How to Configure FreeNAS as Centralized Authentication Server (LDAP/SMB) for Ubuntu PXE Boot Clients with Kerberos/PAM Integration

This setup requires FreeNAS to serve multiple roles:

1. Authentication Provider (LDAP/Kerberos)
2. File Server (NFS/SMB for /home)
3. PXE Boot Services (TFTP/NFS)

LDAP Server Setup:

# On FreeNAS CLI:
midclt call ldap.update '{
  "hostname": "nas.domain",
  "basedn": "dc=domain,dc=local",
  "binddn": "cn=admin,dc=domain,dc=local",
  "bindpw": "yourpassword",
  "enable": true
}'

Samba Domain Controller Alternative:

# In FreeNAS SMB service configuration:
[global]
   server role = active directory domain controller
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   # the DC role implies security = user; do not combine it with security = ads

PAM Authentication Setup:

# Install required packages
sudo apt-get install libnss-ldap libpam-ldap nscd

# /etc/ldap.conf configuration
base dc=domain,dc=local
uri ldap://nas.domain
ldap_version 3
pam_password exop

Kerberos Integration:

# /etc/krb5.conf
[libdefaults]
    default_realm = DOMAIN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

FreeNAS Export:

# Create dataset for user homes
zfs create poolname/homes
chmod 755 /mnt/poolname/homes

# /etc/exports on FreeNAS
/mnt/poolname/homes -alldirs -maproot=root -network 192.168.1.0/24

Client Auto-mount:

# /etc/fstab entry
nas.domain:/mnt/poolname/homes /home nfs rw,hard,intr 0 0

# Verify LDAP connection
ldapsearch -x -H ldap://nas.domain -b "dc=domain,dc=local"

# Test Kerberos auth
kinit username@DOMAIN.LOCAL

# Check mounted shares
mount | grep nfs

Add these to your PXE config in FreeNAS:

LABEL ubuntu-live
  MENU LABEL Ubuntu LTSP Client
  KERNEL tftp://nas.domain/ubuntu/vmlinuz
  INITRD tftp://nas.domain/ubuntu/initrd.lz
  APPEND root=/dev/nfs boot=nfs nfsroot=nas.domain:/mnt/poolname/squashfs ip=dhcp

  • Implement TLS for LDAP (certificates in FreeNAS web UI)
  • Use FreeNAS ACLs for home directory permissions
  • Configure firewall rules for SMB/LDAP/Kerberos ports

This solution implements FreeNAS 12+ as both authentication provider and file server for diskless Ubuntu clients booting via PXE. The system leverages:

  • FreeNAS LDAP/Samba4 for centralized authentication
  • Kerberos for secure auth between clients and server
  • NFSv4 for /home directory mounting
  • Automated PXE provisioning

First, configure FreeNAS as an LDAP server:

# In FreeNAS web UI:
1. Services → Directory Services → LDAP
   - Base DN: dc=freenas,dc=local
   - Bind DN: cn=admin,dc=freenas,dc=local
   - Enable Kerberos: True
2. Services → SMB
   - Set as Domain Controller: True
   - Realm: FREENAS.LOCAL
   - Domain: FREENAS

Modify your PXE boot configuration (/mnt/tftpboot/pxelinux.cfg/default on FreeNAS):

DEFAULT ubuntu
LABEL ubuntu
  KERNEL vmlinuz
  # APPEND must stay on a single line; pxelinux does not join continuation lines
  APPEND initrd=initrd.lz root=/dev/nfs nfsroot=192.168.1.10:/mnt/tank/pxeroot ip=dhcp krb5_server=freenas.local ldap_server=freenas.local

In your Ubuntu squashfs, create /etc/krb5.conf:

[libdefaults]
  default_realm = FREENAS.LOCAL
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  FREENAS.LOCAL = {
    kdc = freenas.local
    admin_server = freenas.local
  }

Configure LDAP client (/etc/ldap/ldap.conf):

BASE dc=freenas,dc=local
URI ldap://freenas.local
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Add to /etc/pam.d/common-session:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

Configure automount in /etc/fstab:

freenas.local:/mnt/tank/homes /home nfs rw,hard,intr,sec=krb5 0 0

Key verification commands:

# Test Kerberos auth:
kinit username@FREENAS.LOCAL

# Verify LDAP connectivity:
ldapsearch -x -H ldap://freenas.local -b dc=freenas,dc=local

# Check NFS mounts:
showmount -e freenas.local

For user synchronization, consider adding this cron job on FreeNAS:

0 * * * * /usr/local/bin/smbldap-usermod -G wheel $(getent passwd | cut -d: -f1)
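Both answers rest on the same two client-side settings: the first answer's closing bullet about TLS for LDAP, and the second answer's sec=krb5 fstab entry and ldap.conf. The POSIX shell audit below is an added example, not code from either answer; it reads fstab and ldap.conf text (constructed samples here) and flags NFS mounts without sec=krb5 and LDAP client settings that permit cleartext or unverified connections. Treating the pam_ldap/nss-ldap keyword 'ssl start_tls' as the only acceptable way to use a plain ldap:// URI is an assumption about which client library is installed.

```shell
# Added audit helper, not part of either answer above. It parses the client's
# fstab and ldap.conf text and prints one finding per line for the two settings
# the answers hinge on: Kerberos-secured NFS home mounts and TLS-protected LDAP.

# Findings for every nfs/nfs4 entry in an fstab (file contents passed as $1).
audit_fstab() {
    printf '%s\n' "$1" | while read -r src mnt fstype opts rest; do
        case "$src" in ''|\#*) continue ;; esac
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        # sec=krb5/krb5i/krb5p binds the mount to the user's ticket; without it
        # the server trusts whatever UID a diskless client chooses to present.
        case ",$opts," in
            *,sec=krb5*,) ;;
            *) echo "$mnt: NFS mount without sec=krb5 (AUTH_SYS trusts client UIDs)" ;;
        esac
        case ",$opts," in *,soft,*) echo "$mnt: soft mount can hand I/O errors to /home users" ;; esac
        case ",$opts," in *,intr,*) echo "$mnt: 'intr' is ignored by current kernels; drop it" ;; esac
    done
}

# Findings for an ldap.conf (contents passed as $1). Assumptions: a plain ldap://
# URI is acceptable only with the pam_ldap-style 'ssl start_tls' line, and
# TLS_REQCERT is treated as 'demand' when it is absent.
audit_ldap_conf() {
    printf '%s\n' "$1" | awk '
        { key = tolower($1); val = tolower($2) }
        key == "uri" { uri = $2 }
        key == "ssl" && val == "start_tls" { starttls = 1 }
        key == "tls_reqcert" && val != "demand" && val != "hard" {
            print "TLS_REQCERT " $2 " accepts unverified server certificates" }
        END {
            if (uri == "") print "no URI directive found"
            else if (uri ~ /^ldap:\/\// && !starttls)
                print "URI " uri " is cleartext and no ssl start_tls is set"
        }'
}

# Constructed samples mirroring the client files shown in the answers.
SAMPLE_FSTAB='nas.domain:/mnt/poolname/homes /home nfs rw,hard,intr 0 0
freenas.local:/mnt/tank/homes /srv/homes nfs rw,hard,sec=krb5 0 0
# local root disk is not checked
/dev/sda1 / ext4 defaults 0 1'
SAMPLE_LDAP='BASE dc=freenas,dc=local
URI ldap://freenas.local
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow'
echo "fstab findings:";     audit_fstab "$SAMPLE_FSTAB"
echo "ldap.conf findings:"; audit_ldap_conf "$SAMPLE_LDAP"
```

Point the two functions at `$(cat /etc/fstab)` and `$(cat /etc/ldap/ldap.conf)` (or /etc/ldap.conf for pam_ldap) inside the squashfs to audit the real client image.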