truenas

FreeIPA/Samba integration

This was more complicated than it probably should have been, I think because the IPA domain does not match the TrueNAS host domain.

  • Remove the host's DNS records from FreeIPA if they were set up previously, and connect to the TrueNAS by IP for the next steps
  • Set up the FreeIPA servers for Samba by running the following on all of them:
    dnf install ipa-server-trust-ad
    ipa-adtrust-install
  • Set up TrueNAS
    • Credentials→Directory Services→Show Advanced
    • Add Kerberos Realm
      • Realm: IPA.SIHNON.NET
      • Primary KDC: pick one of the IPA servers
      • KDC/admin servers/password servers: List all the IPA servers
    • Configure Directory Services
      • Configuration type: IPA
      • Enable Service, Enable Account Cache, Enable DNS Updates
      • Timeout: 10s
      • Kerberos Realm: IPA.SIHNON.NET
      • Credential type: Kerberos User (admin, and the domain password)
      • Target Server: pick one of the IPA servers
      • TrueNAS hostname: short hostname
      • Domain: jellybean.sihnon.net (temporary hack to ensure computer objects are created using canonical hostname)
      • Base DN: dc=ipa,dc=sihnon,dc=net
      • Validate Certificates
      • For SMB, don't use defaults
        • Name: IPA
        • Domain: ipa.sihnon.net
        • Rest of the attributes at default
    • Verify the Host object, cifs/nfs service accounts, and DNS records have been created in FreeIPA with the jellybean domain
    • Disable directory services, change the domain from jellybean.sihnon.net to ipa.sihnon.net, and re-enable the services
    • Restart winbind service
    • Verify that getent passwd ben shows the account

When connecting from a Windows machine that is not domain-joined, it won't prompt for credentials and the connection will fail. Explicitly map a drive first, using IPA domain credentials. Subsequent connections to the same hostname reuse those credentials, so not every share needs to be mapped.

ACME

For the first server, follow the instructions below.

  • Create a TSIG key for nsupdate:
    tsig-keygen -a HMAC-SHA512
  • Update the key name to truenas.
  • Distribute the key to the nameservers via puppet (hiera key profile::freeipa::named::keys), and make sure bind has been restarted to pick up the change
  • Create data/system/acme datasets
  • SSH to the host as truenas_admin and run the following:
    sudo chown truenas_admin /mnt/data/system/acme
    git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
  • Save the TSIG key to /mnt/data/system/acme/.nsupdate.key (making sure the key name and secret match puppet)

For subsequent servers, clone the acme filesystem.

For all servers:

  • Navigate to Credentials→Certificates
  • Add an ACME DNS-Authenticator
    • Name: freeipa
    • Authenticator: shell
    • Script: /mnt/data/system/acme/dns_acme.sh
    • User: root
    • Timeout: 60
    • Delay: 90
  • Add a Certificate Signing Request and follow the wizard. Let's Encrypt doesn't use any of the subject attributes, so any values will do.
  • Once added, click the three dots next to the CSR and choose Create ACME certificate
    • Name: letsencrypt
    • Accept ToS
    • Directory URI: LetsEncrypt Production
    • Select the freeipa authenticator for each domain
  • Once the letsencrypt CSR appears in the list, navigate to System→General
  • Click the GUI Settings button
  • Select the letsencrypt certificate under GUI SSL Certificate and save changes, confirming the restart
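As an added example (not the page's own dns_acme.sh and not acme.sh's dns_nsupdate hook), a standalone POSIX shell script of the kind the shell authenticator above could call: it publishes or removes the DNS-01 challenge TXT record through nsupdate using the TSIG key saved in the first-server steps. It assumes a calling convention of set|unset, domain, record name, value, and uses ns1.sihnon.net and the zone sihnon.net as placeholders.

```shell
#!/bin/sh
# Added example DNS-01 hook for the TrueNAS "shell" authenticator, driving
# nsupdate with the TSIG key from the steps above. Assumed arguments:
#   $1 = set | unset   $2 = domain   $3 = challenge record name   $4 = TXT value
KEYFILE="${ACME_NSUPDATE_KEY:-/mnt/data/system/acme/.nsupdate.key}"  # path from the page
NSSERVER="${ACME_NSUPDATE_SERVER:-ns1.sihnon.net}"                    # placeholder server
ZONE="${ACME_NSUPDATE_ZONE:-sihnon.net}"                              # placeholder zone
TTL=60

# Accept only names inside the zone the TSIG key may update, so a bad argument
# cannot become an update for some other name.
valid_record() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *."$ZONE")               return 0 ;;
        *)                       return 1 ;;
    esac
}

# DNS-01 values are base64url (A-Z a-z 0-9 - _); anything else could break out
# of the quoted TXT string and inject extra lines into the nsupdate batch.
valid_value() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Build the nsupdate batch as text. No side effects, so it can be checked
# without a name server.
build_update() {
    action="$1"; record="$2"; value="$3"
    valid_record "$record" || return 1
    case "$action" in
        set)   valid_value "$value" || return 1
               op="update add $record $TTL TXT \"$value\"" ;;
        unset) op="update delete $record TXT" ;;
        *)     return 1 ;;
    esac
    printf 'server %s\n%s\nsend\n' "$NSSERVER" "$op"
}

# Sign and send the batch; fail closed if the batch could not be built.
apply_update() {
    batch="$(build_update "$@")" || return 1
    printf '%s\n' "$batch" | nsupdate -k "$KEYFILE"
}

# Run only when TrueNAS invokes the script with its four arguments.
if [ "$#" -eq 4 ]; then
    apply_update "$1" "$3" "$4"
fi
```

The Delay value configured on the authenticator gives the record time to propagate to all the nameservers before validation, so the script itself does not need to wait.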
truenas.txt · Last modified: by ben
