What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?
Active Directory – Integrate with FreeBSD 10.0 Using SSSD
Tags: active-directory, freebsd, kerberos, sssd, windows-server-2012-r2
Best Answer
There are some tricky considerations to make everything work out-of-the-box. FreeBSD only supports sssd version 1.9.6 at this moment, so there's no support for Enterprise Principal Names. If you have a domain with non-matched UPNs it will fail to log in, since the Kerberos authentication will fail during the process; even with FreeBSD supporting Enterprise Principal Names with Kerberos, sssd cannot handle this case. So in the current version of sssd you are limited to having the User Principal Name within the same Domain Name, for example:

Knowing this we can describe the steps to successfully authenticate users from AD in FreeBSD.
1. Configure Kerberos
Create the file /etc/krb5.conf with the following content:

2. Install Samba 4.1 and configure it to join the Domain
Install Samba 4.1:

Create the file /usr/local/etc/smb4.conf with the following content:

Ask for an Administrator Kerberos Ticket:

Then join the domain and create a keytab:

3. Install the sssd package and Cyrus SASL with Kerberos support
Install required packages:

Edit the file /usr/local/etc/sssd/sssd.conf to match these settings:

4. Add sssd support to nsswitch.conf
Edit the file /etc/nsswitch.conf to match these settings:

5. Configure PAM to allow sssd authentication and handle home directory creation
Install optional packages for home directory creation:

Modify the necessary PAM realms to match these settings:

6. Switch to SASL enabled OpenLDAP Client

7. Finally confirm that everything is working
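An added example, not part of the original answer: a pre-flight check for the UPN limitation described at the top of the answer. Given AD user records (sAMAccountName, userPrincipalName) and the Kerberos realm sssd is configured for, it lists which accounts will fail authentication under sssd 1.9.6 because their UPN suffix does not match the realm. The realm EXAMPLE.COM and the user records are constructed assumptions.

```python
# Added example (not from the original answer). sssd 1.9.6 on FreeBSD has no
# Enterprise Principal Name support, so an account whose userPrincipalName
# suffix differs from the Kerberos realm will fail authentication even though
# the KDC itself could resolve it. This pre-flight check finds such accounts.
# KRB5_REALM and SAMPLE_USERS are constructed sample data, not from the page.

KRB5_REALM = "EXAMPLE.COM"  # assumed: the AD DNS domain in uppercase

SAMPLE_USERS = [  # constructed records shaped like the AD attributes
    {"sAMAccountName": "alice", "userPrincipalName": "alice@example.com"},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@EXAMPLE.COM"},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@corp.example.net"},
    {"sAMAccountName": "dave", "userPrincipalName": ""},  # no UPN set at all
]


def upn_realm(upn):
    """Return the UPN suffix as an uppercase realm name, or None if no UPN."""
    if not upn or "@" not in upn:
        return None
    return upn.rsplit("@", 1)[1].upper()


def expected_principal(user, realm):
    """Principal of the form sAMAccountName@REALM that would match the realm."""
    return "%s@%s" % (user["sAMAccountName"], realm.upper())


def check_users(users, realm):
    """Sort accounts into ok / mismatched / no_upn relative to the realm.

    Each entry is (sAMAccountName, userPrincipalName, realm-matching principal)
    so an admin can see what the UPN would need to be for login to succeed.
    """
    result = {"ok": [], "mismatched": [], "no_upn": []}
    for u in users:
        suffix = upn_realm(u.get("userPrincipalName"))
        entry = (u["sAMAccountName"], u.get("userPrincipalName") or "(none)",
                 expected_principal(u, realm))
        if suffix is None:
            result["no_upn"].append(entry)      # needs review, not a realm mismatch
        elif suffix == realm.upper():
            result["ok"].append(entry)
        else:
            result["mismatched"].append(entry)  # will fail under sssd 1.9.6
    return result


if __name__ == "__main__":
    for status, entries in check_users(SAMPLE_USERS, KRB5_REALM).items():
        for name, upn, principal in entries:
            print("%-10s %-6s upn=%-24s expected=%s" % (status, name, upn, principal))
```

Run it against an export of your real accounts before switching PAM over to sssd, so the mismatched list is empty rather than discovered at the login prompt.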