truenas

Differences

This shows you the differences between two versions of the page.

truenas [2025/12/12 22:11] – created ben
truenas [2025/12/19 21:55] (current) – [FreeIPA/Samba integration] ben
Line 3: Line 3:
 This was more complicated than it probably should have been due to the IPA domain not matching the truenas host domain, I think. This was more complicated than it probably should have been due to the IPA domain not matching the truenas host domain, I think.
  
 +  * Remove DNS for the host from freeipa if setup previously, and connect to the truenas by IP for the next steps
   * Setup FreeIPA servers for Samba, run the following on all servers: <code bash>   * Setup FreeIPA servers for Samba, run the following on all servers: <code bash>
 dnf install ipa-server-trust-ad dnf install ipa-server-trust-ad
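Review bot: the added first step (drop the host's DNS records from FreeIPA and reach the TrueNAS by IP) means the web UI is then used with a certificate whose name no longer matches the address, so the browser warning that follows cannot be told apart from an interposed host; say that this is acceptable only on the trusted management network, or add a temporary hosts-file entry for the FQDN on the admin workstation and keep connecting by name. Separately, ''dnf install ipa-server-trust-ad'' only installs packages; if the remainder of this list (cut off in this view) does not already run ''ipa-adtrust-install'' on each server, add it, since that is the step that configures Samba and assigns SIDs on the IPA side.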
Line 13: Line 14:
       * Primary KDC: pick one of the IPA servers       * Primary KDC: pick one of the IPA servers
       * KDC/admin servers/password servers: List all the IPA servers       * KDC/admin servers/password servers: List all the IPA servers
-    * Add a ''host/fqdn@IPA.SIHNON.NET'' keytab 
     * Configure Directory Services     * Configure Directory Services
       * Configuration type: IPA       * Configuration type: IPA
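Review bot: with the ''host/fqdn@IPA.SIHNON.NET'' keytab upload removed, the Kerberos section of this list should state where the host key now comes from (the IPA join configured in the next block creates it); otherwise a reader may still generate one by hand with ''ipa-getkeytab'', which by default issues a fresh key and invalidates the one the join wrote.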
Line 19: Line 19:
       * Timeout: 10s       * Timeout: 10s
       * Kerberos Realm: IPA.SIHNON.NET       * Kerberos Realm: IPA.SIHNON.NET
-      * Credential type: Kerberos Principal +      * Credential type: Kerberos User (admin, and the domain password)
-      * Kerberos Principal: The host keytab uploaded previously+
       * Target Server: pick one of the IPA servers       * Target Server: pick one of the IPA servers
       * TrueNAS hostname: short hostname       * TrueNAS hostname: short hostname
-      * Domain: ipa.sihnon.net+      * Domain: jellybean.sihnon.net (temporary hack to ensure computer objects are created using canonical hostname)
       * Base DN: dc=ipa,dc=sihnon,dc=net       * Base DN: dc=ipa,dc=sihnon,dc=net
       * Validate Certificates       * Validate Certificates
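Review bot: the ''Domain: jellybean.sihnon.net'' line is labelled a temporary hack without saying what goes wrong otherwise; spell out that the host object and the ''cifs/'' and ''nfs/'' service principals must carry the name clients actually resolve (the host's canonical FQDN), because a ticket for ''cifs/truenas.ipa.sihnon.net'' is useless to a client connecting to the ''jellybean.sihnon.net'' name, and SMB then either fails or falls back to a non-Kerberos path. Also, ''Credential type: Kerberos User (admin, and the domain password)'' hands the IPA admin password to the appliance; use a dedicated enrollment principal granted only the host-enrollment privilege, and, if TrueNAS retains the credential after the join, rotate it afterwards, since the admin credential is not needed once the host keytab exists.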
Line 30: Line 29:
         * Domain: ipa.sihnon.net         * Domain: ipa.sihnon.net
         * Rest of the attributes at default         * Rest of the attributes at default
-    * Edit ''/etc/krb5.conf'': <code> +    * Verify the Host object, cifs/nfs service accounts, and DNS records have been created in FreeIPA with the jellybean domain 
-[libdefaults] +    * Disable directory services and change the domain from ''jellybean.sihnon.net'' to ''ipa.sihnon.net'' and re-enable the services
-        dns_lookup_realm = false # change from true +
-        dns_lookup_kdc = false # change from true +
- +
-[domain_realms] +
-        # Add these two lines +
-        jellybean.sihnon.net = IPA.SIHNON.NET +
-        .jellybean.sihnon.net = IPA.SIHNON.NET +
-</code>+
     * Restart ''winbind'' service     * Restart ''winbind'' service
 +    * Verify that ''getent passwd ben'' shows the account
  
 When connecting from a non-domain joined Windows, it won't prompt for credentials and will fail. Must explicitly map a drive, using IPA domain creds first. Subsequent connections to the same hostname will reuse the credentials, so not all shares need to be mapped. When connecting from a non-domain joined Windows, it won't prompt for credentials and will fail. Must explicitly map a drive, using IPA domain creds first. Subsequent connections to the same hostname will reuse the credentials, so not all shares need to be mapped.
 +
 +====== ACME ======
 +
 +For the first server, follow the below instructions.
 +
 +  * Create a tsig key for nsupdate: <code bash>
 +tsig-keygen -a HMAC-SHA512
 +</code>
 +  * Update the key name to ''truenas.''
 +  * Distribute the key to nameservers via puppet (hiera key ''profile::freeipa::named::keys''), and make sure bind has been restarted to pick up the change
 +  * Create ''data/system/acme'' datasets
 +  * SSH to the host as ''truenas_admin'' and run the following: <code bash>
 +sudo chown truenas_admin /mnt/data/system/acme
 +git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
 +</code>
 +  * Save the tsig key to ''/mnt/data/system/acme/.nsupdate.key'' (making sure the key name and secret match puppet)
 +  * 
 +
 +For subsequent servers, clone the ''acme'' filesystem
 +
 +For all servers:
 +
 +  * Navigate to ''Credentials->Certificates''
 +  * Add an ''ACME DNS-Authenticator''
 +    * Name: freeipa
 +    * Authenticator: shell
 +    * Script: ''/mnt/data/system/acme/dns_acme.sh''
 +    * User: ''root''
 +    * Timeout: 60
 +    * Delay: 90
 +  * Add a ''Certificate Signing Request''. Follow the wizard. LetsEncrypt doesn't use any of the subject attributes so set any values.
 +  * Once added, click three dots next to the CSR ''Create ACME certificate''
 +    * Name: letsencrypt
 +    * Accept ToS
 +    * Directory UI: LetsEncrypt Production
 +    * Set Freeipa for each domain
 +  * Once the ''letsencrypt'' CSR appears in the list, navigate to ''System-General''
 +  * Click the GUI ''Settings'' button
 +  * Select ''letsencrypt'' certificate under ''GUI SSL Certificate'' and save changes, confirming thr restart
  
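Review bot: the ACME authenticator runs ''/mnt/data/system/acme/dns_acme.sh'' as ''root'' (User: root) out of a directory that, earlier in the same list, is chowned to ''truenas_admin'' and populated by that user's unpinned ''git clone''; anything that can write as ''truenas_admin'' (or tamper with the clone) therefore becomes root on the next renewal. Make the directory and script root-owned and writable only by root, pin the clone to a release tag or commit, and give ''.nsupdate.key'' mode 0600, since the TSIG secret in it authorises DNS updates to the zone, which is exactly what is needed to pass a DNS-01 challenge for any name in it. Smaller points in the same hunk: the first-server list ends in an empty bullet (''  * ''), ''dns_acme.sh'' is referenced but never described on the page, ''Directory UI'' reads as ''Directory URI'', and ''confirming thr restart'' has a typo. In the directory-services part, the removed ''[domain_realms]'' block (which was also misspelled; the section is ''[domain_realm]'') is replaced by the jellybean rename dance, but the text should say whether the ''domain_realm'' mapping for ''jellybean.sihnon.net'' is now written by TrueNAS itself or is simply no longer needed, since those removed lines were the explicit fix for the realm/hostname mismatch the page opens with.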
truenas.1765577506.txt.gz · Last modified: by ben
