FreeBSD + FreeIPA (via SSSD)

[sethlyons]

The following is what we did in order to utilize all of the benefits of a FreeIPA server (on Linux) with a FreeBSD client. The software packages needed are:

• security/sssd
• security/sudo (with SSSD backend)
• net/openldap24-client-sasl
• security/cyrus-sasl2
• security/cyrus-sasl2-gssapi

In order to ensure that net/openldap24-client-sasl is used, we added a line to /etc/make.conf:

WANT_OPENLDAP_SASL=yes

Once all software is installed, ensure the following directories exist:

• /var/db/sss
• /var/log/sssd

The base configuration needed for authentication, authorization, HBAC, and sudo (more on sudo to follow) is:

[domain/<domain_name>]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <domain_name>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = <fqdn>
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = <ldap tls CA cert location>
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = <domain_name>

[nss]

[pam]

[sudo]

The tricky part was getting sudo to work with host groups. FreeIPA keeps host groups in netgroups, and FreeBSD's support for netgroups is limited. One solution would have been to enable NIS services on the FreeIPA server so that we could use proper netgroups on FreeBSD clients. We didn't like that solution, so instead we wrote a script that pulls all netgroup data from FreeIPA and stores it in /etc/netgroup. We run the script every hour via cron.

#!/bin/sh
#
# Construct a netgroup file from LDAP hostgroup definitions.
# This is a hack for FreeBSD IPA clients because they can't get netgroup
# data through LDAP or sssd backends (lacking nsswitch/nsdb support).
#

PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
export PATH

progname=$(basename $0)
tmpf=$(mktemp)

trap "rm -f $tmpf" EXIT

ldapsearch -LLLx -H ldap://<ldap_server> \
           -b 'cn=hostgroups,cn=accounts,dc=<domain_name>' \
           '(objectClass=ipahostgroup)' cn member \
| while read line; do
  # new line between records; this means a record ended.
  if [ "$line" = "" ]; then
    # output netgroup line if we have members.
    if [ "$members" != "" ]; then
      echo "$groupname \\" >>$tmpf
      for host in $members; do
        echo " ($host, -, fxcorp) \\" >>$tmpf
      done
      echo "" >>$tmpf
    fi

    # reset data
    groupname=""
    members=""
    continue
  fi

  # parse "key: value" from LDAP
  key=${line%%: *}
  value=${line##*: }

  if [ "$key" = "dn" ]; then
    continue
  elif [ "$key" = "cn" ]; then
    groupname=$value
  elif [ "$key" = "member" ]; then
    host=${value%%,cn*}
    host=${host##fqdn=}
    members="$members $host"
  fi
done

if [ ! -s "$tmpf" ]; then
  echo "$progname: refusing to install an empty file, bailing" >&2
  exit 1
fi

install -m 0644 -o root -g wheel $tmpf /etc/netgroup
rc=$?

if [ $rc -ne 0 ]; then
  echo "$progname: error installing /etc/netgroup (rc = $rc)" >&2
  exit 2
fi

exit 0

We wrote a patch for pam_sss to support ignore_unknown_user. Without that support local users could authenticate when using SSSD for authentication. We submitted the patch upstream. It was accepted by the FreeIPA team and will hopefully be ported to FreeBSD soon. Our PAM configuration to support SSSD is:

#
# $FreeBSD: release/10.0.0/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user

# session
#session optional pam_ssh.so want_agent
#session optional /usr/local/lib/pam_sss.so
session required pam_lastlog.so no_fail

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass

#
# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user

# session
#session optional pam_ssh.so
#session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so debug use_authtok
password required pam_unix.so no_warn try_first_pass

To let the system know what method to use for passwd, group, sudo, etc. we updated our /etc/nsswitch.conf:

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: files sss
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sudoers: sss files
netgroup: files

The final step was to create a kerberos keytab on the FreeIPA server and copy it over to our FreeBSD host. On the FreeIPA server we excecuted:

freeipa-server# ipa-host-add <fqdn>
freeipa-server# ipa-getkeytab -s <freeipa server hostname> -p host/<freebsd host fqdn> -k <location to export the keytab>

We then simply copied the keytab to /etc/krb5.keytab on our FreeBSD host.

 

[orkhan]

Thanks for the post, it seems to be the only post about FreeBSD - FreeIPA integration.

I set up everything as you advise, but get a problem: I can't locally log into my FreeBSD client (either as a local user or as an IPA user).

The problem is in this string in the /etc/pam.d/system file:

account required /usr/local/lib/pam_sss.so ignore_unknown_user

That string gives login errors, with or without the ignore_unknown_user part. The only solution I found for now is to comment that string out and add it explicitly into /etc/pam.d/login file. Then the local login process proceeds without errors.

You said: "We wrote a patch for pam_sss to support ignore_unknown_user." But the problem seems to be not in the ignore_unknown_user part, it is in the account required /usr/local/lib/pam_sss.so part.

Is it a bug in PAM/SSSD? Please advise, what to do now?

 

[orkhan]

Thanks for the post, it seems to be the only post about FreeBSD - FreeIPA integration.

I set up everything as you advise, but get a problem: I can't locally log into my FreeBSD client (either as a local user or as an IPA user).

The problem is in this string in the /etc/pam.d/system file:

account required /usr/local/lib/pam_sss.so ignore_unknown_user

That string gives login errors, with or without the ignore_unknown_user part. The only solution I found for now is to comment that string out and add it explicitly into /etc/pam.d/login file. Then the local login process proceeds without errors.

You said: "We wrote a patch for pam_sss to support ignore_unknown_user." But the problem seems to be not in the ignore_unknown_user part, it is in the account required /usr/local/lib/pam_sss.so part.

Is it a bug in PAM/SSSD? Please advise, what to do now?

I shared this problem at FreeIPA mailing lists, and Lukas Slebodnik helped to troubleshoot it:

You have a typo in pam.d/system
Here is a word-diff:
[-account-]{+acconut+} required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail

It was my mistake (acconut instead of account), and a very simple one, but sometimes the simplest mistakes are hardest to find.

Another valuable advice Lukas gave was regarding comments in the /usr/local/etc/sssd/sssd.conf file, specifically this line:

enumerate = True #to enumerate users and groups

Just FYI, comments on the same line are treated as part of value i.e. not interpreted as comments.
...As for enumeration - it is not needed in 90% of cases so we recommend not to configure it.

With comments on the same line, sssd won't start. Another simple thing that causes headache.

 

[Jim Trigg]

It seems to me that a cleaner way than "--ignore-unknown-user" would be to port pam_localuser and put that as "sufficient" before pam_sss. (In my day job I'm a RHEL administrator, and my current employer uses the RH paid version of FreeIPA.)