Howto: integrate Linux (Ubuntu) with $HOME on FreeNAS via Active Directory


Dec 6, 2014
July 2016:
  • FreeNAS 9.10 is up and running with Active Directory configured and working fine
  • This post explains how to connect another computer using sssd and pam_mount - not how to set up AD.
    Specifically this is for Ubuntu Xenial 16.04 64bit. Other variants of Ubuntu/Debian might work as well; this depends mainly on package availability.
  • Of course you need to adjust your computer names and especially the IP address settings.
To have clean and documented preconditions, I start by describing the installation of the client's OS:

Preparing a VM
This is mostly just for reference; every "normal" computer should do. I am using ESXi Version 6.0 (free). Other tools will work the same way. Create a new VM:
  • Guest: Ubuntu Linux (64bit)
  • Single NIC VMXNET 3 connected to the same LAN as FreeNAS is
  • CdRom Image ubuntu-16.04-server-amd64.iso
As I want explicit manual settings, I chose "Configure network manually" during installation:
  • IP Address:
  • Gateway:
  • Nameserver address: # this MUST be the FreeNAS server, not your Router!
  • Hostname: xenial
  • Domain name: SRV.LAN # this MUST be the corresponding setting from FreeNAS
Irrelevant for now but important information for later use: the FreeNAS server is known as
host fn
fn.SRV.LAN has address

During installation I chose only the default "standard system utilities" plus "OpenSSH server".

First boot
After the first boot the DNS server was not configured correctly. Test it with something like "ping". Verify that /etc/network/interfaces contains something like
# The primary network interface
auto ens160
iface ens160 inet static
  # dns-* options are implemented by the resolvconf package, if installed
  dns-search SRV.LAN
  dns-domain SRV.LAN

Inside the VM
Everything is done client-side via ssh. My usual workflow is: log in as the user created during installation, then become root via sudo -i. I usually install some tools like byobu, screen, htop and so on - this is not documented here.

Working as root eliminates the usual sudo prefix. All following commands are entered as root. It is important to have the latest updates installed, so run
apt-get update && apt-get dist-upgrade

at least once. A reboot is probably necessary afterwards.

apt-get install msktutil smbclient cifs-utils krb5-user sssd-ad libnss-sss libpam-sss libpam-mount

Shrink /etc/krb5.conf down to a minimum; use any editor for this:
[libdefaults]
  default_realm = SRV.LAN
  rdns = no
  dns_lookup_kdc = true
  dns_lookup_realm = false

(While this should not be necessary, and the following test actually does work successfully without this, I've had problems with the default version of that file in the long run. YMMV.)

Test it. This must work immediately. Do not continue if it does not work:
kinit Administrator
Password for Administrator@SRV.LAN:
Warning: Your password will expire in 616 days on Sun 25 Mar 2018 05:59:09 PM CEST

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SRV.LAN

Valid starting  Expires  Service principal
07/17/2016 09:05:27  07/17/2016 19:05:27  krbtgt/SRV.LAN@SRV.LAN
   renew until 07/18/2016 09:05:24

Side note, hidden bug: I used to add "--verbose" for msktutil. On Xenial 64bit this results in
*** stack smashing detected ***: msktutil terminated

Create a new keytab file to be used by sssd. This one is valid for xenial and also for xenial.srv.lan:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial.srv.lan -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only
No computer account for XENIAL found, creating a new one.
Error: Another computer account (CN=XENIAL,CN=Computers,DC=srv,DC=lan) has the principal host/xenial.srv.lan
Error: ldap_add_principal failed
Waiting for account replication (0 seconds past)
Waiting for account replication (5 seconds past)
Waiting for account replication (10 seconds past)
Waiting for account replication (15 seconds past)
^C    # stop execution manually by pressing Control-C. To be investigated...

Additionally add the short version with the hostname only instead of the FQDN:
msktutil -N -c -b 'CN=COMPUTERS' -s HOST/xenial  -k xenial.keytab --computer-name XENIAL --upn XENIAL$ --server fn.srv.lan --user-creds-only

Move the keytab:
mv xenial.keytab /etc/sssd/

Fill /etc/sssd/sssd.conf with
[sssd]
services = nss, pam
config_file_version = 2
domains = srv.lan
debug_level = 4

[nss]
entry_negative_timeout = 0
debug_level = 5

[pam]
debug_level = 5

[domain/srv.lan]
debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = fn.srv.lan
ad_server = fn.srv.lan

ad_domain = srv.lan
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = XENIAL$
krb5_keytab = /etc/sssd/xenial.keytab

ldap_krb5_init_creds = true

That file must not stay world-readable:
chmod 600 /etc/sssd/sssd.conf

Start the service:
service sssd start

Test name resolution:
id Administrator
uid=804400500(administrator) gid=804400513(domain users) groups=804400513(domain users),804400512(domain admins),804400520(group policy creator owners),804400518(schema admins),804400572(denied rodc password replication group),804400519(enterprise admins)

Mounting shares
My goal is to have user-specific mount actions; in particular, I want $HOME itself mounted this way. Edit /etc/security/pam_mount.conf.xml

  <!-- Volume definitions -->

<volume user="*"  fstype="cifs" server="" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)"  options="sec=ntlm,nodev,nosuid" />
<volume user="*" sgrp="domain users" fstype="cifs" server="" path="download"  mountpoint="/home/%(DOMAIN_USER)/SRV/download"  options="sec=ntlm,nodev,nosuid" />

If everything went well, this works immediately. Under some unclear circumstances I had to reboot to make it work. Test access to this machine from another computer by ssh as a user u1:
~$ ssh u1@ "pwd; mount | grep home/u1' '"
u1@'s password:
// on /home/u1 type cifs (rw,nosuid,nodev,relatime,vers=1.0,sec=ntlm,cache=strict,username=u1,uid=804401105,forceuid,gid=804400513,forcegid,addr=,unix,posixpaths,serverino,mapposix,acl,rsize=61440,wsize=65536,actimeo=1)
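A small audit script for the per-user mounts, added here as an example and not part of the original post: it parses a `mount` line like the one above, confirms that the nodev/nosuid options requested in pam_mount.conf.xml are in effect, and reports the legacy `sec=ntlm` (NTLMv1) and `vers=1.0` (SMB1) settings visible in the output. SERVER_IP in the sample line is a constructed placeholder for the redacted address.

```shell
# Added example (not from the original post): audit cifs mount options as
# printed by `mount`. Checks nodev/nosuid took effect and flags legacy
# authentication (sec=ntlm) and dialect (vers=1.0, i.e. SMB1).

# Constructed sample modelled on the page's output; SERVER_IP is a placeholder.
SAMPLE_LINE='//SERVER_IP/u1 on /home/u1 type cifs (rw,nosuid,nodev,relatime,vers=1.0,sec=ntlm,cache=strict,username=u1,uid=804401105,forceuid,gid=804400513,forcegid,addr=SERVER_IP,unix,posixpaths,serverino,mapposix,acl,rsize=61440,wsize=65536,actimeo=1)'

# Print the comma-separated option list (the text inside the parentheses).
cifs_opts() {
    printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p'
}

# Succeed when the bare flag $2 is present in the option list $1.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Print the value of the key=value option $2 from option list $1, empty when absent.
opt_value() {
    printf '%s\n' ",$1," | sed -n "s/.*,$2=\([^,]*\),.*/\1/p"
}

# Audit one mount line: prints "OK" or a "FINDINGS:" list; exit status 1 on any finding.
audit_cifs_line() {
    opts=$(cifs_opts "$1")
    findings=""
    for required in nosuid nodev; do
        has_opt "$opts" "$required" || findings="$findings missing:$required"
    done
    sec=$(opt_value "$opts" sec)
    case "$sec" in
        ntlm|ntlmi|none) findings="$findings weak:sec=$sec" ;;   # NTLMv1 or unauthenticated
    esac
    vers=$(opt_value "$opts" vers)
    case "$vers" in
        1.0) findings="$findings weak:vers=$vers" ;;              # SMB1 dialect
    esac
    [ -z "$findings" ] && { echo "OK"; return 0; }
    echo "FINDINGS:$findings"
    return 1
}

# On a live system: one verdict per mounted cifs share.
audit_live_mounts() {
    mount | grep ' type cifs ' | while IFS= read -r line; do
        printf '%s -> %s\n' "${line%% *}" "$(audit_cifs_line "$line")"
    done
}
```

Run `audit_live_mounts` after the ssh login test to see the verdict for every cifs mount on the client.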

Have fun