How to integrate Active Directory with FreeBSD 10.0 using security/sssd?

What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?


Solution 1:

There are some tricky considerations to make everything work out of the box. FreeBSD only supports sssd version 1.9.6 at this moment, so there's no support for Enterprise Principal Names.

If you have a domain with non-matched UPNs, login will fail, since the Kerberos authentication fails during the process; even though FreeBSD supports Enterprise Principal Names with Kerberos, sssd cannot handle this case.

So in the current version of sssd you are limited to having the User Principal Name within the same Domain Name, for example:

Domain Name = example.com
NetBIOS Name = EXAMPLE
User Principal Name = [email protected]
sAMAccountName = username

Knowing this we can describe the steps to successfully authenticate users from AD in FreeBSD.

1. Configure Kerberos

Create the file /etc/krb5.conf with the following content:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes

2. Install Samba 4.1 and configure it to join the Domain

Install Samba 4.1:

$ pkg install samba41

Create the file /usr/local/etc/smb4.conf with the following content:

[global]
    security = ads
    realm = EXAMPLE.COM
    workgroup = EXAMPLE

    kerberos method = secrets and keytab

    client signing = yes
    client use spnego = yes
    log file = /var/log/samba/%m.log

Ask for an Administrator Kerberos ticket:

$ kinit Administrator

Then join the domain and create a keytab:

$ net ads join createupn=host/[email protected] -k
$ net ads keytab create -k

3. Install the sssd package and Cyrus SASL with Kerberos support

Install required packages:

$ pkg install sssd cyrus-sasl-gssapi

Edit the file /usr/local/etc/sssd/sssd.conf to match these settings:

[sssd]
    config_file_version = 2
    services = nss, pam
    domains = example.com

[nss]

[pam]

[domain/example.com]
    # Uncomment if you need offline logins
    #cache_credentials = true

    id_provider = ad
    auth_provider = ad
    access_provider = ad
    chpass_provider = ad

    # Comment out if the users have the shell and home dir set on the AD side
    default_shell = /bin/tcsh
    fallback_homedir = /home/%u

    # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
    #ldap_sasl_mech = GSSAPI
    #ldap_sasl_authid = [email protected]

4. Add sssd support to nsswitch.conf

Edit the file /etc/nsswitch.conf to match these settings:

group: files sss
passwd: files sss

5. Configure PAM to allow sssd authentication and handle home directory creation

Install optional packages for home directory creation:

$ pkg install pam_mkhomedir

Modify the necessary PAM realms to match these settings:

auth            sufficient      /usr/local/lib/pam_sss.so
account         required        /usr/local/lib/pam_sss.so        ignore_unknown_user
session         required        /usr/local/lib/pam_mkhomedir.so  mode=0700
session         optional        /usr/local/lib/pam_sss.so
password        sufficient      /usr/local/lib/pam_sss.so        use_authtok

6. Switch to SASL enabled OpenLDAP Client

$ pkg remove -f openldap-client
$ pkg install openldap-sasl-client

7. Finally, confirm that everything is working

$ getent passwd <username>
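
Before running getent on a live box, it helps to check that the files written in the steps above agree with each other, in particular that the sssd domain equals the Kerberos realm (the sssd 1.9.6 limitation described at the top). The script below is an added example, not part of the original answer; the embedded config fragments are constructed from the answer's placeholders (example.com / EXAMPLE.COM), and the function names are my own.

```python
import configparser

# Constructed sample fragments mirroring the files from the steps above.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""
SMB4_CONF = """
[global]
    realm = EXAMPLE.COM
    log file = /var/log/samba/%m.log
"""
SSSD_CONF = """
[sssd]
    domains = example.com
[domain/example.com]
    id_provider = ad
    auth_provider = ad
    access_provider = ad
    fallback_homedir = /home/%u
"""
NSSWITCH = "group: files sss\npasswd: files sss\n"

def _ini(text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '%m' / '%u' literal
    cp.read_string(text)
    return cp

def check_ad_configs(krb5, smb4, sssd, nsswitch):
    """Return a list of consistency problems; an empty list means consistent."""
    issues = []
    realm = _ini(krb5)["libdefaults"].get("default_realm", "")
    if _ini(smb4)["global"].get("realm", "").upper() != realm.upper():
        issues.append("smb4.conf realm differs from krb5 default_realm")
    sc = _ini(sssd)
    for dom in [d.strip() for d in sc["sssd"].get("domains", "").split(",") if d.strip()]:
        sect = "domain/" + dom
        if sect not in sc:
            issues.append(f"sssd.conf: no [{sect}] section for domain {dom}")
            continue
        # sssd 1.9.x has no enterprise-principal support: the sssd domain must be the realm.
        if dom.upper() != realm.upper():
            issues.append(f"sssd domain {dom} does not match realm {realm}")
        for key in ("id_provider", "auth_provider", "access_provider"):
            if sc[sect].get(key) != "ad":
                issues.append(f"sssd.conf [{sect}]: {key} should be ad")
    for db in ("passwd", "group"):
        line = next((l for l in nsswitch.splitlines() if l.startswith(db + ":")), "")
        if "sss" not in line.split(":", 1)[-1].split():
            issues.append(f"nsswitch.conf: {db} does not list sss")
    return issues
```

On a real host, pass the contents of /etc/krb5.conf, /usr/local/etc/smb4.conf, /usr/local/etc/sssd/sssd.conf and /etc/nsswitch.conf instead of the constructed strings.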

Solution 2:

Which Kerberos are you using here? The built-in one or security/krb5 from MIT?

When installing sssd, it requires that security/krb5 be installed which at this moment is still considered experimental in FreeBSD. Thus this question.

I am not having any luck getting the AD users/groups when executing 'getent' commands. It might be due to the fact that the NETBIOS name differs from the domain name, i.e. in my case the domain name is dawnsign.com and the NETBIOS name is DSP.

I configured only the pam.d login module. What other pam modules need to be edited in order for a successful authentication to take place?

Any additional info would be greatly appreciated!