How to Authenticate Docker Containers with TrueNAS SCALE Users?

I am currently working on a project that involves user authentication from a Docker container (running inside TrueNAS) to the user accounts on TrueNAS SCALE. My goal is to authenticate the users inside the Dockerized application against the existing TrueNAS SCALE users, rather than maintaining a separate authentication system inside the container.

What are the best security practices when allowing a container to authenticate users from the host system (TrueNAS)?

I would really appreciate any guidance, tutorials, or documentation that could point me in the right direction.

I don’t believe it’s possible, so the “best security practices” don’t exist. The best arrangement I could think of similar to this would be to join the NAS to an AD domain, and use that AD controller as the authentication provider for your app.

Hey Dan, I believe that it's possible. From what I understand, TrueNAS SCALE maintains an SQLite3 database holding the users, hashes and all the configuration of the system. That's one way: find the database and authenticate the user by querying the DB. But I think there must be another, more straightforward way to authenticate the users from the Docker container.

SCALE doesn’t query the DB for authentication. The DB is used to write the passwd, group, shadow, and sudo configuration files. Containers do not have access to the TrueNAS DB (for good reason) and do not have access to the host’s shadow file (also for good reason). There are no plans to copy local account configuration from host to containers.

That’s what I’m trying to understand, how does TrueNAS Scale authenticate users on the backend, whether it’s for SSH or other services? Since TrueNAS is open-source, there must be a way for developers to implement or customize alternative authentication methods.

As I said above, I believe you’re incorrect. To the best of my knowledge, no version of TrueNAS currently supports, or ever has supported, acting as an identity/authentication/authorization provider for any other application. Whether you’re able to hack something like this into different NAS software you might build based on TrueNAS would depend on your skill and perseverance, but TrueNAS itself doesn’t support any such thing.

Pretty much the standard way to handle authentication in Linux and FreeBSD is through PAM modules. Local user authentication is managed through pam_unix.

That said, as Dan mentioned, we are not and have no plans of becoming an identity provider. If you want a single source of truth for containers and host regarding credentials, you should use AD or LDAP (but don’t put the identity provider in a container or VM on TrueNAS).

If you wanted to roll your own hackish config, you can probably insert local user accounts from TrueNAS into the passwd, shadow, and group files in the container. Just read / become familiar with how account management works in Linux, and read all relevant manpages.
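The "hackish" route sketched in the post above, as an added example that is not TrueNAS code or anything the project ships: take the host's passwd, shadow and group content, keep only the ordinary local accounts the application needs, and render the three files a container's pam_unix expects, with shadow readable by root only. The host file contents are constructed samples and the $6$ hashes are placeholders, not real credentials.

```python
"""
Build the passwd/shadow/group files a container needs so that its pam_unix
can check a subset of the host's local accounts.

Added example, not TrueNAS code. The host file contents below are
constructed samples; the $6$ hashes are placeholders, not real credentials.
"""
import os
import tempfile

HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:3000:3000:Alice:/mnt/tank/home/alice:/usr/bin/zsh
bob:x:3001:3001:Bob:/mnt/tank/home/bob:/usr/sbin/nologin
"""
HOST_SHADOW = """\
root:*:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
alice:$6$saltsalt$placeholderhash1:19700:0:99999:7:::
bob:$6$saltsalt$placeholderhash2:19700:0:99999:7:::
"""
HOST_GROUP = """\
root:x:0:
alice:x:3000:
bob:x:3001:
nasusers:x:3100:alice,bob,root
"""


def _records(text, nfields):
    """Split colon-separated lines, skipping blanks and malformed entries."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == nfields:
            yield fields


def select_local_accounts(passwd_text, uid_min=1000, uid_max=60000):
    """Names of accounts whose UID is in the ordinary-user range.
    root and the nobody/system range are deliberately excluded."""
    return [f[0] for f in _records(passwd_text, 7) if uid_min <= int(f[2]) <= uid_max]


def render_container_files(passwd_text, shadow_text, group_text, names):
    """Return {"passwd": ..., "shadow": ..., "group": ...} containing only the
    selected users, their primary groups, and the groups they belong to."""
    keep = set(names)
    passwd = [f for f in _records(passwd_text, 7) if f[0] in keep]
    primary_gids = {f[3] for f in passwd}
    # Only the selected users' hashes leave the host; root and system
    # accounts never appear in the container's shadow file.
    shadow = [f for f in _records(shadow_text, 9) if f[0] in keep]
    group = []
    for name, pw, gid, members in _records(group_text, 4):
        kept = [m for m in members.split(",") if m in keep]
        if gid in primary_gids or kept:
            group.append([name, pw, gid, ",".join(kept)])
    join = lambda rows: "".join(":".join(r) + "\n" for r in rows)
    return {"passwd": join(passwd), "shadow": join(shadow), "group": join(group)}


def write_container_files(files, target_dir=None):
    """Write the rendered files with the permissions pam_unix expects
    (shadow readable by root only). Returns {name: (path, mode)}."""
    target_dir = target_dir or tempfile.mkdtemp(prefix="container-etc-")
    modes = {"passwd": 0o644, "group": 0o644, "shadow": 0o640}
    out = {}
    for name, content in files.items():
        path = os.path.join(target_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, modes[name])
        out[name] = (path, os.stat(path).st_mode & 0o777)
    return out


if __name__ == "__main__":
    names = select_local_accounts(HOST_PASSWD)
    rendered = render_container_files(HOST_PASSWD, HOST_SHADOW, HOST_GROUP, names)
    for name, (path, mode) in write_container_files(rendered).items():
        print(f"{name}: {path} mode {mode:o}")
```

The output directory would then be bind-mounted over the container's /etc/passwd, /etc/shadow and /etc/group (read-only), and regenerated whenever an account changes on the host. Note what this does and does not give you: the container can verify the copied hashes with pam_unix, but it now holds a second copy of those hashes, so its filesystem and image layers need the same care as the host's shadow file, and nothing here makes TrueNAS an authentication service.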

Do I correctly recall that some flavor of SSO (probably OIDC) is on the roadmap for TrueNAS CE? I thought I saw that somewhere recently.

I can’t recall anything like that. Currently UI/API authentication via directory services is one of several product differentiators between Community / Enterprise.

This is what I’d remembered:

That is a different situation.

Remember a NAS is different from, for instance, a desktop computer. We have to be able to use the accounts for file sharing protocols.

For example, SMB protocol authentication is currently either via NTLMv2 or Kerberos.

We can do NTLM for local accounts because at time of account creation we have access to the plain-text password and can generate an NT hash from it for SMB authentication (NOTE: this is why you have to re-enter your password when changing from a non-SMB account to an SMB account).

When we’re joined to AD we can do NTLMv2 and Kerberos authentication by passing through the auth request to the Windows Domain Controller.

If someone creates a snazzy new authentication schema, for example “wilbur protocol”, developers can create a PAM module in which a Linux client speaks to a wilbur protocol server and authenticates clients. They could even create an NSS module so that the wilbur protocol server’s accounts appear in TrueNAS. This works great for desktop logins, but is not so useful for a NAS because clients don’t support “wilbur protocol” for SMB or NFS authentication. We could implement wilbur protocol in TrueNAS, but it would be basically useless for how people want to use accounts.
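The point made above about needing the plaintext password at account-creation time, as an added example that is not TrueNAS or Samba code: the NT hash used for NTLM is MD4 over the UTF-16LE encoding of the password, so it can only be computed from the plaintext and cannot be derived from the sha512-crypt hash already sitting in shadow. MD4 is implemented here in pure Python because OpenSSL 3 builds of hashlib commonly refuse it as a legacy algorithm; the test vectors are the published MD4 ones and the widely cited NT hash of "password".

```python
"""
NT hash (what a local SMB account needs for NTLMv2) from a plaintext password:
MD4 over the UTF-16LE encoding.

Added example, not TrueNAS or Samba code. MD4 is implemented in pure Python
because OpenSSL 3 builds of hashlib often reject MD4 as a legacy algorithm.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data."""
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, message-word order, shift schedule)
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, order, shifts in rounds:
            for j, i in enumerate(order):
                p = (-j) % 4  # steps rewrite a, d, c, b in turn
                x, y, z = v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]
                v[p] = _rotl((v[p] + fn(x, y, z) + X[i] + k) & _MASK, shifts[j % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored for NTLM: MD4(UTF-16LE(password)), upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


if __name__ == "__main__":
    # Only the plaintext is usable here; a shadow entry such as
    # "$6$salt$..." (sha512-crypt) gives no way back to this value.
    print(nt_hash("password"))
```

Because the shadow hash and the NT hash are independent one-way functions of the same plaintext, switching an existing account to SMB means the plaintext has to be supplied again so the NT hash can be computed; the existing shadow entry cannot be converted.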