Red Hat Identity (FreeIPA) and Samba working in TrueNAS - what is the status and is it possible?

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
Hi,
is it possible to get FreeIPA authentication with Samba sharing on TrueNAS 12-U1? I've read that it last worked well on FreeNAS 10.
There are hints in JIRA it can be done, but is there a guide maybe?

What works for me:
  • FreeIPA working for years, authenticating users, etc.
  • LDAP configured and working on TrueNAS, I can ssh to TrueNAS box with FreeIPA user, getent works and lists users and groups.
  • ipa-adtrust-install was run on FreeIPA - I needed ipaNTHash attribute for FreeRADIUS authentication - this is working fine.
What doesn't work:
  • Samba sharing with FreeIPA users - if I try to access samba share with FreeIPA user, I see "NT_STATUS_NO_SUCH_USER" error in /var/log/samba4/auth_audit.log
  • Cannot enable "Samba Schema (DEPRECATED - see help text)" - I get a message that "Remote LDAP server does not have Samba schema extensions."
    But do I really need it enabled, particularly since it is "DEPRECATED - see help text" ?

Any hints or help is much appreciated.
Thanks!

shpokas
 

Attachments

  • Screenshot 2020-12-28 at 12.05.43.png (659.2 KB)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Generally speaking, over SMB protocol there are two authentication methods NTLM and Kerberos. The former requires the server to have access to an NT hash (basically unsalted MD4) of user password, and there was a legacy manner in which these could be stored in a remote LDAP server's schema (Classic Domain Controller). This role has been formally deprecated as of Samba 4.13, and will basically be removed in Samba 4.14 ("domain logons" parameter will be removed). This means that even if you were to add the Samba Schema extensions, TN 12.0 would probably be the last release in which it's possible to use that functionality.... which leaves Kerberos. _If_ you upload a kerberos keytab for an account with the requisite service principals, you have "obey pam restrictions" set, winbind idmap configured for the requisite domain, and client configured to use kerberos authentication for SMB session, then it will probably work correctly (it did in a very brief smoke test where I checked it a year or two ago).
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
Many thanks for your reply! Now I understand slightly better which way to go.
> you upload a kerberos keytab for an account with the requisite service principals
Does a service principal belong to (is it tied to) an account?

Anyway, this is what I did, basically following this. Created a keytab on the FreeIPA server:
kinit admin
ipa host-add truenas.fqdn
ipa-getkeytab -p host/truenas.fqdn@REALM -k truenas.keytab
Then added the keytab to FreeNAS and configured a realm.

But when I try to add Kerberos part to LDAP configuration, I get an error about invalid credentials or so it says.
Screenshot 2020-12-28 at 14.42.13.png
Error:
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 586, in ldap_validate
    ldap_has_samba_schema = True if (await self.middleware.call('ldap.get_workgroup', data)) else False
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1238, in call
    return await self._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 871, in get_workgroup
    if len(ret) > 1:
TypeError: object of type 'NoneType' has no len()

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/service.py", line 356, in update
    rv = await self.middleware._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 686, in do_update
    await self.middleware.call('ldap.ldap_validate', new, verrors)
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1238, in call
    return await self._call(
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 588, in ldap_validate
    await self.convert_ldap_err_to_verr(data, e, verrors)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/ldap.py", line 537, in convert_ldap_err_to_verr
    if e.extra == "INVALID_CREDENTIALS":
AttributeError: 'TypeError' object has no attribute 'extra'
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
I also tried the same config on Freenas 11, but there I got an error about self-signed certificate.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Try disabling LDAP service first with the samba schema disabled. Then add your kerberos keytab to the server, then select the principal in the dropdown for LDAP, then enable.
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
> You'll also need to configure the kerberos realm for your FreeIPA domain.
I did as told and now I have TrueNAS LDAP directory service enabled with Kerberos attributes.
And the same error as before when I try to connect to Samba share :smile:

Do I also need AD to be configured? Because the configuration options you mentioned I can find only in the AD configuration tab:
> you have "obey pam restrictions" set, winbind idmap configured for the requisite domain, and client configured to use kerberos authentication for SMB session
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Can you PM a debug to look at middleware log regarding traceback? (obey pam restrictions can be an aux parameter for SMB service). You have to correctly configure account / keytab in FreeIPA to provide SMB access (hence mention of having correct Kerberos SPN to provide SMB share access). You can look at Kerberos SPNs generated for computer accounts in AD for a template on how to configure your FreeIPA computer account's kerberos keytab.
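The two replies above turn on the server having a keytab with the right service principals for SMB. The following is an added example, not code from the thread, TrueNAS or FreeIPA: it parses the listing that MIT Kerberos `klist -kt <keytab>` prints and reports which expected principals are absent or sit in the wrong realm. That an SMB server needs a `cifs/<fqdn>` principal alongside `host/<fqdn>` is stated here as an assumption drawn from the usual FreeIPA file-server setup; the host name `truenas.example.test`, the realm `EXAMPLE.TEST` and the sample listings are constructed.

```python
"""Check whether a Kerberos keytab carries the SPNs an SMB server needs.

Added example (not code from the thread, TrueNAS or FreeIPA). It parses the
text that MIT Kerberos `klist -kt <keytab>` prints and reports which of the
expected principals are missing. That an SMB server needs a cifs/<fqdn>
principal in addition to host/<fqdn> is an assumption stated here, taken
from the usual FreeIPA file-server setup, not from the thread.
"""
import subprocess
import sys
from typing import Dict, List, Set

# Constructed sample: `klist -kt` output for a keytab made with only the
# host/ principal, like the ipa-getkeytab step earlier in the thread.
SAMPLE_HOST_ONLY = """\
Keytab name: FILE:truenas.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/28/2020 14:30:11 host/truenas.example.test@EXAMPLE.TEST
   2 12/28/2020 14:30:11 host/truenas.example.test@EXAMPLE.TEST
"""

# The same keytab after a cifs/ principal was also exported into it (constructed).
SAMPLE_WITH_CIFS = SAMPLE_HOST_ONLY + \
    "   2 12/28/2020 14:35:02 cifs/truenas.example.test@EXAMPLE.TEST\n"


def parse_klist(output: str) -> Set[str]:
    """Return the distinct principals named in `klist -k` / `klist -kt` output.

    Entry lines start with a numeric KVNO and end with the principal, so the
    optional timestamp columns do not matter; header and rule lines are skipped.
    """
    principals: Set[str] = set()
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].isdigit():
            principals.add(tokens[-1])
    return principals


def required_principals(fqdn: str, realm: str) -> Dict[str, str]:
    """Principals an SMB server is assumed to need: host/ and cifs/ in the realm."""
    return {"host": f"host/{fqdn}@{realm}", "cifs": f"cifs/{fqdn}@{realm}"}


def missing_principals(output: str, fqdn: str, realm: str) -> List[str]:
    """List required principals absent from the keytab listing, host/ before cifs/."""
    present = parse_klist(output)
    return [p for p in required_principals(fqdn, realm).values() if p not in present]


def wrong_realm_principals(output: str, realm: str) -> List[str]:
    """Principals whose realm differs from the one the server is configured for.

    Kerberos realms are case-sensitive: a keytab exported with a lowercase
    realm looks fine at a glance but never matches what clients request.
    """
    return sorted(p for p in parse_klist(output) if not p.endswith("@" + realm))


def check_keytab_file(path: str, fqdn: str, realm: str) -> List[str]:
    """Run `klist -kt` on a real keytab file and return the missing principals."""
    result = subprocess.run(["klist", "-kt", path], capture_output=True, text=True, check=True)
    return missing_principals(result.stdout, fqdn, realm)


if __name__ == "__main__":
    # Usage: python check_keytab.py <keytab> <fqdn> <REALM>; with no arguments
    # the constructed samples are used, so the script runs without Kerberos installed.
    if len(sys.argv) == 4:
        print("missing:", check_keytab_file(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        for name, sample in (("host-only", SAMPLE_HOST_ONLY), ("with cifs", SAMPLE_WITH_CIFS)):
            print(name, "missing:", missing_principals(sample, "truenas.example.test", "EXAMPLE.TEST"))
```

Run against the real keytab that was uploaded to the NAS; a non-empty "missing" list for the cifs/ entry is the first thing to rule out before looking at idmap or PAM settings.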
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
Now I have a working configuration which ½ consists of LDAP+Kerberos and the other ½ is Samba manual configuration from here.
Two screenshots to describe.
I can authenticate to Samba share with FreeIPA user, read and write files.
How stable is it and would it survive any TrueNAS updates? ¯\_(ツ)_/¯
 

Attachments

  • Screenshot 2020-12-28 at 22.21.36.png (634.4 KB)
  • Screenshot 2020-12-28 at 22.24.00.png (552.5 KB)

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
You're basically relying on pam_krb5 for auth. It's pretty stable. I don't expect the samba / pam integration to change any in the near term. Middleware component is using kerberos / GSSAPI for authentication so nothing non-standard here. The steps to get to this place are fiddly though and require some knowledge of underlying protocols and FreeIPA (with most of config happening off the NAS). This is the part that makes it somewhat less easy to have as an officially blessed configuration (compared to AD setup where users just provide a username / password combo and we can automatically take care of almost all config details auto-magically).
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
I was naïve...
This works only with macOS client (why?) o_O
Windows client refuses to connect, client side error is
The mapped network drive could not be created because the following error has occurred: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

On TrueNAS side I see
"status": "NT_STATUS_NO_LOGON_SERVERS"

Linux also refuses to connect, but for now that's less of a concern. Probably because it doesn't have a keytab? But how then macOS gets one?
$ smbclient -k //truenas.fqdn/test
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

None of the clients I tried is joined to FreeIPA in any way, just a free standing PC or virtual machine.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> I was naïve...
> This works only with macOS client (why?) o_O
> Windows client refuses to connect, client side error is
> The mapped network drive could not be created because the following error has occurred: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.
>
> On TrueNAS side I see
> "status": "NT_STATUS_NO_LOGON_SERVERS"
>
> Linux also refuses to connect, but for now that's less of a concern. Probably because it doesn't have a keytab? But how then macOS gets one?
> $ smbclient -k //truenas.fqdn/test
> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER
>
> None of the clients I tried is joined to FreeIPA in any way, just a free standing PC or virtual machine.
The clients have to kinit / have a kerberos ticket. NTLM auth isn't available in a FreeIPA environment.

Big picture, these are reasons why (unless you have a pre-existing environment), it's generally better to use AD (Linux or Windows domain controllers) than FreeIPA if you need to provide SMB access.
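The reply above explains the two failures in the thread: clients without a Kerberos ticket fall back to NTLM, which a FreeIPA-backed server cannot serve, so the session setup ends with NT_STATUS_NO_LOGON_SERVERS or NT_STATUS_NO_SUCH_USER. The script below is an added example, not code from the thread, TrueNAS or Samba: it reads the JSON records Samba writes to auth_audit.log, tallies them by authentication mechanism and NT status, and lists the client addresses that tried NTLM and failed, which in this setup are the machines still lacking a ticket. It assumes the record layout Samba emits at `log level = auth_json_audit:3` (fields `status`, `passwordType`, `clientAccount`, `remoteAddress`), each line carrying the JSON after a "JSON Authentication:" marker; the sample lines, addresses and account names are constructed and trimmed to the fields used.

```python
"""Summarise Samba auth_audit.log records by mechanism and NT status.

Added example; not code from the thread, TrueNAS or Samba. It assumes the
JSON "Authentication" record Samba writes at `log level = auth_json_audit:3`
(fields status, passwordType, clientAccount, remoteAddress), preceded on the
log line by a "JSON Authentication:" marker. The sample lines below are
constructed and trimmed to the fields used here.
"""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List, Tuple

MARKER = "JSON Authentication:"

# Constructed sample log. Line 1: a Kerberos session setup that succeeded.
# Lines 2-3: NTLMv2 attempts from clients without a ticket, failing with the
# two statuses seen in the thread. Line 4: an Authorization record (different
# marker, skipped). Line 5: a truncated line, to show the parser tolerates it.
SAMPLE_LOG_LINES = [
    '[2020/12/28 22:10:01.123456,  3] JSON Authentication: {"timestamp": "2020-12-28T22:10:01.123456+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.51:49211", "serviceDescription": "SMB2", "clientAccount": "alice@EXAMPLE.TEST", "clientDomain": null, "passwordType": "Kerberos", "duration": 4820}}',
    '[2020/12/28 22:11:45.000001,  3] JSON Authentication: {"timestamp": "2020-12-28T22:11:45.000001+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.52:50112", "serviceDescription": "SMB2", "clientAccount": "bob", "clientDomain": "WINPC", "passwordType": "NTLMv2", "duration": 910}}',
    '[2020/12/28 22:12:03.500000,  3] JSON Authentication: {"timestamp": "2020-12-28T22:12:03.500000+0200", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.53:40021", "serviceDescription": "SMB2", "clientAccount": "carol", "clientDomain": "LINUXBOX", "passwordType": "NTLMv2", "duration": 640}}',
    '[2020/12/28 22:10:01.130000,  3] JSON Authorization: {"timestamp": "2020-12-28T22:10:01.130000+0200", "type": "Authorization", "Authorization": {"localAddress": "ipv4:192.0.2.10:445", "remoteAddress": "ipv4:192.0.2.51:49211", "serviceDescription": "SMB2", "authType": "krb5", "account": "alice"}}',
    '[2020/12/28 22:13:00.000000,  3] JSON Authentication: {"timestamp": "2020-12-28T22:13:00',
]


def parse_auth_records(lines: Iterable[str]) -> List[dict]:
    """Extract the inner "Authentication" object from each audit line that has one.

    Lines without the marker, lines whose JSON does not parse (truncated at
    rotation, for example) and records of another type are skipped.
    """
    records: List[dict] = []
    for line in lines:
        idx = line.find(MARKER)
        if idx < 0:
            continue
        try:
            obj = json.loads(line[idx + len(MARKER):].strip())
        except json.JSONDecodeError:
            continue
        if obj.get("type") == "Authentication" and "Authentication" in obj:
            records.append(obj["Authentication"])
    return records


def client_host(remote_address: str) -> str:
    """Strip Samba's 'ipv4:'/'ipv6:' family prefix and the trailing port."""
    without_family = remote_address.split(":", 1)[1]
    return without_family.rsplit(":", 1)[0]


def summarise(records: Iterable[dict]) -> Dict[Tuple[str, str], int]:
    """Count records by (passwordType, status), e.g. ('NTLMv2', 'NT_STATUS_NO_SUCH_USER')."""
    return dict(Counter((r.get("passwordType") or "unknown", r["status"]) for r in records))


def failed_ntlm_clients(records: Iterable[dict]) -> List[str]:
    """Client addresses that attempted NTLM (v1 or v2) and were rejected.

    On a Kerberos-only server such as the FreeIPA setup in the thread, every
    entry here is a client that connected without a ticket.
    """
    hosts = set()
    for r in records:
        mech = r.get("passwordType") or ""
        if mech.startswith("NTLM") and r["status"] != "NT_STATUS_OK":
            hosts.add(client_host(r["remoteAddress"]))
    return sorted(hosts)


if __name__ == "__main__":
    # Usage: python auth_audit_summary.py [/var/log/samba4/auth_audit.log]
    # Without an argument the constructed sample lines are used.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            recs = parse_auth_records(fh)
    else:
        recs = parse_auth_records(SAMPLE_LOG_LINES)
    for (mech, status), n in sorted(summarise(recs).items()):
        print(f"{n:5d}  {mech:<10} {status}")
    print("clients failing with NTLM:", ", ".join(failed_ntlm_clients(recs)) or "none")
```

The status alone does not say why a client failed; pairing it with `passwordType` is what separates "no ticket, fell back to NTLM" from a genuine Kerberos problem such as a missing SPN, which would show up as a failure on a record whose mechanism is Kerberos.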
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
This isn't a TrueNAS-related question anymore, but how does macOS work with such a share?
Have to wireguard this, probably.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
I'd say that MacOS probably uses NTLM for SMB auth unless it's joined to an AD domain. You might be able to manually configure the kerberos realm, kinit, and see if the kernel SMB client picks up the ticket and uses it for auth. This is fine for a science experiment, but I wouldn't do it at $dayjob, too untested / flaky. It's better to just use AD.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> Can you do that without Windows? Like a current Samba in a jail?
Generally, if I were to use non-windows Samba DC, I'd probably use Linux rather than the FreeBSD port (custom apt repo with latest samba in case of Debian). This is better vetted / easier to get help with from Samba mailing lists. Due to how AD works, it's probably best to have multiple DCs on separate physical hardware.
 

Phonix

Cadet
Joined
Feb 15, 2020
Messages
4
Hi,
is it possible to get FreeIPA authentication with Samba sharing on TrueNAS 12-U1 ? I've read it was last time working well on FreeNAS 10.
There are hints in JIRA it can be done, but is there a guide maybe?

What works for me:
  • FreeIPA working for years, authenticating users, etc.
  • LDAP configured and working on TrueNAS, I can ssh to TrueNAS box with FreeIPA user, getent works and lists users and groups.
  • ipa-adtrust-install was run on FreeIPA - I needed ipaNTHash attribute for FreeRADIUS authentication - this is working fine.
What doesn't work:
  • Samba sharing with FreeIPA users - if I try to access samba share with FreeIPA user, I see "NT_STATUS_NO_SUCH_USER" error in /var/log/samba4/auth_audit.log
  • Cannot enable "Samba Schema (DEPRECATED - see help text)" - I get a message that "Remote LDAP server does not have Samba schema extensions."
    But do I really need it enabled, particularly since it is "DEPRECATED - see help text" ?

Any hints or help is much appreciated.
Thanks!

shpokas
I wish I could even activate LDAP :(
All I get is debug information from the middleware python script, stating something is wrong with my credentials...
I have generated new keytab files and all the settings required, still no luck.
I get the error when I activate.
I’m using CORE 12.0-U2.1; I’m curious to know, since this post is older than one year.

thanks
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
I gave up on initial idea about Samba, but LDAP configuration was not that demanding. All details like base dn, bind dn and such are in the first screenshot.
Can you try ldapsearch and other ldap tools? They are present in TrueNAS. Maybe that will shed some light?
 

Phonix

Cadet
Joined
Feb 15, 2020
Messages
4
> I gave up on initial idea about Samba, but LDAP configuration was not that demanding. All details like base dn, bind dn and such are in the first screenshot.
> Can you try ldapsearch and other ldap tools? They are present in TrueNAS. Maybe that will shed some light?
I managed to get the LDAP information using the ldapsearch command; unfortunately there is no clear information out there in regard to TrueNAS integration with freeIPA, at least I didn’t find anything updated.
Like I said, I tried multiple bind dn’s, admin, etc. None was working.
I gave up on freeIPA; it’s a very nice concept, but I find it could be too complex sometimes to integrate with most products.
I decided to give Samba 4 server a try:
I hope it will be a good alternative to MS AD...
Is this what you have been trying before, or you have been trying to get just Samba shares to work?

thanks,
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
In the beginning I wanted Samba to authenticate users from FreeIPA, but that is complicated and was not worth the effort because the Samba server would serve just a few people and having auth credentials from FreeIPA was not as strong a requirement.
And yes, they needed just a few shares, and getting a TrueNAS Samba server to work without FreeIPA or a Samba DC was easy enough.
With FreeIPA the effort starts to multiply when different OSes come into play; these days everyone is BYOD'ing, and I just gave up on this whole idea.
 