Using Kerberos Keytabs


Elegant (Explorer; joined Aug 27, 2015; 67 messages)

Hi guys,

I'm trying to use Kerberos keytabs to join via AD but I'm unsure how exactly the process is meant to work.

Thus far, I've created my user with join privileges (JoinExample is the user) and created my keytabs using the following lines:

Code:
samba-tool spn add krbtgt/EXAMPLE.COM JoinExample
samba-tool spn add cifs/FreeNAS.example.com JoinExample
samba-tool spn add ldap/FreeNAS.example.com JoinExample
samba-tool domain exportkeytab krbtgt-freenas.keytab --principal=krbtgt/EXAMPLE.COM
samba-tool domain exportkeytab cifs-freenas.keytab --principal=cifs/FreeNAS.example.com
samba-tool domain exportkeytab ldap-freenas.keytab --principal=ldap/FreeNAS.example.com


Next, I imported them in the appropriate tab and checked /etc/krb5.keytab (they appeared). I'm not sure what the remaining steps are to complete this process but I could definitely use some insight. Thanks!
 
Last edited:

Elegant (Explorer; joined Aug 27, 2015; 67 messages)

While this gives me a better way of exporting the keytab (thanks!), I can't seem to grasp how this all works given the web interface. I import the keytab and I still have to provide my credentials? Am I supposed to select a Kerberos Principal in the dropdown menu (gives an error)? Something just feels amiss to me. I actually have an easier time joining my Ubuntu systems to my AD through Kerberos than I do FreeNAS currently.

Modifying your guide a bit, this would generate the keytab:

Code:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/FreeNAS -k xenial.keytab --computer-name FreeNAS --upn HOST/FreeNAS --server dc01.example.com --user-creds-only


I think I'm missing that HOST should also be CIFS and LDAP though. This is one of those things I'm unsure of, though, as I'm unfamiliar with FreeNAS and Kerberos.
 
Last edited:
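Both posts above end up with a keytab on disk and the open question of which service principals it actually contains (HOST only, or also CIFS and LDAP) and whether they match what was registered. The following is an added example, not code from either poster or from the FreeNAS or Samba projects: it builds a small keytab in the MIT keytab format (version 0x0502) from constructed, non-secret key bytes, parses it back, and audits it against the list of principals you expect, flagging missing principals and entries that use the legacy arcfour-hmac encryption type. The hostname `freenas.example.com`, the realm `EXAMPLE.COM` and all key material are constructed sample values. Note that the comparison is exact, because Kerberos principal names are case-sensitive, so `cifs/FreeNAS.example.com` and `cifs/freenas.example.com` are different principals.

```python
"""Build, parse and audit MIT-format Kerberos keytabs (version 0x0502).

Added example; the keytab contents below are constructed and contain no
real key material.
"""
import struct
import time
from typing import List, NamedTuple

# Encryption type numbers from RFC 3962 (AES) and RFC 4757 (RC4).
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {23}          # RC4-based; flag it during an audit
KRB5_NT_PRINCIPAL = 1         # name type used for service principals


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    key: bytes


def _octets(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes."""
    out = bytearray(b"\x05\x02")                     # format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        components = name.split("/")                 # e.g. ["cifs", "host.example.com"]
        body = struct.pack(">H", len(components))
        body += _octets(realm.encode())
        for c in components:
            body += _octets(c.encode())
        # name type, timestamp, 8-bit kvno (low byte only)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)              # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # positive size = live entry
    return bytes(out)


class _Reader:
    """Cursor over one keytab entry; all integers are big-endian."""
    def __init__(self, data: bytes, pos: int, end: int):
        self.data, self.pos, self.end = data, pos, end

    def u8(self) -> int:
        v = self.data[self.pos]; self.pos += 1; return v

    def u16(self) -> int:
        (v,) = struct.unpack_from(">H", self.data, self.pos); self.pos += 2; return v

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4; return v

    def octets(self) -> bytes:
        n = self.u16(); b = self.data[self.pos:self.pos + n]; self.pos += n; return b

    def remaining(self) -> int:
        return self.end - self.pos


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Return the live entries of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                 # negative size = deleted slot
            pos += -size
            continue
        r = _Reader(data, pos, pos + size)
        ncomp = r.u16()
        realm = r.octets().decode()
        comps = [r.octets().decode() for _ in range(ncomp)]
        r.u32()                                      # name type (unused here)
        r.u32()                                      # timestamp (unused here)
        vno8 = r.u8()
        enctype = r.u16()
        key = r.octets()
        kvno = r.u32() if r.remaining() >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
        pos += size
    return entries


def audit_keytab(data: bytes, expected_principals) -> dict:
    """Report expected principals that are absent and entries using weak enctypes."""
    entries = parse_keytab(data)
    present = {e.principal for e in entries}
    return {
        "missing": sorted(set(expected_principals) - present),
        "weak": sorted({e.principal for e in entries if e.enctype in WEAK_ENCTYPES}),
    }


# Constructed sample: HOST and CIFS present, LDAP not exported; CIFS still on RC4.
SAMPLE_KEYTAB = build_keytab([
    ("host/freenas.example.com@EXAMPLE.COM", 3, 18, bytes(range(32))),   # fake key
    ("cifs/freenas.example.com@EXAMPLE.COM", 3, 23, bytes(range(16))),   # fake key
])
EXPECTED_PRINCIPALS = [
    "host/freenas.example.com@EXAMPLE.COM",
    "cifs/freenas.example.com@EXAMPLE.COM",
    "ldap/freenas.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(audit_keytab(SAMPLE_KEYTAB, EXPECTED_PRINCIPALS))
```

On a real system the same listing is what `klist -kt /etc/krb5.keytab` prints; the audit function is the part worth keeping, since a keytab that is missing a service principal, or whose kvno no longer matches the account's key version in AD, is the usual reason an import "appears" but authentication still falls back to prompting for credentials.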

UdoB (Dabbler; joined Dec 6, 2014; 39 messages)

Elegant said: "I think I'm missing that HOST should also be CIFS and LDAP though."

What I documented was client-side only and completely on the command line of that client. In my understanding (and I may be wrong) principals like "servicename/hostname" are only required for servers.

In my case I used the FreeNAS web interface to configure services "CIFS" and "Domain Controller" some time ago. You will need to read the manual to set it up...

As far as I can remember, I never saw the terms "Kerberos" or "Principals" while doing so. That's by design: from a high-level view, Kerberos is just an "implementation detail", and a FreeNAS user setting up Active Directory should not be required to handle those bits manually.

Best regards