UdoB (Dabbler; joined Dec 6, 2014; 39 messages)
July 2016:
- FreeNAS 9.10 is up and running with Active Directory configured and working fine
- This post explains how to connect another computer using sssd and pam_mount - not how to set up AD. Specifically this is for Ubuntu Xenial 16.04 64bit. Other variants of Ubuntu/Debian might work also; this depends mainly on package availability
- Of course you need to adjust your computer names and especially the IP address settings
Preparing a VM
This is mostly just for reference, every "normal" computer should do. I am using ESXi Version 6.0 (free). Other tools will work the same way. Create a new VM:
- Guest: Ubuntu Linux (64bit)
- Single NIC VMXNET 3 connected to the same LAN as FreeNAS is
- CdRom Image ubuntu-16.04-server-amd64.iso
As I want explicit manual settings I chose "Configure network manually" during installation time
- IP Address: 10.1.110.122/16
- Gateway: 10.1.12.254
- Nameserver address: 10.1.110.11 # this MUST be the FreeNAS server, not your Router!
- Hostname: xenial
- Domain name: SRV.LAN # this MUST be the corresponding setting from FreeNAS
Code:
host fn
fn.SRV.LAN has address 10.1.110.11
Software
During installation I chose only the default "standard system utilities" plus "OpenSSH server"
First boot
After first boot the DNS server was not configured correctly. Test it with something like "ping google.com". Verify the content of /etc/network/interfaces to contain something like
Code:
# The primary network interface
auto ens160
iface ens160 inet static
	address 10.1.110.122
	netmask 255.255.0.0
	network 10.1.0.0
	broadcast 10.1.255.255
	gateway 10.1.12.254
	# dns-* options are implemented by the resolvconf package, if installed
	dns-nameservers 10.1.110.11
	dns-search SRV.LAN
	dns-domain SRV.LAN
Inside the VM
Everything is done client-side via ssh. My usual workflow is: log in as the user created during installation. Then become root via sudo -i. I usually do install some tools like byobu, screen, htop and so on - this is not documented here.
Working as root eliminates the usual sudo prefix. All following commands are entered as root. It is important to have the latest updates installed, so run
Code:
apt-get update && apt-get dist-upgrade
at least one time. Now a reboot is probably necessary.
Kerberos
Code:
apt-get install msktutil smbclient cifs-utils krb5-user sssd-ad libnss-sss libpam-sss libpam-mount
Shrink down /etc/krb5.conf to a minimum; use any editor for this:
Code:
[libdefaults]
	default_realm = SRV.LAN
	rdns = no
	dns_lookup_kdc = true
	dns_lookup_realm = false
(While this should not be necessary, and actually the following test does successfully work without this, I've had problems with the default version of that file in the long run. Ymmv.)
Test it. This must work immediately. Do not continue if it does not work:
Code:
kinit Administrator
Password for Administrator@SRV.LAN:
Warning: Your password will expire in 616 days on Sun 25 Mar 2018 05:59:09 PM CEST

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SRV.LAN

Valid starting       Expires              Service principal
07/17/2016 09:05:27  07/17/2016 19:05:27  krbtgt/SRV.LAN@SRV.LAN
	renew until 07/18/2016 09:05:24
Keytab
((
Sidenote, hidden bug: I was used to adding "--verbose" for msktutil. For Xenial 64bit this would result in
...
*** stack smashing detected ***: msktutil terminated
))
Create a new keytab file to be used by sssd. This one is valid for xenial and also for xenial.srv.lan:
Code:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial.srv.lan -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only
No computer account for XENIAL found, creating a new one.
Error: Another computer account (CN=XENIAL,CN=Computers,DC=srv,DC=lan) has the principal host/xenial.srv.lan
Error: ldap_add_principal failed
Waiting for account replication (0 seconds past)
Waiting for account replication (5 seconds past)
Waiting for account replication (10 seconds past)
Waiting for account replication (15 seconds past)
...
^C    # stop execution manually by pressing Control-C. To be investigated...
Additionally add a short version with the hostname only instead of the fqdn:
Code:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only
Move the keytab:
Code:
mv xenial.keytab /etc/sssd/
Fill /etc/sssd/sssd.conf with
Code:
[sssd]
services = nss, pam
config_file_version = 2
domains = srv.lan
debug_level = 4

[nss]
entry_negative_timeout = 0
debug_level = 5

[pam]
debug_level = 5

[domain/srv.lan]
debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = fn.srv.lan
ad_server = fn.srv.lan
ad_domain = srv.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = XENIAL$
krb5_keytab = /etc/sssd/xenial.keytab
ldap_krb5_init_creds = true
That file must not stay world readable:
Code:
chmod 600 /etc/sssd/sssd.conf
Start the service:
Code:
service sssd start
Test name resolution:
Code:
id Administrator
uid=804400500(administrator) gid=804400513(domain users) groups=804400513(domain users),804400512(domain admins),804400520(group policy creator owners),804400518(schema admins),804400572(denied rodc password replication group),804400519(enterprise admins)
Mounting shares
My goal is to have user-specific mount actions. Especially I want to have $HOME itself mounted this way. Edit /etc/security/pam_mount.conf.xml
Code:
<!-- Volume definitions -->
<volume user="*" fstype="cifs" server="10.1.110.11" path="%(DOMAIN_USER)"
        mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid" />
<volume user="*" sgrp="domain users" fstype="cifs" server="10.1.110.11" path="download"
        mountpoint="/home/%(DOMAIN_USER)/SRV/download" options="sec=ntlm,nodev,nosuid" />
If everything went well this will work immediately. Under some unclear circumstances I had to reboot to make this work. Test access to this machine from another computer by ssh as a user u1:
Code:
~$ ssh u1@10.1.110.122 "pwd; mount | grep home/u1' '"
u1@10.1.110.122's password:
/home/u1
//10.1.110.11/u1 on /home/u1 type cifs (rw,nosuid,nodev,relatime,vers=1.0,sec=ntlm,cache=strict,username=u1,uid=804401105,forceuid,gid=804400513,forcegid,addr=10.1.110.11,unix,posixpaths,serverino,mapposix,acl,rsize=61440,wsize=65536,actimeo=1)
Have fun
Udo
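As an added example (not part of Udo's post), a small Python audit that re-checks the points the walkthrough relies on: sssd.conf and the keytab it names are mode 0600, ldap_sasl_authid is the machine account, and every pam_mount volume keeps nodev,nosuid; it also flags sec=ntlm, which mount.cifs treats as the legacy NTLM scheme, so sec=krb5 or sec=ntlmssp is the stronger choice. The function names and the constructed sample files in demo() are assumptions, not anything from the post.

```python
# Added audit helper (not from the original post); paths are parameters, names are assumed.
import configparser, os, stat, tempfile
import xml.etree.ElementTree as ET

def world_accessible(path):
    """True if group or others hold any permission bit on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def check_sssd_conf(conf_path):
    """Findings for sssd.conf and the keytab it names; an empty list means OK."""
    findings = ["sssd.conf must be mode 0600"] if world_accessible(conf_path) else []
    cfg = configparser.ConfigParser(interpolation=None)  # keep %u in fallback_homedir literal
    cfg.read(conf_path)
    for sect in (s for s in cfg.sections() if s.startswith("domain/")):
        keytab = cfg.get(sect, "krb5_keytab", fallback=None)
        if not keytab or not os.path.exists(keytab):
            findings.append("%s: krb5_keytab missing" % sect)
        elif world_accessible(keytab):
            findings.append("%s: keytab must be mode 0600" % sect)
        if not cfg.get(sect, "ldap_sasl_authid", fallback="").endswith("$"):
            findings.append("%s: ldap_sasl_authid should be the machine account NAME$" % sect)
    return findings

def check_pam_mount(xml_path):
    """Findings for every <volume> in pam_mount.conf.xml."""
    findings = []
    for vol in ET.parse(xml_path).getroot().iter("volume"):
        opts, where = set(vol.get("options", "").split(",")), vol.get("mountpoint", "?")
        for needed in ("nodev", "nosuid"):
            if needed not in opts:
                findings.append("%s: add %s" % (where, needed))
        if "sec=ntlm" in opts:
            findings.append("%s: sec=ntlm is legacy NTLM; prefer sec=krb5 or sec=ntlmssp" % where)
    return findings

def demo():
    """Audit constructed files mirroring the post's config; the keytab is deliberately left 0644."""
    d = tempfile.mkdtemp()
    kt, conf, xml = (os.path.join(d, n) for n in ("xenial.keytab", "sssd.conf", "pam_mount.conf.xml"))
    open(kt, "wb").close()
    os.chmod(kt, 0o644)  # constructed defect: keytab readable by everyone
    with open(conf, "w") as f:
        f.write("[sssd]\nservices = nss, pam\ndomains = srv.lan\n[domain/srv.lan]\nid_provider = ad\n"
                "fallback_homedir = /home/%%u\nldap_sasl_authid = XENIAL$\nkrb5_keytab = %s\n" % kt)
    os.chmod(conf, 0o600)
    with open(xml, "w") as f:  # second volume constructed without nodev,nosuid
        f.write('<pam_mount><volume user="*" fstype="cifs" server="10.1.110.11" path="%(DOMAIN_USER)" '
                'mountpoint="/home/%(DOMAIN_USER)" options="sec=ntlm,nodev,nosuid"/><volume user="*" '
                'fstype="cifs" server="10.1.110.11" path="download" mountpoint="/home/%(DOMAIN_USER)/SRV/download" options="sec=ntlm"/></pam_mount>')
    return check_sssd_conf(conf), check_pam_mount(xml)
```

Running demo() reports the over-permissive keytab once and the second volume's missing nodev/nosuid, plus one sec=ntlm notice per volume.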