The following is what we did in order to utilize all of the benefits of a FreeIPA server (on Linux) with a FreeBSD client. The software packages needed are:
- security/sssd
- security/sudo (with SSSD backend)
- net/openldap24-client-sasl
- security/cyrus-sasl2
- security/cyrus-sasl2-gssapi
In order to ensure that net/openldap24-client-sasl is used, we added a line to /etc/make.conf:
Code:
WANT_OPENLDAP_SASL=yes
Once all software is installed, ensure the following directories exist:
- /var/db/sss
- /var/log/sssd
The base configuration needed for authentication, authorization, HBAC, and sudo (more on sudo to follow) is:
Code:
[domain/<domain_name>]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <domain_name>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = <fqdn>
chpass_provider = ipa
# our FreeIPA server has DNS SRV entries
ipa_server = _srv_
ldap_tls_cacert = <ldap tls CA cert location>
# to enumerate users and groups
enumerate = True

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = <domain_name>

[nss]

[pam]

[sudo]
The tricky part was getting sudo to work with host groups. FreeIPA keeps host groups in netgroups, and FreeBSD's support for netgroups is limited. One solution would have been to enable NIS services on the FreeIPA server so that we could use proper netgroups on FreeBSD clients. We didn't like that solution, so instead we wrote a script that pulls all netgroup data from FreeIPA and stores it in /etc/netgroup. We run the script every hour via cron.
Code:
#!/bin/sh
#
# Construct a netgroup file from LDAP hostgroup definitions.
# This is a hack for FreeBSD IPA clients because they can't get netgroup
# data through LDAP or sssd backends (lacking nsswitch/nsdb support).
#

PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
export PATH

progname=$(basename $0)
tmpf=$(mktemp)
trap "rm -f $tmpf" EXIT

ldapsearch -LLLx -H ldap://<ldap_server> \
    -b 'cn=hostgroups,cn=accounts,dc=<domain_name>' \
    '(objectClass=ipahostgroup)' cn member \
| while read line; do
    # new line between records; this means a record ended.
    if [ "$line" = "" ]; then
        # output netgroup line if we have members.
        if [ "$members" != "" ]; then
            echo "$groupname \\" >>$tmpf
            for host in $members; do
                echo "    ($host, -, fxcorp) \\" >>$tmpf
            done
            echo "" >>$tmpf
        fi
        # reset data
        groupname=""
        members=""
        continue
    fi

    # parse "key: value" from LDAP
    key=${line%%: *}
    value=${line##*: }
    if [ "$key" = "dn" ]; then
        continue
    elif [ "$key" = "cn" ]; then
        groupname=$value
    elif [ "$key" = "member" ]; then
        host=${value%%,cn*}
        host=${host##fqdn=}
        members="$members $host"
    fi
done

if [ ! -s "$tmpf" ]; then
    echo "$progname: refusing to install an empty file, bailing" >&2
    exit 1
fi

install -m 0644 -o root -g wheel $tmpf /etc/netgroup
rc=$?
if [ $rc -ne 0 ]; then
    echo "$progname: error installing /etc/netgroup (rc = $rc)" >&2
    exit 2
fi

exit 0
We wrote a patch for pam_sss to support ignore_unknown_user. Without that support local users could authenticate when using SSSD for authentication. We submitted the patch upstream. It was accepted by the FreeIPA team and will hopefully be ported to FreeBSD soon. Our PAM configuration to support SSSD is:
Code:
#
# $FreeBSD: release/10.0.0/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		sufficient	pam_krb5.so			no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_sss.so	debug use_first_pass
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_login_access.so
account		required	pam_unix.so
account		required	/usr/local/lib/pam_sss.so	ignore_unknown_user

# session
#session	optional	pam_ssh.so			want_agent
#session	optional	/usr/local/lib/pam_sss.so
session		required	pam_lastlog.so			no_fail

# password
#password	sufficient	pam_krb5.so			no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_sss.so	use_authtok
password	required	pam_unix.so			no_warn try_first_pass
Code:
#
# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		sufficient	pam_krb5.so			no_warn try_first_pass
#auth		sufficient	pam_ssh.so			no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_sss.so	debug use_first_pass
auth		required	pam_unix.so			no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so
account		required	/usr/local/lib/pam_sss.so	ignore_unknown_user

# session
#session	optional	pam_ssh.so
#session	required	/usr/local/lib/pam_mkhomedir.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so			no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_sss.so	debug use_authtok
password	required	pam_unix.so			no_warn try_first_pass
To let the system know what method to use for passwd, group, sudo, etc. we updated our /etc/nsswitch.conf:
Code:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: files sss
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sudoers: sss files
netgroup: files
The final step was to create a kerberos keytab on the FreeIPA server and copy it over to our FreeBSD host. On the FreeIPA server we executed:
Code:
freeipa-server# ipa host-add <fqdn>
freeipa-server# ipa-getkeytab -s <freeipa server hostname> -p host/<freebsd host fqdn> -k <location to export the keytab>
We then simply copied the keytab to /etc/krb5.keytab on our FreeBSD host.
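The netgroup-from-hostgroups script above has three weak spots worth checking before it feeds sudo: ldapsearch folds attribute values longer than 76 columns onto a continuation line beginning with one space, so a long host DN is silently truncated by a plain line-by-line `read`; a hostgroup that contains another hostgroup produces a bogus `(cn=..., -, domain)` triple instead of a nested netgroup reference; and the query runs over plaintext `ldap://`, so whatever answers on that port decides who may sudo. The following is an added example, not the original poster's script and not part of FreeIPA or SSSD, that does the same conversion while handling those cases: it unfolds LDIF, maps member hostgroups to nested netgroup names, requires StartTLS (`-ZZ`) for the live query, and refuses to install an empty result. The server `ipa.example.com`, the base `dc=example,dc=com`, the netgroup domain `example.com`, the hostnames, and the sample LDIF are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): convert FreeIPA hostgroup
# entries (ldapsearch -LLL output) into netgroup(5) syntax.  Unlike the posted
# script it unfolds LDIF continuation lines and turns nested hostgroups into
# nested netgroup references.  Server, base DN, domain and hostnames are
# assumptions for illustration.

# ldif_to_netgroup NETGROUP_DOMAIN   (LDIF on stdin, netgroup text on stdout)
ldif_to_netgroup() {
    awk -v ngdomain="$1" '
    # Parse one unfolded "key: value" line of the current entry.
    function flush_line(    idx, key, value, name) {
        if (buf == "") return
        idx = index(buf, ": ")
        key = (idx > 0) ? substr(buf, 1, idx - 1) : buf
        value = (idx > 0) ? substr(buf, idx + 2) : ""
        if (key == "cn") {
            groupname = value
        } else if (key == "member") {
            name = value
            sub(/,.*$/, "", name)                    # keep the RDN only
            if (value ~ /^fqdn=/) {                  # a host entry
                sub(/^fqdn=/, "", name)
                members[++n] = "(" name ", -, " ngdomain ")"
            } else if (value ~ /^cn=[^,]*,cn=hostgroups,/) {   # a nested hostgroup
                sub(/^cn=/, "", name)
                members[++n] = name
            }
        } else if (key != "dn") {
            # e.g. "member:: <base64>": never drop authorization data silently
            print "ldif_to_netgroup: unhandled line skipped: " buf > "/dev/stderr"
        }
        buf = ""
    }
    # Blank line: the entry is complete; emit it if it has members.
    function flush_record(    i, out) {
        flush_line()
        if (groupname != "" && n > 0) {
            out = groupname
            for (i = 1; i <= n; i++)
                out = out " \\\n    " members[i]
            print out
        }
        groupname = ""
        n = 0
    }
    /^ /  { buf = buf substr($0, 2); next }   # LDIF continuation: append
    /^$/  { flush_record(); next }
    { flush_line(); buf = $0 }
    END   { flush_record() }
    '
}

# Constructed sample of what "ldapsearch -LLL ... cn member" returns.  The
# second member of webservers is folded the way ldapsearch folds long values.
sample_ldif() {
    cat <<'EOF'
dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
cn: webservers
member: fqdn=www1.example.com,cn=computers,cn=accounts,dc=example,dc=com
member: fqdn=www2-with-a-rather-long-hostname.exa
 mple.com,cn=computers,cn=accounts,dc=example,dc=com
member: cn=dbservers,cn=hostgroups,cn=accounts,dc=example,dc=com

dn: cn=dbservers,cn=hostgroups,cn=accounts,dc=example,dc=com
cn: dbservers
member: fqdn=db1.example.com,cn=computers,cn=accounts,dc=example,dc=com

dn: cn=unused,cn=hostgroups,cn=accounts,dc=example,dc=com
cn: unused

EOF
}

# Live query (assumed server and base).  -ZZ makes StartTLS mandatory: this
# output drives sudo authorization, so a spoofed or tampered answer over
# plaintext must not be accepted.  -o ldif-wrap=no disables folding on
# clients that support it; the parser copes either way.
fetch_hostgroups() {
    ldapsearch -LLLx -ZZ -o ldif-wrap=no -H ldap://ipa.example.com \
        -b 'cn=hostgroups,cn=accounts,dc=example,dc=com' \
        '(objectClass=ipahostgroup)' cn member
}

# install_netgroup FILE: a failed search yields an empty file, which must not
# replace every hostgroup in /etc/netgroup.
install_netgroup() {
    [ -s "$1" ] || { echo "$0: empty netgroup file, not installing" >&2; return 1; }
    install -m 0644 -o root -g wheel "$1" /etc/netgroup
}

case "${1:-}" in
--install)
    tmpf=$(mktemp) || exit 1
    trap 'rm -f "$tmpf"' EXIT
    fetch_hostgroups | ldif_to_netgroup example.com > "$tmpf"
    install_netgroup "$tmpf" ;;
*)
    sample_ldif | ldif_to_netgroup example.com ;;
esac
```

Run without arguments it converts the embedded sample and prints the two resulting netgroups (`unused` has no members and is omitted); with `--install` it performs the live query and installs the result, which is the form to put in cron. Because netgroup(5) allows a netgroup name as a member, a hostgroup that contains `dbservers` simply lists `dbservers` inside `webservers`, and the resolver expands it.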