{"id":1210,"date":"2022-02-17T09:49:14","date_gmt":"2022-02-17T08:49:14","guid":{"rendered":"https:\/\/ndk.sytes.net\/wordpress\/?p=1210"},"modified":"2024-10-25T11:46:30","modified_gmt":"2024-10-25T09:46:30","slug":"freebsd-as-active-directory-member-with-limited-ssh-access","status":"publish","type":"post","link":"https:\/\/ndk.sytes.net\/wordpress\/?p=1210","title":{"rendered":"FreeBSD as Active Directory member with limited SSH access"},"content":{"rendered":"\n

In order to join FreeBSD to an AD, you need to change some PAM files and install Samba. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers.<\/p>\n\n\n\n

Step 1: Install prerequisities<\/h2>\n\n\n\n
$ pkg install samba413 pam_mkhomedir sudo<\/pre>\n\n\n\n
Step 2: Create samba config<\/h2>\n\n\n\n
Create a new file \/usr\/local\/etc\/smb4.conf<\/em> with your favourite editor. (VI, NeoVIM, VIM, Nano…) and add following content. If you want the explanation for the config parameter, please visit the Samba Documentation<\/a>.<\/p>\n\n\n\n
[global]\n    netbios name = <my host name here>\n    realm = <my domain here, e.g. domain.local>\n    workgroup = <my domain name without .local>\n    security = ADS\n    local master = no\n    domain master = no\n    allow trusted domains = no\n    winbind use default domain = yes\n    winbind enum groups = yes\n    winbind enum users = yes\n    winbind nss info = rfc2307\n    winbind cache time = 300\n    winbind offline logon = no\n    idmap config * : range = 2000-9999\n    idmap config * : backend = tdb\n    template shell = \/bin\/sh<\/pre>\n\n\n\n
Step 3: Test config, start samba and join FreeBSD to the domain<\/h2>\n\n\n\n
Now let us test the samba config and start the SAMBA server only once, starting at boot will come later. If asked for a password, please enter it for the specified user.<\/p>\n\n\n\n
$ testparm\n$ service samba_server onestart\n$ net ads join -U Administrator\n$ service samba_server onerestart<\/pre>\n\n\n\n
if successful, you can check the AD’s users and groups with wbinfo<\/p>\n\n\n\n
$ wbinfo -u\n$ wbinfo -g <\/pre>\n\n\n\n
Basically you should see all users and groups. Hurray, your box is now a domain member!<\/em> or simply use:<\/p>\n\n\n\n
$ wbinfo --online-status<\/pre>\n\n\n\n
Step 4: Make the system use AD users for authentication<\/h2>\n\n\n\n
Next up  you the AD users accessible to PAM so that OpenSSH can use it as a backend.<\/p>\n\n\n\n
Open and edit \/etc\/nsswitch.conf<\/em> and change the following lines, both should contain compat as an initial value.<\/p>\n\n\n\n
group: files winbind
passwd: files winbind<\/pre>\n\n\n\n
Great, next we must update PAM so that the AD user can be authenticated and its home folder is created automatically when he’s logging in for the first time. Change following fiiles: (be aware that order matters here, put the lines always before pam_unix.so lines and after the comment lines)<\/strong><\/em>.<\/p>\n\n\n\n
Please read PAM_WINBIND<\/a> for more parameters and their meaning.<\/p>\n\n\n\n
\/etc\/pam.d\/sshd<\/p>\n\n\n\n
auth sufficient \/usr\/local\/lib\/pam_winbind.so cached_login\naccount sufficient \/usr\/local\/lib\/pam_winbind.so\nsession optional \/usr\/local\/lib\/pam_mkhomedir.so\npassword sufficient \/usr\/local\/lib\/pam_winbind.so use_authtok<\/pre>\n\n\n\n
\/etc\/pam.d\/system<\/p>\n\n\n\n
auth sufficient \/usr\/local\/lib\/pam_winbind.so cached_login require_membership_of=<GROUP-SID>\naccount sufficient \/usr\/local\/lib\/pam_winbind.so\npassword sufficient \/usr\/local\/lib\/pam_winbind.so use_authtok<\/pre>\n\n\n\n
The require_membership_of<\/em> parameter is needed to limit local TTY access only to a specific usergroup in case of physical server access. Here is how to find the SID for the “Domain Admins” group:<\/p>\n\n\n\n
$ wbinfo --group-info=\"domain admins\"
$ wbinfo --gid-to-sid=<use the GID from the previous command here><\/pre>\n\n\n\n
Now check if PAM can read users and groups:<\/p>\n\n\n\n
$ getent passwd
$ getent group<\/pre>\n\n\n\n
You should see all users and groups now. If you have domain trusts, users from other domains are going to be listed as well.<\/p>\n\n\n\n
IMPORTANT: if using pam_mkhomedir.so samba home directories default to \/home\/<MY_DOMAIN>\/<AD_USER>. The <MY_DOMAIN> folder needs to be created manually first!<\/strong><\/p>\n\n\n\n
$ mkdir \/home\/<MY_DOMAIN><\/pre>\n\n\n\n
Step 5: Configure OpenSSH and Sudo<\/h2>\n\n\n\n
Ok, all great so far. Now, let’s change OpenSSH to authenticate with AD and limit login only to domain admins in this case.<\/p>\n\n\n\n
edit \/etc\/ssh\/sshd_config<\/em> and change or add the following lines:<\/p>\n\n\n\n
PasswordAuthentication yes
ChallengeResponseAuthentication no
AllowGroups \"domain admins\" wheel root<\/pre>\n\n\n\n
Next allow domain administrators to “sudo” commands (optional):<\/p>\n\n\n\n
edit \/usr\/local\/etc\/sudoers<\/em> and change or add following lines:<\/p>\n\n\n\n
%domain\\ admins ALL=(ALL) NOPASSWD: ALL<\/pre>\n\n\n\n
Please be aware that NOPASSWD is used to suppress password confirmation when executing commands with sudo. It could be that you see that as a security risk. If so, simply remove “PASSWD:” from the line.<\/p>\n\n\n\n
Step 6: Start samba and winbind at boot time<\/p>\n\n\n\n
Last but not least, we need to start SAMBA at boot time. Simply execute following line:<\/p>\n\n\n\n
$ sysrc samba_server_enable=\"YES\"
$ sysrc winbindd_enable=\"YES\"
$ sysrc smbd_enable=\"NO\"
$ sysrc nmbd_enable=\"NO\"<\/pre>\n\n\n\n
That should be it. Now reboot<\/em><\/strong> and use your FreeBSD box as an AD member.<\/p>\n","protected":false},"excerpt":{"rendered":"
In order to join FreeBSD to an AD, you need to change some PAM files and install Samba. Please make sure that the network configuration is set up correctly and you are using the AD DNS servers. Step 1: Install prerequisities $ pkg install samba413 pam_mkhomedir sudo Step 2: Create samba config Create a new […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,7],"tags":[],"class_list":["post-1210","post","type-post","status-publish","format-standard","hentry","category-linuxunix","category-servers"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1210"}],"version-history":[{"count":15,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1210\/revisions"}],"predecessor-version":[{"id":1322,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1210\/revisions\/1322"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}