Kerberos, CIFS, AFP and NFS

Status
Not open for further replies.

DataMover

Explorer
Joined
Feb 18, 2014
Messages
50
Hi,

I am on the current stable train and just wondering, if anybody could post a step-by-step guide for

- integrating AFP and Kerberos
- integrating NFS and Kerberos

Environment: FreeNAS is the one and only Domain Controller (Role: Active Directory Domain Controller). User authentication and CIFS is working great - from Windows PCs and Mac (OS X 10.10)

My focus is on OS X. My Mac is still asking for username and password instead of using Kerberos, if I try to connect through AFP.

NFS will only succeed when no krb* security is set at all. Otherwise it will throw a permission denied.

Kind regards
C.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
What errors are you getting on the FreeNAS side? Without something more to go on, there's nowhere to start trying to diagnose the issue.
 

DataMover

Explorer
Joined
Feb 18, 2014
Messages
50
What errors are you getting on the FreeNAS side? Without something more to go on, there's nowhere to start trying to diagnose the issue.

Sorry, should have said: I can't see any errors on the FreeNAS side. Maybe it's just me doing the wrong steps (following the FreeNAS 9.3 documentation) or setting wrong values in FreeNAS's dialog boxes.

What I've done:

- set up FreeNAS box (let's name it "nas"), updated to latest current stable (no more updates available by now)
- configured it as a Samba4 AD Domain Controller using Samba's internal DNS:
Realm: MYDOMAIN.NET
Domain: MYDOMAIN
Server Role: active directory domain controller
Domain Forest Level: 2008_R2
Kerberos Realm: ----
- created a user JohnDoe

- set up a CIFS share:
Browsable to Network Clients and Allow Guest Access are set, everything else not
VFS Objects selected: aio_pthread, streams_xattr (although this must have happened automatically, not done by me)

- set up AFP service:
have not changed anything, just switched on the service
- set up an AFP share:
only No Stats and AFP3 Unix Privs selected
- set folder permissions on the folders used for the shares

- joined my MacBook (OS X 10.10.2) to the Domain and logged on using JohnDoe (which has never been created manually on the Mac)
What happens:

- authentication succeeds, for I can log on with JohnDoe's Domain credentials
- verified, that there is a TGT after log on
- verified that my Mac exists as an object in Samba4 AD on FreeNAS
- listed SPNs of nas$ (my FreeNAS machine) from its AD
- verified DNS entries for the FreeNAS box and my Mac in Samba's internal DNS

With only CIFS sharing enabled, AFP service disabled (and logged on as JohnDoe):
- accessing server nas from Finder's sidebar succeeds and shows list of CIFS shares; connected as switches to JohnDoe
- accessing CIFS share on nas from finder's sidebar succeeds without any further credentials to enter
- can see a CIFS service ticket then via klist
- can see successful Kerberos authentication on FreeNAS in /var/log/samba4/log.samba

With CIFS and AFP sharing enabled:
- accessing server nas from Finder's sidebar shows nothing; connected as says not connected
- after clicking on connect as and entering my password (Username is already filled in), I can see the AFP share and access it
- I don't see any Kerberos service ticket
- /var/log/samba4/log.samba shows that NTLM has been used instead of Kerberos

Let's put NFS on hold for now, as going step-by-step is more advisable.

I strongly recommend showing how it should work, including all settings in all involved configuration screens of FreeNAS's GUI, for

- my setup is not very special
- I have no special requirements for now
- all in all it is a plain vanilla configuration

But if you recommend diagnosing my setup first, please guide me to where I can find the necessary logs and configuration files.
BTW: talking about config files - can someone tell me where the SPN for FreeNAS/Sambas CIFS service/shares comes from, as it is not listed as an SPN for the server's object in AD.

Kind regards
 

DataMover

Explorer
Joined
Feb 18, 2014
Messages
50
Were you able to figure this out?

I'm afraid not (yet). But I see the same effect on my Mac mini, which is running OS X 10.10 Server.

The Mac mini is also bound to Active Directory on samba (on FreeNAS) and I can see that this OS X has added SPNs to AD by itself (vs. manually by me):

cifs/mini.mydomain.net
afpserver/mini.mydomain.net

BTW: this is more than FreeNAS is doing. FreeNAS will not add SPNs if I enable AFP or NFS service, which is (IMHO) kind of a bug (for SPNs are crucial to kerberos).

But in the end, even on the Mac mini, only CIFS/SMB will use kerberos. Trying to access the AFP share prompts me with the "enter credentials" box and uses NTLM afterwards. This all seems strange.
 
D

dlavigne

Guest
FreeNAS will not add SPNs if I enable AFP or NFS service, which is (IMHO) kind of a bug (for SPNs are crucial to kerberos). But in the end, even on the Mac mini, only CIFS/SMB will use kerberos. Trying to access the AFP share prompts me with the "enter credentials" box and uses NTLM afterwards. This all seems strange.

Please create a bug report at bugs.freenas.org and post the issue number here.
 
Joined
Oct 8, 2016
Messages
8
Did you ever get this to work? I am experiencing the same situation with FreeNAS and an NFSv4 share with the sec=krb5 option. Whenever I activate the secure feature and run the following command on the CLIENT:

mount -t nfs4 -o sec=krb5 IP:/mount_dir /mount_local

The response is only a Permission Denied error.

I would like to know if there is any way that I can enable a more verbosity option in FreeNAS just so it would give me a better insight on what's going on.
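The thread's symptoms (a TGT is present, the CIFS ticket appears in klist, but the AFP or NFS mount falls back to NTLM or fails with "Permission denied") all come down to one question: did the client obtain a service ticket for the server's SPN? The mount tools do not say, but the ticket cache does. The following is an added diagnostic, not code from the thread or from FreeNAS: it parses MIT-style `klist` output (the format is an assumption; Heimdal on macOS prints a different layout), and reports, for each SPN the client would need, whether a valid ticket is present, expired, or missing. The sample cache and the SPN names `cifs/nas.mydomain.net`, `nfs/nas.mydomain.net` and `afpserver/nas.mydomain.net` are constructed from the hostname and realm used in the thread.

```python
import re
from datetime import datetime

# MIT klist prints one ticket per line as "<valid starting> <expires> <service@REALM>".
# The indented "renew until ..." continuation line does not match and is skipped.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+)$"
)
TS_FMT = "%m/%d/%Y %H:%M:%S"

# Constructed sample of MIT klist output (not a real capture). The nfs ticket is
# from the previous day and is therefore expired at NOW below.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: JohnDoe@MYDOMAIN.NET

Valid starting       Expires              Service principal
03/14/2015 09:00:01  03/14/2015 19:00:01  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
	renew until 03/21/2015 09:00:01
03/14/2015 09:02:10  03/14/2015 19:00:01  cifs/nas.mydomain.net@MYDOMAIN.NET
03/13/2015 08:00:00  03/13/2015 18:00:00  nfs/nas.mydomain.net@MYDOMAIN.NET
"""

# Assumed SPNs for a server named "nas" in realm MYDOMAIN.NET offering CIFS, NFS and AFP.
EXPECTED_SPNS = [
    "cifs/nas.mydomain.net",
    "nfs/nas.mydomain.net",
    "afpserver/nas.mydomain.net",
]
NOW = datetime(2015, 3, 14, 12, 0, 0)  # fixed "current time" so the example is deterministic


def parse_klist(text):
    """Return (default principal, list of {'service', 'expires'}) from klist output."""
    principal = None
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "expires": datetime.strptime(m.group(2), TS_FMT),
            })
    return principal, tickets


def has_tgt(tickets, realm, now):
    """True if an unexpired krbtgt/REALM ticket is in the cache (kinit succeeded)."""
    for t in tickets:
        if t["service"].startswith("krbtgt/" + realm) and t["expires"] > now:
            return True
    return False


def check_service_tickets(tickets, expected, now):
    """Classify each expected SPN as 'valid', 'expired' or 'missing'.

    'missing' after a mount attempt usually means the client never asked the KDC
    for that service (wrong name, no such SPN registered, or the protocol fell
    back to NTLM); 'expired' means the ticket exists but will be refused.
    """
    by_service = {}
    for t in tickets:
        name = t["service"].split("@", 1)[0]  # drop the realm suffix
        by_service[name] = t
    report = {}
    for spn in expected:
        t = by_service.get(spn)
        if t is None:
            report[spn] = "missing"
        elif t["expires"] <= now:
            report[spn] = "expired"
        else:
            report[spn] = "valid"
    return report


if __name__ == "__main__":
    principal, tickets = parse_klist(KLIST_SAMPLE)
    print("principal:", principal)
    print("TGT present:", has_tgt(tickets, "MYDOMAIN.NET", NOW))
    for spn, state in check_service_tickets(tickets, EXPECTED_SPNS, NOW).items():
        print(f"{spn}: {state}")
```

Run it against real output by replacing `KLIST_SAMPLE` with the text of `klist` captured right after the failing mount and `NOW` with `datetime.now()`. If the TGT is present but the SPN you expected is "missing", the problem is on the naming side (SPN not registered for the server's account, or the client requesting a different name than the one in the KDC), not on the password side.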
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Did you kinit? Can you klist? You can probably check the krb5 logs.

Sent from my Nexus 5X using Tapatalk
 

DataMover

Explorer
Joined
Feb 18, 2014
Messages
50
In the meantime I've changed some things and do not have the need for NFS and AFP anymore. Even Apple favors SMB over AFP and I have some Windows machines running. So, SMB is my (only) route to go - and Kerberos is working like a charm with SMB (CIFS) shares.
 
Joined
Oct 8, 2016
Messages
8
Did you kinit? Can you klist? You can probably check the krb5 logs.

Sent from my Nexus 5X using Tapatalk

SweetAndLow, thank you for your time.

Yes, I can kinit and klist tickets from both the NFS server machine (FreeNAS) and the client. On the client I can even log in with FreeIPA credentials.
In the meantime I've changed some things and do not have the need for NFS and AFP anymore. Even Apple favors SMB over AFP and I have some Windows machines running. So, SMB is my (only) route to go - and Kerberos is working like a charm with SMB (CIFS) shares.


I am still having problems with NFSv4. If you are saying that SMB is a successful scenario I will give it a try. Would it be okay if I asked you for the exact steps that you followed to get the SMB share working on your Linux machines? This is a very important and urgent matter for me and I hope I am not bothering you too much. But I would sincerely appreciate it if you could share the steps you went through to get it to work.

@SweetAndLow Yes, I can kinit and klist and the client machines can login correctly using FreeIPA users.

Another question that I have is, within the client Linux machines I can't run any ldapsearch command. It just says can't connect to LDAP server. My guess would be because the FreeIPA server encrypts access to the LDAP? Is this necessary for this to work and enforce permissions? Or would just having Kerberos users being able to log in to the system be enough to authenticate mounts?

Anyway, the end goal for me is to be able to automount home directories for the users, enforce ACLs so that only the owner can access their files, and ultimately have them be able to access the same home directory from different machines.

Is this possible using FreeNAS (9.10) + FreeIPA(4)? Is that what you have @DataMover ?
 

DataMover

Explorer
Joined
Feb 18, 2014
Messages
50
I am really sorry, but I have to tell you: I am using SMB from Mac and Windows only. Also I am not using FreeIPA. I am a Windows guy at work and brought most of it home: running Windows Server with Active Directory. FreeNAS (9.19) is now only a member server of my Domain.

Sorry, that I can't help you and: no, you don't bother me at all ;-)
 