FreeBSD to authenticate against Active Directory
sbridges at iastate.edu
Wed Oct 3 12:03:17 PDT 2007
On Wednesday, October 03, 2007 7:32 AM Chris wrote:
> On Wed, 03 Oct 2007 03:33:50 +0100
> Stephen Allen <sdafreebsduk at rowyerboat.com> wrote:
> > Hello,
> > Is there any up-to-date definitive resource which explains how to get
> > FreeBSD (6.2) to authenticate against Active Directory (in my case
> > Windows 2003 R2 which includes SFU). There are a few informative
> > articles floating around, but most date back to 2004/2005 and most
> > involve the use of Samba and Winbind (I'd like to avoid this if
> > possible).
> > I don't really know what is possible here, I'm coming from only a
> > basic understanding of how things like pam work. Would I have to
> > configure every service separately to use Active Directory or could I
> > tell FreeBSD to blindly rely on AD for user authentication?
> > I read about pam_mkhomedir, so users could have homedirs created
> > automatically when they logged in. Is this possible in FreeBSD?
> > Would I be able to map this automatically to their existing "My
> > Documents" folder which is redirected to the network by group policy?
> > Please feel free to tell me what can/can't be done and if doing so is
> > a good/bad thing. I can explain bits in more detail if needed.
> Steve -
> You have a few options.
> 1. LDAP
> 2. OpenLDAP
> 3. The use of WinBind and its companion apps (using ntlm etc.)
> 4. Google AD Auth Unix (or, insert your personal choice)
> What you may find - is that installing Winbind etc may be your easiest
> way to go however, I'm unsure how SFU will play along with the mix.
I also have not seen anything particularly recent; and every reference I
have seen is slightly different.
I have gotten FreeBSD to successfully authenticate to our AD servers here
(Win2003, not sure of service pack level) using pam/winbind. Pam_winbind is
configured to authenticate with Kerberos.
I use the RID IDMAP scheme with winbind for user id mapping. The AD servers
have had Unix attributes added, but I have not tested how this works for me
yet. I am also using pam_mkhomedir to create user home directories.
1. Nsswitch.conf has group and passwd set to "files winbind"
2. Krb5.conf points to the AD servers
auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn
auth required pam_unix.so no_warn
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_winbind.so
account required pam_login_access.so
account required pam_unix.so
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_lastlog.so no_fail
#password sufficient pam_krb5.so no_warn
password required pam_unix.so no_warn
4. pam_winbind now has its own conf file (copy from
/usr/local/share/examples/samba/pam_winbind to /etc/security and modify).
(contents follow). I have not tried caching.
# turn on debugging
debug = yes
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
krb5_auth = yes
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
krb5_ccache_type = FILE
# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx
5. smb.conf is attached; this is for Samba 3.0.25a.
I do not believe pam_mkhomedir will automatically mount an external
filesystem; however there is a pam module which will allow you to auto mount
filesystems at user login of various types called pam_mount, which we
have used successfully on our university-blessed RHEL5 systems. I have not
tried to compile it yet on FreeBSD. One thing we discovered on RHEL5 (we
are not using the most recent version of pam_mount, so ymmv) is that it
needs to be the module that actually grabs the password and then passes it
on to the rest of the pam stack. It was unable to retrieve the credentials
from whoever was ahead of it. We used CIFS instead of SMB which performed
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA 50011
sbridges at iastate.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6448 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20071003/0d50622c/smb-xx-0001.obj
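An added example (mine, not code from the post) that walks the posted `auth` stack with OpenPAM's control-flag rules against a hypothetical table of per-module outcomes, so you can see which module actually decides a login: a successful pam_winbind short-circuits before pam_unix is consulted, while a pam_opieaccess failure aborts the chain before winbind is ever asked. The module result tables are assumptions, not observed behaviour.

```python
"""Walk the posted 'auth' stack with OpenPAM control-flag semantics.
Constructed example (not from the post); the result tables are hypothetical."""

# The auth lines of the pam.d file from the post, comments dropped (constructed copy).
PAM_AUTH_STACK = """
auth sufficient pam_opie.so no_warn
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
auth required pam_unix.so no_warn
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module basename)] for one facility, skipping comments."""
    chain = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != facility:
            continue
        chain.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return chain

def evaluate(chain, results):
    """Return (authenticated, deciding module) per OpenPAM dispatch rules:
    requisite failure aborts at once; required failure is remembered while the
    walk continues; sufficient success ends the walk if nothing required failed."""
    first_failure = None
    decider = None
    for control, module in chain:
        ok = results.get(module, False)      # module with no entry is a failure
        if control == "requisite" and not ok:
            return False, module
        if control == "required":
            if ok:
                decider = module
            elif first_failure is None:
                first_failure = module
        elif control == "sufficient" and ok and first_failure is None:
            return True, module              # modules below are never consulted
    if first_failure is not None:
        return False, first_failure
    return True, decider

if __name__ == "__main__":
    chain = parse_stack(PAM_AUTH_STACK)
    # AD user: no OPIE key, opieaccess allows, winbind validates via Kerberos
    print(evaluate(chain, {"pam_opieaccess.so": True, "pam_winbind.so": True}))
    # same user refused by winbind (e.g. not in require_membership_of), no local entry
    print(evaluate(chain, {"pam_opieaccess.so": True}))
```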