I'm having a lot of issues with FreeBSD 10.3
I'm finding the binary packages are fairly useless. I've had to build nearly everything to make things "work". I like using the adcli tool to join to a domain (MUCH nicer than samba). But the binary version in pkg doesn't work. Building it from ports with all the obvious stuff enabled makes it work.
At this point, I have it to the point where I can successfully do a "getent", but no matter what I try, it won't auth my account. SSH, sudo, even running login directly, and it behaves as if I have a bad password.
I'm wondering if I need to use the heimdal krb package instead of MIT?
Here are my relevant configs:
krb5.conf:
[libdefaults]
default_realm = MYDOMAIN-SR.NET
forwardable = true
[realms]
MYDOMAIN-SR.NET = {
admin_server = ad.mydomain-sr.net
kdc = ad.mydomain-sr.net
}
[domain_realm]
mydomain.net = MYDOMAIN-SR.NET
.mydomain.net = MYDOMAIN-SR.NET
MYDOMAIN.net = MYDOMAIN-SR.NET
.MYDOMAIN.net = MYDOMAIN-SR.NET
nsswitch.conf:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.3/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: files sss
#group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files sss
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sssd.conf:
[sssd]
config_file_version = 2
#domains = mydomain-sr.net
domains = MYDOMAIN-SR.NET
services = nss, pam, pac
fallback_homedir = /home/%u
debug_level = 9
[pam]
pam_verbosity = 3
[domain/MYDOMAIN-SR.NET]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_id_mapping = False
#cache_credentials = true
cache_credentials = false
ad_server = ad.mydomain-sr.net
override_shell = /bin/tcsh
#ldap_sasl_canonicalize = false
#krb5_canonicalize = false
Best Answer
(Copied from another Question. These are my notes/guide on how I got all this working at a large client with existing AD infra)
Here is my guide on AD integration via SSSD with these versions of FreeBSD, at the time of this writing (6/2017)
Installation (and the fun packaging and dependency issues)
/usr/bin
, and the other in/usr/local/bin
. Since none of the base system files seems to be in a package, you can’t simply remove the Heimdal KRB stuff. Something to be aware of.Forward dependencies of the various packages (interesting deps in bold, conflicting deps in bold italics):
net-mgmt/adcli:
net/openldap24-sasl-client
security/cyrus-sasl2-gssapi: security/cyrus-sasl2
net/openldap24-sasl-client: security/cyrus-sasl2
security/sssd: security/nss
security/sssd:
security/krb5
security/sssd: security/cyrus-sasl2
security/sssd:
net/openldap24-client
security/sssd: lang/python27
security/sssd: lang/python2
security/sssd: dns/c-ares
security/sssd: devel/tevent
security/sssd: devel/talloc
security/sssd: devel/popt
security/sssd: devel/pcre
security/sssd: devel/libunistring
security/sssd: devel/libinotify
security/sssd: devel/gettext-runtime
security/sssd: devel/ding-libs
security/sssd: devel/dbus
security/sssd: databases/tdb
security/sssd: databases/ldb
Reverse dependencies of the various packages:
net/openldap24-sasl-client: sysutils/msktutil
net/openldap24-sasl-client: net/nss-pam-ldapd-sasl
net/openldap24-sasl-client: net-mgmt/adcli
sssd
itself requires the MIT Kerberos, even though we have Heimdal as the base packageadcli
wantsopenldap-sasl-client
, but other packages (including sub-dependencies ofsssd
) pull inopenldap-client
, which is mutex with the sasl client (for whatever silly reason). This makes installation a bit of a pain, even with a minimum set of binary packages.As of this writing, the binary pkg for SSSD for FreeBSD does not include AD support in SSSD
SMB
adcli
exists, but as of this writing, doesn’t work.GSSAPI_MIT
cyrus-sasl-gssapi
is required, but the pkg binary version doesn't work, and has odd dependency issues which cause it to remove SSSD.GSSAPI_MIT
openldap-sasl-client
is required for functionality but SSSD wants to pull in the non SASL version of openldap.openldap-sasl-client
with theGSSAPI
option selected (make config
) in ports.pkg remove –f openldap-client
openldap-client
without doing any autoremoves of any other packages (like SSSD) and allow installation of the SASL versionopenldap-sasl-client
pkg remove –f sssd
(Optional) Once everything is working and verified, you can use
pkg create
to create binary packages of the four packages with the proper options enabled and use those instead of building them in ports on every system. Installation of binary follows a similar pattern to the ports build process:pkg install sssd-1.11.7_8.txz
pkg add
the other packages (not install, add), saving the openldap package for last.openldap-sasl-client
do apkg remove –f openldap-client
pkg add openldap-sasl-client-2.4.44.txz
pkg create
to replace the dependency onopenldap-client
withopenldap-sasl-client
to remove the need to do this remove/reinstall. I haven't had the time to look into doing this.openldap-client
, so you would have to fix those too.Kerberos Configuration:
/etc/pam.d
files I’ve had to modify to make SSSD work with FreeBSD:/etc/pam.d/sshd:
/etc/pam.d/system:
/etc/pam.d/su:
(indent)
system.dist
is a copy of the stock/etc/pam.d/system
file. It is included in the/etc/pam.d/su
file above to prevent issues with the su command.su
to AD accounts as root, since once root,su
doesn’t need to authenticate and the account info is pulled through the name service switch via SSSD.sudo
for security reasons aloneksu
and that works for switching from user A to user Bksu
(in/usr/bin
) doesn't have SUID set by defaultksu
work,chmod u+s /usr/bin/ksu
krb5
package installed in/usr/local/bin
) is SUID on install/usr/local/bin
is before/usr/bin
, etcksu
will prompt the user for the AD/Kerberos password of the target userpasswd
will not work to change your AD/Kerberos password even if you addpam_sss.so
to the passwd PAM file. Thepasswd
binary only supports local and NIS Usekpasswd
to change your password on the AD/Kerberos server(s).Name Service Switch:
/etc/nsswitch.conf
file should be configured to use the sss service for passwd and groups. Example:group: files sss
passwd: files sss
Joining a Domain:
adcli
kinit
before using, it does it for you based on provided creds.adcli join -D mydomain.net -U Administrator--show-details –v
adcli join –H adclient.mydomain.net -D mydomain.net -U Administrator --show-details -v
net
utilitynet
utility is part of the Samba suite.smb.conf
configuration file, which makes it more difficult and inconvenient to use, especially non-interactively.kinit
. Again, this is more inconvenient, and makes it a bit more difficult to use non-interactively in a script, since there are two steps instead of one.SSHD considerations:
/etc/ssh/sshd_config
GSSAPIAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
when using this option./bin/passwd
, which doesn’t support anything but NIS and local passwd file.GSSAPICleanupCredentials yes
kdestroy
upon logoutGSSAPIStrictAcceptorCheck no
host/<FQDN>@REALM
to speak with the KDC, but sometimes gets it wrong (for instance, if the hostname doesn't match the DNS name of the SSH server). This option allows SSHD to use any principal in the/etc/krb5.keytab
file, which includes the properhost/<FQDN>@REALM
ssh -K <ip>
to work without prompting for a password (presuming you have done a 'kinit' already, of course).