FreeBSD to authenticate against Active Directory

Stephanie Bridges sbridges at iastate.edu
Wed Oct 3 12:03:17 PDT 2007


On Wednesday, October 03, 2007 7:32 AM Chris wrote:
> 
> On Wed, 03 Oct 2007 03:33:50 +0100
> Stephen Allen <sdafreebsduk at rowyerboat.com> wrote:
> 
> > Hello,
> >
> > Is there any up-to-date definitive resource which explains how to get
> > FreeBSD (6.2) to authenticate against Active Directory (in my case
> > Windows 2003 R2 which includes SFU).  There are a few informative
> > articles floating around, but most date back to 2004/2005 and most
> > involve the use of Samba and Winbind (I'd like to avoid this if
> > possible).
> >
> > I don't really know what is possible here, I'm coming from only a
> > basic understanding of how things like pam work.  Would I have to
> > configure every service separately to use Active Directory or could I
> > tell FreeBSD to blindly rely on AD for user authentication?
> >
> > I read about pam_mkhomedir, so users could have homedirs created
> > automatically when they logged in.  Is this possible in FreeBSD?
> > Would I be able to map this automatically to their existing "My
> > Documents" folder which is redirected to the network by group policy?
> >
> > Please feel free to tell me what can/can't be done and if doing so is
> > a good/bad thing.  I can explain bits in more detail if needed.
> >
> 
> Steve -
> 
> 
> 	You have a few options.
> 1. LDAP
> 2. OpenLDAP
> 3. The use of WinBind and its companion apps (using ntlm etc.)
> 4. Google AD Auth Unix (or, insert your personal choice)
> 
> What you may find - is that installing Winbind etc may be your easiest
> way to go however, I'm unsure how SFU will play along with the mix.
> 

I also have not seen anything particularly recent; and every reference I
have seen is slightly different.

I have gotten FreeBSD to successfully authenticate to our AD servers here
(Win2003, not sure of service pack level) using pam/winbind.  Pam_winbind is
configured to authenticate with Kerberos.

I use the RID IDMAP scheme with winbind for user id mapping.  The AD servers
have had Unix attributes added, but I have not tested how this works for me
yet.  I am also using pam_mkhomedir to create user home directories.


My setup:
1. Nsswitch.conf has group and passwd set to "files winbind"
2. Krb5.conf points to the AD servers
3. /etc/pam.d/system:
---------------------
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         sufficient      /usr/local/lib/pam_winbind.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
----------------------------------

4. pam_winbind now has its own conf file (copy from
/usr/local/share/examples/samba/pam_winbind to /etc/security and modify).
(contents follow)  I have not tried caching.
-----------
#
# /etc/security/pam_winbind.conf
#
[global]

# turn on debugging
debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx
------------------------------------

5. smb.conf is attached; this is for Samba 3.0.25a.

I do not believe pam_mkhomedir will automatically mount an external
filesystem; however there is a pam module which will allow you to auto mount
filesystems at user login of various types called pam_mount [1] which we
have used successfully on our university-blessed RHEL5 systems.  I have not
tried to compile it yet on FreeBSD.  One thing we discovered on RHEL5 (we
are not using the most recent version of pam_mount, so ymmv) is that it
needs to be the module that actually grabs the password and then passes it
on to the rest of the pam stack.  It was unable to retrieve the credentials
from whoever was ahead of it.  We used CIFS instead of SMB which performed
much better.  

[1] http://pam-mount.sourceforge.net/


~~~~~~~~~~~~~~~~~~
Stephanie Bridges
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA  50011
sbridges at iastate.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb-xx.conf
Type: application/octet-stream
Size: 6448 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071003/0d50622c/smb-xx-0001.obj
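The PAM stacks from the post, as an added example that is not part of the original message or of OpenPAM: a small Python model of the sufficient/requisite/required control-flag semantics, run against the posted auth and account stacks to show which module outcomes let a login through. Module results are constructed scenarios, not output from a real system; note that a pam_winbind success in the account stack ends it before pam_login_access is consulted.

```python
# Added example, not code from the post or from OpenPAM: a model of PAM
# control-flag semantics applied to the auth and account stacks quoted in
# the post, showing which module results let a login through.

SUCCESS, FAIL = "success", "fail"

# Stacks as posted (paths dropped, commented-out lines omitted).
AUTH_STACK = [
    ("sufficient", "pam_opie"),
    ("requisite",  "pam_opieaccess"),
    ("sufficient", "pam_winbind"),
    ("required",   "pam_unix"),
]
ACCOUNT_STACK = [
    ("sufficient", "pam_winbind"),
    ("required",   "pam_login_access"),
    ("required",   "pam_unix"),
]

def run_stack(stack, results):
    """Evaluate one PAM stack and return (result, modules that ran).
    results maps module name -> SUCCESS/FAIL, the value that module would
    return for this login; a module missing from results is taken to fail.
    required:   failure is remembered, later modules still run.
    requisite:  failure ends the stack at once with failure.
    sufficient: success ends the stack with success unless an earlier
                required module failed; its failure is ignored.
    """
    ran, required_failed, decided = [], False, False
    for control, module in stack:
        res = results.get(module, FAIL)
        ran.append(module)
        if control == "required":
            if res == FAIL:
                required_failed = True
            else:
                decided = True
        elif control == "requisite":
            if res == FAIL:
                return FAIL, ran
            decided = True
        elif control == "sufficient":
            if res == SUCCESS and not required_failed:
                return SUCCESS, ran
        else:
            raise ValueError("unknown control flag: " + control)
    # Model choice: a stack in which no required/requisite module succeeded
    # is denied. Both posted stacks end in a required pam_unix anyway.
    return (SUCCESS if decided and not required_failed else FAIL), ran
```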

