SSH Login with Kerberos Keys using FreeIPA as the IdM

tikenn

I recently set up a FreeIPA system on CentOS 8 to provide identity management for my TrueNAS server, using Kerberos as the authentication protocol and LDAP for directory management. However, while the LDAP setup with Kerberos works, I have been unsuccessful in logging into the server with SSH using my Kerberos tickets. My basic setup is below:
  • FreeIPA (version: 4.8.4)
    • REALM: ANAX.ODONATA.LOCALDOMAIN
    • KDC: anax.odonata.localdomain
    • Admin Server: anax.odonata.localdomain
    • Password Server: anax.odonata.localdomain
  • TrueNAS (version: TrueNAS-12.0-RELEASE)
    • Domain: vestalis.odonata.localdomain
I have created two kerberos principals in FreeIPA to identify the TrueNAS host and ldap service respectively and generated their keytabs on the FreeIPA server (anax.odonata.localdomain):
Then, under Directory Services in TrueNAS, I set up the Kerberos realm and uploaded the resulting keytabs. I will skip the LDAP configurations as they are working; however, regarding the SSH configuration, I checked the box "Allow Kerberos Authentication". Finally, when performing the following steps to SSH into the server, I get the resulting log.

Code:
kinit tikenn
ssh -K vestalis.odonata.localdomain -p 6498 -vvv


Code:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /home/tikenn/.ssh/config
debug1: /home/tikenn/.ssh/config line 199: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "vestalis.odonata.localdomain" port 6498
debug2: ssh_connect_direct
debug1: Connecting to vestalis.odonata.localdomain [192.168.2.7] port 6498.
debug1: Connection established.
debug1: identity file /home/tikenn/.ssh/id_rsa type -1
debug1: identity file /home/tikenn/.ssh/id_rsa-cert type -1
debug1: identity file /home/tikenn/.ssh/id_dsa type -1
debug1: identity file /home/tikenn/.ssh/id_dsa-cert type -1
debug1: identity file /home/tikenn/.ssh/id_ecdsa type -1
debug1: identity file /home/tikenn/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tikenn/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tikenn/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tikenn/.ssh/id_ed25519 type -1
debug1: identity file /home/tikenn/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tikenn/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tikenn/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tikenn/.ssh/id_xmss type -1
debug1: identity file /home/tikenn/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2-hpn14v15
debug1: match: OpenSSH_8.2-hpn14v15 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vestalis.odonata.localdomain:6498 as 'tikenn'
debug3: put_host_port: [vestalis.odonata.localdomain]:6498
debug3: hostkeys_foreach: reading file "/home/tikenn/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tikenn/.ssh/known_hosts:36
debug3: load_hostkeys: loaded 1 keys from [vestalis.odonata.localdomain]:6498
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:rnhULXrQf+tvt9uQf9Sqy+DC2FfOpMZWENaHP9qjODg
debug3: put_host_port: [192.168.2.7]:6498
debug3: put_host_port: [vestalis.odonata.localdomain]:6498
debug3: hostkeys_foreach: reading file "/home/tikenn/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tikenn/.ssh/known_hosts:36
debug3: load_hostkeys: loaded 1 keys from [vestalis.odonata.localdomain]:6498
debug3: hostkeys_foreach: reading file "/home/tikenn/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tikenn/.ssh/known_hosts:37
debug3: load_hostkeys: loaded 1 keys from [192.168.2.7]:6498
debug1: Host '[vestalis.odonata.localdomain]:6498' is known and matches the ECDSA host key.
debug1: Found key in /home/tikenn/.ssh/known_hosts:36
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/tikenn/.ssh/id_rsa
debug1: Will attempt key: /home/tikenn/.ssh/id_dsa
debug1: Will attempt key: /home/tikenn/.ssh/id_ecdsa
debug1: Will attempt key: /home/tikenn/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tikenn/.ssh/id_ed25519
debug1: Will attempt key: /home/tikenn/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tikenn/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-with-mic
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tikenn/.ssh/id_rsa
debug3: no such identity: /home/tikenn/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_dsa
debug3: no such identity: /home/tikenn/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_ecdsa
debug3: no such identity: /home/tikenn/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_ecdsa_sk
debug3: no such identity: /home/tikenn/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_ed25519
debug3: no such identity: /home/tikenn/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_ed25519_sk
debug3: no such identity: /home/tikenn/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/tikenn/.ssh/id_xmss
debug3: no such identity: /home/tikenn/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
tikenn@vestalis.odonata.localdomain: Permission denied (publickey,gssapi-with-mic).


Although the SSH response suggests that the credentials are incorrect, I can use the exact same method to log in to other servers on the network (albeit not TrueNAS servers). I attempted to enforce [libdefaults] in the Kerberos Settings on TrueNAS, similar to my other servers, by adding config parameters to the Libdefaults Auxiliary Parameters section in TrueNAS:

Code:
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_etypes_des = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_realm = ANAX.ODONATA.LOCALDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true


Sadly, I have still not been able to get a successful SSH and was wondering if someone had any suggestions. I would be more than happy to provide any additional information and apologies upfront if something is missing as I am new to FreeIPA and its integration with TrueNAS.
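The `ssh -vvv` output above is the only evidence in the post, so it is worth reading it systematically rather than stopping at "Permission denied". The following is an added example, not code from the original post, from OpenSSH or from TrueNAS: it summarises the userauth phase of an OpenSSH client debug log per authentication method (how many requests the client sent for each before it gave up, and whether any succeeded). The sample inputs are excerpts of the failing log above and of the working log posted later in this thread; the function and field names are this example's own.

```python
"""Summarise the userauth phase of an OpenSSH client debug log (ssh -v/-vv/-vvv).

Added example for this thread; it is not code from the original post, from
OpenSSH or from TrueNAS. It reads the debug lines the client prints while it
walks its list of authentication methods and reports, per method, how many
userauth requests the client sent before giving up on it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the failing log posted above: the server answers both GSSAPI
# requests with another "Authentications that can continue" (a plain
# USERAUTH_FAILURE), so the client never gets to exchange a Kerberos token.
FAILED_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tikenn/.ssh/id_rsa
debug3: no such identity: /home/tikenn/.ssh/id_rsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
tikenn@vestalis.odonata.localdomain: Permission denied (publickey,gssapi-with-mic).
"""

# Excerpt of the working log posted later in the thread.
SUCCESS_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to truenas-core.testlab.betazed.net (via proxy).
"""


@dataclass
class AuthSummary:
    offered: List[str] = field(default_factory=list)        # methods the server advertised
    attempts: Dict[str, int] = field(default_factory=dict)  # method -> requests the client sent
    dropped: List[str] = field(default_factory=list)        # methods the client gave up on
    succeeded: Optional[str] = None
    denied: bool = False


def summarize(log: str) -> AuthSummary:
    """Walk the log once, tracking which method the client is currently on."""
    s = AuthSummary()
    current: Optional[str] = None
    for line in log.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            s.offered = m.group(1).split(",")
            continue
        m = re.search(r"Next authentication method: (\S+)", line)
        if m:
            current = m.group(1)
            s.attempts.setdefault(current, 0)
            continue
        m = re.search(r"we sent a (\S+) packet", line)
        if m:
            s.attempts[m.group(1)] = s.attempts.get(m.group(1), 0) + 1
            continue
        if "we did not send a packet, disable method" in line and current:
            s.dropped.append(current)
            current = None
            continue
        m = re.search(r"Authentication succeeded \((\S+)\)", line)
        if m:
            s.succeeded = m.group(1)
            continue
        if "Permission denied" in line:
            s.denied = True
    return s


def diagnose(s: AuthSummary) -> List[str]:
    """Turn the summary into one finding per method the server offered."""
    if s.succeeded:
        return [f"authenticated with {s.succeeded}"]
    notes = []
    for method in s.offered:
        sent = s.attempts.get(method)
        if sent is None:
            notes.append(f"{method}: offered by the server but never tried by the client")
        elif sent == 0:
            # The client moved on without sending anything: no key files, no ticket.
            notes.append(f"{method}: client had nothing to offer")
        elif method in s.dropped:
            # The client sent requests and the server answered each one with a failure.
            notes.append(f"{method}: server rejected the exchange after {sent} request(s)")
    if s.denied:
        notes.append("permission denied by the server")
    return notes


if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("success", SUCCESS_LOG)):
        print(name)
        for note in diagnose(summarize(log)):
            print("  -", note)
```

The split the summary gives is the useful part: in the failing log the client did send two gssapi-with-mic requests (one per GSSAPI mechanism it knows), so it had a ticket to offer, and the server answered each with a plain USERAUTH_FAILURE (packet type 51) instead of a USERAUTH_GSSAPI_RESPONSE selecting a mechanism, so the Kerberos token exchange never started. That pattern usually points at the server side (GSSAPI authentication not enabled for that login, or sshd unable to use a matching host/ entry from its keytab) rather than at the client's credentials, which narrows the search considerably when the only visible error is "Permission denied".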
 

tikenn
Well... I was able to solve this, but, sadly, the method used does not provide a clear answer to the original problem. I rebuilt the FreeIPA IdM from the ground up (for another reason) and re-created all of the users. Then, several days after rebuilding, I attempted to log into my TrueNAS with Kerberos credentials. It just worked. I suspect one of two things (or both): something was messed up with the original installation of FreeIPA, or the user credentials had not fully propagated from the IdM to TrueNAS (a recurring problem that sporadically occurs with other servers interacting with FreeIPA).
 

Troublegum

I will skip the LDAP configurations as they are working

Hello tikenn, can I ask about your LDAP configuration please? I'm trying the same thing, and when I edit the LDAP configuration, open the advanced settings and select the Kerberos realm and Kerberos keytab (which one, the host or ldap?), I cannot save the result because of "'str' object has no attribute '__name__'".

Can you please post your complete config? Thanks.
 

anodos

iXsystems
Hello tikenn, can I ask about your LDAP configuration please? I'm trying the same thing, and when I edit the LDAP configuration, open the advanced settings and select the Kerberos realm and Kerberos keytab (which one, the host or ldap?), I cannot save the result because of "'str' object has no attribute '__name__'".

Can you please post your complete config? Thanks.
What version of TrueNAS are you using?
 

Troublegum

Freeipa on Centos 8
IP: 10.88.88.3/24
Hostname: freeipa.testlab.betazed.net

TrueNAS Core 12.0-U4
IP: 10.88.88.17/24
Hostname: truenas-core.testlab.betazed.net


Add host to ipa-server
Code:
[admin@freeipa ~]$ ipa host-add truenas-core.testlab.betazed.net --ip-address=10.88.88.17
---------------------------------------------
Added host "truenas-core.testlab.betazed.net"
---------------------------------------------
  Host name: truenas-core.testlab.betazed.net
  Principal name: host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET
  Principal alias: host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET
  Password: False
  Keytab: False
  Managed by: truenas-core.testlab.betazed.net


Code:
[admin@freeipa ~]$ ipa-getkeytab -p host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET -k truenas-core.keytab
Keytab successfully retrieved and stored in: truenas-core.keytab


TrueNAS Kerberos Realm Settings:
Code:
Realm = TESTLAB.BETAZED.NET
KDC = freeipa.testlab.betazed.net
Admin Server = freeipa.testlab.betazed.net
Password Server = freeipa.testlab.betazed.net


TrueNAS Kerberos Keytab Settings:
Code:
Name = host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET
file = truenas-core.keytab


TrueNAS LDAP Settings
Code:
Hostname = freeipa.testlab.betazed.net
Base DN = dc=testlab,dc=betazed,dc=net
Bind DN = uid=admin,cn=users,cn=accounts,dc=testlab,dc=betazed,dc=net
Bind Password = **********
Enable = true


TrueNAS LDAP Settings - Advanced Settings
Code:
Kerberos Realm = TESTLAB.BETAZED.NET
Kerberos Principal = host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET
Encryption Mode = START_TLS
Certificate = ---
Validate Certificates = false
LDAP Timeout = 10
DNS Timeout = 10
Samba Schema (Deprecated) = false
Auxiliary Parameters = 
Schema = RFC2307


Test in TrueNAS shell
Code:
root@truenas-core[~]# id admin
uid=10000(admin) gid=10000(admins) groups=10000(admins)

root@truenas-core[~]# id nam
uid=10001(nam) gid=10001(nam) groups=10001(nam),10000(admins)


SSH into TrueNAS does work when I use a client that is enrolled in freeipa and has a valid kerberos ticket. :)
Code:
[nam@freeipa ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: nam@TESTLAB.BETAZED.NET

Valid starting       Expires              Service principal
16.06.2021 22:02:38  17.06.2021 22:02:34  krbtgt/TESTLAB.BETAZED.NET@TESTLAB.BETAZED.NET
16.06.2021 22:03:13  17.06.2021 22:02:34  HTTP/freeipa.testlab.betazed.net@TESTLAB.BETAZED.NET
16.06.2021 22:13:40  17.06.2021 22:02:34  ldap/freeipa.testlab.betazed.net@TESTLAB.BETAZED.NET
17.06.2021 19:57:45  17.06.2021 22:02:34  host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET


Code:
[nam@freeipa ~]$ ssh nam@truenas-core.testlab.betazed.net -v
OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/ssh_config.d/04-ipa.conf
debug1: Executing command: 'true'
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 truenas-core.testlab.betazed.net
debug1: identity file /home/nam/.ssh/id_rsa type -1
debug1: identity file /home/nam/.ssh/id_rsa-cert type -1
debug1: identity file /home/nam/.ssh/id_dsa type -1
debug1: identity file /home/nam/.ssh/id_dsa-cert type -1
debug1: identity file /home/nam/.ssh/id_ecdsa type -1
debug1: identity file /home/nam/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/nam/.ssh/id_ed25519 type -1
debug1: identity file /home/nam/.ssh/id_ed25519-cert type -1
debug1: identity file /home/nam/.ssh/id_xmss type -1
debug1: identity file /home/nam/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4-hpn14v15
debug1: match: OpenSSH_8.4-hpn14v15 pat OpenSSH* compat 0x04000000
debug1: Authenticating to truenas-core.testlab.betazed.net:22 as 'nam'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:mAYzSmo2MyVZ3AGtYXjN0TPfMn2qMXCiI5fZp5PYk8M
debug1: Host 'truenas-core.testlab.betazed.net' is known and matches the ECDSA host key.
debug1: Found key in /home/nam/.ssh/known_hosts:1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/nam/.ssh/id_rsa 
debug1: Will attempt key: /home/nam/.ssh/id_dsa 
debug1: Will attempt key: /home/nam/.ssh/id_ecdsa 
debug1: Will attempt key: /home/nam/.ssh/id_ed25519 
debug1: Will attempt key: /home/nam/.ssh/id_xmss 
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to truenas-core.testlab.betazed.net (via proxy).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: proc
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LC_MEASUREMENT = de_DE.UTF-8
debug1: Sending env LC_PAPER = de_DE.UTF-8
debug1: Sending env LC_MONETARY = de_DE.UTF-8
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_NAME = de_DE.UTF-8
debug1: Sending env LC_ADDRESS = de_DE.UTF-8
debug1: Sending env LC_NUMERIC = de_DE.UTF-8
debug1: Sending env LC_TELEPHONE = de_DE.UTF-8
debug1: Sending env LC_IDENTIFICATION = de_DE.UTF-8
debug1: Sending env LC_TIME = de_DE.UTF-8
Last login: Thu Jun 17 19:59:31 2021 from 10.88.88.3
FreeBSD 12.2-RELEASE-p6 df578562304(HEAD) TRUENAS 

    TrueNAS (c) 2009-2021, iXsystems, Inc.
    All rights reserved.
    TrueNAS code is released under the modified BSD license with some
    files copyrighted by (c) iXsystems, Inc.

    For more information, documentation, help or support, go here:
    http://truenas.com
Welcome to TrueNAS
truenas-core% 



So I guess that error message in the gui threw me off, but core functionality seems to be working.

I'm new to freeipa/ldap/kerberos. Is there something I should check to see if everything works as expected?
What functionality regarding nfs or smb is to be expected?

Thanks for the help.
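The `klist` output in this post is the client-side proof that the login path works: after the SSH session the cache holds a `host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET` service ticket, which the KDC only issues if it knows the host principal created with `ipa host-add`. The following is an added example, not code from this post or from MIT/Heimdal Kerberos: it parses a `klist` dump and checks that the cache belongs to the expected realm, still holds a TGT, and holds an unexpired host ticket for the target, so the same check can be run after a failed attempt. The sample is the `klist` output above (its timestamps are dd.mm.yyyy, as printed by that client's locale); the `at()` helper and the function names are this example's own.

```python
"""Check a klist dump for a valid host/<fqdn>@REALM ticket to the SSH target.

Added example for this thread; not code from the original post or from
MIT/Heimdal Kerberos. A working GSSAPI SSH login leaves a service ticket for
the target host in the client's cache; this parser finds it and checks that it
(and the TGT it was obtained with) are valid at a given point in time.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# klist output posted above (dd.mm.yyyy timestamps from that client's locale).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: nam@TESTLAB.BETAZED.NET

Valid starting       Expires              Service principal
16.06.2021 22:02:38  17.06.2021 22:02:34  krbtgt/TESTLAB.BETAZED.NET@TESTLAB.BETAZED.NET
16.06.2021 22:03:13  17.06.2021 22:02:34  HTTP/freeipa.testlab.betazed.net@TESTLAB.BETAZED.NET
16.06.2021 22:13:40  17.06.2021 22:02:34  ldap/freeipa.testlab.betazed.net@TESTLAB.BETAZED.NET
17.06.2021 19:57:45  17.06.2021 22:02:34  host/truenas-core.testlab.betazed.net@TESTLAB.BETAZED.NET
"""

TIME_FMT = "%d.%m.%Y %H:%M:%S"
STAMP = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")


def at(stamp: str) -> datetime:
    """Parse a timestamp written in the same format klist used above."""
    return datetime.strptime(stamp, TIME_FMT)


def parse_klist(text: str) -> Dict:
    """Return the default principal and the list of tickets in the dump."""
    cache: Dict = {"principal": None, "tickets": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Default principal: (\S+)", line)
        if m:
            cache["principal"] = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:  # header and blank lines do not match
            cache["tickets"].append({
                "start": at(m.group(1)),
                "expires": at(m.group(2)),
                "service": m.group(3),
            })
    return cache


def valid_ticket(cache: Dict, service: str, now: datetime) -> Optional[Dict]:
    """The ticket for `service` if one exists and is valid at `now`."""
    for t in cache["tickets"]:
        if t["service"] == service and t["start"] <= now < t["expires"]:
            return t
    return None


def check_cache(text: str, fqdn: str, realm: str, now: datetime) -> List[str]:
    """List what is missing for a GSSAPI login to host/<fqdn>@<realm>; empty means ready."""
    cache = parse_klist(text)
    principal = cache["principal"]
    if principal is None:
        return ["no default principal: the cache is empty, run kinit first"]
    problems = []
    if not principal.endswith("@" + realm):
        problems.append(f"cache principal {principal} is not in realm {realm}")
    if valid_ticket(cache, f"krbtgt/{realm}@{realm}", now) is None:
        problems.append(f"no valid TGT for {realm}")
    if valid_ticket(cache, f"host/{fqdn}@{realm}", now) is None:
        problems.append(f"no valid host/{fqdn} ticket: the KDC did not issue one, or it expired")
    return problems


if __name__ == "__main__":
    # Evaluate the posted cache shortly after the SSH session it records.
    issues = check_cache(KLIST_OUTPUT, "truenas-core.testlab.betazed.net",
                         "TESTLAB.BETAZED.NET", at("17.06.2021 20:00:00"))
    print("ready for GSSAPI login" if not issues else "\n".join(issues))
```

When the host ticket is missing after an SSH attempt, the client never asked the KDC for it or the KDC refused, which separates a principal or DNS problem (wrong FQDN, host not enrolled) from a keytab problem on the server, where the ticket is issued but the server cannot decrypt it.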
 

Troublegum

Added screenshot with error message in GUI. The error appears as soon as I select Kerberos Realm and Kerberos Principal in the advanced settings.
 

Attachment: Bildschirmfoto von 2021-06-17 19-51-02.png (screenshot of the GUI error message)

anodos

iXsystems
Okay. Probably related to trying to use start_tls + gssapi simultaneously. Exception isn't being translated properly. Disable start_tls, we will do a sealed gssapi bind.
 

Troublegum

Thank you, disabling encryption allowed for saving the settings without an error message.

The desired LDAP functionality seems to be working for me. I can ssh into truenas with freeipa accounts when I get a kerberos ticket.
It doesn't use the ssh public keys stored in freeipa. Next on my list to try out is nfs4 with kerberos.
 