FreeBSD to authenticate against Active Directory - BSD



  1. FreeBSD to authenticate against Active Directory

    Hello,

    Is there any up-to-date definitive resource which explains how to get
    FreeBSD (6.2) to authenticate against Active Directory (in my case
    Windows 2003 R2 which includes SFU). There are a few informative
    articles floating around, but most date back to 2004/2005 and most
    involve the use of Samba and Winbind (I'd like to avoid this if
    possible).

    I don't really know what is possible here, I'm coming from only a
    basic understanding of how things like pam work. Would I have to
    configure every service separately to use Active Directory or could I
    tell FreeBSD to blindly rely on AD for user authentication?

    I read about pam_mkhomedir, so users could have homedirs created
    automatically when they logged in. Is this possible in FreeBSD?
    Would I be able to map this automatically to their existing "My
    Documents" folder which is redirected to the network by group policy?

    Please feel free to tell me what can/can't be done and if doing so is
    a good/bad thing. I can explain bits in more detail if needed.

    Kind regards,
    Steve


  2. Re: FreeBSD to authenticate against Active Directory

    Steve wrote:
    > Hello,
    >
    > Is there any up-to-date definitive resource which explains how to get
    > FreeBSD (6.2) to authenticate against Active Directory (in my case
    > Windows 2003 R2 which includes SFU). There are a few informative
    > articles floating around, but most date back to 2004/2005 and most
    > involve the use of Samba and Winbind (I'd like to avoid this if
    > possible).


    Two years ago I tested this with Kerberos (AD is based on Kerberos; I
    lost access to this environment, so I can't help with details).

    Basically I would:

    google on pam + kerberos

    unix + AD + kerberos (this gave me an article
    from MS to get started, IIRC)

    >
    > I don't really know what is possible here, I'm coming from only a
    > basic understanding of how things like pam work. Would I have to
    > configure every service separately to use Active Directory or could I
    > tell FreeBSD to blindly rely on AD for user authentication?
    >
    > I read about pam_mkhomedir, so users could have homedirs created
    > automatically when they logged in. Is this possible in FreeBSD?
    > Would I be able to map this automatically to their existing "My
    > Documents" folder which is redirected to the network by group policy?


    It seems far-fetched. If you succeed, give feedback!

    Henri
    >
    > Please feel free to tell me what can/can't be done and if doing so is
    > a good/bad thing. I can explain bits in more detail if needed.
    >
    > Kind regards,
    > Steve
    >


  3. Re: FreeBSD to authenticate against Active Directory

    Hello Steve,

    Steve wrote:

    > Hello,
    >
    > Is there any up-to-date definitive resource which explains how to get
    > FreeBSD (6.2) to authenticate against Active Directory (in my case
    > Windows 2003 R2 which includes SFU). There are a few informative
    > articles floating around, but most date back to 2004/2005 and most
    > involve the use of Samba and Winbind (I'd like to avoid this if
    > possible).


    Authenticating does not seem to be the problem: it is a Kerberos
    authentication that you can do against AD. Works for me with Solaris
    and Linux, so it should work with FreeBSD too (although I did not try it
    myself yet).

    But obviously, you want to implement more than authentication: you
    want the whole authorization stuff handled against AD too - users,
    groups, permissions to login to a box and that all maintained only in
    one central place: the AD. Right?

    If so, again, it works for me with Solaris and Linux, but no idea
    whether that may work with FreeBSD too. As the needed software for
    Linux is also available on FreeBSD (kerberos, ldap, nss_ldap) it might
    work.

    >
    > I don't really know what is possible here, I'm coming from only a
    > basic understanding of how things like pam work. Would I have to
    > configure every service separately to use Active Directory or could I
    > tell FreeBSD to blindly rely on AD for user authentication?


    You will have to configure the pam-modules - but I think you will be
    able to do that system wide with the /etc/pam.d/system configuration.

    >
    > I read about pam_mkhomedir, so users could have homedirs created
    > automatically when they logged in. Is this possible in FreeBSD?


    Again: working for me on Solaris and Linux, but there has been trouble
    with making it work on FreeBSD. There are reports of successful patches
    to make it work on FreeBSD - but I do not have any current information
    on that.

    > Would I be able to map this automatically to their existing "My
    > Documents" folder which is redirected to the network by group policy?


    If this folder is on a Win server, I think you will not be able to do
    so.

    >
    > Please feel free to tell me what can/can't be done and if doing so is
    > a good/bad thing. I can explain bits in more detail if needed.


    To be honest: having this central user directory with central user
    administration and central stored passwords is a great thing in larger
    environments and eases system administration a lot. But I would go the
    other way: I would set up a ldap and synchronize basic stuff against
    AD. To me it seems to be the much better maintainable solution.


    bye, gk

    --
    and he replied: no signature is better than a stupid one ...

  4. Re: FreeBSD to authenticate against Active Directory

    Thanks Georg and Henri,

    > But obviously, you want to implement more than authentication: you
    > want the whole authorization stuff handled against AD too - users,
    > groups, permissions to login to a box and that all maintained only in
    > one central place: the AD. Right?


    In one central place, yes - but I only need user authentication to be
    done against AD, primarily so I can run Postfix/Dovecot and possibly
    Samba, without having to create and maintain 2 sets of accounts.

    > You will have to configure the pam-modules - but I think you will be
    > able to do that system wide with the /etc/pam.d/system configuration.


    If possible, that's what I would want to do.

    > > I read about pam_mkhomedir, so users could have homedirs created
    > > automatically when they logged in. Is this possible in FreeBSD?


    I would need this, so users could ssh into the server.

    > To be honest: having this central user directory with central user
    > administration and central stored passwords is a great thing in larger
    > environments and eases system administration a lot. But I would go the
    > other way: I would set up a ldap and synchronize basic stuff against
    > AD. To me it seems to be the much better maintainable solution.


    I don't understand, "set up a ldap and synchronize basic stuff against
    AD". I thought that was what I was trying to do.

    Many thanks,
    Steve


  5. Re: FreeBSD to authenticate against Active Directory

    Steve,

    On Wed, 03 Oct 2007 03:13:49 -0700, Steve wrote:

    > Thanks Georg and Henri,
    >
    >> But obviously, you want to implement more than authentication: you
    >> want the whole authorization stuff handled against AD too - users,
    >> groups, permissions to login to a box and that all maintained only in
    >> one central place: the AD. Right?

    >
    > In one central place, yes - but I only need user authentication to be
    > done against AD, primarily so I can run Postfix/Dovecot and possibly
    > Samba, without having to create and maintain 2 sets of accounts.


    So all you need is the 'Kerberos part' of AD. So it should be
    possible for you to use AD with all kerberized applications.

    >
    >> You will have to configure the pam-modules - but I think you will be
    >> able to do that system wide with the /etc/pam.d/system configuration.

    >
    > If possible, that's what I would want to do.
    >
    >> > I read about pam_mkhomedir, so users could have homedirs created
    >> > automatically when they logged in. Is this possible in FreeBSD?

    >
    > I would need this, so users could ssh into the server.


    But even if you succeed in implementing pam_mkhomedir (for which
    I really don't know the current state in regard to FreeBSD), where
    do you want pam_mkhomedir to take the needed information from? Keep
    in mind that you need the uid and gid for the user and the shell he
    should be able to use. That information is stored somewhere else: in
    a central user directory (LDAP or AD). Information about the user is
    not stored on the machine you want the user to log in to. So you are
    really not done with pure Kerberos authentication; you need information
    stored in LDAP or AD in 'PosixAccount' and 'PosixGroup' - otherwise
    your users will have different uids and gids in your environment,
    depending on the random order they log in. I can't imagine that this
    is what you want to have.

    >
    >> To be honest: having this central user directory with central user
    >> administration and central stored passwords is a great thing in larger
    >> environments and eases system administration a lot. But I would go the
    >> other way: I would set up a ldap and synchronize basic stuff against
    >> AD. To me it seems to be the much better maintainable solution.

    >
    > I don't understand, "set up a ldap and synchronize basic stuff against
    > AD". I thought that was what I was trying to do.


    If so, my fault, sorry. I understood that you intended to use AD
    directly.

    ciao, gk

  6. Re: FreeBSD to authenticate against Active Directory

    Steve wrote:
    > I don't understand, "set up a ldap and synchronize basic stuff against
    > AD". I thought that was what I was trying to do.
    >
    > Many thanks,
    > Steve
    >


    Perhaps he was saying: keep a private copy of the directory in a local
    OpenLDAP database and use it to do the job. I have no experience with
    LDAP, but I have with Yellow Pages, and frankly this is a constant cause
    of problems, and a performance sink. Maintaining local copies of such
    beasts, regularly synchronized with the central database, is very easy
    and solves most problems.


    --

    Michel TALON


  7. Re: FreeBSD to authenticate against Active Directory

    Hello Matthew,

    On 4 Oct, 08:47, "Matthew X. Economou"
    wrote:
    > Your possibilities are, ordered by preference (highest first):
    >
    > 1. Samba + Winbind on the client
    > Server for NIS on the domain controllers
    >
    > 2. Samba + Winbind on the client
    > idmap_rid or other idmap backend
    >
    > 3. Manually created/updated entries in /etc/passwd
    > Authentication via pam_krb5


    At long last I've been playing, taking your advice and attempting
    option 1, but I can't make it work because it won't compile if
    'WITH_EXP_MODULES=true' is set (apparently 'WITH_EXP_MODULES' is
    needed for 'idmap_rid').

    These are the instructions I've been following:

    http://joseph.randomnetworks.com/arc...ive-directory/

    The nature of the error is: "The following command failed: cc -I
    <..>". I've pasted the few error lines here (also including `uname -
    a` and `cat /var/db/ports/samba3/options`)

    http://pastebin.com/m4892a0d0

    Do you have any suggestions?

    Kind regards,
    Steve
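    The uid/gid problem Georg raises in post 5 and the first two options
    Matthew lists above both come down to the same question: how does every
    FreeBSD host derive the same POSIX uid for a given AD account? The
    following is an added example, not code from the thread or from Samba.
    It models option 1 (read the RFC 2307 attributes that SFU stores on the
    user object, as nss_ldap would) and option 2 (the arithmetic Samba's
    idmap_rid backend applies, uid = RID - base_rid + low_id, with base_rid
    defaulting to 0), and it checks for the failure mode Georg warns about,
    two accounts ending up with one uid. The domain SID, the account names
    and their RIDs are constructed for the example; the 10000-20000 range
    and a primary group of RID 513 (Domain Users) are assumptions.

```python
"""Added example (not from the thread): derive POSIX identities for AD
accounts the two ways the thread's posters propose, and flag uid collisions.

Option 1 (SFU / RFC 2307): uidNumber/gidNumber/loginShell/unixHomeDirectory
stored on the AD user object.
Option 2 (idmap_rid): uid = RID - base_rid + low_id (Samba's idmap_rid
arithmetic; base_rid defaults to 0), refused when outside the range.
"""
from dataclasses import dataclass
from typing import Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
DOMAIN_USERS_RID = 513  # well-known RID; assumed as every user's primary group

# Constructed sample of AD user objects. objectSid is shown as a string.
# 'uidNumber' is absent where an admin never filled in the UNIX Attributes tab.
SAMPLE_USERS = [
    {"sAMAccountName": "steve", "objectSid": DOMAIN_SID + "-1105",
     "uidNumber": 10005, "gidNumber": 10001, "loginShell": "/bin/tcsh",
     "unixHomeDirectory": "/home/steve"},
    {"sAMAccountName": "henri", "objectSid": DOMAIN_SID + "-1106",
     "uidNumber": 10006, "gidNumber": 10001, "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/henri"},
    {"sAMAccountName": "gk", "objectSid": DOMAIN_SID + "-1107",
     "uidNumber": 10005,  # collides with steve: the inconsistency from post 5
     "gidNumber": 10001, "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/gk"},
    {"sAMAccountName": "svc-backup", "objectSid": DOMAIN_SID + "-12000"},
]


@dataclass(frozen=True)
class PosixIdentity:
    name: str
    uid: int
    gid: int
    shell: str
    home: str


def rid_of(sid: str, domain_sid: str) -> int:
    """Relative identifier (last sub-authority) of an account SID in the domain."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} is not in domain {domain_sid}")
    return int(sid[len(domain_sid) + 1:])


def map_rfc2307(entry: dict) -> Optional[PosixIdentity]:
    """Option 1: use the POSIX attributes SFU stores on the user object.
    Returns None when uidNumber/gidNumber are missing, i.e. no account."""
    if "uidNumber" not in entry or "gidNumber" not in entry:
        return None
    return PosixIdentity(entry["sAMAccountName"], int(entry["uidNumber"]),
                         int(entry["gidNumber"]),
                         entry.get("loginShell", "/bin/sh"),
                         entry.get("unixHomeDirectory", "/nonexistent"))


def map_rid(entry: dict, low_id: int = 10000, high_id: int = 20000,
            base_rid: int = 0, template_shell: str = "/bin/tcsh") -> Optional[PosixIdentity]:
    """Option 2: idmap_rid arithmetic. Returns None when the computed id
    falls outside [low_id, high_id], which is what Samba does rather than
    inventing an id (so a RID above the range simply has no POSIX account)."""
    uid = rid_of(entry["objectSid"], DOMAIN_SID) - base_rid + low_id
    if uid < low_id or uid > high_id:
        return None
    gid = DOMAIN_USERS_RID - base_rid + low_id  # same arithmetic for the group SID
    name = entry["sAMAccountName"]
    return PosixIdentity(name, uid, gid, template_shell, f"/home/{name}")


def duplicate_uids(identities) -> dict:
    """uid -> account names for every uid shared by more than one account."""
    seen = {}
    for ident in identities:
        if ident is not None:
            seen.setdefault(ident.uid, []).append(ident.name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for entry in SAMPLE_USERS:
        print(entry["sAMAccountName"], map_rfc2307(entry), map_rid(entry))
    print("rfc2307 duplicates:", duplicate_uids(map_rfc2307(e) for e in SAMPLE_USERS))
    print("rid duplicates:", duplicate_uids(map_rid(e) for e in SAMPLE_USERS))
```

    The rid mapping is collision-free by construction because RIDs are
    unique within a domain, but it silently drops any account whose RID
    lands above the configured range (svc-backup here), so the range must
    be sized for the domain's highest RID. The RFC 2307 route gives the
    administrator full control over uids and shells, and with it the
    ability to assign the same uid twice; that is the check worth running
    against the directory before trusting it on every host.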


  8. Re: FreeBSD to authenticate against Active Directory

    Begin <1194916100.255740.273430@o3g2000hsb.googlegroups.com>
    On Mon, 12 Nov 2007 17:08:20 -0800, Steve wrote:
    > These are the instructions I've been following:
    >
    > http://joseph.randomnetworks.com/arc...ive-directory/
    >
    > The nature of the error is: "The following command failed: cc -I
    ><..>". I've pasted the few error lines here (also including `uname -
    > a` and `cat /var/db/ports/samba3/options`)


    The relevant lines are:

    nsswitch/idmap_ad.c: In function `idmap_ad_unixids_to_sids':
    nsswitch/idmap_ad.c:357: error: incompatible types in assignment
    [...]
    nsswitch/idmap_ad.c: In function `idmap_ad_sids_to_unixids':
    nsswitch/idmap_ad.c:545: error: incompatible types in assignment

    A bit of googling got me [1], which yielded

    251 static NTSTATUS idmap_ad_unixids_to_sids( [...] )
    256 ADS_STATUS rc;
    357 rc = ads_search_retry(ads, &res, filter, attrs);

    472 static NTSTATUS idmap_ad_sids_to_unixids( [...] )
    477 ADS_STATUS rc;
    545 rc = ads_search_retry(ads, &res, filter, attrs);

    I have no idea about the code, but I think something got out of sync.
    It might be fixed in the version I'm looking at, of course.


    > http://pastebin.com/m4892a0d0
    >
    > Do you have any suggestions?


    I don't know how long pastebin keeps its pastes, but probably for less
    time than the average newsserver. Although really useful for IRC and IM
    and the like, I think it's probably a better idea to just paste (the
    relevant portions of--if you can identify them) the text here.


    [1] http://svn.netlabs.org/samba/browser...tch/idmap_ad.c

    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.

  9. Re: FreeBSD to authenticate against Active Directory

    Hi jpd,

    On 13 Nov, 12:24, jpd wrote:
    > I have no idea about the code, but I think something got out of sync.
    > It might be fixed in the version I'm looking at, of course.


    I compiled 'WITH_ADS=true' (contrary to the instructions) which
    enabled it to succeed.

    > I don't know how long pastebin keeps its pastes, but probably for less
    > time than the average newsserver. Altough really useful for IRC and IM


    Noted, thank you.

    So, here's my smb.conf

    [global]
    workgroup = KJN
    server string = Samba Server
    security = DOMAIN
    allow trusted domains = No
    log file = /var/log/samba/log.%m
    max log size = 50
    dns proxy = No
    wins server = betty.kjn.office
    ldap ssl = no
    idmap domains = KJN
    idmap config KJN:backend = rid
    idmap config KJN:range = 10000-20000
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/tcsh
    winbind use default domain = Yes

    And upon starting 'samba' I get the following errors in syslog. Any
    ideas how to fix?

    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_nameregister.c:register_name_response(130)
    Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at
    IP 192.168.0.199 rejected our name registration of SAMBA<20> IP
    192.168.0.198 with error code 6.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_mynames.c:my_name_register_failed(36)
    Nov 13 15:57:36 samba nmbd[15168]: my_name_register_failed: Failed
    to register my name SAMBA<20> on subnet 192.168.0.198.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_namelistdb.c:standard_fail_register(305)
    Nov 13 15:57:36 samba nmbd[15168]: standard_fail_register: Failed to
    register/refresh name SAMBA<20> on subnet 192.168.0.198
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_nameregister.c:register_name_response(130)
    Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at
    IP 192.168.0.199 rejected our name registration of SAMBA<03> IP
    192.168.0.198 with error code 6.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_mynames.c:my_name_register_failed(36)
    Nov 13 15:57:36 samba nmbd[15168]: my_name_register_failed: Failed
    to register my name SAMBA<03> on subnet 192.168.0.198.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_namelistdb.c:standard_fail_register(305)
    Nov 13 15:57:36 samba nmbd[15168]: standard_fail_register: Failed to
    register/refresh name SAMBA<03> on subnet 192.168.0.198
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_nameregister.c:register_name_response(130)
    Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at
    IP 192.168.0.199 rejected our name registration of SAMBA<00> IP
    192.168.0.198 with error code 6.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_mynames.c:my_name_register_failed(36)
    Nov 13 15:57:36 samba nmbd[15168]: my_name_register_failed: Failed
    to register my name SAMBA<00> on subnet 192.168.0.198.
    Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    nmbd_namelistdb.c:standard_fail_register(305)
    Nov 13 15:57:36 samba nmbd[15168]: standard_fail_register: Failed to
    register/refresh name SAMBA<00> on subnet 192.168.0.198
    Nov 13 15:57:36 samba winbindd[15181]: [2007/11/13 15:57:36, 0]
    nsswitch/winbindd_cache.c:initialize_winbindd_cache(2223)
    Nov 13 15:57:36 samba winbindd[15181]: initialize_winbindd_cache:
    clearing cache and re-creating with version number 1



    Many thanks,
    Steve
    --


  10. Re: FreeBSD to authenticate against Active Directory

    Begin <1194969765.690905.44340@v3g2000hsg.googlegroups.com>
    On Tue, 13 Nov 2007 08:02:45 -0800, Steve wrote:
    > [global]
    > workgroup = KJN
    > server string = Samba Server
    > security = DOMAIN

    [snip]
    >
    > And upon starting 'samba' I get the following errors in syslog. Any
    > ideas how to fix?
    >
    > Nov 13 15:57:36 samba nmbd[15168]: [2007/11/13 15:57:36, 0] nmbd/
    > nmbd_nameregister.c:register_name_response(130)
    > Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at
    > IP 192.168.0.199 rejected our name registration of SAMBA<20> IP
    > 192.168.0.198 with error code 6.


    It's been a while, so someone else will likely know better. I'm guessing
    it is trying to register itself with the local DOMAIN controller, and
    the controller hasn't been setup to accept this samba machine. Look up
    the samba howto collection on joining domains.


    --
    j p d (at) d s b (dot) t u d e l f t (dot) n l .
    This message was originally posted on Usenet in plain text.
    Any other representation, additions, or changes do not have my
    consent and may be a violation of international copyright law.
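    The nmbd lines Steve posted are easier to act on once the two encoded
    fields in them are decoded. The following is an added example, not code
    from the thread or from Samba: it parses those syslog lines (re-joined
    across the newsreader's line wraps; no other lines are invented), maps
    the NetBIOS name suffix to the service it registers (<00> workstation,
    <03> messenger, <20> file server) and maps the "error code" to the NBNS
    RCODE name from RFC 1002 section 4.2.6, where 0x6 is ACT_ERR, "name is
    owned by another node". Which node currently owns the name on the WINS
    server at 192.168.0.199 is not something the log shows; that part is
    left as a suggested check in the note after the code.

```python
"""Added example (not from the thread): decode nmbd name-registration
failures from syslog so that the rejected service and the WINS server's
reason are explicit. Sample lines are the ones posted in the thread,
re-joined where the newsreader wrapped them.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at IP 192.168.0.199 rejected our name registration of SAMBA<20> IP 192.168.0.198 with error code 6.
Nov 13 15:57:36 samba nmbd[15168]: my_name_register_failed: Failed to register my name SAMBA<20> on subnet 192.168.0.198.
Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at IP 192.168.0.199 rejected our name registration of SAMBA<03> IP 192.168.0.198 with error code 6.
Nov 13 15:57:36 samba nmbd[15168]: register_name_response: server at IP 192.168.0.199 rejected our name registration of SAMBA<00> IP 192.168.0.198 with error code 6.
Nov 13 15:57:36 samba winbindd[15181]: initialize_winbindd_cache: clearing cache and re-creating with version number 1
"""

# NBNS RCODE values, RFC 1002 section 4.2.6 (0 is success and never logged here).
RCODE = {1: "FMT_ERR", 2: "SRV_ERR", 4: "IMP_ERR", 5: "RFS_ERR",
         6: "ACT_ERR (name owned by another node)",
         7: "CFT_ERR (name in conflict)"}

# Common NetBIOS name suffixes for a host's own registrations.
SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x20: "file server"}

REJECT_RE = re.compile(
    r"register_name_response: server at IP (?P<server>[\d.]+) rejected our "
    r"name registration of (?P<name>[^<]+)<(?P<suffix>[0-9A-Fa-f]{2})> "
    r"IP (?P<client>[\d.]+) with error code (?P<rcode>\d+)\.")


def parse_rejections(log: str) -> list:
    """One dict per rejected registration, with suffix and rcode decoded.
    Lines that are not register_name_response rejections are ignored."""
    out = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        suffix = int(m["suffix"], 16)
        rcode = int(m["rcode"])
        out.append({"server": m["server"], "client": m["client"],
                    "name": m["name"], "suffix": suffix,
                    "service": SUFFIX.get(suffix, "other"),
                    "rcode": rcode, "reason": RCODE.get(rcode, "unknown")})
    return out


def summarize(rejections: list) -> dict:
    """(wins_server, name, rcode) -> sorted suffixes refused with that rcode.
    One key with all three suffixes means the whole name is refused, not one
    service; that points at the name itself rather than at a single daemon."""
    groups = defaultdict(list)
    for r in rejections:
        groups[(r["server"], r["name"], r["rcode"])].append(r["suffix"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    rejections = parse_rejections(SAMPLE_LOG)
    for r in rejections:
        print(f"{r['server']} refused {r['name']}<{r['suffix']:02X}> "
              f"({r['service']}) for {r['client']}: rcode {r['rcode']} {r['reason']}")
    print(summarize(rejections))
```

    On Steve's lines the summary collapses to a single key: the WINS server
    at 192.168.0.199 refused SAMBA for all three suffixes with ACT_ERR, so
    the first thing to check is who the WINS server thinks owns that name,
    for example with `nmblookup -R -U 192.168.0.199 SAMBA` from the FreeBSD
    box, before changing anything on the domain side.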
