Howto: integrate Linux (Ubuntu) with $HOME on FreeNAS via Active Directory

UdoB

Dabbler
Joined
Dec 6, 2014
Messages
39
July 2016:
  • FreeNAS 9.10 is up and running with Active Directory configured and working fine
  • This post explains how to connect another computer using sssd and pam_mount, not how to set up AD.
    Specifically this is for Ubuntu Xenial 16.04 64bit. Other variants of Ubuntu/Debian might work as well; this depends mainly on package availability.
  • Of course you need to adjust your computer names and especially the IP address settings.
To have clean and documented pre-conditions I start by describing the installation of the client's OS:

Preparing a VM
This is mostly just for reference, every "normal" computer should do. I am using ESXi Version 6.0 (free). Other tools will work the same way. Create a new VM:
  • Guest: Ubuntu Linux (64bit)
  • Single NIC VMXNET 3 connected to the same LAN as FreeNAS is
  • CdRom Image ubuntu-16.04-server-amd64.iso
Network
As I want explicit manual settings I chose "Configure network manually" during installation time
  • IP Address: 10.1.110.122/16
  • Gateway: 10.1.12.254
  • Nameserver address: 10.1.110.11 # this MUST be the FreeNAS server, not your Router!
  • Hostname: xenial
  • Domain name: SRV.LAN # this MUST be the corresponding setting from FreeNAS
Irrelevant for now, but important information for later use: the FreeNAS server is known as
Code:
host fn
fn.SRV.LAN has address 10.1.110.11


Software
During installation I chose only the default "standard system utilities" plus "OpenSSH server".

First boot
After the first boot the DNS server was not configured correctly. Test it with something like "ping google.com". Verify that the content of /etc/network/interfaces contains something like
Code:
# The primary network interface
auto ens160
iface ens160 inet static
  address 10.1.110.122
  netmask 255.255.0.0
  network 10.1.0.0
  broadcast 10.1.255.255
  gateway 10.1.12.254
  # dns-* options are implemented by the resolvconf package, if installed
  dns-nameservers 10.1.110.11
  dns-search SRV.LAN
  dns-domain SRV.LAN


Inside the VM
Everything is done client-side via ssh. My usual workflow is: log in as the user created during installation, then become root via sudo -i. I usually install some tools like byobu, screen, htop and so on; this is not documented here.

Working as root eliminates the usual sudo prefix. All following commands are entered as root. It is important to have the latest updates installed, so run
Code:
apt-get update && apt-get dist-upgrade

at least one time. Now a reboot is probably necessary.

Kerberos
Code:
apt-get install msktutil smbclient cifs-utils krb5-user sssd-ad libnss-sss libpam-sss libpam-mount


Shrink down /etc/krb5.conf to a minimum; use any editor for this:
Code:
[libdefaults]
  default_realm = SRV.LAN
  rdns = no
  dns_lookup_kdc = true
  dns_lookup_realm = false

(While this should not be necessary, and the following test actually does work successfully without this, I've had problems with the default version of that file in the long run. Ymmv.)

Test it. This must work immediately. Do not continue if it does not work:
Code:
kinit Administrator
Password for Administrator@SRV.LAN:
Warning: Your password will expire in 616 days on Sun 25 Mar 2018 05:59:09 PM CEST

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SRV.LAN

Valid starting  Expires  Service principal
07/17/2016 09:05:27  07/17/2016 19:05:27  krbtgt/SRV.LAN@SRV.LAN
   renew until 07/18/2016 09:05:24


Keytab
((
Sidenote, hidden bug: I used to add "--verbose" for msktutil. For Xenial 64bit this would result in
...
*** stack smashing detected ***: msktutil terminated
))


Create a new keytab file to be used by sssd. This one is valid for xenial and also for xenial.srv.lan:
Code:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial.srv.lan -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only
No computer account for XENIAL found, creating a new one.
Error: Another computer account (CN=XENIAL,CN=Computers,DC=srv,DC=lan) has the principal host/xenial.srv.lan
Error: ldap_add_principal failed
Waiting for account replication (0 seconds past)
Waiting for account replication (5 seconds past)
Waiting for account replication (10 seconds past)
Waiting for account replication (15 seconds past)
...
^C    # stop execution manually by pressing Control-C. To be investigated...

Additionally add the short version with the hostname only instead of the FQDN:
Code:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial  -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only


Move the keytab:
Code:
mv xenial.keytab /etc/sssd/


Fill /etc/sssd/sssd.conf with
Code:
[sssd]
services = nss, pam
config_file_version = 2
domains = srv.lan
debug_level = 4

[nss]
entry_negative_timeout = 0
debug_level = 5

[pam]
debug_level = 5

[domain/srv.lan]
debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = fn.srv.lan
ad_server = fn.srv.lan

ad_domain = srv.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = XENIAL$
krb5_keytab = /etc/sssd/xenial.keytab

ldap_krb5_init_creds = true


That file must not stay world readable:
Code:
chmod 600 /etc/sssd/sssd.conf


Start the service:
Code:
service sssd start


Test name resolution:
Code:
id Administrator
uid=804400500(administrator) gid=804400513(domain users) groups=804400513(domain users),804400512(domain admins),804400520(group policy creator owners),804400518(schema admins),804400572(denied rodc password replication group),804400519(enterprise admins)


Mounting shares
My goal is to have user-specific mount actions. In particular I want $HOME itself mounted this way. Edit /etc/security/pam_mount.conf.xml

Code:
  <!-- Volume definitions -->

<volume user="*"  fstype="cifs" server="10.1.110.11" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)"  options="sec=ntlm,nodev,nosuid" />
<volume user="*" sgrp="domain users" fstype="cifs" server="10.1.110.11" path="download"  mountpoint="/home/%(DOMAIN_USER)/SRV/download"  options="sec=ntlm,nodev,nosuid" />


If everything went well this will work immediately. Under some unclear circumstances I had to reboot to make this work. Test access to this machine from another computer by ssh as a user u1:
Code:
~$ ssh u1@10.1.110.122 "pwd; mount | grep home/u1' '"
u1@10.1.110.122's password:
/home/u1
//10.1.110.11/u1 on /home/u1 type cifs (rw,nosuid,nodev,relatime,vers=1.0,sec=ntlm,cache=strict,username=u1,uid=804401105,forceuid,gid=804400513,forcegid,addr=10.1.110.11,unix,posixpaths,serverino,mapposix,acl,rsize=61440,wsize=65536,actimeo=1)
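
A post-setup check, added here and not part of the original post, that verifies what the steps above set up: the private files are mode 0600, sssd.conf still carries the AD/GSSAPI directives, and each cifs mount line is parsed for the security it negotiated. It assumes the paths used above, GNU stat as on Ubuntu, and the "mount" line format of the u1 test; the u1 line above reports vers=1.0 and sec=ntlm, which the check reports as SMB1 and NTLM rather than Kerberos.

```shell
#!/bin/sh
# Post-setup checks for the client built above. Added example, not from the
# original post; assumes its paths (/etc/sssd/sssd.conf, /etc/sssd/xenial.keytab)
# and the "mount" line format of the u1 test. Run live with: sh check.sh --live

# 0 if the file exists with mode 0600 (what chmod 600 above produces), else 1.
check_private_file() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600"; rc=1; }
    return $rc
}

# 0 if sssd.conf still carries the directives this setup depends on (AD
# providers, GSSAPI bind with the machine keytab); lists what is missing.
check_sssd_conf() {
    conf="$1"; rc=0
    for key in 'id_provider = ad' 'auth_provider = ad' 'access_provider = ad' \
               'ldap_sasl_mech = gssapi' 'ldap_sasl_authid = ' 'krb5_keytab = '; do
        grep -q "^$key" "$conf" || { echo "$conf: missing '$key'"; rc=1; }
    done
    return $rc
}

# Parse one cifs line from "mount". 0 if the share negotiated Kerberos
# (sec=krb5/krb5i) and SMB2+; 1 if it relies on NTLM or SMB1 (vers=1.0),
# as the u1 output above does; 2 if the line is not a cifs mount at all.
check_cifs_mount_line() {
    line="$1"; rc=0
    opts=$(printf '%s\n' "$line" | sed -n 's/.*type cifs (\([^)]*\)).*/\1/p')
    [ -n "$opts" ] || { echo "not a cifs mount line"; return 2; }
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
    vers=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^vers=//p')
    [ -n "$sec" ] || sec=unset; [ -n "$vers" ] || vers=unset
    case "$sec" in
        krb5|krb5i) ;;
        *) echo "sec=$sec: share is not authenticated with Kerberos"; rc=1 ;;
    esac
    case "$vers" in
        1.0|unset) echo "vers=$vers: SMB1 (or no version negotiated)"; rc=1 ;;
    esac
    return $rc
}
if [ "${1:-}" = "--live" ]; then
    check_private_file /etc/sssd/sssd.conf; check_private_file /etc/sssd/xenial.keytab
    check_sssd_conf /etc/sssd/sssd.conf
    mount | grep ' type cifs ' | while read -r l; do check_cifs_mount_line "$l"; done
fi
```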


Have fun
Udo