AtrusQ (Cadet; joined Mar 3, 2015; 2 messages)
Dear Forum
I've long wanted to transition my personal storage from a mere WD My Studio to a FreeNAS box. Yesterday, I finally did it. Specs as follows:
MB: Supermicro X10SLH-F
CPU: i3-4160
Mem: 2x8G Crucial ECC
HDD: 4X1TB (Raidz1 for unimportant media), 3X1TB (mirror for home directory)
FreeNAS: 9.3-STABLE-201502271818
Before this, I had built my own Xen virtualization box with 8G of mem running NetBSD-6.1. I also had my own NetBSD-based "domain controller" that acts as a Kerberos KDC as well as an LDAP server with my own schema design (the only entries every account has are pretty much the uid, gid and homeDir; their password authentication is handled by the KDC). So you see, I have a highly customized Kerberos + LDAP setup to serve my own LAN. I had also been running Samba 3, which was also on a NetBSD virtual host, and successfully implemented Kerberos authentication with the following settings in smb.conf:
security = ads
kerberos method = secrets and keytab
realm = EXAMPLE.ORG (well, it was actually something else ;)
and I configured nsswitch to grab user / group information from the LDAP server. I also put cifs/sambasrv entries into /etc/krb5.keytab on the server.
My question is then: how do I realize the same setup in FreeNAS 9.3? I tried to configure Kerberos in the Kerberos Realm and Kerberos Keytab tabs (with both the host/freenas and cifs/freenas entries), but they don't seem to take effect in Samba authentication. I then tried to manually edit the 'security', 'kerberos method' and 'realm' entries in /usr/local/etc/smb4.conf. This did allow my client computer to automatically get the "cifs/sambasrv@EXAMPLE.ORG" ticket from the TGT, and FreeNAS returns a list of shares. But as soon as I choose a particular share to mount (I'm using Mac OS X), the server logs the following error (the account name is joe):
Unable to find PAC for joe@EXAMPLE.ORG, resorting to local user lookup
and the Mac prompts that I don't have permission to access the share.
I should also mention that I removed my original LDAP service and opted to use NIS, because it does not seem to be very straightforward to configure FreeNAS to use a custom LDAP installation either. The certificate list pulldown only seems to show CA certificates, and in order to import a CA certificate, I also need to provide the private key (which I'm not willing to distribute anywhere beyond my laptop). To prove that NIS is working fine, I checked the output of 'getent passwd' and 'getent group'. Both are showing the appropriate entries for joe.
Any help is greatly appreciated!! Thanks a lot!
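The post ties three pieces together: the Kerberos settings in smb.conf (security, kerberos method, realm), the service principals in the server keytab, and the NSS user database that the logged "resorting to local user lookup" falls back to. The script below is an added example, not code from the post or from FreeNAS/Samba; it checks those three pieces against each other offline. All inputs are constructed for the example (the smb.conf globals, a keytab principal list in the format of the last column of `klist -kt`, and a `getent passwd` listing), the server name `NAS_FQDN` is an assumption, and mapping a client principal to a local account by stripping `@REALM` is an assumed model of the fallback, not a statement of Samba's exact behaviour.

```shell
#!/bin/sh
# Added example (not from the forum post or the FreeNAS/Samba projects).
# Cross-checks smb.conf Kerberos settings, keytab principals and the NSS
# passwd database. Every input below is constructed; to use it on a real
# box, substitute the output of "testparm -s", "klist -kt /etc/krb5.keytab"
# and "getent passwd".

# Constructed smb.conf globals, mirroring the settings quoted in the post.
SMB_CONF='[global]
security = ads
kerberos method = secrets and keytab
realm = EXAMPLE.ORG'

# Constructed keytab principal list (the last column of "klist -kt").
KEYTAB_PRINCIPALS='host/freenas.example.org@EXAMPLE.ORG
cifs/freenas.example.org@EXAMPLE.ORG'

# Constructed "getent passwd" output as served by NIS/LDAP.
PASSWD_DB='root:*:0:0:Charlie &:/root:/bin/csh
joe:*:1001:1001:Joe:/home/joe:/bin/sh'

# Assumed server name: the host part of the service principals above.
NAS_FQDN='freenas.example.org'

# Print the value of a [global] parameter from SMB_CONF ("" if unset).
smb_param() {
    printf '%s\n' "$SMB_CONF" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# 0 if smb.conf carries the three Kerberos settings quoted in the post,
# otherwise a code saying which one is missing or wrong.
check_smb_kerberos() {
    [ "$(smb_param security)" = "ads" ] || return 1
    [ "$(smb_param 'kerberos method')" = "secrets and keytab" ] || return 2
    [ -n "$(smb_param realm)" ] || return 3
}

# 0 if the keytab holds exactly <service>/<host>@<realm>.
keytab_has_principal() {
    printf '%s\n' "$KEYTAB_PRINCIPALS" | grep -q -x "$1/$2@$3"
}

# Map a client principal to a local account name by stripping "@REALM".
# This is an assumed model of the "local user lookup" fallback.
principal_to_local_user() {
    printf '%s\n' "${1%@*}"
}

# 0 if NSS knows the account (what the fallback lookup depends on).
nss_user_exists() {
    printf '%s\n' "$PASSWD_DB" | grep -q "^$1:"
}

# Run every check for one client principal; 0 only if all of them pass.
check_all() {
    rc=0
    check_smb_kerberos \
        || { echo "smb.conf: Kerberos setting missing (code $?)"; rc=1; }
    realm=$(smb_param realm)
    for svc in host cifs; do
        keytab_has_principal "$svc" "$NAS_FQDN" "$realm" \
            || { echo "keytab: no $svc/$NAS_FQDN@$realm"; rc=1; }
    done
    user=$(principal_to_local_user "$1")
    nss_user_exists "$user" || { echo "nss: no local account '$user'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: $1 maps to local account $user"
    return "$rc"
}

check_all joe@EXAMPLE.ORG
```

Each failing check prints one line naming the layer at fault, so a mismatch between the realm in smb.conf and the realm in the keytab principals, a keytab entry written for a short hostname rather than the name the client asks for, or an account that NSS cannot see each show up separately instead of as a single "no permission" prompt on the client.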