FreeBSD to authenticate against Active Directory

Stephanie Bridges sbridges at
Wed Oct 3 12:03:17 PDT 2007

On Wednesday, October 03, 2007 7:32 AM Chris wrote:
> On Wed, 03 Oct 2007 03:33:50 +0100
> Stephen Allen <sdafreebsduk at> wrote:
> > Hello,
> >
> > Is there any up-to-date definitive resource which explains how to get
> > FreeBSD (6.2) to authenticate against Active Directory (in my case
> > Windows 2003 R2 which includes SFU).  There are a few informative
> > articles floating around, but most date back to 2004/2005 and most
> > involve the use of Samba and Winbind (I'd like to avoid this if
> > possible).
> >
> > I don't really know what is possible here, I'm coming from only a
> > basic understanding of how things like pam work.  Would I have to
> > configure every service separately to use Active Directory or could I
> > tell FreeBSD to blindly rely on AD for user authentication?
> >
> > I read about pam_mkhomedir, so users could have homedirs created
> > automatically when they logged in.  Is this possible in FreeBSD?
> > Would I be able to map this automatically to their existing "My
> > Documents" folder which is redirected to the network by group policy?
> >
> > Please feel free to tell me what can/can't be done and if doing so is
> > a good/bad thing.  I can explain bits in more detail if needed.
> >
> Steve -
> 	You have a few options.
> 1. LDAP
> 2. OpenLDAP
> 3. The use of WinBind and its companion apps (using ntlm etc.)
> 4. Google AD Auth Unix (or, insert your personal choice)
> What you may find - is that installing Winbind etc may be your easiest
> way to go however, I'm unsure how SFU will play along with the mix.

I also have not seen anything particularly recent; and every reference I
have seen is slightly different.

I have gotten FreeBSD to successfully authenticate to our AD servers here
(Win2003, not sure of service pack level) using pam/winbind.  Pam_winbind is
configured to authenticate with Kerberos.

I use the RID IDMAP scheme with winbind for user id mapping.  The AD servers
have had Unix attributes added, but I have not tested how this works for me
yet.  I am also using pam_mkhomedir to create user home directories.

My setup:
1. Nsswitch.conf has group and passwd set to "files winbind"
2. Krb5.conf points to the AD servers
3. /etc/pam.d/system:
# auth
auth            sufficient             no_warn
auth            requisite       no_warn allow_local
auth            sufficient      /usr/local/lib/
#auth           sufficient             no_warn
#auth           sufficient              no_warn
auth            required             no_warn try_first_pass n

# account
#account        required
account         sufficient      /usr/local/lib/
account         required
account         required

# session
#session        optional
session         required       /usr/local/lib/
session         required          no_fail

# password
#password       sufficient             no_warn
password        required             no_warn

4. pam_winbind now has its own conf file (copy from
/usr/local/share/examples/samba/pam_winbind to /etc/security and modify).
(contents follow)  I have not tried caching.
# /etc/security/pam_winbind.conf

# turn on debugging
debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx

5. smb.conf is attached; this is for Samba 3.0.25a.

I do not believe pam_mkhomedir will automatically mount an external
filesystem; however there is a pam module which will allow you to auto mount
filesystems at user login of various types called pam_mount [1] which we
have used successfully on our university-blessed RHEL5 systems.  I have not
tried to compile it yet on FreeBSD.  One thing we discovered on RHEL5 (we
are not using the most recent version of pam_mount, so ymmv) is that it
needs to be the module that actually grabs the password and then passes it
on to the rest of the pam stack.  It was unable to retrieve the credentials
from whoever was ahead of it.  We used CIFS instead of SMB which performed
much better.  


Stephanie Bridges
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA  50011
sbridges at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb-xx.conf
Type: application/octet-stream
Size: 6448 bytes
Desc: not available
Url :
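The setup above mixes two configuration formats (the key = value file for pam_winbind and the four-column /etc/pam.d stack), and a few of the settings shown are things to revisit before the host goes into production: debug logging left on, the cached_login line commented out, and a placeholder SID in require_membership_of. The following added example, which is not from the post, from Samba or from FreeBSD, parses both formats and reports those points; the sample inputs are constructed from the settings described in the post, and the module names in the sample pam.d stack (pam_winbind.so, pam_unix.so, pam_mkhomedir.so) are assumed, since the post's own lines lost their module column.

```python
"""Review a pam_winbind.conf and a FreeBSD pam.d stack for settings worth a second look.

Added example, not code from the mailing-list post, Samba or FreeBSD.  It parses
the key = value format of pam_winbind.conf (';' and '#' start comments, an optional
[section] header is tolerated) and the type/control/module/args format of a pam.d
file, then returns a list of findings.  Sample inputs below are constructed.
"""
import re

# Constructed sample: the pam_winbind.conf described in the post.
SAMPLE_WINBIND_CONF = """\
# /etc/security/pam_winbind.conf
# turn on debugging
debug = yes
# request a cached login if possible
;cached_login = no
krb5_auth = yes
krb5_ccache_type = FILE
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx
"""

# Constructed sample pam.d stack; module names are assumed (the post's lines lost them).
SAMPLE_PAM_STACK = """\
# auth
auth     sufficient   /usr/local/lib/pam_winbind.so
auth     required     pam_unix.so   no_warn try_first_pass
# account
account  sufficient   /usr/local/lib/pam_winbind.so
account  required     pam_unix.so
# session
session  required     /usr/local/lib/pam_mkhomedir.so
"""

KEY_VALUE = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')
PAM_LINE = re.compile(r'^(auth|account|session|password)\s+(\S+)\s+(\S+)\s*(.*)$')
# A domain SID is S-1-5-21 followed by numeric sub-authorities only.
WELL_FORMED_SID = re.compile(r'^S-1-5-21(-[0-9]+){3,}$')


def parse_winbind_conf(text):
    """Return (active, commented): key -> value for live and for ';'/'#'-disabled lines."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('['):
            continue
        disabled = line[0] in ';#'
        m = KEY_VALUE.match(line.lstrip(';# ').strip())
        if m:
            (commented if disabled else active)[m.group(1).lower()] = m.group(2).strip()
    return active, commented


def parse_pam_stack(text):
    """Return the pam.d entries as dicts; the module is reduced to its basename."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append({'type': m.group(1), 'control': m.group(2),
                            'module': m.group(3).rsplit('/', 1)[-1],
                            'args': m.group(4).split()})
    return entries


def review(winbind_conf, pam_stack):
    """Return human-readable findings for the two files."""
    active, commented = parse_winbind_conf(winbind_conf)
    entries = parse_pam_stack(pam_stack)
    findings = []
    if active.get('debug') == 'yes':
        findings.append('debug = yes: pam_winbind logs verbosely to syslog; turn off once it works')
    if active.get('krb5_auth') != 'yes':
        findings.append('krb5_auth is not yes: winbind will not authenticate with Kerberos')
    member = active.get('require_membership_of')
    if member is None:
        findings.append('require_membership_of unset: any domain account may log in')
    elif member.startswith('S-') and not WELL_FORMED_SID.match(member):
        findings.append('require_membership_of is not a well-formed SID: ' + member)
    if 'cached_login' in commented:
        findings.append('cached_login is commented out: logins need a reachable DC')
    auth = [e for e in entries if e['type'] == 'auth']
    if not any(e['module'] == 'pam_winbind.so' for e in auth):
        findings.append('no pam_winbind.so line in the auth stack')
    if not any(e['control'] in ('required', 'requisite') for e in auth):
        findings.append('auth stack has no required local fallback such as pam_unix.so')
    if not any(e['type'] == 'session' and e['module'] == 'pam_mkhomedir.so' for e in entries):
        findings.append('no pam_mkhomedir.so session line: home directories will not be created')
    return findings


if __name__ == '__main__':
    for finding in review(SAMPLE_WINBIND_CONF, SAMPLE_PAM_STACK):
        print('-', finding)
```

Run it against the real files with `review(open('/etc/security/pam_winbind.conf').read(), open('/etc/pam.d/system').read())`; on the constructed sample it reports the debug setting, the placeholder SID and the disabled cached_login line, and nothing about the pam.d stack because the sample has the winbind, unix and mkhomedir lines in place.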

More information about the freebsd-questions mailing list