How to use kerberos authentication without Active Directory?

Status
Not open for further replies.

AtrusQ (Cadet, joined Mar 3, 2015, 2 messages)
Dear Forum,

I've long wanted to transition my personal storage from a mere WD My Studio to a FreeNAS box. Yesterday, I finally did it. The spec is as follows:

MB: Supermicro X10SLH-F
CPU: i3-4160
Mem: 2x8G Crucial ECC
HDD: 4x1TB (RAIDZ1 for unimportant media), 3x1TB (mirror for home directories)
FreeNAS: 9.3-STABLE-201502271818

Before this, I had built my own Xen virtualization box with 8G of memory running NetBSD 6.1. I also had my own NetBSD-based "domain controller" that acts as a Kerberos KDC as well as an LDAP server with my own schema design (the only entries every account has are pretty much the uid, gid and homeDir; their password authentication is handled by the KDC). So you see, I have a highly customized Kerberos + LDAP setup serving my own LAN. I had also been running Samba 3, also on a NetBSD virtual host, and successfully implemented Kerberos authentication with the following settings in smb.conf:

security = ads
kerberos method = secrets and keytab
realm = EXAMPLE.ORG (well, it was actually something else ;)

and I configured nsswitch to grab user/group information from the LDAP server. I also put cifs/sambasrv entries into /etc/krb5.keytab on the server.

My question, then, is how do I realize the same setup in FreeNAS 9.3? I tried to configure Kerberos in the Kerberos Realm and Kerberos Keytab tabs (with both the host/freenas and cifs/freenas entries), but they don't seem to take effect in Samba authentication. I then tried to manually edit the 'security', 'kerberos method' and 'realm' entries in /usr/local/etc/smb4.conf. This did allow my client computer to automatically get the "cifs/sambasrv@EXAMPLE.ORG" ticket from the TGT, and FreeNAS returns a list of shares. But as soon as I choose a particular share to mount (I'm using Mac OS X), the server logs the following error (the account name is joe):

Unable to find PAC for joe@EXAMPLE.ORG, resorting to local user lookup

and the Mac reports that I don't have permission to access the share.

I should also mention that I removed my original LDAP service and opted to use NIS, because it does not seem to be very straightforward to configure FreeNAS to use a custom LDAP installation either. The certificate list pulldown only seems to show CA certificates, and in order to import a CA certificate, I also need to provide the private key (which I'm not willing to distribute anywhere beyond my laptop). To prove that NIS is working fine, I checked the output of 'getent passwd' and 'getent group'. Both show the appropriate entries for joe.

Any help is greatly appreciated!! Thanks a lot!
 

AtrusQ
Hi

Some updates on my struggles today:

The "I don't have permission to access the share" was actually an unrelated issue. My share was based on /mnt/vol1/storage, which has the appropriate permissions, but my permissions on /mnt/vol1 were too strict (rwx------ for root:wheel). After correcting this issue, I actually can access the share!!

Yet quite interestingly, I can only access the share by (on a Mac) going to "Go -> Connect to Server" and specifying the server URL as smb://sambasrv/storage. In this way, if I already have a TGT, I get connected automatically; otherwise the Mac prompts for a password and grabs the TGT and the cifs/sambasrv ticket automatically. However, if I go to Finder and click on the automatically discovered server in the left sidebar, the authentication does not work, with the error "NT_STATUS_NO_LOGON_SERVERS" logged on the server. It seems that the Kerberos authentication mechanism was not used, and the password itself was sent over instead.

I'm quite happy with the current situation, but would love to be able to push forward and make it all push-button automatic for my users (mainly my wife...).

Another potential improvement I would suggest is that currently there is no way in the GUI to configure "security = ads" and such. I know that there are the "auxiliary parameters", but there is no way to remove the existing "security=user", which seems to take priority. Consequently I need to manually edit smb4.conf and restart the server every time I restart the server or make changes in the GUI, which frankly isn't that often. But it would be nice to expose this setting in some way.
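The two posts above describe the same diagnosis twice: the generated smb4.conf carries the GUI's "security = user" alongside the Kerberos parameters added by hand or through auxiliary parameters, and the keytab has to hold the host/ and cifs/ service principals the client asks for. Below is an added checker for that situation, written for this thread; it is not FreeNAS or Samba code. It assumes the service principals host/sambasrv@EXAMPLE.ORG and cifs/sambasrv@EXAMPLE.ORG (names taken from the posts), that Samba applies parameter assignments in order so the last value in a section is the effective one, and that the config text and keytab listings embedded in it are constructed samples rather than captures from a real system.

```python
"""Check smb.conf/smb4.conf plus keytab for the Kerberos-without-AD setup
in this thread.  Added example, not FreeNAS or Samba code.  Assumes the
principals host/sambasrv@EXAMPLE.ORG and cifs/sambasrv@EXAMPLE.ORG from the
thread, that Samba applies assignments in order (last value in a section
wins), and that the config text and keytab listings below are constructed."""
import re
from collections import defaultdict

# Constructed: GUI-managed 'security = user' followed by auxiliary parameters.
SAMPLE_SMB4_CONF = """\
[global]
    security = user
    workgroup = WORKGROUP
    ; auxiliary parameters
    realm = EXAMPLE.ORG
    kerberos method = secrets and keytab
    security = ads

[storage]
    path = /mnt/vol1/storage
"""
# Constructed 'klist -k' output in Heimdal layout (Vno, Type, Principal);
# MIT's 'KVNO Principal' layout is also accepted by parse_klist().
SAMPLE_KEYTAB = """\
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  host/sambasrv@EXAMPLE.ORG
  3  aes256-cts-hmac-sha1-96  cifs/sambasrv@EXAMPLE.ORG
"""
# Constructed: GUI output only, and a keytab with just the host principal.
BROKEN_CONF = "[global]\n    security = user\n    realm = EXAMPLE.ORG\n"
BROKEN_KEYTAB = "Vno  Type  Principal\n  3  aes256-cts-hmac-sha1-96  host/sambasrv@EXAMPLE.ORG\n"

# Normalized parameter name -> value the thread's working setup uses.
REQUIRED = {"security": "ads", "kerberosmethod": "secrets and keytab"}


def normalize_key(key):
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {param: [every value assigned, in order]}}.

    Every assignment is kept so a duplicated parameter can be reported
    instead of silently resolved.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)].append(value.strip())
    return sections


def effective(section):
    """Last assignment wins (assumption: Samba applies lines in order)."""
    return {param: values[-1] for param, values in section.items()}


def parse_klist(listing):
    """Principals from 'klist -k' output (Heimdal or MIT column layout)."""
    principals = set()
    for line in listing.splitlines():
        m = re.match(r"^\s*\d+\s+(?:[\w-]+\s+)?(\S+@\S+)", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_kerberos_setup(conf_text, keytab_listing, host):
    """Return a list of findings; an empty list means the setup looks right."""
    findings = []
    glob = parse_smb_conf(conf_text).get("global", {})
    eff = effective(glob)
    for param, values in glob.items():
        if len(values) > 1:
            findings.append("%s assigned %d times (%s); effective value is '%s'"
                            % (param, len(values), ", ".join(values), values[-1]))
    for param, want in REQUIRED.items():
        got = eff.get(param)
        if got is None:
            findings.append("%s not set (expected '%s')" % (param, want))
        elif got.lower() != want:
            findings.append("%s = '%s', expected '%s'" % (param, got, want))
    realm = eff.get("realm")
    if not realm:
        findings.append("realm not set")
        return findings
    principals = parse_klist(keytab_listing)
    for service in ("host", "cifs"):  # the SPNs the Mac client requested
        spn = "%s/%s@%s" % (service, host, realm.upper())
        if spn not in principals:
            findings.append("keytab lacks %s" % spn)
    return findings


if __name__ == "__main__":
    for label, conf, keytab in (("generated", SAMPLE_SMB4_CONF, SAMPLE_KEYTAB),
                                ("gui-only", BROKEN_CONF, BROKEN_KEYTAB)):
        print(label + ":")
        for finding in check_kerberos_setup(conf, keytab, "sambasrv") or ["ok"]:
            print("  " + finding)
```

To run it against a real box, feed it the text of /usr/local/etc/smb4.conf and the output of `klist -k` (or `ktutil list`) in place of the constructed strings. The authoritative view of what Samba will actually use is `testparm -s`, which prints the effective configuration; this script only reproduces that for the handful of parameters the thread cares about and adds the keytab cross-check that testparm does not do.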
 
dlavigne (Guest)
Please create a feature request at bugs.freenas.org and post the issue number here.
 