# Minimal active directory authentication with kerberos



## outpaddling (May 14, 2018)

I'd like to enable sshd to authenticate using our organization's active directory server in the simplest way possible.

On CentOS, we're able to do this using Kerberos and PAM as follows:

```sh
yum -t install krb5-workstation pam_krb5
authconfig --enablekrb5 --krb5kdc=ad.example.com --krb5adminserver=ad.example.com --krb5realm=ad.example.com --update
```

Does anyone know what the equivalent setup steps would be for FreeBSD 11?

Thanks,

JB


----------



## rigoletto@ (May 15, 2018)

These ARTICLES may help you.


----------



## outpaddling (May 15, 2018)

Thanks, I had seen those before and was looking for a simpler solution.

As often happens, I found the solution shortly after posting.  There must be something about articulating a problem that clarifies it and points us toward the answer...  ;-)

The beautifully simple solution is this:

/etc/krb5.conf:

```ini
[libdefaults]
    # This is probably the only necessary line
    default_realm = AD.MY.DOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
```

/etc/pam.d/sshd: (and system, xdm, ... if you wish)

```
auth            sufficient      pam_krb5.so             no_warn try_first_pass
```

No additional ports need be installed.  Everything necessary is part of the FreeBSD base.

With this in place, users can now log in using a local password or their Active Directory password.


----------
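As an added example (not code from the thread, from outpaddling's port, or from FreeBSD), the following POSIX shell script audits the two files the post above edits, /etc/krb5.conf and /etc/pam.d/sshd, for the settings that make the "local password or AD password" login work: an upper-case default_realm in [libdefaults], a pam_krb5 auth line marked sufficient and placed before pam_unix, try_first_pass so a password already collected is reused, and the absence of FreeBSD pam_krb5(8)'s allow_kdc_spoof option, which accepts a ticket without verifying it against the host keytab. The sample files are constructed inline and the function names are mine.

```shell
#!/bin/sh
# Audit /etc/krb5.conf and /etc/pam.d/sshd for the minimal Kerberos/AD setup
# described in the thread. Added example for this page, not code from the
# thread or from FreeBSD; the sample files below are constructed.

# Print the default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blanks
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == "libdefaults" && $1 ~ /^default_realm/ {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)                # drop "default_realm ="
            sub(/[ \t].*$/, "", line)                     # first token only
            print line; exit
        }' "$1"
}

# Realm names are case-sensitive and an AD realm is the upper-cased DNS domain;
# a lower-case realm is the usual copy-paste mistake.
check_realm() {
    realm=$1
    [ -n "$realm" ] || { echo "fail: no default_realm in [libdefaults]"; return 1; }
    case $realm in
        *[a-z]*) echo "warn: realm '$realm' is not upper case"; return 1 ;;
    esac
    echo "ok: default_realm=$realm"
}

# Check the auth stack of a pam.d file. pam_krb5 should be 'sufficient' (a
# Kerberos success ends the stack, a failure falls through to pam_unix so local
# passwords still work), carry try_first_pass (reuse a password already
# collected instead of prompting again), come before a 'required' pam_unix
# (otherwise pam_unix's verdict is fixed before pam_krb5 runs) and not set
# allow_kdc_spoof (FreeBSD pam_krb5 option: accept a TGT without verifying it
# against the host keytab).
check_pam_auth() {
    file=$1 status=0
    krb_line=$(awk '$1 == "auth" && $3 ~ /pam_krb5\.so/ { print; exit }' "$file" | tr '\t' ' ')
    [ -n "$krb_line" ] || { echo "fail: no auth line for pam_krb5.so"; return 1; }
    krb_pos=$(awk '$1 == "auth" { n++ } $1 == "auth" && $3 ~ /pam_krb5\.so/ { print n; exit }' "$file")
    unix_pos=$(awk '$1 == "auth" { n++ } $1 == "auth" && $3 ~ /pam_unix\.so/ { print n; exit }' "$file")
    control=$(echo "$krb_line" | awk '{ print $2 }')
    [ "$control" = "sufficient" ] || { echo "warn: pam_krb5 control is '$control', expected sufficient"; status=1; }
    case " $krb_line " in
        *" try_first_pass "*|*" use_first_pass "*) ;;
        *) echo "warn: pam_krb5 lacks try_first_pass"; status=1 ;;
    esac
    case " $krb_line " in
        *" allow_kdc_spoof "*) echo "warn: allow_kdc_spoof disables KDC verification"; status=1 ;;
    esac
    if [ -n "$unix_pos" ] && [ "$krb_pos" -gt "$unix_pos" ]; then
        echo "warn: pam_krb5 is listed after pam_unix"; status=1
    fi
    [ "$status" -eq 0 ] && echo "ok: pam_krb5 auth line looks sane"
    return "$status"
}

# Constructed sample files: the thread's working configuration and a broken one.
KRB5_GOOD=$(mktemp) KRB5_BAD=$(mktemp) PAM_GOOD=$(mktemp) PAM_BAD=$(mktemp)
trap 'rm -f "$KRB5_GOOD" "$KRB5_BAD" "$PAM_GOOD" "$PAM_BAD"' EXIT
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
    # the realm is the AD domain in upper case
    default_realm = AD.MY.DOMAIN
    dns_lookup_realm = true
    dns_lookup_kdc = true
EOF
printf '[libdefaults]\n    default_realm = ad.my.domain\n' > "$KRB5_BAD"
cat > "$PAM_GOOD" <<'EOF'
# auth
auth            sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
EOF
cat > "$PAM_BAD" <<'EOF'
auth            required        pam_unix.so             no_warn try_first_pass
auth            required        pam_krb5.so             no_warn allow_kdc_spoof
EOF

for f in "$KRB5_GOOD" "$KRB5_BAD"; do check_realm "$(krb5_default_realm "$f")" || :; done
for f in "$PAM_GOOD" "$PAM_BAD"; do check_pam_auth "$f" || :; done
```

Run it as-is to see both verdicts, or point `krb5_default_realm` and `check_pam_auth` at the real /etc/krb5.conf and /etc/pam.d/sshd on a host where the login does not work; each warn line names one of the settings the post above relies on.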



## SirDice (May 15, 2018)

outpaddling said:


> Thanks, I had seen those before and was looking for a simpler solution.


https://wiki.samba.org/index.php/Se...troller#Provisioning_a_Samba_Active_Directory

`samba-tool domain provision --use-rfc2307 --interactive`


----------



## outpaddling (May 15, 2018)

SirDice said:


> https://wiki.samba.org/index.php/Se...troller#Provisioning_a_Samba_Active_Directory
> 
> `samba-tool domain provision --use-rfc2307 --interactive`



Thanks, but this is not what we're trying to do.  We're not creating an AD server, we're just allowing users to log into our CentOS and FreeBSD servers using their AD credentials, validated by an existing AD server.
The solution I posted above does not require samba or any other ports.


----------



## SirDice (May 15, 2018)

Ah, the title of the thread is a bit ambiguous.


----------



## outpaddling (Feb 15, 2019)

BTW, I added a script for this, called auto-krb-auth-setup, to sysutils/auto-admin.


----------



## felipebsd (Apr 3, 2019)

outpaddling said:


> Thanks, I had seen those before and was looking for a simpler solution.
> 
> As often happens, I found the solution shortly after posting.  There must be something about articulating a problem that clarifies it and points us toward the answer...  ;-)
> 
> ...



Isn't something else necessary? Maybe in /etc/rc.conf?

I tried on 11.2 and 12.0; here it is not working.

Can somebody help me?


----------



## outpaddling (Apr 7, 2019)

Some time ago, I added a script called auto-krb-auth-setup to sysutils/auto-admin.

Try installing this port and running the script as root.

Maybe examining the script will reveal what's missing on your system.


----------

