0.1 -create /Computers/myhost.domain \
ENetAddress FF:00:AE:23:71:A4 IPAddress 192.168.1.37

and you will then automatically get all the service principals configured for you:
Code:
$ sudo ktutil list | grep myhost | grep aes256
1 aes256-cts-hmac-sha1-96 host/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 afpserver/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 cifs/myhost.domain@realm
(....)
I then used kadmin to tweak the settings as mentioned in tigloo's tutorial.
Unfortunately, I was unable to export the principal into a keytab (-- = the domain):

Code:
vmac01:~ root# ktutil list | grep freenas | grep cifs
  1  aes256-cts-hmac-sha1-96  cifs/sdfreenasmpro.--@VMAC01.--
  1  aes128-cts-hmac-sha1-96  cifs/sdfreenasmpro.--@VMAC01.--
  1  des3-cbc-sha1            cifs/sdfreenasmpro.--@VMAC01.--

vmac01:~ root# kadmin -l
kadmin> ext_keytab --keytab=cifs_freenas.keytab cifs/sdfreenasmpro.--@VMAC01.--
kadmin: ext cifs/sdfreenasmpro.--@VMAC01.--: Principal does not exist


It's odd that it "does not exist" when there are definitely more than one. Perhaps someone who has gotten krbservicesetup to work can do a ktutil list and we'll see what it's done for encryption.

All this being said, kinit, kgetcred, and klist on the FreeNAS server do work:

Code:
root@sdfreenasmpro:/var/log # klist

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@VMAC01.--

  Issued                Expires               Principal
May 31 09:49:15 2019  Jun  1 09:49:16 2019  krbtgt/VMAC01.--@VMAC01.--
May 31 09:49:19 2019  Jun  1 09:49:16 2019  cifs/sdfreenasmpro.--@VMAC01.--


I've stopped at this point (AFP sharing should be enough for my needs), but hope to finish to get CIFS up and running at some point down the road.
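Both the keytab upload failure in #25 and the ext_keytab trouble above end with a keytab file that has to be inspected before it is handed to FreeNAS, and ktutil's listing does not flag what matters for Samba. The following is an added example, not code from this thread or from FreeNAS or Apple: a small parser for the version-2 keytab file format that MIT and Heimdal both write (0x0502 header, then length-prefixed entries of realm, name components, name type, timestamp, 8-bit vno, keyblock, optional 32-bit vno), plus an audit that checks the expected service principal is present, that its entries agree on kvno, that the realm is upper-case, and that no DES/3DES/RC4 keys are in the file. The sample keytab is constructed inline with all-zero dummy keys and mirrors the three enctypes the ktutil output above shows for the cifs principal; the principal name cifs/freenas@SERVER.HOME.NET is the one used later in the thread.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Enctype numbers from the IANA Kerberos registry; names match what ktutil prints.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 16, 23}   # DES / 3DES / RC4, deprecated by RFC 6649 and RFC 8429


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab v2 entry (used here only to build the sample file)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # NT-PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
    body += struct.pack(">I", kvno)                       # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def encode_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size

        def rd() -> bytes:                  # read one counted octet string
            nonlocal off
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            val = data[off:off + n]
            off += n
            return val

        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm = rd().decode()
        comps = [rd().decode() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off:off + klen]; off += klen
        kvno = vno8
        if end - off >= 4:                  # 32-bit vno present only if room is left
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries


def audit_keytab(data: bytes, expected_principal: str) -> Tuple[List[KeytabEntry], List[str]]:
    entries = parse_keytab(data)
    findings = []
    service = [e for e in entries if e.principal == expected_principal]
    if not service:
        findings.append(f"missing principal {expected_principal}")
    if len({e.kvno for e in service}) > 1:
        findings.append(f"mixed kvno for {expected_principal}: clients and KDC will disagree")
    for e in entries:
        realm = e.principal.rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append(f"realm is not upper-case in {e.principal}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} in {e.principal}")
    return entries, findings


# Constructed sample: the three enctypes shown above, with all-zero dummy keys.
SAMPLE_KEYTAB = encode_keytab([
    ("cifs/freenas@SERVER.HOME.NET", 3, 18, bytes(32)),
    ("cifs/freenas@SERVER.HOME.NET", 3, 17, bytes(16)),
    ("cifs/freenas@SERVER.HOME.NET", 3, 16, bytes(24)),
])

if __name__ == "__main__":
    ents, probs = audit_keytab(SAMPLE_KEYTAB, "cifs/freenas@SERVER.HOME.NET")
    for e in ents:
        print(f"{e.kvno:>3}  {ENCTYPE_NAMES.get(e.enctype, e.enctype):<26} {e.principal}")
    for p in probs:
        print("WARN:", p)
```

Point it at a real file with `audit_keytab(open("cifs_freenas.keytab", "rb").read(), "cifs/<host>@<REALM>")` before uploading it in the FreeNAS GUI; the des3-cbc-sha1 entry in the sample is exactly the kind of key that should be dropped from the principal on the KDC side rather than shipped to the file server.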
 
Joined
Aug 23, 2016
Messages
47
Thanks
8
#32
Did you make sure to allow exporting the principal?

Code:
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET


Note the minus sign in "-disallow-svr". Otherwise the principal cannot be exported. I had lots of strange effects with Apple's Kerberos implementation though - if you cannot fix it, delete and recreate the principal. That usually fixes it.
 
Joined
May 31, 2019
Messages
2
Thanks
0
#33
Did you make sure to allow exporting the principal?

Code:
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET


Note the minus sign in "-disallow-svr". Otherwise the principal cannot be exported. I had lots of strange effects with Apple's Kerberos implementation though - if you cannot fix it, delete and recreate the principal. That usually fixes it.
Same error on 'disallow' as 'export'... Principal does not exist, even though it shows up under ktutil list.
 
Joined
Aug 23, 2016
Messages
47
Thanks
8
#34
Can you try to delete them and recreate from scratch? Ideally using krbservicesetup. I know I ran into this once, too, but it's been a while and the only thing that I remember about it was that recreating all principals fixed it. Apple's documentation is sparse. It's a little bit like poking a black box.

Edit:
Can you elaborate on the format of your principals? You wrote that "--" equals the domain. Why is the principal of the format "cifs/sdfreenasmpro.--@VMAC01.--" and not "cifs/sdfreenasmpro@VMAC01.--"? Is your realm set up correctly?
 
Joined
Jul 16, 2019
Messages
1
Thanks
0
#35
I have attempted to go through your how-to several times. I have tried fresh installs of FreeNAS, and I am using a fresh install of High Sierra and Server 5.6.3. I am using FreeNAS version 11.2-U5. This does not work for me at all. The FreeNAS software does not bind to Open Directory. When I attempt to enable LDAP, I see the word 'info' in red lettering.

Apart from it not working, a couple of things puzzle me about this how-to:

1. Why would "Allow Anonymous Binding" be checked if a bind password (the password of the diradmin account) is included?
2. Your provided command for creating the Kerberos Principal seems to be incorrect or incomplete, as it yields a ">", which indicates it is seeking other attributes before it can continue
 
Joined
Aug 23, 2016
Messages
47
Thanks
8
#36
I have attempted to go through your how-to several times. I have tried fresh installs of FreeNAS, and I am using a fresh install of High Sierra and Server 5.6.3. I am using FreeNAS version 11.2-U5. This does not work for me at all. The FreeNAS software does not bind to Open Directory. When I attempt to enable LDAP, I see the word 'info' in red lettering.
Do you see any messages in the console or any hints on what the problem is?

The latest that I verified the instructions with is Mojave and 11.2-U2. I'm running 11.2-U5 now, too, the setup survived the upgrades.

1. Why would "Allow Anonymous Binding" be checked if a bind password (the password of the diradmin account) is included?
Quite frankly, I have no idea. I tried hundreds of different approaches and variants until I got this to work. I assume it is or was a bug on either FreeNAS' or Apple's side. If it's fixed and it works without the password (or vice versa), all the better.

2. Your provided command for creating the Kerberos Principal seems to be incorrect or incomplete, as it yields a ">", which indicates it is seeking other attributes before it can continue
Can you paste your complete shell command and output here? Do you have any special characters in your password that require escaping?
 