To join FreeBSD to an Active Directory domain you need to install Samba and change a few PAM files. Before you start, make sure the network configuration is correct, the box uses the AD DNS servers (the join locates the domain controllers through DNS), and its clock is in sync with the domain controllers; Kerberos rejects tickets if the skew is more than a few minutes.
Step 1: Install prerequisites
$ pkg install samba413 pam_mkhomedir sudo
Step 2: Create samba config
Create a new file /usr/local/etc/smb4.conf with your favourite editor (vi, Neovim, Vim, Nano…) and add the following content. For an explanation of each parameter, see the Samba documentation (smb.conf(5)).
[global]
netbios name = <my host name here>
realm = <my domain here, e.g. domain.local>
workgroup = <my domain name without .local>
security = ADS
local master = no
domain master = no
allow trusted domains = no
winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
winbind cache time = 300
winbind offline logon = no
idmap config * : range = 2000-9999
idmap config * : backend = tdb
template shell = /bin/sh
Two things to keep in mind about this config: the tdb idmap backend allocates UIDs/GIDs from the given range the first time winbindd sees a user or group, so the numbers are local to this host and will differ on another member server, and "winbind nss info = rfc2307" only takes effect with the ad idmap backend. Also make sure no local account in /etc/passwd or /etc/group already uses an ID inside 2000-9999, otherwise local and AD identities collide.
Step 3: Test config, start samba and join FreeBSD to the domain
Now let us test the Samba config and start the Samba server only once; starting it at boot comes later. net ads join prompts for the password of the account given with -U, which must be allowed to join computers to the domain.
$ testparm
$ service samba_server onestart
$ net ads join -U Administrator
$ service samba_server onerestart
If the join succeeded, verify it and then list the AD users and groups with wbinfo:
$ net ads testjoin
$ wbinfo -t
$ wbinfo -u
$ wbinfo -g
net ads testjoin checks the machine account, wbinfo -t checks the trust secret, and the last two should list all users and groups. Hurray, your box is now a domain member! To see whether winbindd currently treats the domain as reachable, use:
$ wbinfo --online-status
If wbinfo cannot contact winbindd, check that the winbindd daemon is actually running (service samba_server status); the sysrc settings from Step 6 can be applied now as well.
Step 4: Make the system use AD users for authentication
Next, make the AD users and groups visible to the system's name service switch (NSS) and to PAM, so that OpenSSH can authenticate against them.
Open /etc/nsswitch.conf and change the following two lines; both contain "compat" by default.
group: files winbind
passwd: files winbind
Great, next we must update PAM so that AD users can be authenticated and their home directory is created automatically on first login. Change the following files (be aware that order matters here: always put the new lines before the pam_unix.so lines and after the comment lines, otherwise pam_unix fails the AD user before pam_winbind is ever consulted).
See the pam_winbind(8) manual page for more parameters and their meaning. Note that cached_login only has an effect when "winbind offline logon = yes" is set in smb4.conf; the config above sets it to "no", so the option is inert until you change that.
/etc/pam.d/sshd
auth      sufficient  /usr/local/lib/pam_winbind.so   cached_login
account   sufficient  /usr/local/lib/pam_winbind.so
session   optional    /usr/local/lib/pam_mkhomedir.so
password  sufficient  /usr/local/lib/pam_winbind.so   use_authtok
/etc/pam.d/system
auth      sufficient  /usr/local/lib/pam_winbind.so   cached_login require_membership_of=<GROUP-SID>
account   sufficient  /usr/local/lib/pam_winbind.so
password  sufficient  /usr/local/lib/pam_winbind.so   use_authtok
The require_membership_of parameter limits local TTY access (the "system" stack is included by login(1) and the other console services) to one AD group, which matters when someone has physical access to the server. Here is how to find the SID for the "Domain Admins" group:
$ wbinfo --group-info="domain admins"
$ wbinfo --gid-to-sid=<use the GID from the previous command here>
A single command gives the same result:
$ wbinfo --name-to-sid="domain admins"
Now check that NSS resolves the AD users and groups:
$ getent passwd
$ getent group
You should see all users and groups now. If you have domain trusts, users from other domains are going to be listed as well.
IMPORTANT: when using pam_mkhomedir.so, Samba's home directories default to /home/<MY_DOMAIN>/<AD_USER> (the "template homedir" setting, default /home/%D/%U). The <MY_DOMAIN> folder needs to be created manually first:
$ mkdir /home/<MY_DOMAIN>
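Because the order of the PAM lines decides whether an AD user is ever offered to pam_winbind, it is worth checking the files mechanically before you lock yourself out. The following script is an added example and not part of the original article: it verifies that a PAM service file lists pam_winbind before pam_unix for the auth, account and password facilities, and that the auth line in the "system" stack carries a real require_membership_of value instead of the <GROUP-SID> placeholder. The script name check_pam_stack.sh and the sample file it checks when run without arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a PAM service
# file against the ordering rule from Step 4 (pam_winbind BEFORE pam_unix for
# auth, account and password). A misordered stack is the usual reason an AD
# user gets "Permission denied" from sshd while wbinfo and getent work fine.
#
# Usage: ./check_pam_stack.sh /etc/pam.d/sshd /etc/pam.d/system
# Exit status 0 when every file passes, 1 otherwise.

# check_pam_stack FILE: return 0 if pam_winbind precedes pam_unix for every
# facility, else print what is wrong and return 1.
check_pam_stack() {
    file=$1
    rc=0
    for facility in auth account password; do
        # Line numbers of the first entry for this facility naming each module.
        # Comment lines start with '#', so the $1 == facility test skips them.
        wb=$(awk -v f="$facility" '$1 == f && /pam_winbind/ { print NR; exit }' "$file")
        ux=$(awk -v f="$facility" '$1 == f && /pam_unix/    { print NR; exit }' "$file")
        if [ -z "$wb" ]; then
            echo "$file: $facility has no pam_winbind entry" >&2
            rc=1
        elif [ -n "$ux" ] && [ "$wb" -gt "$ux" ]; then
            echo "$file: $facility pam_winbind (line $wb) comes after pam_unix (line $ux)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_membership_restriction FILE: return 0 if the auth pam_winbind line has
# a require_membership_of value that is not the <GROUP-SID> placeholder.
check_membership_restriction() {
    awk '$1 == "auth" && /pam_winbind/ && /require_membership_of=[^< ]/ { found = 1 }
         END { exit !found }' "$1"
}

if [ $# -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_pam_stack "$f" || status=1
    done
    exit $status
fi

# No arguments: check a constructed copy of the /etc/pam.d/sshd stack from
# Step 4 (sample input written here for the demonstration, not read from disk).
sample=$(mktemp)
printf '%s\n' \
    '# auth' \
    'auth      sufficient  pam_opie.so          no_warn no_fake_prompts' \
    'auth      requisite   pam_opieaccess.so    no_warn allow_local' \
    '#auth     sufficient  pam_krb5.so          no_warn try_first_pass' \
    'auth      sufficient  /usr/local/lib/pam_winbind.so   cached_login' \
    'auth      required    pam_unix.so          no_warn try_first_pass' \
    '# account' \
    'account   required    pam_nologin.so' \
    'account   required    pam_login_access.so' \
    'account   sufficient  /usr/local/lib/pam_winbind.so' \
    'account   required    pam_unix.so' \
    '# session' \
    'session   optional    /usr/local/lib/pam_mkhomedir.so' \
    'session   required    pam_permit.so' \
    '# password' \
    'password  sufficient  /usr/local/lib/pam_winbind.so   use_authtok' \
    'password  required    pam_unix.so          no_warn try_first_pass' \
    > "$sample"
if check_pam_stack "$sample"; then
    echo "sample sshd stack: pam_winbind is ordered correctly"
fi
rm -f "$sample"
```

Run it against both files after editing them (`sh check_pam_stack.sh /etc/pam.d/sshd /etc/pam.d/system`); a non-zero exit with the facility and line numbers printed tells you which line to move. The script only checks ordering and the membership restriction, not whether the module paths exist, so keep the pam_winbind(8) page at hand for the option names.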
Step 5: Configure OpenSSH and Sudo
Ok, all great so far. Now let's make OpenSSH authenticate against AD and, in this case, limit SSH logins to domain admins. Note that /etc/pam.d/sshd has no require_membership_of, so AllowGroups is the only thing keeping every other AD user out; the PAM stack is consulted because UsePAM is "yes" by default on FreeBSD.
Edit /etc/ssh/sshd_config and change or add the following lines. Because smb4.conf sets "winbind use default domain = yes", the group is written without a DOMAIN\ prefix; on newer OpenSSH releases ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication and both spellings are accepted.
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups "domain admins" wheel root
Next, allow domain administrators to run commands with sudo (optional).
Use visudo to edit /usr/local/etc/sudoers (it checks the syntax before saving, so a typo cannot lock you out of sudo) and change or add the following line:
%domain\ admins ALL=(ALL) NOPASSWD: ALL
Please be aware that NOPASSWD suppresses the password prompt when executing commands with sudo, which means a stolen SSH session becomes root without further checks. If you consider that a risk, remove "NOPASSWD:" from the line so that sudo asks for the AD password again.
Step 6: Start samba and winbind at boot time
Last but not least, we need to start Samba at boot time. Only winbindd is needed for authentication and NSS, so the file-serving daemons smbd and nmbd stay disabled and the box does not expose SMB at all. Simply execute the following lines:
$ sysrc samba_server_enable="YES"
$ sysrc winbindd_enable="YES"
$ sysrc smbd_enable="NO"
$ sysrc nmbd_enable="NO"
That should be it. Now reboot and use your FreeBSD box as an AD member.