CMD+K
afp://tank/my_afp_share
For me, with only a couple dozen users, it's just gonna be easier to create users in FreeNAS itself. :(
You can use dscl simply if you wish to add a computer (called myhost for the sake of argument, with a couple of attributes set also):
$ dscl -u diradminuser -P adminpasswd /LDAPv3/127.0.0.1 -create /Computers/myhost.domain \
ENetAddress FF:00:AE:23:71:A4 IPAddress 192.168.1.37
and you will then automatically get all the service principals configured for you:
$ sudo ktutil list | grep myhost | grep aes256
1 aes256-cts-hmac-sha1-96 host/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 afpserver/myhost.domain@realm
1 aes256-cts-hmac-sha1-96 cifs/myhost.domain@realm
(....)
vmac01:~ root# ktutil list | grep freenas | grep cifs
1 aes256-cts-hmac-sha1-96 cifs/sdfreenasmpro.--@VMAC01.--
1 aes128-cts-hmac-sha1-96 cifs/sdfreenasmpro.--@VMAC01.--
1 des3-cbc-sha1 cifs/sdfreenasmpro.--@VMAC01.--
vmac01:~ root# kadmin -l
kadmin> ext_keytab --keytab=cifs_freenas.keytab cifs/sdfreenasmpro.--@VMAC01.--
kadmin: ext cifs/sdfreenasmpro.--@VMAC01.--: Principal does not exist
root@sdfreenasmpro:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: diradmin@VMAC01.--

  Issued                Expires               Principal
May 31 09:49:15 2019  Jun  1 09:49:16 2019  krbtgt/VMAC01.--@VMAC01.--
May 31 09:49:19 2019  Jun  1 09:49:16 2019  cifs/sdfreenasmpro.--@VMAC01.--
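The `ktutil list` output quoted in the dscl post above and in the troubleshooting session here is the evidence you have when checking whether a host's service principals actually made it into the keytab. The following is an added example, not code posted by anyone in this thread: a small parser for that output plus a check that the expected `host/`, `afpserver/` and `cifs/` principals are present with an AES-256 key, and that no deprecated enctype (such as the `des3-cbc-sha1` entry visible above) is still in the keytab. The sample text, hostname and realm are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `ktutil list` prints on macOS (Heimdal),
# modelled on the output quoted in the thread. Hostname and realm are
# placeholders, not values from the original posts.
SAMPLE_KTUTIL_LIST = """\
Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/myhost.example.test@EXAMPLE.TEST
  1  aes256-cts-hmac-sha1-96  afpserver/myhost.example.test@EXAMPLE.TEST
  1  aes256-cts-hmac-sha1-96  cifs/myhost.example.test@EXAMPLE.TEST
  1  aes128-cts-hmac-sha1-96  cifs/myhost.example.test@EXAMPLE.TEST
  1  des3-cbc-sha1            cifs/myhost.example.test@EXAMPLE.TEST
"""

# Enctypes deprecated by RFC 8429 / RFC 6649 that should not linger in a keytab.
DEPRECATED_ENCTYPES = {"des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
# Services the dscl post says a computer record gets principals for.
REQUIRED_SERVICES = ("host", "afpserver", "cifs")
STRONG_ENCTYPE = "aes256-cts-hmac-sha1-96"

# One entry line: key version number, enctype, principal. The header line
# starts with "Vno" and therefore does not match.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_ktutil_list(text):
    """Parse `ktutil list` output into {principal: {enctype: vno}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header, blank or unrelated line
            continue
        vno, enctype, principal = m.groups()
        entries[principal][enctype] = int(vno)
    return dict(entries)


def check_host_keytab(entries, host, realm):
    """Return a list of findings for the expected service principals of host@realm.

    A finding is reported when a required principal is missing, has no
    AES-256 key, or still carries a deprecated enctype.
    """
    findings = []
    for svc in REQUIRED_SERVICES:
        principal = f"{svc}/{host}@{realm}"
        keys = entries.get(principal)
        if keys is None:
            findings.append(f"missing: {principal}")
            continue
        if STRONG_ENCTYPE not in keys:
            findings.append(f"no {STRONG_ENCTYPE} key: {principal}")
        for enctype in sorted(keys):
            if enctype in DEPRECATED_ENCTYPES:
                findings.append(f"deprecated enctype {enctype}: {principal}")
    return findings


if __name__ == "__main__":
    parsed = parse_ktutil_list(SAMPLE_KTUTIL_LIST)
    for finding in check_host_keytab(parsed, "myhost.example.test", "EXAMPLE.TEST"):
        print(finding)
```

Feed it real output with `sudo ktutil list | python3 check_keytab.py`-style plumbing after replacing the constructed sample; the "missing" finding is the condition the `Principal does not exist` error in the session above corresponds to, and the deprecated-enctype finding flags entries worth cleaning up once the principal otherwise works.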
Did you make sure to allow exporting the principal?
sudo kadmin -l
kadmin> modify --attributes=-disallow-svr cifs/freenas@SERVER.HOME.NET
Note the minus sign in "-disallow-svr". Otherwise the principal cannot be exported. I had lots of strange effects with Apple's Kerberos implementation though - if you cannot fix it, delete and recreate the principal. That usually fixes it.
I have attempted to go through your how-to several times. I have tried fresh installs of FreeNAS, and I am using a fresh install of High Sierra and Server 5.6.3. I am using FreeNAS version 11.2-U5. This does not work for me at all. The FreeNAS software does not bind to Open Directory. When I attempt to enable LDAP, I see the word 'info' in red lettering.
1. Why would "Allow Anonymous Binding" be checked if a bind password (the password of the diradmin account) is included?
2. Your provided command for creating the Kerberos Principal seems to be incorrect or incomplete, as it yields a ">", which indicates it is seeking other attributes before it can continue.
Any updates on getting this to work for FreeNAS 11.3?