Date:      Wed, 3 Oct 2007 13:08:36 -0500
From:      "Stephanie Bridges" <sbridges@iastate.edu>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: FreeBSD to authenticate against Active Directory
Message-ID:  <002401c805e8$6bf32eb0$43d98c10$@edu>
In-Reply-To: <20071003073146.57166873@racerx.makeworld.com>
References:  <4702FF8E.8000004@rowyerboat.com> <20071003073146.57166873@racerx.makeworld.com>


On Wednesday, October 03, 2007 7:32 AM Chris wrote:
> 
> On Wed, 03 Oct 2007 03:33:50 +0100
> Stephen Allen <sdafreebsduk@rowyerboat.com> wrote:
> 
> > Hello,
> >
> > Is there any up-to-date definitive resource which explains how to get
> > FreeBSD (6.2) to authenticate against Active Directory (in my case
> > Windows 2003 R2 which includes SFU).  There are a few informative
> > articles floating around, but most date back to 2004/2005 and most
> > involve the use of Samba and Winbind (I'd like to avoid this if
> > possible).
> >
> > I don't really know what is possible here, I'm coming from only a
> > basic understanding of how things like pam work.  Would I have to
> > configure every service separately to use Active Directory or could I
> > tell FreeBSD to blindly rely on AD for user authentication?
> >
> > I read about pam_mkhomedir, so users could have homedirs created
> > automatically when they logged in.  Is this possible in FreeBSD?
> > Would I be able to map this automatically to their existing "My
> > Documents" folder which is redirected to the network by group policy?
> >
> > Please feel free to tell me what can/can't be done and if doing so is
> > a good/bad thing.  I can explain bits in more detail if needed.
> >
> 
> Steve -
> 
> 
> You have a few options.
> 1. LDAP
> 2. OpenLDAP
> 3. The use of WinBind and its companion apps (using ntlm etc.)
> 4. Google AD Auth Unix (or, insert your personal choice)
> 
> What you may find - is that installing Winbind etc may be your easiest
> way to go however, I'm unsure how SFU will play along with the mix.
> 

I also have not seen anything particularly recent; and every reference I
have seen is slightly different.

I have gotten FreeBSD to successfully authenticate to our AD servers here
(Win2003, not sure of service pack level) using pam/winbind.  Pam_winbind is
configured to authenticate with Kerberos.

I use the RID IDMAP scheme with winbind for user id mapping.  The AD servers
have had Unix attributes added, but I have not tested how this works for me
yet.  I am also using pam_mkhomedir to create user home directories.


My setup:
1. Nsswitch.conf has group and passwd set to "files winbind"
2. Krb5.conf points to the AD servers
3. /etc/pam.d/system:
---------------------
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         sufficient      /usr/local/lib/pam_winbind.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        /usr/local/lib/pam_mkhomedir.so
session         required        pam_lastlog.so          no_fail

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
----------------------------------

4. pam_winbind now has its own conf file (copy from
/usr/local/share/examples/samba/pam_winbind to /etc/security and modify).
(contents follow)  I have not tried caching.
-----------
#
# /etc/security/pam_winbind.conf
#
[global]

# turn on debugging
debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx
------------------------------------

5. smb.conf is attached; this is for Samba 3.0.25a.

I do not believe pam_mkhomedir will automatically mount an external
filesystem; however, there is a pam module called pam_mount [1] which will
allow you to auto-mount filesystems of various types at user login, and which
we have used successfully on our university-blessed RHEL5 systems.  I have not
tried to compile it yet on FreeBSD.  One thing we discovered on RHEL5 (we
are not using the most recent version of pam_mount, so ymmv) is that it
needs to be the module that actually grabs the password and then passes it
on to the rest of the pam stack.  It was unable to retrieve the credentials
from whoever was ahead of it.  We used CIFS instead of SMB, which performed
much better.

[1] http://pam-mount.sourceforge.net/


~~~~~~~~~~~~~~~~~~
Stephanie Bridges
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA  50011
sbridges@iastate.edu

[Attachment: smb-xx.conf]

#
#======================= Global Settings ========================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = IASTATE

# server string is the equivalent of the NT Description field
   server string = Econ Samba test

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
   security = ads

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 129.186.xxx.xxx 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
;   printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
   password server = server1.iastate.edu, server2.iastate.edu

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
   realm = IASTATE.EDU

# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
;   passdb backend = tdbsam

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#	Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 129.186.xxx.xxx, 129.186.xxx.xxx

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one	WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
;    nt acl support = yes
;    inherit acls = yes
;    map acl inherit = yes

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g

winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
winbind nested groups = yes
allow trusted domains = no
template shell = /bin/tcsh
template homedir = /home/%U

idmap domains = IASTATE
idmap config IASTATE:backend = rid
idmap config IASTATE:default = yes
idmap config IASTATE:base_rid = 0
idmap config IASTATE:range   = 100000-200000000
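Worked example, added here and not part of Stephanie's mail or of FreeBSD/Samba: a small Python simulation of how the "auth" section of the /etc/pam.d/system file above is walked, using a simplified version of the PAM control-flag rules (required, requisite, sufficient, optional). The stack text is the one posted, with the wrapped lines joined and pam_ssh left commented out; the per-module outcomes are constructed scenarios. It shows which module each login actually ends at, and that pam_unix.so (with nullok, which in FreeBSD's pam_unix accepts an empty local password) is the fallback reached every time winbind fails.

```python
"""Simulate a PAM "auth" stack walk (added example; the control-flag rules below
are a simplification of the OpenPAM/Linux-PAM semantics, not their source)."""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The auth section of /etc/pam.d/system from the mail, wrapped lines joined.
SYSTEM_AUTH = """
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
"""


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # basename only, e.g. "pam_winbind.so"


def parse_stack(text: str, facility: str = "auth") -> List[Entry]:
    """Parse '<facility> <control> <module> [options]' lines; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        entries.append(Entry(parts[1], os.path.basename(parts[2])))
    return entries


def evaluate(stack: List[Entry], outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack. outcomes maps module name -> True (success) / False (failure);
    a module missing from outcomes is treated as failing (fail closed).
      requisite:  failure stops the walk immediately with failure
      required:   failure is remembered, but the walk continues (hides which module failed)
      sufficient: success ends the walk with success unless a required module already failed
      optional:   result ignored
    Returns (final_result, modules consulted in order)."""
    consulted: List[str] = []
    required_failed = False
    any_success = False
    for e in stack:
        ok = outcomes.get(e.module, False)
        consulted.append(e.module)
        if e.control == "requisite" and not ok:
            return False, consulted
        if e.control == "required" and not ok:
            required_failed = True
        if e.control in ("required", "requisite", "sufficient") and ok:
            any_success = True
        if e.control == "sufficient" and ok and not required_failed:
            return True, consulted
    return (not required_failed) and any_success, consulted


if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    scenarios = {  # constructed per-module outcomes
        "AD user, winbind reachable":    {"pam_opieaccess.so": True, "pam_winbind.so": True},
        "winbind down, local account":   {"pam_opieaccess.so": True, "pam_unix.so": True},
        "opieaccess denies (requisite)": {"pam_winbind.so": True},
        "everything fails":              {"pam_opieaccess.so": True},
    }
    for name, outcome in scenarios.items():
        result, path = evaluate(stack, outcome)
        print("%-31s -> %-5s via %s" % (name, result, " -> ".join(path)))
```

The "winbind down" scenario is the one worth watching when auditing such a host: because pam_winbind is only "sufficient", a domain-controller outage does not deny logins, it silently routes every attempt to the local password database instead.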
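Second worked example, added here and not from the mail or from Samba: the arithmetic the idmap_rid backend performs for the idmap config block at the end of smb-xx.conf, following the formula given in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. The smb.conf fragment is copied from the posted file; the domain SID and the account RIDs are constructed placeholders (RID 500 is the well-known built-in Administrator RID). It also shows the two cases in which the mapping is refused, a SID from another domain and a result outside the configured range, which is why "allow trusted domains = no" fits a single rid-backed domain.

```python
"""Map AD account SIDs to uids the way Samba's idmap_rid backend does (added
example written from the idmap_rid(8) formula; this is not Samba's code)."""
from typing import Dict, Optional, Tuple

# winbind/idmap lines copied from the posted smb-xx.conf
SMB_CONF = """
winbind use default domain = yes
allow trusted domains = no
idmap domains = IASTATE
idmap config IASTATE:backend = rid
idmap config IASTATE:default = yes
idmap config IASTATE:base_rid = 0
idmap config IASTATE:range   = 100000-200000000
"""

# Constructed placeholder; on a joined host the real value comes from `net getdomainsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def parse_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); reject anything else."""
    parts = sid.split("-")
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError("not an account SID in a domain: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def parse_idmap(conf: str, domain: str) -> Dict[str, str]:
    """Collect 'idmap config <DOMAIN>:<key> = <value>' entries for one domain.
    smb.conf keys are case-insensitive and may carry padding ('range   =')."""
    prefix = "idmap config %s:" % domain.lower()
    cfg: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        if key.startswith(prefix):
            cfg[key[len(prefix):]] = value.strip()
    return cfg


def rid_to_uid(sid: str, domain_sid: str, cfg: Dict[str, str]) -> Optional[int]:
    """Return the uid winbind would hand out, or None when the backend refuses:
    a SID from a foreign domain, or a result outside the configured range."""
    domain, rid = parse_sid(sid)
    if domain != domain_sid:
        return None
    low, high = (int(x) for x in cfg["range"].split("-"))
    base = int(cfg.get("base_rid", "0"))
    uid = rid - base + low
    if not low <= uid <= high:
        return None
    return uid


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF, "IASTATE")
    print("backend=%s range=%s base_rid=%s" % (cfg["backend"], cfg["range"], cfg["base_rid"]))
    for rid in (500, 1105, 199900000, 199900001):   # constructed RIDs
        sid = "%s-%d" % (DOMAIN_SID, rid)
        print("%s -> %s" % (sid, rid_to_uid(sid, DOMAIN_SID, cfg)))
    print("foreign SID -> %s" % rid_to_uid("S-1-5-21-9-9-9-1105", DOMAIN_SID, cfg))
```

With base_rid = 0 and a low range id of 100000, every uid is simply RID + 100000, so the mapping is stable across hosts that share this config and never collides with the local accounts below 100000; that stability is the reason to pick rid over the tdb-allocating backends when several FreeBSD machines must agree on file ownership.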




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002401c805e8$6bf32eb0$43d98c10$>