Archive for July, 2008
FreeBSD Single Sign on with Active Directory and Access Control
Introduction
This document describes how to join a FreeBSD box to a Windows domain controller and to control access to the FreeBSD box. We will be using Samba’s WinBind and Kerberos for authentication.
This document assumes that you have a functioning FreeBSD sever on a network with internet access.
Install Samba Port
1. Log into FreeBSD Sever
2. Su to root “su –“
3. Change to Samba 3 ports directory “cd /usr/ports/net/samba3”
4. Compile and install Samba 3 “make install”
a. Select ONLY the following Samba options in the configuration “LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES, & POPT”
Configure Samba
1. To get Samba and Winbind to work on boot up add the following to /etc/rc.conf file:
nmbd_enable=”YES”
smbd_enable=”YES”
winbindd_enable=”YES”
kerberos5_server_enable=”YES”
kadmind5_server_enable=”YES”
2. Move the orginal smb.conf file “mv /usr/local/etc/smb.conf /usr/local/etc/smb.conf.default”
3. Copy the following to smb.conf…
[global]
workgroup = YOURDOMAIN
server string = FreeBSD Server %v
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = YOURDOMAIN.COM
password server = domaincontroler1.yourdomain.com
password server = domaincontroler2.yourdomain.com
winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/tcsh
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
Configure Kerberos
1. Edit /etc/krb5.conf (it probably doesn’t exist) and add the following text:
default = SYSLOG:INFO:LOCAL7
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = YOURDOMAIN.COM
[realms]
domain.LOCAL = {
kdc = domaincontroler1.yourdomain.com:88
kdc = domaincontroler2.yourdomain.com:88
admin_server = domaincontroler1.yourdomain.com:464
admin_server = domaincontroler2.yourdomain.com:464
default_domain = yourdomain.com
}
[domain_realm]
.domain.local = YOURDOMAIN.COM
2. Test Kerberos by typing “kinit <Username>”. Put a username that is on the domain controller. You should get a response of “kinit: NOTICE: ticket renewable lifetime is 1 week” and you will know its working. You can also do a “klist” to see who issued the ticket and verify its from the Smartech domain.
Joining The Domain
1. We should now be able to join the domain, enter the following:
/usr/local/bin/net ads join -U domaincontroler1.yourdomain.com -U administrator
2. It will prompt you for the domain controllers administrator password. If your successful you should see a reply like:
Using short domain name — YOURDOMAIN
Joined ‘FBTEST2′ to realm ‘YOURDOMAIN.COM’
Turning Samba on and Testing
1. Run “/usr/local/etc/rc.d/samba start”
2. Your output should look like this:
Removing stale Samba tdb files: done
Starting nmbd.
Starting smbd.
Starting winbindd.
3. Then run “wbinfo -u” and it should list all of the domain users.
4. Also “wbinfo -g” will show you a list all of the domain groups.
Name Switch Service
1. Now we tell pam to authenticate from the AD server first then failover to local accounts if the domain controller is over.
2. Edit the “/etc/nsswitch” file. Make it match the following example. Notice we only make changes to the group and passwd entries.
group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Automatic Creation of Home Directories
1. To make automatic home directories we need to compile and install pam_mkhomedir port.
cd /usr/ports/security/pam_mkhomedir
make install
Setup SSHD Authentication with PAM
1. Now we have to make SSHD authenticate with PAM and WinBind by editing “/etc/pam.d/sshd”. This will also do the automatic home directory creation.
2. Add “auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain” to the 3rd line under “# auth”
3. Add “session required /usr/local/lib/pam_mkhomedir.so” to the 2nd line under “# session # Creates home directories for AD authenticated users.”
4. You can also run “getent passwd” and “getent group” to get the list of users and groups that combine both the domain controllers user list with the local list and the same for groups.
Testing Domain Authentication
1. Try logging into the account with an account on the domain controller and its password. Once logged in make sure the account has a home directory by typing “pwd” to see your current path.
Setup AD Group Access Restrictions
1. Now we need to restrict the FreeBSD box to particular users. We do not want everyone to have access. No now we will need to gather some needed information.
a. Run “wbinfo -g” to view all of the groups that are in the domain controller or look in the Active Directory Users and Computers.
b. Note the groups you want to have access to the box. You are required to add “Domain Admins” as a group to all FreeBSD boxes.
c. Next we need the SID of each of the groups.
i. wbinfo -n “GROUPNAME” , will return the SID of the group.
fbtest2# wbinfo -n “domain admins”
S-1-5-21-1328793019-4053271937-1264903302-512 Domain Group (2)
ii. The long number starting with S is the SID, i.e. S-1-5-21-1328793019-4053271937-1264903302-512
2. Now we need to add the SID’s to /etc/pam.d/sshd to allow those users access and to remove access for everyone.
a. Comment out “auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain”
b. Add “auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=<SID> # Group: <GROUP NAME>” below it.
i.e. “auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512 # Group: Domain Admins”
c. Make sure you label the “GROUP NAME” so that we know which group the SID belongs to.
d. Add the rest of the groups you want to have access to the box.
3. Add a user to a group on the domain controller and test your loggin.
