The following is what we did in order to utilize all of the benefits of a FreeIPA server (on Linux) with a FreeBSD client. The software packages needed are:
- security/sssd
- security/sudo (with SSSD backend)
- net/openldap24-client-sasl
- security/cyrus-sasl2
- security/cyrus-sasl2-gssapi
In order to ensure that net/openldap24-client-sasl is used, we added a line to /etc/make.conf:
Code:
WANT_OPENLDAP_SASL=yes
Once all software is installed, ensure the following directories exist:
- /var/db/sss
- /var/log/sssd
The base configuration needed for authentication, authorization, HBAC, and sudo (more on sudo to follow) is:
Code:
[domain/<domain_name>]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <domain_name>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = <fqdn>
chpass_provider = ipa
# our FreeIPA server has DNS SRV entries
# (sssd.conf comments must be on their own line; text after a value becomes part of the value)
ipa_server = _srv_
ldap_tls_cacert = <ldap tls CA cert location>
# to enumerate users and groups
enumerate = True
[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = <domain_name>
[nss]
[pam]
[sudo]
The tricky part was getting sudo to work with host groups. FreeIPA keeps host groups in netgroups, and FreeBSD's support for netgroups is limited. One solution would have been to enable NIS services on the FreeIPA server so that we could use proper netgroups on FreeBSD clients. We didn't like that solution, so instead we wrote a script that pulls all netgroup data from FreeIPA and stores it in /etc/netgroup. We run the script every hour via cron.
Code:
#!/bin/sh
#
# Construct a netgroup file from LDAP hostgroup definitions.
# This is a hack for FreeBSD IPA clients because they can't get netgroup
# data through LDAP or sssd backends (lacking nsswitch/nsdb support).
#
# The file this writes decides which hosts a sudo rule applies to, so the
# query is forced over STARTTLS: -ZZ fails instead of falling back to
# plaintext (the CA comes from TLS_CACERT in ldap.conf(5)).  -x is an
# anonymous bind, which FreeIPA allows for reading hostgroup entries.
#
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
export PATH
progname=$(basename "$0")
tmpf=$(mktemp) || exit 1
trap 'rm -f "$tmpf"' EXIT
# -o ldif-wrap=no keeps every attribute on one line; by default ldapsearch
# folds long values onto a continuation line (leading space), which the
# "key: value" split below cannot handle.
# The base DN is the domain written as dc components, e.g. dc=example,dc=com.
ldapsearch -LLLx -ZZ -o ldif-wrap=no -H ldap://<ldap_server> \
    -b 'cn=hostgroups,cn=accounts,dc=<domain_name>' \
    '(objectClass=ipahostgroup)' cn member \
    | while read -r line; do
    # new line between records; this means a record ended.
    if [ "$line" = "" ]; then
        # output netgroup line if we have members.
        if [ "$members" != "" ]; then
            echo "$groupname \\" >>"$tmpf"
            for host in $members; do
                # netgroup triple is (host, user, NIS domain); fxcorp is
                # the site's NIS domain name.
                echo " ($host, -, fxcorp) \\" >>"$tmpf"
            done
            echo "" >>"$tmpf"
        fi
        # reset data
        groupname=""
        members=""
        continue
    fi
    # parse "key: value" from LDAP
    key=${line%%: *}
    value=${line##*: }
    if [ "$key" = "dn" ]; then
        continue
    elif [ "$key" = "cn" ]; then
        groupname=$value
    elif [ "$key" = "member" ]; then
        case $value in
        fqdn=*)
            # member DN is fqdn=<host>,cn=computers,cn=accounts,...
            host=${value%%,*}
            host=${host#fqdn=}
            members="$members $host"
            ;;
        *)
            # anything else is a nested hostgroup (cn=...); the group
            # entry lists only direct members, so it is not expanded
            # rather than written into the file as a bogus host.
            ;;
        esac
    fi
done
# an ldapsearch failure (TLS, DNS, server down) leaves the file empty and
# is caught here, so a broken run never replaces the previous netgroup file.
if [ ! -s "$tmpf" ]; then
    echo "$progname: refusing to install an empty file, bailing" >&2
    exit 1
fi
install -m 0644 -o root -g wheel "$tmpf" /etc/netgroup
rc=$?
if [ $rc -ne 0 ]; then
    echo "$progname: error installing /etc/netgroup (rc = $rc)" >&2
    exit 2
fi
exit 0
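The same LDIF-to-netgroup conversion as an added example that is not part of the original post, written so it can be exercised offline: the converter is a function that reads ldapsearch output on stdin, joins LDIF continuation lines itself, skips nested hostgroup members instead of writing their DN into the file, and rejects a whole group whose name or hosts contain characters that would break the netgroup(5) syntax, returning a non-zero status so a caller can refuse to install the result. The LDIF in SAMPLE_LDIF is constructed; the DN layout (cn=<group>,cn=hostgroups,cn=accounts,... and fqdn=<host>,cn=computers,cn=accounts,...) is FreeIPA's; the domain field of each triple is a parameter rather than the hard-coded fxcorp of the cron script.

```shell
#!/bin/sh
# Added example: turn ldapsearch LDIF for FreeIPA hostgroups into netgroup(5)
# lines.  Usage:  ldapsearch ... cn member | ldif_to_netgroup <nisdomain>
# Real invocation (server and domain are the post's placeholders):
#   ldapsearch -LLLx -ZZ -H ldap://<ldap_server> \
#     -b 'cn=hostgroups,cn=accounts,dc=<domain_name>' \
#     '(objectClass=ipahostgroup)' cn member | ldif_to_netgroup fxcorp

ldif_to_netgroup() {
    awk -v dom="$1" '
    BEGIN { RS = ""; FS = "\n"; bad = 0 }       # blank-line separated: one LDIF entry per record
    {
        gsub(/\n /, "")                         # join folded continuation lines (leading space)
        name = ""; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^cn: /) {
                name = substr($i, 5)            # drop "cn: "
            } else if ($i ~ /^member: fqdn=/) {
                h = substr($i, 14)              # drop "member: fqdn="
                sub(/,.*/, "", h)               # keep only the host part of the DN
                hosts[++n] = h
            }
            # any other member value (cn=...) is a nested hostgroup; FreeIPA
            # does not list its hosts on this entry, so it is skipped
        }
        if (n == 0) next                        # no direct host members: no netgroup
        ok = (name ~ /^[A-Za-z0-9_.-]+$/)       # only characters netgroup(5) and sudo treat literally
        for (i = 1; i <= n; i++)
            if (hosts[i] !~ /^[A-Za-z0-9.-]+$/) ok = 0
        if (!ok) {
            print "rejecting hostgroup entry \"" name "\"" > "/dev/stderr"
            bad = 1; next
        }
        printf "%s \\\n", name
        for (i = 1; i <= n; i++) {
            printf " (%s,-,%s)", hosts[i], dom  # (host, user, domain): user field empty
            if (i < n) printf " \\\n"; else printf "\n"
        }
        printf "\n"
    }
    END { exit bad }                            # non-zero if anything was rejected
    '
}

# Constructed sample: one group with a folded member line and a nested
# hostgroup, plus one group with no members.
SAMPLE_LDIF='dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=test
cn: webservers
member: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
member: fqdn=web2.example.test,cn=computers,cn=accounts,dc=example,
 dc=test
member: cn=dbservers,cn=hostgroups,cn=accounts,dc=example,dc=test

dn: cn=empty,cn=hostgroups,cn=accounts,dc=example,dc=test
cn: empty
'

demo_netgroup() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_netgroup example
}

demo_netgroup
```

On a FreeBSD client the output is what ends up in /etc/netgroup; a sudo rule bound to the webservers hostgroup in FreeIPA matches it as the netgroup +webservers.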
We wrote a patch for pam_sss to support ignore_unknown_user. Without that support local users could authenticate when using SSSD for authentication. We submitted the patch upstream. It was accepted by the FreeIPA team and will hopefully be ported to FreeBSD soon. Our PAM configuration to support SSSD is:
Code:
#
# $FreeBSD: release/10.0.0/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
# session
#session optional pam_ssh.so want_agent
#session optional /usr/local/lib/pam_sss.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
Code:
#
# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so debug use_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
# session
#session optional pam_ssh.so
#session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so debug use_authtok
password required pam_unix.so no_warn try_first_pass
To let the system know what method to use for passwd, group, sudo, etc. we updated our /etc/nsswitch.conf:
Code:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: release/10.0.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: files sss
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sudoers: sss files
netgroup: files
The final step was to create a Kerberos keytab on the FreeIPA server and copy it over to our FreeBSD host. On the FreeIPA server we executed:
Code:
# both commands need a ticket for a user allowed to manage hosts (kinit admin)
freeipa-server# ipa host-add <fqdn>
# generates a new key for host/<fqdn>; any keytab fetched earlier for this host stops working
freeipa-server# ipa-getkeytab -s <freeipa server hostname> -p host/<freebsd host fqdn> -k <location to export the keytab>
# the keytab is a credential: move it over a trusted channel (scp) and keep it root-only, mode 0600
We then simply copied the keytab to /etc/krb5.keytab on our FreeBSD host.