SSH for domain users

lucas1

Active Member


Good day.

Tell me how to turn on SSH login for Windows domain users.
 

Zirias

Son of Beastie


Probably not at all, as ssh should just use PAM. Configure PAM to include winbind from Samba, which you need anyway to join a FreeBSD machine to a Windows domain.
 

SirDice

Administrator

Probably the easiest to accomplish that is to use security/sssd.

Strictly speaking ADS is just a combination of Kerberos, LDAP and DNS. So really all you need is to enable kerberos authentication. But you're going to need LDAP access too in order to get information like group membership, shells, home directories etc. SSSD can take care of all this for you.
 

Zirias

Son of Beastie


> Probably the easiest to accomplish that is to use security/sssd.
Although the sssd docs recommend using the "AD" provider and joining the domain, for which it depends on samba. So, if you want to do this, using samba directly (winbind offers integration with PAM and NSS) might be simpler ;)

Of course, if for some reason you don't want to join the domain, sssd should still work.
 

SirDice

Administrator

It's the tool that's used on RHEL to make it possible. It's actually fairly easy to configure and use. We have about 800+ RHEL servers and you can login on all of them with an AD account (and the proper access permissions of course, we don't just let anyone login on servers). Cross-domain authentication/trusts work, cross-forest however does not work. Although I have figured out how to effectively make that work too (even though RedHat says it can't be done).
 

Zirias

Son of Beastie


I only have a single domain here, so that's all I can test, but for that, plain samba gets the job done just as well. All you have to do is to enable winbindd and add winbind to /etc/nsswitch.conf and /etc/pam.d/system (and maybe a few concrete pam services if they don't include system).

So, it's quite possible sssd adds features on top of that :) But I think for a simple use case (if you want to join the domain, which would be the normal thing to do), just samba is fine.
 

lucas1

Active Member


> Probably the easiest to accomplish that is to use security/sssd.
>
> Strictly speaking ADS is just a combination of Kerberos, LDAP and DNS. So really all you need is to enable kerberos authentication. But you're going to need LDAP access too in order to get information like group membership, shells, home directories etc. SSSD can take care of all this for you.
Give an example sssd.conf if possible.
Since the sssd service doesn't even start.
 

lucas1

Active Member


dp_module_open_lib] (0x0010): Unable to load module [ad] with path [/usr/local/lib/sssd/libsss_ad.so]:

Indeed, there is no such module. Where do I get it?
 

Zirias

Son of Beastie


Build the port yourself with option SMB enabled. Or just use samba directly. In any case, you WILL have some documentation reading to do.
 

SirDice

Administrator

> Give an example sssd.conf if possible.
The important part is the [domain/...] section:
Code:
[domain/example.com]
debug_level = 3
ad_domain = example.com
krb5_realm = EXAMPLE.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/sh
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
dyndns_update = false
krb5_ccname_template = FILE:/tmp/krb5cc_%U
ldap_user_gecos = description
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0
ldap_referrals = false
krb5_renewable_lifetime = 7d
krb5_renew_interval = 8h

That should get you started. Use net ads join to join the computer to the domain. That should also create the appropriate keys in krb5.keytab.

Note that I've done this a gazillion times on RHEL, never on FreeBSD. I really should set up a Windows server with a domain and do a proper write-up for FreeBSD.
 

lucas1

Active Member


Thanks for the example file.
The FreeBSD computer is in the domain.
Code:
checking for xsltproc... /usr/local/bin/xsltproc
checking for xmllint... /usr/local/bin/xmllint
checking for /usr/local/share/xml/catalog... yes
checking for Docbook XSL profiling templates in XML catalog... no
configure: WARNING: Man pages might contain documentation for experimental features
checking for /usr/local/share/xml/catalog... (cached) yes
checking for Docbook XSL templates in XML catalog... no
configure: error: could not find the docbook xsl catalog
===>  Script "configure" failed unexpectedly.
Please report the problem to [email]lukas.slebodnik@intrak.sk[/email] [maintainer] and attach
the "/usr/ports/security/sssd/work/sssd-1.16.5/config.log" including the
output of the failure of your make command. Also, it might be a good idea to
provide an overview of all packages installed on your system (e.g. a
/usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1
This is an installation from ports to enable the sssd SMB option.
The sssd DOCS option is disabled.
In the package, the sssd SMB option is disabled.
 

SirDice

Administrator

That looks like a problem with the port itself. Does it build properly if you keep DOCS enabled?
 

Zirias

Son of Beastie


> The FreeBSD computer is in the domain.
If by that you mean the machine is already joined to the domain (with net ads join), then again, authentication can be done with winbind only. winbindd must be running, e.g. with the following /etc/rc.conf entries:
Code:
samba_server_enable="YES"
winbindd_enable="YES"
Then just configure NSS, e.g. with the following changed entries in /etc/nsswitch.conf:
Code:
group: files winbind
passwd: files winbind
Details here: https://wiki.samba.org/index.php/Se...in_Member#Configuring_the_Name_Service_Switch

And for PAM, read https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

With FreeBSD's PAM, you probably want to change /etc/pam.d/system. E.g. mine has the following:
Code:
auth        sufficient    pam_winbind.so        try_first_pass krb5_auth krb5_ccache_type="FILE"
auth        required    pam_unix.so        use_first_pass nullok

account        requisite    pam_login_access.so
account        sufficient    pam_unix.so
account        required    pam_winbind.so        cached_login

session        required    pam_lastlog.so        no_fail
session        required    pam_winbind.so

password    sufficient    pam_winbind.so
password    required    pam_unix.so        no_warn try_first_pass
Then you want to make sure the "sshd" service (/etc/pam.d/sshd) uses this as well, the simplest solution looks like this:
Code:
auth        include        system
account        include        system
session        include        system
password    include        system

For kerberos authentication (krb5_auth) to work, you have to configure this as well; it's also in the samba wiki linked above.
 

lucas1

Active Member


Everything is accurate.
As you wrote.
I will add just a few touches.

Samba4 already worked.

In /etc/ssh/sshd_config

Code:
PasswordAuthentication yes
ChallengeResponseAuthentication no

for /etc/pam.d/sshd and /etc/pam.d/system (for example)
Code:
auth            sufficient      /usr/local/lib/pam_winbind.so   -
Thanks.
 

lucas1

Active Member


When executing the command su, the following appeared even for users from passwd.

Code:
su
Password:
LDAP Password:
su: Sorry

Where does the LDAP prompt come from?
 

Zirias

Son of Beastie


Did you check /etc/pam.d/su? I've never seen this behavior with samba and winbind, so I'd assume some PAM configuration is wrong.

Edit: I left my /etc/pam.d/su alone, so it doesn't have any reference to winbind and just includes system for "auth" … it looks like this here:
Code:
#
# $FreeBSD$
#
# PAM configuration for the "su" service
#

# auth
auth        sufficient    pam_rootok.so        no_warn
auth        sufficient    pam_self.so        no_warn
auth        requisite    pam_group.so        no_warn group=wheel root_only fail_safe ruser
auth        include        system

# account
account        include        system

# session
session        required    pam_permit.so
 

SirDice

Administrator

The OP modified system, which gets included in a bunch of other PAM configurations, including su. If post #14 is correct, it looks like only the auth section was done and not account, session and password too.
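The PAM layout Zirias posted above and SirDice's diagnosis that only the auth section was changed can be checked mechanically. This added example (not from the thread, Samba or FreeBSD) parses FreeBSD-style /etc/pam.d files, follows include lines the way PAM does, and reports which facilities of a service actually reach pam_winbind; the sample file contents are constructed, not copied from a real host.

```python
FACILITIES = ("auth", "account", "session", "password")

def parse_pam(text):
    """Parse one pam.d file into (facility, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries

def resolve(service, files, seen=frozenset()):
    """Expand includes: 'auth include system' pulls in only system's auth lines."""
    if service in seen:
        raise ValueError("include loop at %s" % service)
    out = []
    for fac, ctl, mod, args in parse_pam(files[service]):
        if ctl == "include":
            out += [e for e in resolve(mod, files, seen | {service}) if e[0] == fac]
        else:
            out.append((fac, ctl, mod, args))
    return out

def winbind_coverage(service, files):
    """Per facility: True/False if pam_winbind is/isn't listed, None if absent."""
    entries = resolve(service, files)
    cov = {}
    for fac in FACILITIES:
        lines = [e for e in entries if e[0] == fac]
        cov[fac] = any("pam_winbind" in e[2] for e in lines) if lines else None
    return cov

def missing_winbind(service, files):
    """Facilities of this service that never reach pam_winbind."""
    return [f for f, v in winbind_coverage(service, files).items() if not v]

# Constructed samples (not a real host); SYSTEM_PARTIAL mirrors the thread's mistake: winbind in auth only.
SYSTEM_PARTIAL = """
auth     sufficient  pam_winbind.so  try_first_pass krb5_auth
auth     required    pam_unix.so     use_first_pass nullok
account  required    pam_unix.so
session  required    pam_permit.so
password required    pam_unix.so     no_warn try_first_pass
"""
SYSTEM_FULL = SYSTEM_PARTIAL + """
account  required    pam_winbind.so  cached_login
session  required    pam_winbind.so
password sufficient  pam_winbind.so
"""
SSHD = "auth include system\naccount include system\nsession include system\npassword include system\n"
```

Running missing_winbind("sshd", {"system": SYSTEM_PARTIAL, "sshd": SSHD}) lists account, session and password, which is exactly the gap described in this post.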
 

lucas1

Active Member


Yes, there were wrong lines in the file /etc/pam.d/system.
I forgot that I changed it.

Certainly the "include system" lines are more correct and convenient, but it's easier for me to edit the file for each service in /etc/pam.d/.

Command "su" works.

Thank you.
 