Minimal Active Directory authentication with Kerberos

I'd like to enable sshd to authenticate using our organization's active directory server in the simplest way possible.

On CentOS, we're able to do this using Kerberos and PAM as follows:

yum -t install krb5-workstation pam_krb5
authconfig --enablekrb5 --krb5kdc=ad.example.com --krb5adminserver=ad.example.com --krb5realm=ad.example.com --update

Does anyone know what the equivalent setup steps would be for FreeBSD 11?

Thanks,

JB
 
Thanks, I had seen those before and was looking for a simpler solution.

As often happens, I found the solution shortly after posting. There must be something about articulating a problem that clarifies it and points us toward the answer... ;-)

The beautifully simple solution is this:

/etc/krb5.conf:

[libdefaults]
default_realm = AD.MY.DOMAIN # This is probably the only necessary line
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

/etc/pam.d/sshd: (and system, xdm, ... if you wish)

auth sufficient pam_krb5.so no_warn try_first_pass

No additional ports need to be installed. Everything necessary is part of the FreeBSD base.

With this in place, users can now log in using a local password or their Active Directory password.
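A small sanity check for the two files described in this post, added here as an example (not code from the post or from FreeBSD): it parses [libdefaults] out of a krb5.conf-style file and checks that default_realm is set and upper case, that a KDC can be located, and that pam.d/sshd has an active pam_krb5.so auth line. The function names and the constructed sample files are my own; run the functions against /etc/krb5.conf and /etc/pam.d/sshd on a real host.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the two files the post
# describes before restarting sshd. Functions take file paths, so the same
# checks run on constructed samples here and on the real /etc files.
# Print the raw value of KEY in [SECTION] of a krb5.conf-style file
# (text after "=", trailing whitespace trimmed); prints nothing if unset.
krb5_get() {  # file section key
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# 0 when [libdefaults] is usable for AD, 1 otherwise (findings printed).
# Realms are case-sensitive and an AD realm is the upper-cased DNS domain;
# without dns_lookup_kdc = true a [realms] stanza has to name the KDC.
check_krb5_conf() {  # file
    rc=0
    realm=$(krb5_get "$1" libdefaults default_realm)
    case "$realm" in
        "") echo "krb5.conf: default_realm is not set"; rc=1 ;;
        *[[:space:]#]*) echo "krb5.conf: realm '$realm' has whitespace or '#': an inline comment may be read as part of the realm"; rc=1 ;;
        *[[:lower:]]*) echo "krb5.conf: realm '$realm' is not upper case"; rc=1 ;;
    esac
    if [ "$(krb5_get "$1" libdefaults dns_lookup_kdc)" != "true" ] &&
       ! grep -q '^[[:space:]]*\[realms\]' "$1"; then
        echo "krb5.conf: neither dns_lookup_kdc = true nor a [realms] section: no way to find a KDC"; rc=1
    fi
    return $rc
}

# 0 when an uncommented auth line loads pam_krb5.so, 1 otherwise.
check_pam_sshd() {  # file
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_krb5\.so' "$1" && return 0
    echo "pam.d/sshd: no active auth line for pam_krb5.so"; return 1
}

# Constructed samples: the post's config, with its comment on its own line.
write_samples() {  # dir
    printf '[libdefaults]\n# the only strictly necessary line\ndefault_realm = AD.MY.DOMAIN\n' > "$1/krb5.conf"
    printf 'dns_lookup_realm = true\ndns_lookup_kdc = true\n' >> "$1/krb5.conf"
    printf 'auth sufficient pam_krb5.so no_warn try_first_pass\n' > "$1/sshd"
}

d=$(mktemp -d)
write_samples "$d"
check_krb5_conf "$d/krb5.conf" && check_pam_sshd "$d/sshd" && echo "sample config OK"
rm -r "$d"
```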
 
Isn't something else necessary? Maybe in /etc/rc.conf?

I tried on 11.2 and 12.0; here it is not working.

Can somebody help me?
 
Some time ago, I added a script called auto-krb-auth-setup to sysutils/auto-admin.

Try installing this port and running the script as root.

Maybe examining the script will reveal what's missing on your system.
 