From: Matthew X. Economou on 11 Dec 2009 16:17

I'm not sure how many of you use FreeBSD in Windows enterprises, but those that do are likely frustrated with the current support for Samba's winbind on this platform. The biggest problems revolve around Kerberos library compatibility problems and PAM module bugs. After much tearing of the hair and gnashing of the teeth, I have a functional configuration. Here's what you need to do:

1. Upgrade to FreeBSD 8

The latest FreeBSD release includes an updated version of the Heimdal Kerberos 5 implementation, which supports Microsoft's inclusion of authorization data in the Kerberos datagrams (i.e., the PAC) and Kerberos client-server interactions over TCP. Previously, the version of Heimdal included in the base system had to be replaced with a newer version found in the ports tree or with MIT Kerberos. This caused me a number of DLL errors and other compatibility problems.

2. Build net/samba33 with ADS and experimental module support

Make sure to enable WITH_ADS and WITH_EXP_MODULES. If you forget to set these port build knobs, Samba will be built without support for Kerberos (required to get PAM authentication working) or idmap_rid (necessary to have consistent UIDs at sites that haven't deployed Services for UNIX or Identity Management for UNIX).

3. Configure Samba to use the Kerberos "keytab" file

In addition to setting the domain, enabling the ADS security mode, and configuring an appropriate idmap backend, be sure to set "use kerberos keytab = Yes" in /usr/local/etc/smb.conf. When you join the domain (using the "net ads join" command), Samba will add the server's Kerberos keys to /etc/krb5.keytab, which are used by the Kerberos client to authenticate itself to the domain before the user logs in.

4. Use pam_krb5 instead of pam_winbind

While nss_winbind works as expected, pam_winbind fails to authenticate users at all. In fact, it appears to break PAM, prohibiting logins even by authorized and correctly authenticated local users. Instead, simply uncomment the lines containing "pam_krb5.so" in the appropriate files located under /etc/pam.d/ (e.g., /etc/pam.d/system, /etc/pam.d/sshd). No further configuration is required.

Now, I'd much rather use pam_winbind for authentication (namely for cached logins), but this works well enough.

5. Use Authen::Simple::PAM for testing

If you feel like debugging pam_winbind but don't want to break console logins or SSH to do so, you can create a simple test harness using this Perl module. When you specify a service name to the Authen::Simple::PAM->new method, use something unique (e.g., "test"), and then create a file with the same name under /usr/local/etc/pam.d/ or /etc/pam.d/. The contents of this file should be similar to /etc/pam.d/system. The actual debugging I'll leave as an exercise for the reader.
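The five steps above, collected into one script as an added example (this is not code from the original post or from the Samba project). It assumes placeholder domain values (WORKGROUP=EXAMPLE, REALM=EXAMPLE.COM), the Samba 3.3 "idmap config DOMAIN : backend = rid" syntax for the idmap_rid module that WITH_EXP_MODULES provides, FreeBSD 8's Heimdal ktutil in the base system, and the layout of FreeBSD's /etc/pam.d/system; the PAM service file it writes mirrors that layout with the pam_krb5.so lines enabled, and the Perl harness it installs is the Authen::Simple::PAM test described in step 5, with the service name taken from the PAM_SERVICE variable (default "test"):

```shell
#!/bin/sh
# Added example: FreeBSD 8 + net/samba33 ADS member setup and a throwaway PAM
# service for debugging. Domain, realm and UID range values are placeholders.

set -eu

WORKGROUP="${WORKGROUP:-EXAMPLE}"       # NetBIOS domain name (placeholder)
REALM="${REALM:-EXAMPLE.COM}"           # Kerberos realm (placeholder)
RID_RANGE="${RID_RANGE:-20000-29999}"   # UID/GID range handed to idmap_rid (assumed)
PAM_SERVICE="${PAM_SERVICE:-test}"      # unique PAM service name, as in step 5

# Steps 2/3: [global] section for /usr/local/etc/smb.conf. "security = ADS" and
# "use kerberos keytab = Yes" come from the post; the idmap lines are the
# Samba 3.3 syntax for the rid backend (assumption).
render_smb_conf() {
    cat <<EOF
[global]
    workgroup = $WORKGROUP
    realm = $REALM
    security = ADS
    use kerberos keytab = Yes
    idmap backend = tdb
    idmap uid = 10000-19999
    idmap gid = 10000-19999
    idmap config $WORKGROUP : backend = rid
    idmap config $WORKGROUP : range = $RID_RANGE
    winbind use default domain = Yes
    template shell = /bin/sh
    template homedir = /home/%D/%U
EOF
}

# Sanity check: every setting needed for keytab-based ADS auth must be present.
check_smb_conf() {
    f="$1"
    for needle in 'security = ADS' 'use kerberos keytab = Yes' 'realm = ' 'backend = rid'; do
        grep -qi -- "$needle" "$f" || { echo "smb.conf missing: $needle" >&2; return 1; }
    done
}

# Step 4/5: a copy of FreeBSD's /etc/pam.d/system with the Kerberos lines
# uncommented, to be installed as /etc/pam.d/$PAM_SERVICE (layout assumed).
render_pam_service() {
    cat <<'EOF'
auth        sufficient  pam_opie.so        no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so  no_warn allow_local
auth        sufficient  pam_krb5.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass nullok
account     required    pam_nologin.so
account     required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    pam_lastlog.so     no_fail
password    sufficient  pam_krb5.so        no_warn try_first_pass
password    required    pam_unix.so        no_warn try_first_pass
EOF
}

# Step 5: Authen::Simple::PAM harness. The password is read from the terminal
# with echo off rather than taken from argv, so it never shows up in ps output.
render_pam_harness() {
    cat <<'EOF'
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Simple::PAM;

my $user = shift or die "usage: $0 USER\n";
print "Password: ";
system 'stty', '-echo';
chomp(my $pass = <STDIN>);
system 'stty', 'echo';
print "\n";

my $pam = Authen::Simple::PAM->new(service => $ENV{PAM_SERVICE} || 'test');
if ($pam->authenticate($user, $pass)) { print "PAM OK\n"; exit 0; }
print "PAM FAILED\n";
exit 1;
EOF
}

# Step 3: join and confirm the machine keys landed in /etc/krb5.keytab.
join_and_verify() {
    net ads join -U "${ADMIN_USER:-Administrator}"
    ktutil -k /etc/krb5.keytab list     # Heimdal ktutil from the FreeBSD 8 base system
    net ads testjoin                     # machine account usable against the DC
    wbinfo -t                            # winbind can use the trust secret
    wbinfo -u | head -n 5                # nss_winbind-style user listing
}

install_test_service() {
    render_pam_service > "/etc/pam.d/$PAM_SERVICE"
    render_pam_harness > /usr/local/bin/pam_test.pl
    chmod 0755 /usr/local/bin/pam_test.pl
}

case "${1:-}" in
    smbconf) render_smb_conf ;;
    check)   check_smb_conf "${2:-/usr/local/etc/smb.conf}" ;;
    join)    join_and_verify ;;
    pamtest) install_test_service ;;
    "")      ;;
    *)       echo "usage: $0 smbconf|check [FILE]|join|pamtest" >&2; exit 2 ;;
esac
```

Run `sh setup.sh smbconf > /usr/local/etc/smb.conf` and `sh setup.sh check` before the join, `sh setup.sh join` as root once the port is built, and `sh setup.sh pamtest` followed by `pam_test.pl someuser` to exercise pam_krb5 (or, by editing the generated service file, pam_winbind) without touching /etc/pam.d/system or sshd.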
From: TomB on 20 Dec 2009 03:25

On 2009-12-11, the following emerged from the brain of Matthew X. Economou:

> I'm not sure how many of you use FreeBSD in Windows enterprises, but those that do are likely frustrated with the current support for Samba's winbind on this platform. The biggest problems revolve around Kerberos library compatibility problems and PAM module bugs. After much tearing of the hair and gnashing of the teeth, I have a functional configuration. Here's what you need to do:
>
> 1. Upgrade to FreeBSD 8
>
> The latest FreeBSD release includes an updated version of the Heimdal Kerberos 5 implementation, which supports Microsoft's inclusion of authorization data in the Kerberos datagrams (i.e., the PAC) and Kerberos client-server interactions over TCP. Previously, the version of Heimdal included in the base system had to be replaced with a newer version found in the ports tree or with MIT Kerberos. This caused me a number of DLL errors and other compatibility problems.
>
> 2. Build net/samba33 with ADS and experimental module support
>
> Make sure to enable WITH_ADS and WITH_EXP_MODULES. If you forget to set these port build knobs, Samba will be built without support for Kerberos (required to get PAM authentication working) or idmap_rid (necessary to have consistent UIDs at sites that haven't deployed Services for UNIX or Identity Management for UNIX).
>
> 3. Configure Samba to use the Kerberos "keytab" file
>
> In addition to setting the domain, enabling the ADS security mode, and configuring an appropriate idmap backend, be sure to set "use kerberos keytab = Yes" in /usr/local/etc/smb.conf. When you join the domain (using the "net ads join" command), Samba will add the server's Kerberos keys to /etc/krb5.keytab, which are used by the Kerberos client to authenticate itself to the domain before the user logs in.
>
> 4. Use pam_krb5 instead of pam_winbind
>
> While nss_winbind works as expected, pam_winbind fails to authenticate users at all. In fact, it appears to break PAM, prohibiting logins even by authorized and correctly authenticated local users. Instead, simply uncomment the lines containing "pam_krb5.so" in the appropriate files located under /etc/pam.d/ (e.g., /etc/pam.d/system, /etc/pam.d/sshd). No further configuration is required.
>
> Now, I'd much rather use pam_winbind for authentication (namely for cached logins), but this works well enough.
>
> 5. Use Authen::Simple::PAM for testing
>
> If you feel like debugging pam_winbind but don't want to break console logins or SSH to do so, you can create a simple test harness using this Perl module. When you specify a service name to the Authen::Simple::PAM->new method, use something unique (e.g., "test"), and then create a file with the same name under /usr/local/etc/pam.d/ or /etc/pam.d/. The contents of this file should be similar to /etc/pam.d/system. The actual debugging I'll leave as an exercise for the reader.

Hi,

Thanks for this detailed breakdown. I tried to set up a FreeBSD machine in my company network some time ago (mainly for network analysis and remote admin of our GNU/Linux and Windows servers), but I too failed miserably in getting it to play nice with the existing Windows domain. I ended up using Debian GNU/Linux instead. I will try your suggestions as soon as possible.

-- 
If you have five dollars and Chuck Norris has five dollars, Chuck Norris has more money than you.