On Wednesday, October 03, 2007 7:32 AM Chris wrote:
>
> On Wed, 03 Oct 2007 03:33:50 +0100
> Stephen Allen <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > Is there any up-to-date definitive resource which explains how to get
> > FreeBSD (6.2) to authenticate against Active Directory (in my case
> > Windows 2003 R2 which includes SFU). There are a few informative
> > articles floating around, but most date back to 2004/2005 and most
> > involve the use of Samba and Winbind (I'd like to avoid this if
> > possible).
> >
> > I don't really know what is possible here, I'm coming from only a
> > basic understanding of how things like pam work. Would I have to
> > configure every service separately to use Active Directory or could I
> > tell FreeBSD to blindly rely on AD for user authentication?
> >
> > I read about pam_mkhomedir, so users could have homedirs created
> > automatically when they logged in. Is this possible in FreeBSD?
> > Would I be able to map this automatically to their existing "My
> > Documents" folder which is redirected to the network by group policy?
> >
> > Please feel free to tell me what can/can't be done and if doing so is
> > a good/bad thing. I can explain bits in more detail if needed.
> >
> > Steve -
>
> You have a few options.
> 1. LDAP
> 2. OpenLDAP
> 3. The use of WinBind and its companion apps (using ntlm etc.)
> 4. Google AD Auth Unix (or, insert your personal choice)
>
> What you may find - is that installing Winbind etc may be your easiest
> way to go however, I'm unsure how SFU will play along with the mix.
>
I also have not seen anything particularly recent; and every reference I have seen is slightly different. I have gotten FreeBSD to successfully authenticate to our AD servers here (Win2003, not sure of service pack level) using pam/winbind. Pam_winbind is configured to authenticate with Kerberos. I use the RID IDMAP scheme with winbind for user id mapping. The AD servers have had Unix attributes added, but I have not tested how this works for me yet. I am also using pam_mkhomedir to create user home directories.

My setup:

1. Nsswitch.conf has group and passwd set to "files winbind"

2. Krb5.conf points to the AD servers

3. /etc/pam.d/system:

---------------------
# auth
auth        sufficient  pam_opie.so                     no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so               no_warn allow_local
auth        sufficient  /usr/local/lib/pam_winbind.so   try_first_pass
#auth       sufficient  pam_krb5.so                     no_warn try_first_pass
#auth       sufficient  pam_ssh.so                      no_warn try_first_pass
auth        required    pam_unix.so                     no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     sufficient  /usr/local/lib/pam_winbind.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so
session     required    /usr/local/lib/pam_mkhomedir.so
session     required    pam_lastlog.so                  no_fail

# password
#password   sufficient  pam_krb5.so                     no_warn try_first_pass
password    required    pam_unix.so                     no_warn try_first_pass
----------------------------------

4. pam_winbind now has its own conf file (copy from /usr/local/share/examples/samba/pam_winbind to /etc/security and modify). (contents follow) I have not tried caching.
-----------
#
# /etc/security/pam_winbind.conf
#
[global]

# turn on debugging
debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
require_membership_of = S-1-5-21-xxxxxxxxx-xxxxxxxxxxx-xxxxxxx
------------------------------------

5. smb.conf is attached; this is for Samba 3.0.25a.

I do not believe pam_mkhomedir will automatically mount an external filesystem; however there is a pam module which will allow you to auto mount filesystems of various types at user login called pam_mount, which we have used successfully on our university-blessed RHEL5 systems. I have not tried to compile it yet on FreeBSD. One thing we discovered on RHEL5 (we are not using the most recent version of pam_mount, so ymmv) is that it needs to be the module that actually grabs the password and then passes it on to the rest of the pam stack. It was unable to retrieve the credentials from whoever was ahead of it. We used CIFS instead of SMB which performed much better.

http://pam-mount.sourceforge.net/

~~~~~~~~~~~~~~~~~~
Stephanie Bridges
Department of Economics
Iowa State University
80B Heady Hall
Ames, IA 50011
[EMAIL PROTECTED]
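The auth section of the /etc/pam.d/system stack quoted above mixes "sufficient", "requisite" and "required" entries, and the order of those control flags decides which modules actually see the password and when a failure in winbind falls through to the local passwd database. The following simulator is an added example, not code from the thread or from Samba/OpenPAM; it models the control-flag rules described in pam.conf(5) for OpenPAM (the FreeBSD implementation) and runs the quoted auth chain through a few constructed outcomes (which module accepts or rejects is an input, not a real PAM call). The module names and the four scenarios are assumptions made for the demonstration.

```python
"""Simplified model of OpenPAM control-flag semantics, applied to the auth
stack posted in the thread.  Module results are constructed inputs; nothing
here talks to a real PAM library or to Active Directory."""

SUCCESS, FAILURE = "success", "failure"

# The auth section of /etc/pam.d/system from the message, as (control, module).
# The commented-out pam_krb5 and pam_ssh lines are omitted because PAM ignores them.
AUTH_STACK = [
    ("sufficient", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("sufficient", "pam_winbind.so"),
    ("required", "pam_unix.so"),
]


def evaluate_stack(stack, outcomes):
    """Walk a PAM chain.  `outcomes` maps module name -> True (module returned
    success) / False (module returned an error).  Returns the overall result
    and the list of modules that were actually consulted.

    Rules modelled (pam.conf(5)):
      sufficient: success ends the chain with success, unless an earlier
                  required module already failed; failure is ignored.
      requisite:  failure ends the chain immediately with failure.
      required:   failure is remembered, the chain continues, and the final
                  result is failure.
      optional:   result ignored (assumption: never the only module here).
    """
    first_failure = None
    last_ok = False
    consulted = []
    for control, module in stack:
        ok = outcomes.get(module, False)  # assumption: an unlisted module fails
        consulted.append(module)
        last_ok = ok
        if ok:
            if control == "sufficient" and first_failure is None:
                return SUCCESS, consulted  # short-circuit: later modules never run
        else:
            if control == "requisite":
                return FAILURE, consulted  # hard stop
            if control == "required" and first_failure is None:
                first_failure = module
            # sufficient / optional failures fall through to the next module
    if first_failure is not None:
        return FAILURE, consulted
    return (SUCCESS if last_ok else FAILURE), consulted


def scenarios():
    """Constructed outcomes for the quoted stack.  pam_opie is assumed to fail
    (user has no OPIE key) and pam_opieaccess to allow the login unless stated."""
    base = {"pam_opie.so": False, "pam_opieaccess.so": True}
    return {
        # AD accepts the password: pam_unix is never consulted.
        "ad_password_ok": evaluate_stack(
            AUTH_STACK, {**base, "pam_winbind.so": True, "pam_unix.so": False}),
        # AD rejects (e.g. account disabled) but a local passwd entry with the
        # same password exists: try_first_pass hands it to pam_unix, login succeeds.
        "ad_rejects_local_ok": evaluate_stack(
            AUTH_STACK, {**base, "pam_winbind.so": False, "pam_unix.so": True}),
        # Neither source accepts the password.
        "both_reject": evaluate_stack(
            AUTH_STACK, {**base, "pam_winbind.so": False, "pam_unix.so": False}),
        # pam_opieaccess (requisite) denies: nothing after it runs at all.
        "opieaccess_denies": evaluate_stack(
            AUTH_STACK, {"pam_opie.so": False, "pam_opieaccess.so": False,
                         "pam_winbind.so": True, "pam_unix.so": True}),
    }


if __name__ == "__main__":
    for name, (result, consulted) in scenarios().items():
        print(f"{name:20s} -> {result:8s} consulted: {', '.join(consulted)}")
```

The "ad_rejects_local_ok" case is the one worth checking on a real host: because pam_winbind is "sufficient" and pam_unix is "required", a user whose AD account has been disabled can still log in if a matching local passwd entry exists, so local accounts for AD users should be avoided or their passwords locked. Conversely, "requisite" on pam_opieaccess means a denial there is final and winbind is never even asked.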
_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"