Posts tagged ‘kerberos’

Connecting to Active Directory with Kerberos on FreeBSD

May 7, 2010, 3:06 pm

So, I am trying to get Active Directory integration with FreeBSD and I have been researching this for a while as I have stated.
http://rhyous.com/2010/01/13/researching-the-process-for-integrating-freebsd-with-active-directory

I don’t have it all integrated yet. I keep running into road blocks.

First, I want to be able to do integration with Kerberos alone.

One part that is really easy is connecting to active directory with kerberos.

Step 1 – Collect Active Directory information.

Active Directory Domain LD.LAB
AD Domain Controller vmdc.ld.lab
Domain Admin user name administrator
Domain Admin password pw

Step 2 – Create the /etc/krb5.conf

Here is mine. Supposedly this is case sensitive, so make sure to match the case.

[libdefaults]
  clockskew = 300
  default_realm = LD.LAB

[realms]
  LD.LAB = {
    kdc = vmdc.ld.lab
    default_domain = LD.LAB
    kpasswd_server = vmdc.ld.lab
  }

[domain_realm]
  .LD.LAB = LD.LAB

Step 3 – Acquiring a ticket

  1. Use kinit and a domain user and password to acquire a certificate.# kinit administratorEnter the password when prompted.
  2. Use klist to list the kerberos tickets.

However, once I have this working, I don’t know how to change authentication using nsswitch.conf and /etc/pam.d/sshd or system to make it work.

I assumed I wouldn’t need to change nsswitch.conf and that for Step 4 I would just have to uncomment the pam_krb5.so lines in the the /etc/pam.d/sshd and /etc/pam.d/system but unfortunately, that isn’t enough.  Authentication is not working.

I can’t seem to find much documentation on pam and kerberos in FreeBSD.  I have tried to add “debug” to the lines in the /etc/pam.d/sshd and /etc/pam.d/system but if that is adding more logging then I am not seeing it.

Tags: , , , ,
Category: FreeBSD  |  3 Comments