truenas
truenas [2025/12/18 22:36] – [ACME] bentruenas [2025/12/19 21:55] (current) – [FreeIPA/Samba integration] ben
Line 3: Line 3:
 This was more complicated than it probably should have been due to the IPA domain not matching the truenas host domain, I think. This was more complicated than it probably should have been due to the IPA domain not matching the truenas host domain, I think.
  
 +  * Remove DNS for the host from freeipa if setup previously, and connect to the truenas by IP for the next steps
   * Setup FreeIPA servers for Samba, run the following on all servers: <code bash>   * Setup FreeIPA servers for Samba, run the following on all servers: <code bash>
 dnf install ipa-server-trust-ad dnf install ipa-server-trust-ad
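Review bot: the new "Remove DNS for the host from freeipa ... connect to the truenas by IP" step does not say what the reader should expect from that or when the DNS record comes back. If the web UI certificate is issued for the hostname (the ACME section in this page's history suggests it is), connecting by IP will produce a certificate warning; the step should say so and tell the reader to verify the certificate fingerprint rather than learn to click through. The later "Verify the Host object, cifs/nfs service accounts, and DNS records have been created in FreeIPA" step is what restores the record, so a short forward pointer here ("the join re-creates the DNS record later") would close the loop.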
Line 13: Line 14:
       * Primary KDC: pick one of the IPA servers       * Primary KDC: pick one of the IPA servers
       * KDC/admin servers/password servers: List all the IPA servers       * KDC/admin servers/password servers: List all the IPA servers
-    * Add a ''host/fqdn@IPA.SIHNON.NET'' keytab 
     * Configure Directory Services     * Configure Directory Services
       * Configuration type: IPA       * Configuration type: IPA
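Review bot: dropping the "Add a ''host/fqdn@IPA.SIHNON.NET'' keytab" step leaves no cleanup instruction for anyone who followed the previous revision. A host keytab already uploaded to TrueNAS is a long-lived credential; it should be removed from the TrueNAS keytab list (and the principal's keys rotated in IPA if that principal is no longer used) rather than left behind. Suggest one bullet here: "If you uploaded a host keytab under the earlier instructions, remove it before continuing."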
Line 19: Line 19:
       * Timeout: 10s       * Timeout: 10s
       * Kerberos Realm: IPA.SIHNON.NET       * Kerberos Realm: IPA.SIHNON.NET
-      * Credential type: Kerberos Principal +      * Credential type: Kerberos User (admin, and the domain password)
-      * Kerberos Principal: The host keytab uploaded previously+
       * Target Server: pick one of the IPA servers       * Target Server: pick one of the IPA servers
       * TrueNAS hostname: short hostname       * TrueNAS hostname: short hostname
-      * Domain: ipa.sihnon.net+      * Domain: jellybean.sihnon.net (temporary hack to ensure computer objects are created using canonical hostname)
       * Base DN: dc=ipa,dc=sihnon,dc=net       * Base DN: dc=ipa,dc=sihnon,dc=net
       * Validate Certificates       * Validate Certificates
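Review bot: the credential type now becomes "Kerberos User (admin, and the domain password)", which means the IPA admin password is entered into the TrueNAS directory-services form. The page should state whether that password is kept in TrueNAS's stored configuration after the join or used only once, and whether a dedicated, less-privileged enrollment account works in place of admin, since this is the highest-value secret in the realm. Separately, the "temporary hack" note on "Domain: jellybean.sihnon.net" should say that it is reverted in the later "change the domain from jellybean.sihnon.net to ipa.sihnon.net" step; as written, a reader who stops after this section is left with the wrong domain configured.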
Line 30: Line 29:
         * Domain: ipa.sihnon.net         * Domain: ipa.sihnon.net
         * Rest of the attributes at default         * Rest of the attributes at default
-    * Edit ''/etc/krb5.conf'': <code> +    * Verify the Host object, cifs/nfs service accounts, and DNS records have been created in FreeIPA with the jellybean domain 
-[libdefaults] +    * Disable directory services and change the domain from ''jellybean.sihnon.net'' to ''ipa.sihnon.net'' and re-enable the services
-        dns_lookup_realm = false # change from true +
-        dns_lookup_kdc = false # change from true +
- +
-[domain_realms] +
-        # Add these two lines +
-        jellybean.sihnon.net = IPA.SIHNON.NET +
-        .jellybean.sihnon.net = IPA.SIHNON.NET +
-</code>+
     * Restart ''winbind'' service     * Restart ''winbind'' service
 +    * Verify that ''getent passwd ben'' shows the account
  
 When connecting from a non-domain joined Windows, it won't prompt for credentials and will fail. Must explicitly map a drive, using IPA domain creds first. Subsequent connections to the same hostname will reuse the credentials, so not all shares need to be mapped. When connecting from a non-domain joined Windows, it won't prompt for credentials and will fail. Must explicitly map a drive, using IPA domain creds first. Subsequent connections to the same hostname will reuse the credentials, so not all shares need to be mapped.
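Review bot: replacing the manual ''/etc/krb5.conf'' edit with the disable/re-enable cycle needs a sentence confirming that TrueNAS regenerates ''krb5.conf'' itself, because anyone who applied the earlier revision's edit now has a hand-edited file that is either stale or about to be overwritten. For the record, the removed block used a ''[domain_realms]'' section, while the krb5.conf section name is ''[domain_realm]'', so that edit would have had no effect; worth noting in case someone reintroduces it. The final check ''getent passwd ben'' only proves NSS/winbind resolution for a single named account; suggest writing it user-neutrally (''getent passwd <ipa user>''), adding a group lookup (''getent group <ipa group>''), and checking that a Kerberos ticket was actually obtained, which is the part the previous krb5.conf hack was trying to fix.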
truenas.1766097397.txt.gz · Last modified: by ben