SCALE: Better support for SMB without Active Directory

Problem/Justification
It would be extremely useful if we could enable SMB shares using plain Kerberos auth and LDAP rather than having to join an Active Directory domain. Samba supports this, but there is no exposure of this functionality in the TrueNAS SCALE UI. TrueNAS CORE appears to have had a field to add auxiliary parameters to the smb.conf file, but SCALE does not.

Impact
Benefits: more flexibility for diverse environments where Windows is a secondary service, not the primary service. Users will be able to create SMB shares without having to rely on either Active Directory or insecure/deprecated NTLM passwords stored locally.
Disadvantages: I can’t really think of any, and it shouldn’t be that hard to implement. At bare minimum, SCALE should allow custom additions to the Samba config in the same way that CORE does.

User Story
We operate a mixed environment, which is primarily Unix/Linux using local/LDAP auth, with some Windows systems which are joined to Active Directory. Our UID/GID number space is local to us, but Active Directory serves the whole institution and has no support for POSIX information. Since our Kerberos realm trusts the AD Realm, it should still work with plain Kerberos if the UI would allow the configuration.

If we were to join the TrueNAS systems to Active Directory instead, it would introduce a lot of complication for us and would limit us to using NFS version 4 for our Unix systems since ID mapping would then be required due to our local UID/GID number space.

Original issue was: NAS-132139

We added support for SMB + FreeIPA in 24.10. That said, you’re often limited by what your clients support WRT Kerberos auth.

We are not using FreeIPA, but rather we have our own OpenLDAP directory and the institution provides an MIT Kerberos realm. I just tried this out on 24.10 and, while it still produces the dialog box saying that AD or local Samba auth is required, it allows the share to be created. Now I am just having issues authenticating with Kerberos even though the keytab on the TrueNAS has a cifs SPN.

You can look at what we do for IPA for some inspiration for samba configuration changes, but I don’t really think this configuration is easily supportable. middleware/src/middlewared/middlewared/plugins/smb_/util_smbconf.py at 0551c438bbf27e08f32ec3e7126afb8f9fbea62f · truenas/middleware · GitHub

You can also look at the IPA source itself:

Looking at that code, it really shouldn’t be hard to support this because basically everything you are doing to support it with IPA would be almost the same as for plain Kerberos. The main things would be using a different path to the keytab and pulling the realm and workgroup from the SMB config rather than the IPA config. All of this information should already be available in TrueNAS since we can configure keytabs and realms on the directory services page and the workgroup is configured on the SMB services config.

Samba will already map SMB users using NSS (it requires them to be resolvable via NSS), so it really just needs to be told to use Kerberos and where to find the keytab.

Have you actually proved this out on a non-TrueNAS samba server? There are some subtleties here when we go about generating the keytab for the cifs/spn to ensure that Samba’s secrets.tdb is also populated with correct domain info.

The required info for samba databases is returned as part of generating the cifs spn / keytab by the IPA client.

Yes, I just confirmed that it works with plain MIT Kerberos. This was the config that worked for me once I got my principals configured correctly:

[global]
        workgroup = WORKGROUP
        security = user
        realm = MYREALM
        # smbd looks up its cifs/ key in the system keytab (the Kerberos
        # library's default, normally /etc/krb5.keytab)
        kerberos method = system keytab
        # client-side setting: affects smbclient and friends, not what smbd accepts
        client use kerberos = required
        lanman auth = no
        # "no" is Samba's ntlmv2-only; "disabled" would refuse NTLM entirely
        ntlm auth = no
        server role = standalone

        # local UID/GID space, no AD ID mapping needed
        idmap config * : range = 1000 - 999999

        passdb backend = tdbsam

With that configuration, I was then able to successfully connect using the smbclient command on another linux machine after doing kinit.
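As an added example (not code from this thread or from TrueNAS), the following Python script does what the two posts above describe before smbd is pointed at Kerberos: it parses an MIT keytab, confirms that a cifs/<fqdn>@REALM entry is present, and only then renders the [global] section for a standalone, Kerberos-only server. The hostname nas.example.org, realm EXAMPLE.ORG, keytab path /etc/krb5.keytab and the keytab bytes themselves are constructed for the example. Two deliberate differences from the posted config: the keytab path is given explicitly (kerberos method = dedicated keytab), since the thread notes the keytab path will not be the IPA one, and ntlm auth = disabled refuses NTLM altogether, whereas ntlm auth = no is Samba's ntlmv2-only and still accepts NTLMv2 password authentication.

```python
# Added example for this thread; not TrueNAS middleware code. The hostname,
# realm, keytab path and the keytab contents below are assumptions.
import struct

KEYTAB_V2 = b"\x05\x02"          # MIT keytab file-format version 2
KRB5_NT_PRINCIPAL = 1

# Constructed sample entries (principal, kvno, enctype, key); not a real keytab.
# 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96.
SAMPLE_ENTRIES = [
    ("host/nas.example.org@EXAMPLE.ORG", 2, 18, bytes(range(32))),
    ("cifs/nas.example.org@EXAMPLE.ORG", 3, 18, bytes(range(32, 64))),
    ("cifs/nas.example.org@EXAMPLE.ORG", 3, 17, bytes(range(16))),
]


def _cos(raw: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_cos(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Serialise entries in keytab v2 layout. Only used to construct sample
    input here; on a real host the file comes from kadmin / ipa-getkeytab."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for comp in comps:
            body += _cos(comp.encode())
        # name type, timestamp, 8-bit vno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)   # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype}] for every live entry in a v2 keytab."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cos(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_cos(data, pos)  # key bytes are not needed for the check
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno, if present and nonzero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def cifs_entries(entries, host: str, realm: str):
    """Entries for the SPN smbd needs: cifs/<fqdn>@REALM (exact match)."""
    want = "cifs/%s@%s" % (host, realm)
    return [e for e in entries if e["principal"] == want]


def render_smb_global(workgroup, realm, keytab_path, idmap_range=(1000, 999999)):
    """[global] for a standalone, Kerberos-only server with an explicit keytab."""
    return "\n".join([
        "[global]",
        "    workgroup = %s" % workgroup,
        "    realm = %s" % realm,
        "    security = user",
        "    server role = standalone",
        "    kerberos method = dedicated keytab",
        "    dedicated keytab file = %s" % keytab_path,
        "    lanman auth = no",
        "    ntlm auth = disabled",       # 'no' would still allow NTLMv2
        "    passdb backend = tdbsam",
        "    idmap config * : range = %d - %d" % idmap_range,
    ]) + "\n"


def smb_global_for(keytab_bytes, host, realm, workgroup, keytab_path):
    """Refuse to emit a Kerberos-only config when the keytab has no cifs/ SPN."""
    if not cifs_entries(parse_keytab(keytab_bytes), host, realm):
        raise LookupError("no cifs/%s@%s entry in keytab" % (host, realm))
    return render_smb_global(workgroup, realm, keytab_path)


if __name__ == "__main__":
    kt = build_keytab(SAMPLE_ENTRIES)
    print(smb_global_for(kt, "nas.example.org", "EXAMPLE.ORG",
                         "WORKGROUP", "/etc/krb5.keytab"))
```

On a real box you would feed the script the bytes of the actual keytab (open(path, "rb").read()) instead of build_keytab(SAMPLE_ENTRIES); klist -k gives the same principal list for a quick manual cross-check.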

Okay. I’ll look into tweaking the smb config if we’re not a member of an IPA domain and have a keytab containing a cifs SPN. Probably NET 25.04.
