SOLVED HOWTO: FreeNAS with Open Directory in Mac OS X environments

Ben Evans (Cadet, joined Jun 9, 2015, 4 messages)
OK, a few more questions.

First off, I got this to work with SMB. However, this enables the whole single-sign-on deal where I just try to access the share and it immediately puts me in. I'd rather have it prompt for a password for my needs.
When I try to connect by choosing the share and hitting 'connect as' and enter a username/password, it doesn't work.
All I really want is the basic LDAP-based authentication that I have working fine in 9.2.1.9. I haven't updated because I couldn't get 9.3 to work. This method IS working as I mentioned above, but really I have all my bugs worked out with an AFP setup on 9.2.1.9 and LDAP authentication and I'd much rather be able to get it working just like that. Is that possible or do we 'have' to go through this single-sign-on business?

blacs30 (Dabbler, joined Mar 12, 2017, 22 messages)
The approach published here by tigloo is helpful (and the only working one I know of) when you want to use FreeNAS SMB shares and have OpenDirectory authentication. The default config of OpenDirectory doesn't allow users to authenticate via LDAP to SMB shares because the passwords are not stored in OD as required. There are workarounds, but this way is fine as the authentication took place before and the Kerberos ticket is available on the client.

If I just wanted AFP shares with normal authentication, not using single sign-on, then it always worked for me to connect directly to the AFP share with Cmd+K:
Code:
afp://tank/my_afp_share
(It doesn't always work through the Finder icons; that somehow has to do with the way the shares are published via Bonjour/mDNS.)

I might have had troubles when SMB and AFP shares were enabled together for the same share... but that I don't remember clearly.

Ben Evans (Cadet, joined Jun 9, 2015, 4 messages)
I got it working. You might add a section about this to the OP because for those who don't want/need kerberos SSO this works.

So following the above guide got the SSO working fine for me, but I A) am still on afp because I have all my permissions issues and such worked out on that, and B) I need to be able to go to a machine and connect as... a different user, in situations where, for example, I need to connect as admin to some other share to get support files for a given machine.

For whatever reason, all you have to do is add all your LDAP credentials as usual, but DO NOT CHECK the 'allow anonymous binding' checkbox. I created a new OD user with its own password so I wasn't connecting as diradmin, and voila, once I unchecked anonymous binding it works exactly as I want.

dkusek (Explorer, joined Mar 16, 2016, 78 messages)
I am getting an error when trying to upload the Kerberos keytab in 11.0-U3. Anyone else have this problem? I'd like to be more specific, but the error is just in the GUI, no log messages. The GUI says "an error occurred", which is not incredibly helpful. On this note, the guide for this topic https://doc.freenas.org/11/directoryservice.html#ldap has a "Note" and both of the links there are broken.

seanm (Guru, joined Jun 11, 2018, 570 messages)
I have an existing macOS Server Open Directory (OD) setup working. I'm evaluating using FreeNAS to replace my macOS-based SMB file sharing.

Thanks to this thread, I seem to have basic LDAP working, as 'getent' lists my users/groups and 'ldapwhoami' works. I can also ssh to the FreeNAS using my LDAP credentials.

But I'm very confused about how SMB+LDAP is supposed to be achieved. The docs say "LDAP authentication for SMB shares is disabled unless the LDAP directory has been configured for and populated with Samba attributes", but I don't really grok that. What are "Samba attributes"? How do I populate OD with them?

I don't need/want the 'single sign on' (SSO) that this thread (helpfully!) describes, I just want connecting to a SMB share to prompt for user/password. So I'm not sure what, if anything, in this thread applies to my situation...

seanm (Guru, joined Jun 11, 2018, 570 messages)
After doing more searching, I found this other very useful blog post:

http://aarononeal.info/configure-freenas-samba-for-os-x-server-open-directory/

and I've come to the conclusion that, unless you want the whole Kerberos thing tigloo describes, trying to get Open Directory (OD) working for Samba is more trouble than it's worth. The clincher for me is that the user password has to be copied into a different place for Samba, so if/when the user changes her password in OD the sysadmin has to do work to copy the password for Samba.

For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself. :(

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Quote:
For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself. :(

If you want your users to enter a password, you can also create (or recreate) the users on FreeNAS. The main reason to use Kerberos is that your users can authenticate once against a central directory and then never have to re-authenticate with any other server.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
I updated the instructions for FreeNAS 11.2, which now ships with Samba 4 and requires a slightly different configuration. I'm not quite sure if the idmap backend specification is needed; I will test later if it can be removed.

Samba is a beast and it's really complicated to get this right.

I noticed that iXSystems included a link to this thread into the FreeNAS manual. That's a great compliment. I wish we will see "official" Open Directory support from the GUI, too!

SirBryan (Cadet, joined May 31, 2019, 2 messages)
I was also having issues with krbservicesetup not working (it would complain about creating the principal with an error '2100').

I found this response on the Apple forums that helped. The gist of it:

You can use dscl simply if you wish to add a computer (called myhost for the sake of argument, with a couple of attributes set also):

$ dscl -u diradminuser -P adminpasswd /LDAPv3/127.0.0.1 -create /Computers/myhost.domain \
ENetAddress FF:00:AE:23:71:A4 IPAddress 192.168.1.37

and you will then automatically get all the service principals automatically configured for you:

$ sudo ktutil list | grep myhost | grep aes256
1 aes256-cts-hmac-sha1-96 host/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 afpserver/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 cifs/myhost.domain@realm
(....)

I then used kadmin to tweak the settings as mentioned in tigloo's tutorial.
Unfortunately, I was unable to export the principal into a keytab (-- = the domain):

Code:
vmac01:~ root# ktutil list | grep freenas | grep cifs
  1  aes256-cts-hmac-sha1-96  cifs/sdfreenasmpro.--@VMAC01.--                                                
  1  aes128-cts-hmac-sha1-96  cifs/sdfreenasmpro.--@VMAC01.--                                                
  1  des3-cbc-sha1            cifs/sdfreenasmpro.--@VMAC01.--

vmac01:~ root# kadmin -l
kadmin> ext_keytab --keytab=cifs_freenas.keytab cifs/sdfreenasmpro.--@VMAC01.--
kadmin: ext cifs/sdfreenasmpro.--@VMAC01.--: Principal does not exist


It's odd that it "does not exist" when there are definitely more than one. Perhaps someone who has gotten krbservicesetup to work can do a ktutil list and we'll see what it's done for encryption.

All this being said, kinit, kgetcred, and klist on the FreeNAS server do work:

Code:
root@sdfreenasmpro:/var/log # klist

Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@VMAC01.--

  Issued                Expires               Principal
May 31 09:49:15 2019  Jun  1 09:49:16 2019  krbtgt/VMAC01.--@VMAC01.--
May 31 09:49:19 2019  Jun  1 09:49:16 2019  cifs/sdfreenasmpro.--@VMAC01.--


I've stopped at this point (AFP sharing should be enough for my needs), but hope to finish to get CIFS up and running at some point down the road.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Did you make sure to allow exporting the principal?

Code:
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET


Note the minus sign in "-disallow-svr". Otherwise the principal cannot be exported. I had lots of strange effects with Apple's Kerberos implementation, though; if you cannot fix it, delete and recreate the principal. That usually fixes it.

SirBryan (Cadet, joined May 31, 2019, 2 messages)
Quote:
Did you make sure to allow exporting the principal?

Code:
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET


Note the minus sign in "-disallow-svr". Otherwise the principal cannot be exported. I had lots of strange effects with Apple's Kerberos implementation, though; if you cannot fix it, delete and recreate the principal. That usually fixes it.

Same error on 'disallow' as 'export'... Principal does not exist, even though it shows up under ktutil list.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Can you try to delete them and recreate from scratch? Ideally using krbservicesetup. I know I ran into this once, too, but it's been a while and the only thing that I remember about it was that recreating all principals fixed it. Apple's documentation is sparse. It's a little bit like poking a black box.

Edit:
Can you elaborate on the format of your principals? You wrote that "--" equals the domain. Why is the principal of the format "cifs/sdfreenasmpro.--@VMAC01.--" and not "cifs/sdfreenasmpro@VMAC01.--"? Is your realm set up correctly?
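As an added example (not from this thread or any of its posters): a small POSIX shell check that parses "ktutil list" output and flags service principals whose host part or realm does not match what the clients will ask for, the kind of mismatch tigloo asks about above. The host name, realm and sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the service principals that
# "ktutil list" reports against the host name clients actually connect to and
# the Kerberos realm. Host, realm and sample values below are constructed.

# check_principal PRINCIPAL EXPECTED_HOST EXPECTED_REALM
# Returns 0 if PRINCIPAL is "service/host@REALM" with the expected host and
# realm; otherwise prints the reason on stderr and returns 1.
check_principal() {
    princ=$1
    case "$princ" in
        */*@*) ;;
        *) echo "$princ: not of the form service/host@REALM" >&2; return 1 ;;
    esac
    rest=${princ#*/}
    host=${rest%@*}
    realm=${rest##*@}
    # Realm names are case sensitive: to the KDC, cifs/x@home.net and
    # cifs/x@HOME.NET are two different principals.
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "$princ: realm '$realm' is not upper case" >&2; return 1
    fi
    if [ "$realm" != "$3" ]; then
        echo "$princ: realm '$realm', expected '$3'" >&2; return 1
    fi
    if [ "$host" != "$2" ]; then
        echo "$princ: host '$host', expected '$2' (the name clients connect with)" >&2; return 1
    fi
    return 0
}

# count_bad_principals EXPECTED_HOST EXPECTED_REALM  (reads "ktutil list" on stdin)
# Prints how many keytab entries fail check_principal.
count_bad_principals() {
    bad=0
    while read -r vno enctype princ extra; do
        case "$vno" in ''|*[!0-9]*) continue ;; esac   # skip header and blank lines
        check_principal "$princ" "$1" "$2" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample in the layout of "ktutil list" (Heimdal, as on macOS Server).
SAMPLE_KTUTIL_LIST='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  cifs/freenas.home.net@HOME.NET
  1  aes128-cts-hmac-sha1-96  cifs/freenas.home.net@HOME.NET
  1  aes256-cts-hmac-sha1-96  cifs/freenas.home.net@home.net
  1  aes256-cts-hmac-sha1-96  host/freenas@HOME.NET'

# On a real box: sudo ktutil list | count_bad_principals freenas.home.net HOME.NET
printf '%s\n' "$SAMPLE_KTUTIL_LIST" | count_bad_principals freenas.home.net HOME.NET
```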
(joined Jul 16, 2019, 1 message)
I have attempted to go through your how-to several times. I have tried fresh installs of FreeNAS, and I am using a fresh install of High Sierra and Server 5.6.3. I am using FreeNAS version 11.2-U5. This does not work for me at all. The FreeNAS software does not bind to Open Directory. When I attempt to enable LDAP, I see the word 'info' in red lettering.

Apart from it not working, a couple of things puzzle me about this how-to:

1. Why would "Allow Anonymous Binding" be checked if a bind password (the password of the diradmin account) is included?
2. Your provided command for creating the Kerberos Principal seems to be incorrect or incomplete, as it yields a ">", which indicates it is seeking other attributes before it can continue.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Quote:
I have attempted to go through your how-to several times. I have tried fresh installs of FreeNAS, and I am using a fresh install of High Sierra and Server 5.6.3. I am using FreeNAS version 11.2-U5. This does not work for me at all. The FreeNAS software does not bind to Open Directory. When I attempt to enable LDAP, I see the word 'info' in red lettering.

Do you see any messages in the console or any hints on what the problem is?

The latest that I verified the instructions with is Mojave and 11.2-U2. I'm running 11.2-U5 now, too, the setup survived the upgrades.

Quote:
1. Why would "Allow Anonymous Binding" be checked if a bind password (the password of the diradmin account) is included?

Quite frankly, I have no idea. I tried hundreds of different approaches and variants until I got this to work. I assume it is or was a bug on either FreeNAS' or Apple's side. If it's fixed and it works without the password (or vice versa), all the better.

Quote:
2. Your provided command for creating the Kerberos Principal seems to be incorrect or incomplete, as it yields a ">", which indicates it is seeking other attributes before it can continue.

Can you paste your complete shell command and output here? Do you have any special characters in your password that require escaping?

areis (Dabbler, joined May 1, 2014, 33 messages)
Any updates on getting this to work for FreeNAS 11.3?

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Quote:
Any updates on getting this to work for FreeNAS 11.3?

I have updated the thread for FreeNAS' current version 11.3-U4.1. I'm not quite sure when the current changes were introduced (I'm usually not the quickest to upgrade), but the usual things happened: the keytab file got deleted and some settings got shifted around.

You can re-run through the instructions above and the setup should be working again.

areis (Dabbler, joined May 1, 2014, 33 messages)
Any updates on getting this to work for TrueNAS-12.0-U6.1?

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Not yet; since I upgraded to TrueNAS 12 the method above has pretty much stopped working for me as well. I've tried to troubleshoot it but couldn't get it to work again. Kerberos has stopped issuing tickets; even if I retrieve the TGT manually I cannot get it to work.

Even though ixSystems links to this thread in their manual, they haven't supported an Open Directory integration. If any of their Kerberos specialists would be willing to help troubleshoot, I'd be glad to update the instructions. I have a testing environment here to work with.