How to kerberize CIFS?

Status: Not open for further replies.

tigloo (Explorer, joined Aug 23, 2016, 53 messages)
Hi,

I have created a fresh install of FreeNAS 9.10. I am using a Mac OS X environment that has a couple of Mac clients as well as one Mac OS X server that also hosts Open Directory. So far, I got FreeNAS to connect to the Open Directory server. I am now trying to kerberize CIFS in order to enable single sign-on.

I added a principal and corresponding key tab file on the Mac OS X server but I don't know where to put it on FreeNAS. In the LDAP configuration I can add a key tab file to connect to LDAP without password, but I am missing the same option in the CIFS configuration. Where do I put the key tab file for CIFS?

Any help would be appreciated.
 

tigloo
No, sadly not. I've successfully kerberized Samba 3 on a Linux machine, but I don't even know where to start with Samba 4. The documentation (both Samba and FreeNAS) is not conclusive.

I am very disappointed regarding FreeNAS because Kerberos is an advertised feature (you can even configure a Kerberos realm and upload keytabs) but only LDAP has a configuration option to actually make use of that.

I've tried using the auxiliary parameters both for CIFS and AFP but haven't been successful so far.

Any help would be appreciated!
 

tigloo
Here's my current status:

- I have configured the FreeNAS LDAP service to query the Open Directory server. I can use getent on the FreeNAS box and my LDAP users show up.
- I have configured the Kerberos realm and when I use klist on the shell, I see a ticket granting ticket. Ticket granting tickets are available on FreeNAS, the Open Directory server and the client machine.
- I have created keytab files both for CIFS and AFP on the Open Directory server and copied them to the FreeNAS box. Using kvno I can acquire tickets for these services on the FreeNAS box.

The step where I'm stuck is how to tell Samba to use the keytab file.
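Before wiring the keytab into Samba it is worth confirming that the copy on the FreeNAS box really carries the cifs/ service principal and which key version number Samba will see. This is an added example, not code from the thread or from FreeNAS: a small parser for the MIT keytab v2 file format, run against a constructed sample keytab; the host name freenas.example.lan, the realm EXAMPLE.LAN and the afpserver/ principal name are assumptions.

```python
import struct
KEYTAB_V2 = b"\x05\x02"  # MIT keytab file format version 2 magic

def _counted(buf: bytes, off: int):
    # uint16 length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> list:
    """Return (principal, kvno, enctype) per entry; key material is skipped, not returned."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:        # negative size marks a deleted slot of abs(size) bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype, then the key
        _name_type, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        _key, off = _counted(data, off + 11)
        # optional trailing uint32 kvno overrides the 8-bit field when present and nonzero
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype))
        off = end
    return entries

def has_service_principal(entries: list, service: str, host: str, realm: str) -> bool:
    # True if the keytab holds service/host@REALM, the name a client asks the KDC a ticket for
    return any(p == f"{service}/{host}@{realm}" for p, _, _ in entries)

def _entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    # Encode one v2 entry (name_type 1 = KRB5_NT_PRINCIPAL); used only to build the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample (assumed host freenas.example.lan, realm EXAMPLE.LAN, dummy keys); enctype 18/17 = aes256/aes128-cts-hmac-sha1-96
SAMPLE_KEYTAB = (KEYTAB_V2 + _entry("cifs/freenas.example.lan@EXAMPLE.LAN", 3, 18, b"\x11" * 32)
                 + _entry("afpserver/freenas.example.lan@EXAMPLE.LAN", 258, 17, b"\x22" * 16))
```

On the FreeNAS box the same listing comes from `klist -k <keytab>`; the kvno it shows for cifs/host must match what `kvno cifs/host` reports from the KDC, because a service ticket encrypted under a newer key version cannot be decrypted with the keytab's older key.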
 

mattbbpl (Patron, joined May 30, 2015, 237 messages)
OK, I think we're into the PITA config options. Great....

First, I trust that you've set up NTP sync to the same server on all machines. If not, please do so.

Second, have you followed this note from the link earlier?

Note: LDAP authentication for CIFS shares will be disabled unless the LDAP directory has been configured for and populated with Samba attributes. The most popular script for performing this task is smbldap-tools and instructions for using it can be found at The Linux Samba-OpenLDAP Howto. In addition, the LDAP server must support SSL/TLS and the certificate for the LDAP server needs to be imported.
 

tigloo
All machines use the same NTP server. I've read that choosing UTC+2, CEST or Europe/Berlin may result in different timezone configurations but for what it's worth "date" shows exactly the same time on all involved machines.

I did not import the Samba schema into LDAP because that would mean Samba would authenticate against LDAP, which is not what I want. With Open Directory, a user authenticates once during login and is then issued a Kerberos TGT. With that, he is able to get service-specific tickets. I want Samba to only serve users with a valid ticket and to do rights checking via NSS (or eventually SSSD, if I understand that service's purpose correctly on FreeBSD).

In the meantime, FreeNAS somehow stopped generating sssd.conf so I re-installed from scratch and will start to rebuild the setup to the point that I described in my previous post.
 

mattbbpl
"but for what it's worth "date" shows exactly the same time on all involved machines"

This is the important part regarding NTP. I believe we can safely rule that out at this point. Unfortunately, I have zero experience with NSS/SSSD on any platform, so I'll be of little use to you in that area.
 