Home 零对冲(ZeroHedge)每日HackerNews

FreeBSD 原生 Kerberos/LDAP 与 FreeIPA/IDM
Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

原始链接: https://vermaden.wordpress.com/2026/02/18/native-freebsd-kerberos-ldap-with-freeipa-idm/

## 将FreeBSD与FreeIPA/IDM集成,使用Kerberos & nslcd 本指南详细介绍了将FreeBSD 15.0-RELEASE与由FreeIPA/IDM管理的Linux域集成的新方法,利用FreeBSD的MIT Kerberos和轻量级的`nslcd`守护进程。虽然该设置使用LGPL21/LGPL3许可,但在FreeIPA/IDM环境中被认为是可接受的。 该过程始于确保FreeIPA/IDM服务器正常运行(遵循先前的设置指南)。关键步骤包括将`pkg`仓库切换到‘latest’,安装`nss-pam-ldapd`、`pam_mkhomedir`、`sudo`和`doas`。配置涉及将FreeBSD主机添加到FreeIPA/IDM,检索keytab,并将其安全地放置在FreeBSD系统上。 至关重要的是,`/etc/krb5.conf`和`/usr/local/etc/nslcd.conf`需要正确配置,以指向FreeIPA/IDM服务器。然后启用并启动`nslcd`,并修改`/etc/nsswitch.conf`以利用LDAP获取用户和组信息。最后,调整PAM配置以自动创建主目录,并配置SSH以进行Kerberos/GSSAPI身份验证。这允许通过FreeIPA/IDM身份验证的用户通过SSH登录到FreeBSD主机,并在进一步配置后,直接通过控制台登录。

黑客新闻 新 | 过去 | 评论 | 提问 | 展示 | 招聘 | 提交 登录 原生 FreeBSD Kerberos/LDAP 与 FreeIPA/IDM (vermaden.wordpress.com) 5 分,由 vermaden 1小时前发布 | 隐藏 | 过去 | 收藏 | 讨论 帮助 指南 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系 搜索:
相关文章
原文
This new way is using MIT Kerberos from FreeBSD 15.0-RELEASE and small lightweight nslcd(8) daemon from net/nss-pam-ldapd package. The only (non technical) downside is that it uses LGPL21/LGPL3 license … but as we connect to entire Linux domain with FreeIPA/IDM it does not matter much, does it? :)Now – we first need FreeIPA/IDM server … use instructions from older Connect FreeBSD 14.0-STABLE to FreeIPA/IDM article.Now for the new way … lets start by switching the pkg(8) repository from quarterly to latest. 
FreeBSD # mkdir -p /usr/local/etc/pkg/repos

FreeBSD # sed s/quarterly/latest/g /etc/pkg/FreeBSD.conf > /usr/local/etc/pkg/repos/FreeBSD.conf

Next we will install needed packages.

FreeBSD # pkg install -y nss-pam-ldapd pam_mkhomedir sudo doas

If your DNS configured at /etc/resolv.conf does not resolve FreeIPA/IDM use /etc/hosts instead.

FreeBSD # cat << __EOF >> /etc/hosts
172.27.33.200  rhidm.lab.org   rhidm
172.27.33.215  fbsd15.lab.org  fbsd15
__EOF

Add our new FreeBSD host and its IP on FreeIPA/IDM server.

[root@idm ~]# kinit admin
Password for [email protected]: 

[root@idm ~]# ipa dnsrecord-add lab.org fbsd15 --a-rec=172.27.33.215 --a-create-reverse
  Record name: fbsd15
  A record: 172.27.33.215

[root@idm ~]# ipa host-add fbsd15.lab.org
---------------------------
Added host "fbsd15.lab.org"
---------------------------
  Host name: fbsd15.lab.org
  Principal name: host/[email protected]
  Principal alias: host/[email protected]
  Password: False
  Keytab: False
  Managed by: fbsd15.lab.org

[root@idm ~]# ipa-getkeytab -s rhidm.lab.org -p host/[email protected] -k /root/fbsd15.keytab
Keytab successfully retrieved and stored in: /root/fbsd15.keytab

[root@idm ~]# cp /root/fbsd15.keytab /usr/share/ipa/html/

[root@idm ~]# chmod 644 /usr/share/ipa/html/fbsd15.keytab

On FreeBSD host copy the keytab from FreeIPA/IDM server and put it into right place with proper permissions.

FreeBSD # fetch -o /etc/krb5.keytab http://rhidm.lab.org/ipa/config/fbsd15.keytab
/root/fbsd15.keytab                            314  B  804 kBps    00s

FreeBSD # chmod 640 /etc/krb5.keytab

Verify FreeBSD keytab.

FreeBSD # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]
   1 host/[email protected]

The nslcd(8) daemon will need /etc/krb5.keytab keytab read access to work – to achieve that we will add sshd user to its nslcd group.

FreeBSD # groups sshd
sshd

FreeBSD # pw usermod sshd -G nslcd

FreeBSD # groups sshd
sshd nslcd

Prepare /etc/krb5.conf config.

FreeBSD # cat << __EOF > /etc/krb5.conf
[libdefaults]
  default_realm    = LAB.ORG
  dns_lookup_kdc   = false
  dns_lookup_realm = false

[realms]
  LAB.ORG = {
    kdc          = rhidm.lab.org
    admin_server = rhidm.lab.org
  }

[domain_realm]
  .lab.org = LAB.ORG
   lab.org = LAB.ORG
__EOF

Create /usr/local/etc/nslcd.conf config for nslcd(8) daemon.

FreeBSD # cat << __EOF > /usr/local/etc/nslcd.conf
# RUN AS nslcd USER 
uid nslcd
gid nslcd

# LDAP CONNECTION DETAILS
uri  ldap://rhidm.lab.org
base dc=lab,dc=org

# USE SYSTEM KEYTAB FOR AUTH
sasl_mech  GSSAPI
sasl_realm LAB.ORG

# FORCE /bin/sh SHELL
map passwd loginShell "/bin/sh"
__EOF

Enable and start the nslcd(8) daemon.

FreeBSD # service nslcd enable
nslcd enabled in /etc/rc.conf

FreeBSD # service nslcd start
Starting nslcd.

Modify /etc/nsswitch.conf config the following way with simple sed(1) one liner.

FreeBSD # sed -i '.OLD' -E \
              -e 's/^group:.*/group: files ldap/g'   \
              -e 's/^passwd:.*/passwd: files ldap/g' \
              /etc/nsswitch.conf

This is what we changed.

FreeBSD # diff -u /etc/nsswitch.conf.OLD /etc/nsswitch.conf
--- /etc/nsswitch.conf.OLD 2026-02-18 04:54:41.487608000 +0000
+++ /etc/nsswitch.conf     2026-02-18 04:59:00.234662000 +0000
@@ -1,9 +1,9 @@
-group: compat
+group: files ldap
 group_compat: nis
 hosts: files dns
 netgroup: compat
 networks: files
-passwd: compat
+passwd: files ldap
 passwd_compat: nis
 shells: files
 services: compat

One can use even more compact /etc/nsswitch.conf as shown by Christian Hofstede-Kuhn (Larvitz) below.

FreeBSD # cat << __EOF > /etc/nsswitch.conf
group: files ldap
passwd: files ldap
hosts: files dns
networks: files
shells: files
services: compat
protocols: files
rpc: files
__EOF

Now lets test how it works.

FreeBSD # id vermaden
uid=854800003(vermaden) gid=854800003(vermaden) groups=854800003(vermaden)

Now the sshd(8) part.

FreeBSD # cat << __EOF >> /etc/ssh/sshd_config
# KRB5/GSSAPI AUTH
GSSAPIAuthentication      yes
GSSAPICleanupCredentials  yes
GSSAPIStrictAcceptorCheck no
__EOF

Time to restart sshd(8) daemon.

FreeBSD # service sshd restart
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 1089.
Performing sanity check on sshd configuration.
Starting sshd.

Now lets test how it works over SSH.

[root@rhidm ~]# kinit vermaden
Password for [email protected]: 

[root@rhidm ~]# ssh fbsd15 -l vermaden
FreeBSD 15.0-RELEASE-p2 (GENERIC) releng/15.0-n281005-5fb0f8e9e61d

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://www.FreeBSD.org/lists/questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).

Could not chdir to home directory /home/vermaden: No such file or directory

vermaden@fbsd15:/ $ id admin
uid=854800000(admin) gid=854800000(admins) groups=854800000(admins)

vermaden@fbsd15:/ $ id
uid=854800003(vermaden) gid=854800003(vermaden) groups=0(wheel),854800003(vermaden)

Works but … the ${HOME} directory is not automatically created because we did not configured it yet.

Lets use sed(1) again … and yes it has to be spread over two lines.

FreeBSD # sed -i '.OLD' '/^session.*/i\
session optional pam_mkhomedir.so mode=0700' /etc/pam.d/sshd

FreeBSD # ls -l /etc/pam.d/sshd*
-rw-r--r--  1 root wheel 608 Feb 18 05:18 /etc/pam.d/sshd
-rw-r--r--  1 root wheel 564 Feb 18 05:18 /etc/pam.d/sshd.OLD

FreeBSD # diff -u /etc/pam.d/sshd.OLD /etc/pam.d/sshd
--- /etc/pam.d/sshd.OLD 2026-02-18 05:20:50.344139000 +0000
+++ /etc/pam.d/sshd     2026-02-18 05:20:53.552277000 +0000
@@ -16,6 +16,7 @@
 
 # session
 #session       optional        pam_ssh.so              want_agent
+session        optional        pam_mkhomedir.so        mode=0700
 session        required        pam_permit.so
 
 # password

We use optional instead of required if for some reason pam_mkhomedir.so fails or is not available.

For the record the entire /etc/pam.d/sshd PAM config looks like that.

FreeBSD # cat /etc/pam.d/sshd
# auth
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         optional        pam_mkhomedir.so        mode=0700
session         required        pam_permit.so

# password
password        required        pam_unix.so             no_warn try_first_pass

We will now configure sudo(8) for more permissions.

FreeBSD # pw groupmod wheel -m vermaden

FreeBSD # cat << __EOF >> /usr/local/etc/sudoers
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
__EOF

We will also do doas(1) here as its simpler and more secure.

FreeBSD # cat << __EOF > /usr/local/etc/doas.conf
permit nopass keepenv root   as root
permit nopass keepenv :wheel as root
__EOF

Now lets try to login again.

[root@rhidm ~]# kinit vermaden
Password for [email protected]: 

[root@rhidm ~]# ssh fbsd15 -l vermaden

vermaden@fbsd15:~ $ pwd
/home/vermaden

vermaden@fbsd15:~ $ sudo -i
root@fbsd15:~ #

Better.

I also ‘silenced’ the login a little by creating empty ~/.hushlogin file and by removing /usr/bin/fortune from the ~/.profile file.

vermaden@fbsd15~/ $ :> ~/.hushlogin

vermaden@fbsd15:~ $ sed -i '.OLD' '/fortune/d' ~/.profile

… and this is the part I added – using FreeIPA/IDM user for console access – because right now – it does not work.

FreeBSD/amd64 (fbsd15.lab.org) (ttyu0)

login: vermaden
Password:
Login incorrect

To allow that we will uncomment all lines matching the pam_krb5.so module within /etc/pam.d/system config.

FreeBSD # sed -i '.OLD' '/pam_krb5.so/s/^#//g' /etc/pam.d/system

FreeBSD # ls -l /etc/pam.d/system*
-rw-r--r--  1 root wheel 568 Feb 18 05:34 /etc/pam.d/system
-rw-r--r--  1 root wheel 571 Feb 18 05:33 /etc/pam.d/system.OLD

FreeBSD # diff -u /etc/pam.d/system.OLD /etc/pam.d/system
--- /etc/pam.d/system.OLD 2026-02-18 05:33:48.171585000 +0000
+++ /etc/pam.d/system     2026-02-18 05:34:24.444767000 +0000
@@ -4,12 +4,12 @@
 #
 
 # auth
-#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+auth           sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass nullok
 
 # account
-#account       required        pam_krb5.so
+account        required        pam_krb5.so
 account                required        pam_login_access.so
 account                required        pam_unix.so
 
@@ -19,5 +19,5 @@
 session         required        pam_xdg.so
 
 # password
-#password      sufficient      pam_krb5.so             no_warn try_first_pass
+password       sufficient      pam_krb5.so             no_warn try_first_pass
 password       required        pam_unix.so             no_warn try_first_pass

Lets try again.

FreeBSD/amd64 (fbsd15.lab.org) (ttyu0)

login: vermaden
Password: 

vermaden@fbsd15:~ $ klist
klist: No credentials cache found (filename: /tmp/krb5cc_854800003_AeF9er)

vermaden@fbsd15:~ $ kinit 
Password for [email protected]: 

vermaden@fbsd15:~ $ klist
Ticket cache: FILE:/tmp/krb5cc_854800003_AeF9er
Default principal: [email protected]

Valid starting     Expires            Service principal
02/18/26 05:27:47  02/19/26 05:07:21  krbtgt/[email protected]

You have reached the end of this article – see you in the next one 🙂

EOF

联系我们 contact @ memedata.com