Although the sssd docs recommend using the "AD" provider and joining the domain, for which it depends on samba. So, if you want to do this, using samba directly (winbind offers integration with PAM and NSS) might be simpler:
winbindd and add winbind to /etc/nsswitch.conf and /etc/pam.d/system (and maybe a few concrete PAM services if they don't include system).
> Give an example if possible sssd.conf.

Probably the easiest way to accomplish that is to use security/sssd.
Strictly speaking, ADS is just a combination of Kerberos, LDAP and DNS. So really all you need is to enable Kerberos authentication. But you're going to need LDAP access too, in order to get information like group membership, shells, home directories etc. SSSD can take care of all this for you.
> Give an example if possible sssd.conf.

The important part is the
[sssd]
# The [sssd] header is not in the original post but sssd will not start without it
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
debug_level = 3
ad_domain = example.com
# Realm names are case-sensitive; this must match the AD Kerberos realm exactly
# (conventionally all upper-case, e.g. EXAMPLE.COM)
krb5_realm = EXAMPLE.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/sh
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
dyndns_update = false
krb5_ccname_template = FILE:/tmp/krb5cc_%U
ldap_user_gecos = description
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0
ldap_referrals = false
krb5_renewable_lifetime = 7d
krb5_renew_interval = 8h
net ads join to join the computer to the domain. That should also create the appropriate keys in krb5.keytab.
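The [domain/...] section above contains three settings a reviewer would want to look at: ad_gpo_access_control = permissive means GPO logon-right denials are only logged, ad_maximum_machine_account_password_age = 0 switches off machine-account password rotation, and a mixed-case krb5_realm is easy to get wrong. The following is an added example, not code from the thread or from the sssd project: it parses an sssd.conf with Python's configparser and reports those settings, alongside a tightened copy that passes. The config text (a constructed copy of the posted section plus an assumed [sssd] header) and the option defaults quoted in the comments are assumptions of the example.

```python
"""Audit the access-control settings of sssd.conf [domain/...] sections.

Added example; POSTED is a constructed copy of the section shown in the
thread, with an [sssd] header that the example assumes.
"""
import configparser

POSTED = """
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.com
cache_credentials = True
krb5_store_password_if_offline = True
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0
ldap_referrals = false
"""

# Same section with the flagged options tightened (constructed).
HARDENED = (POSTED
            .replace("krb5_realm = EXAMPLE.com", "krb5_realm = EXAMPLE.COM")
            .replace("ad_gpo_access_control = permissive",
                     "ad_gpo_access_control = enforcing")
            .replace("ad_maximum_machine_account_password_age = 0",
                     "ad_maximum_machine_account_password_age = 30"))


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return (section, option, value, why) tuples for weak settings."""
    cp = load(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        s = cp[name]
        # sssd's default access_provider is 'permit': every AD user may log in.
        ap = s.get("access_provider", "permit").strip().lower()
        if ap == "permit":
            findings.append((name, "access_provider", ap,
                             "no login restriction; use 'ad' or 'simple'"))
        # 'permissive' evaluates GPO logon rights but never denies; current
        # sssd releases default to 'enforcing'.
        gpo = s.get("ad_gpo_access_control", "enforcing").strip().lower()
        if gpo != "enforcing":
            findings.append((name, "ad_gpo_access_control", gpo,
                             "GPO logon-right denials are only logged"))
        # 0 disables machine-account password rotation (AD default: 30 days).
        age = s.get("ad_maximum_machine_account_password_age", "30").strip()
        if age == "0":
            findings.append((name, "ad_maximum_machine_account_password_age",
                             age, "machine account password is never rotated"))
        # Realm names are case-sensitive and conventionally upper-case.
        realm = s.get("krb5_realm", "").strip()
        if realm and realm != realm.upper():
            findings.append((name, "krb5_realm", realm,
                             "mixed-case realm; check it matches the DC's realm"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for section, opt, val, why in audit(text):
            print(f"  [{section}] {opt} = {val}: {why}")
```

Run it against your real file with `audit(open("/usr/local/etc/sssd/sssd.conf").read())`; the file is mode 0600 and owned by root, so do that as root.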
checking for xsltproc... /usr/local/bin/xsltproc
checking for xmllint... /usr/local/bin/xmllint
checking for /usr/local/share/xml/catalog... yes
checking for Docbook XSL profiling templates in XML catalog... no
configure: WARNING: Man pages might contain documentation for experimental features
checking for /usr/local/share/xml/catalog... (cached) yes
checking for Docbook XSL templates in XML catalog... no
configure: error: could not find the docbook xsl catalog
===> Script "configure" failed unexpectedly.
Please report the problem to firstname.lastname@example.org [maintainer] and attach the
"/usr/ports/security/sssd/work/sssd-1.16.5/config.log" including the output of the failure of
your make command. Also, it might be a good idea to provide an overview of all packages
installed on your system (e.g. a /usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1
Computer with FreeBSD in the domain.

If by that you mean the machine is already joined to the domain (with net ads join), then again, authentication can be done with winbind only.
winbindd must be running, e.g. with the following /etc/rc.conf entries:

group: files winbind
passwd: files winbind
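The earlier reply says net ads join "should also create the appropriate keys in krb5.keytab"; with samba that only happens when smb.conf sets kerberos method = secrets and keytab (or dedicated keytab), and a missing host/ principal is a common reason winbind's Kerberos logins fail. The following is an added example, not code from the thread or from samba, that reads klist -k output and reports which of the principals the join should have written are absent. The two sample outputs are constructed (Heimdal layout as shipped in FreeBSD base, and MIT layout from security/krb5), and the hostname and realm are assumed.

```python
"""Verify that a keytab written by 'net ads join' holds the expected principals.

Added example; the klist outputs below are constructed, not captured from
the poster's machine.
"""
import subprocess

# Heimdal (FreeBSD base) 'klist -k' layout, constructed: complete keytab.
HEIMDAL_KLIST = """\
FILE:/etc/krb5.keytab:

Vno  Type                     Principal                               Aliases
  2  aes256-cts-hmac-sha1-96  FBSD01$@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  host/fbsd01.example.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  host/FBSD01@EXAMPLE.COM
"""

# MIT (security/krb5) layout, constructed: the host/ principal is missing.
MIT_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 FBSD01$@EXAMPLE.COM
"""


def keytab_principals(klist_output):
    """Collect every principal (a token containing '@') from either klist format."""
    principals = set()
    for line in klist_output.splitlines():
        for tok in line.split():
            if "@" in tok and not tok.startswith("FILE:"):
                principals.add(tok)
    return principals


def expected_principals(fqdn, realm):
    """The machine account (SHORTNAME$) and the host/ service principal."""
    short = fqdn.split(".")[0].upper()
    return {f"{short}$@{realm}", f"host/{fqdn.lower()}@{realm}"}


def missing_principals(klist_output, fqdn, realm):
    """Expected principals that do not appear in the keytab listing."""
    return expected_principals(fqdn, realm) - keytab_principals(klist_output)


def check_live_keytab(fqdn, realm, keytab="/etc/krb5.keytab"):
    """Run klist on the real keytab (readable by root only) and report gaps."""
    out = subprocess.run(["klist", "-k", keytab], capture_output=True,
                         text=True, check=True).stdout
    return missing_principals(out, fqdn, realm)


if __name__ == "__main__":
    for label, listing in (("heimdal", HEIMDAL_KLIST), ("mit", MIT_KLIST)):
        gaps = missing_principals(listing, "fbsd01.example.com", "EXAMPLE.COM")
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(sorted(gaps))}")
```

If the host/ principal is missing after a join, add kerberos method = secrets and keytab to smb.conf and re-run net ads join, or create it with net ads keytab add host.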
auth        sufficient  pam_winbind.so      try_first_pass krb5_auth krb5_ccache_type="FILE"
auth        required    pam_unix.so         use_first_pass nullok
account     requisite   pam_login_access.so
account     sufficient  pam_unix.so
account     required    pam_winbind.so      cached_login
session     required    pam_lastlog.so      no_fail
session     required    pam_winbind.so
password    sufficient  pam_winbind.so
password    required    pam_unix.so         no_warn try_first_pass
auth        include     system
account     include     system
session     include     system
password    include     system
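What the auth stack above actually decides depends on the control flags: pam_winbind.so is sufficient, so a domain user is let in as soon as winbind says yes, while pam_unix.so stays required, so local accounts keep working when winbindd is down and a domain user whose winbind check fails is denied because pam_unix does not know them. The following added example (not code from the thread, and a simplified model of PAM rather than libpam itself) parses the posted /etc/pam.d/system, walks the required/requisite/sufficient semantics, and runs a few scenarios against it and against a mistaken variant that makes both auth modules required, which locks everybody out. The stack text is a constructed copy of the posted file and the per-module outcomes in each scenario are assumptions.

```python
"""Simulate PAM control-flag semantics over the posted /etc/pam.d/system.

Added example, not code from the thread. SYSTEM_PAM is a constructed copy of
the posted stack; the module outcomes per scenario are assumed.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "facility control module args")

SYSTEM_PAM = """
auth     sufficient pam_winbind.so     try_first_pass krb5_auth krb5_ccache_type="FILE"
auth     required   pam_unix.so        use_first_pass nullok
account  requisite  pam_login_access.so
account  sufficient pam_unix.so
account  required   pam_winbind.so     cached_login
session  required   pam_lastlog.so     no_fail
session  required   pam_winbind.so
password sufficient pam_winbind.so
password required   pam_unix.so        no_warn try_first_pass
"""

# Constructed counter-example: both auth modules 'required'.
BROKEN_AUTH = """
auth     required   pam_winbind.so
auth     required   pam_unix.so
"""


def parse_pam(text):
    """Parse 'facility control module [args...]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries


def evaluate(stack, facility, outcomes):
    """Run one facility. outcomes maps module -> True (success) / False.

    A module absent from outcomes counts as failing, so the model errs
    towards 'deny'. Returns (granted, trace).
    """
    required_failed = False
    any_success = False
    trace = []
    for e in stack:
        if e.facility != facility:
            continue
        ok = outcomes.get(e.module, False)
        trace.append((e.module, e.control, ok))
        if e.control == "requisite":
            if not ok:
                return False, trace            # stop immediately
            any_success = True
        elif e.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True         # continue, result is already fixed
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, trace             # short-circuit success
        elif e.control == "optional":
            any_success = any_success or ok    # simplified: counts as a success
        else:
            raise ValueError(f"unsupported flag {e.control!r} (flatten 'include' first)")
    return (not required_failed) and any_success, trace


AUTH_CASES = {
    "domain user, correct password": {"pam_winbind.so": True,  "pam_unix.so": False},
    "domain user, wrong password":   {"pam_winbind.so": False, "pam_unix.so": False},
    "local user, correct password":  {"pam_winbind.so": False, "pam_unix.so": True},
    "winbindd down, domain user":    {"pam_winbind.so": False, "pam_unix.so": False},
    "winbindd down, local root":     {"pam_winbind.so": False, "pam_unix.so": True},
}


def auth_matrix(stack_text):
    stack = parse_pam(stack_text)
    return {name: evaluate(stack, "auth", o)[0] for name, o in AUTH_CASES.items()}


def account_allowed(stack_text, login_access_ok, is_local_user):
    """Account phase: login.access gate, then the local or winbind account check."""
    outcomes = {"pam_login_access.so": login_access_ok,
                "pam_unix.so": is_local_user,
                "pam_winbind.so": not is_local_user}
    return evaluate(parse_pam(stack_text), "account", outcomes)[0]


if __name__ == "__main__":
    for label, stack in (("posted stack", SYSTEM_PAM), ("both required", BROKEN_AUTH)):
        print(label)
        for case, granted in auth_matrix(stack).items():
            print(f"  {case:32} -> {'allow' if granted else 'deny'}")
```

The account phase is worth the same exercise: pam_login_access.so is requisite, so a /etc/login.access deny ends the stack before winbind's cached_login is consulted.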
krb5_auth) to work, you have to configure this as well; it's also in the samba wiki linked above.

PasswordAuthentication yes
ChallengeResponseAuthentication no
auth        sufficient  /usr/local/lib/pam_winbind.so
#
# $FreeBSD$
#
# PAM configuration for the "su" service
#

# auth
auth        sufficient  pam_rootok.so   no_warn
auth        sufficient  pam_self.so     no_warn
auth        requisite   pam_group.so    no_warn group=wheel root_only fail_safe ruser
auth        include     system

# account
account     include     system

# session
session     required    pam_permit.so
auth section was done and not