How to integrate Active Directory with FreeBSD 10.0 using security/sssd?
What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?
Solution 1:
There are some tricky considerations to make everything work out-of-the-box. FreeBSD only supports sssd version 1.9.6 at this moment, so there's no support for Enterprise Principal Names.
If you have a domain with non-matching UPNs, login will fail, since the Kerberos authentication will fail during the process. Even with FreeBSD supporting Enterprise Principal Names with Kerberos, sssd cannot handle this case.
So in the current version of sssd you are limited to having the User Principal Name within the same Domain Name, for example:
Domain Name = example.com
NetBIOS Name = EXAMPLE
User Principal Name: [email protected]
sAMAccountName: username
Knowing this we can describe the steps to successfully authenticate users from AD in FreeBSD.
1. Configure Kerberos
Create the file /etc/krb5.conf with the following content:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
2. Install Samba 4.1 and configure it to join the Domain
Install Samba 4.1:
$ pkg install samba41
Create the file /usr/local/etc/smb4.conf with the following content:
[global]
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
log file = /var/log/samba/%m.log
Ask for an Administrator Kerberos ticket:
$ kinit Administrator
Then join the domain and create a keytab:
$ net ads join createupn=host/[email protected] -k
$ net ads keytab create -k
3. Install the sssd package and Cyrus SASL with Kerberos support
Install required packages:
$ pkg install sssd cyrus-sasl-gssapi
Edit the file /usr/local/etc/sssd/sssd.conf to match these settings:
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com
[nss]
[pam]
[domain/example.com]
# Uncomment if you need offline logins
#cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/tcsh
fallback_homedir = /home/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
#ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = [email protected]
4. Add sssd support to nsswitch.conf
Edit the file /etc/nsswitch.conf to match these settings:
group: files sss
passwd: files sss
5. Configure PAM to allow sssd authentication and handle home directory creation
Install optional packages for home directory creation:
$ pkg install pam_mkhomedir
Modify the necessary PAM realms to match these settings:
auth sufficient /usr/local/lib/pam_sss.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
session required /usr/local/lib/pam_mkhomedir.so mode=0700
session optional /usr/local/lib/pam_sss.so
password sufficient /usr/local/lib/pam_sss.so use_authtok
6. Switch to SASL enabled OpenLDAP Client
$ pkg remove -f openldap-client
$ pkg install openldap-sasl-client
7. Finally, confirm that everything is working
$ getent passwd <username>
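Added example, not part of the original answer: a pre-flight check over the files edited in steps 1 to 4, useful when getent returns nothing. The function names and the four-argument usage are assumptions of this example; it assumes a single entry in the sssd `domains` line, and the mode check reflects sssd's refusal to load an sssd.conf that is not mode 0600.

```shell
#!/bin/sh
# Added example: consistency checks for the files from steps 1-4.
# Usage (hypothetical): sh check.sh KRB5_CONF SMB4_CONF SSSD_CONF NSSWITCH_CONF

# Print the first "KEY = value" value from an ini-style file, trimmed.
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# sssd 1.9.6 has no Enterprise Principal Name support, so the UPN suffix
# must equal the Kerberos realm (compared case-insensitively).
upn_matches_realm() {  # upn_matches_realm UPN REALM
    case $1 in *@*) ;; *) return 1 ;; esac
    suffix=$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')
    [ "$suffix" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# nsswitch.conf must list sss for both the passwd and group databases.
nss_has_sss() {  # nss_has_sss FILE
    for db in passwd group; do
        grep -Eq "^${db}:.*[[:space:]]sss([[:space:]]|\$)" "$1" || return 1
    done
}

# The realm must agree across krb5.conf, smb4.conf and the sssd domain name.
check_realms() {  # check_realms KRB5 SMB4 SSSD
    krb=$(ini_get "$1" default_realm)
    smb=$(ini_get "$2" realm)
    dom=$(ini_get "$3" domains | tr '[:lower:]' '[:upper:]')
    [ -n "$krb" ] && [ "$krb" = "$smb" ] && [ "$krb" = "$dom" ]
}

# sssd will not load sssd.conf unless it is readable by its owner only.
sssd_conf_private() {  # sssd_conf_private FILE
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

if [ "$#" -eq 4 ]; then
    check_realms "$1" "$2" "$3" || echo "realm mismatch between $1, $2 and $3"
    sssd_conf_private "$3"      || echo "$3 is not mode 0600"
    nss_has_sss "$4"            || echo "$4 lacks sss for passwd or group"
fi
```

No output from the four-argument run means every check passed; `upn_matches_realm` can be called separately for each account's userPrincipalName.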
Solution 2:
Which Kerberos are you using here? The built-in one or security/krb5 from MIT?
When installing sssd, it requires that security/krb5 be installed which at this moment is still considered experimental in FreeBSD. Thus this question.
I am not having any luck getting the AD users/groups when executing 'getent' commands. It might be due to the fact that the NETBIOS name differs from the domain name, i.e. in my case, the domain name is dawnsign.com and the NETBIOS name is DSP.
I configured only the pam.d login module. What other pam modules need to be edited in order for a successful authentication to take place?
Any additional info would be greatly appreciated!