Corporate needs are simple: one ‘ring to rule them all’ place to get users from. On the open source path there are several ways to achieve that. Alongside ‘plain’ OpenLDAP there is also FreeIPA, which is the open source and free version of Red Hat Identity Management (IDM).

This guide will show you how to make a basic FreeIPA install and connect a FreeBSD 13.1-RELEASE system to it.

The Table of Contents for this article looks as follows.
- Connect FreeBSD to FreeIPA/Red Hat Identity Management
- FreeIPA
- FreeIPA Requirements
- FreeIPA Setup
- FreeBSD Client
- FreeBSD Packages
- FreeBSD Setup
- FreeIPA/IDM Setup Part
- Finish Setup with Web Browser in FreeIPA/IDM Page
- FreeBSD FreeIPA Login Test
- FreeBSD Jail as FreeIPA/IDM Client
- Basic FreeBSD Jail Preparations
- Configure FreeBSD Jail to Connect to FreeIPA/IDM Server
- Linux FreeIPA/IDM Client
- FreeIPA/IDM Setup Part
- Linux FreeIPA/IDM Client Setup
FreeIPA
As typical CentOS is dead (yes, there is CentOS Stream available, but it's not a RHEL clone) I have two options here: Rocky Linux and Alma Linux. I will use the latter as it seems more popular and more up to date. In this guide the FreeIPA/IDM server will be hosted on the Alma Linux 8.6 system.
To make things easier I installed that Alma Linux 8.6 with a single 20GB / root on the /dev/sda1 partition. No separate /boot. No LVM. Just good old plain fucking simple single raw partition for everything. Seems no one does it these days.
[root@idm ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
└─sda1 8:1 0 20G 0 part /
FreeIPA Requirements
The minimum hardware requirements for installing FreeIPA server are as follows.
RAM: 4GB
CPU: 2
HDD: 10GB
DNS: fully qualified domain name for FreeIPA that must be resolvable from the DNS server configured in the system
For this installation I have used the 10.0.0.0/24 network.
The FreeIPA/IDM server will get the 10.0.0.40 IP.
The FreeIPA/IDM Linux client rhlike.vercorp.org will get the 10.0.0.41 IP.
The FreeIPA/IDM FreeBSD client fbsd.vercorp.org will get the 10.0.0.42 IP.
The FreeIPA/IDM FreeBSD client fbsdjail.vercorp.org will get the 10.0.0.43 IP.
For lack of better ideas I have used vercorp.org/VERCORP.ORG as domain/realm names and idm.vercorp.org as the FreeIPA/IDM hostname.
Details of the FreeIPA/IDM idm.vercorp.org system are below.
IP: 10.0.0.40/24
GW: 10.0.0.1
DNS: 1.1.1.1
hostname: idm.vercorp.org
domain: vercorp.org
realm: VERCORP.ORG
The FreeBSD fbsd.vercorp.org system.
IP: 10.0.0.42/24
GW: 10.0.0.1
hostname: fbsd.vercorp.org
The FreeBSD Jail fbsdjail.vercorp.org system.
IP: 10.0.0.43/24
GW: 10.0.0.1
hostname: fbsdjail.vercorp.org
If you are curious what is hidden behind the 10.0.0.42 IP, it's a typical Alma Linux that I first used to try whether FreeIPA/IDM works at all.
FreeIPA Setup
Because Anaconda is far from being a usable installer, this is how the config of the only interface (enp0s3) looks after manual intervention.
[root@idm ~]# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
NAME=enp0s3
DEVICE=enp0s3
TYPE=Ethernet
BOOTPROTO=none
UUID=b49cd1ab-d3eb-421d-b408-c052acc077da
ONBOOT=yes
IPADDR=10.0.0.40
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
IPV6INIT=no
DNS1=1.1.1.1
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
Before we go into the setup procedures we will update that Alma Linux system.
[root@idm ~]# yum update -y
[root@idm ~]# reboot
After the reboot we will disable the IPv6 stack for the main interface (enp0s3) as the FreeIPA installer has some problems with it. We do not need IPv6 here anyway, so …
[root@idm ~]# cat << EOF >> /etc/sysctl.conf
# DISABLE IPv6 FOR MAIN enp0s3 INTERFACE
net.ipv6.conf.enp0s3.disable_ipv6=1
EOF
Let's set our FreeIPA/IDM hostname if we missed that at the Anaconda installer part. We will also set up the system time zone.
[root@idm ~]# hostnamectl set-hostname idm.vercorp.org
[root@idm ~]# hostnamectl
Static hostname: idm.vercorp.org
Icon name: computer-vm
Chassis: vm
Machine ID: b8bfb8bcc23147eb9cc7b62c72a09c32
Boot ID: 06158ef430d9467d959076ab4396314e
Virtualization: oracle
Operating System: AlmaLinux 8.6 (Sky Tiger)
CPE OS Name: cpe:/o:almalinux:almalinux:8::baseos
Kernel: Linux 4.18.0-372.26.1.el8_6.x86_64
Architecture: x86-64
[root@idm ~]# timedatectl set-timezone Europe/Warsaw
[root@idm ~]# timedatectl set-local-rtc 0
[root@idm ~]# timedatectl
Local time: Mon 2022-10-17 15:08:28 CEST
Universal time: Mon 2022-10-17 13:08:28 UTC
RTC time: Sat 2022-10-15 00:28:10
Time zone: Europe/Warsaw (CEST, +0200)
System clock synchronized: yes
NTP service: inactive
RTC in local TZ: no
Let's add the system IP and name to the /etc/hosts file now.
[root@idm ~]# echo "$( hostname -i | awk '{print $NF}' ) $( hostname ) $( hostname -s )" >> /etc/hosts
[root@idm ~]# grep idm /etc/hosts
10.0.0.40 idm.vercorp.org idm
[root@idm ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.40 idm.vercorp.org idm
We need to enable the FreeIPA/IDM module in yum(8).
[root@idm ~]# yum module list idm
Last metadata expiration check: 0:00:31 ago on Tue 18 Oct 2022 01:02:51 PM CEST.
AlmaLinux 8 - AppStream
Name Stream Profiles Summary
idm DL1 adtrust, client, common [d], dns, server The Red Hat Enterprise Linux Identity Management system module
idm client [d] common [d] RHEL IdM long term support client module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
[root@idm ~]# yum module enable idm:DL1 -y
Last metadata expiration check: 0:01:06 ago on Tue 18 Oct 2022 01:02:51 PM CEST.
Dependencies resolved.
=====================================================================================================
Package Architecture Version Repository Size
=====================================================================================================
Enabling module streams:
389-ds 1.4
httpd 2.4
idm DL1
pki-core 10.6
pki-deps 10.6
Transaction Summary
=====================================================================================================
Complete!
One additional step is needed.
[root@idm ~]# yum distro-sync
Last metadata expiration check: 0:10:07 ago on Mon 17 Oct 2022 03:14:32 PM CEST.
Dependencies resolved.
Nothing to do.
Complete!
We will now install FreeIPA/IDM with DNS as this setup is the simplest one. We focus on the FreeBSD part in this article.
[root@idm ~]# yum install -y bind-utils chrony nc
[root@idm ~]# yum module install idm:DL1/dns -y
One can use the ‘interactive’ installer and answer ‘by hand’ all the questions asked, but to be honest I prefer to type my command once and make it ‘happen’ altogether without wasting my time.
As you probably guessed, we will use the unattended mode of the FreeIPA/IDM installer.
[root@idm ~]# ipa-server-install \
--domain vercorp.org \
--realm VERCORP.ORG \
--reverse-zone=0.0.10.in-addr.arpa. \
--no-forwarders \
--no-ntp \
--setup-dns \
--ds-password [password] \
--admin-password [password] \
--unattended
Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.
Version 4.9.8
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure SID generation
* Configure the KDC to enable PKINIT
Excluded by options:
* Configure the NTP client (chronyd)
Warning: skipping DNS resolution of host idm.vercorp.org
Checking DNS domain vercorp.org., please wait ...
Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
Checking DNS domain 0.0.10.in-addr.arpa., please wait ...
Using reverse zone(s) 0.0.10.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
The IPA Master Server will be configured with:
Hostname: idm.vercorp.org
IP address(es): 10.0.0.40
Domain name: vercorp.org
Realm name: VERCORP.ORG
The CA will be configured with:
Subject DN: CN=Certificate Authority,O=VERCORP.ORG
Subject base: O=VERCORP.ORG
Chaining: self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders: No forwarders
Forward policy: only
Reverse zone(s): 0.0.10.in-addr.arpa.
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/41]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=vercorp,dc=org ...
Perform post-installation tasks ...
[2/41]: tune ldbm plugin
[3/41]: adding default schema
[4/41]: enabling memberof plugin
[5/41]: enabling winsync plugin
[6/41]: configure password logging
[7/41]: configuring replication version plugin
[8/41]: enabling IPA enrollment plugin
[9/41]: configuring uniqueness plugin
[10/41]: configuring uuid plugin
[11/41]: configuring modrdn plugin
[12/41]: configuring DNS plugin
[13/41]: enabling entryUSN plugin
[14/41]: configuring lockout plugin
[15/41]: configuring topology plugin
[16/41]: creating indices
[17/41]: enabling referential integrity plugin
[18/41]: configuring certmap.conf
[19/41]: configure new location for managed entries
[20/41]: configure dirsrv ccache and keytab
[21/41]: enabling SASL mapping fallback
[22/41]: restarting directory server
[23/41]: adding sasl mappings to the directory
[24/41]: adding default layout
[25/41]: adding delegation layout
[26/41]: creating container for managed entries
[27/41]: configuring user private groups
[28/41]: configuring netgroups from hostgroups
[29/41]: creating default Sudo bind user
[30/41]: creating default Auto Member layout
[31/41]: adding range check plugin
[32/41]: creating default HBAC rule allow_all
[33/41]: adding entries for topology management
[34/41]: initializing group membership
[35/41]: adding master entry
[36/41]: initializing domain level
[37/41]: configuring Posix uid/gid generation
[38/41]: adding replication acis
[39/41]: activating sidgen plugin
[40/41]: activating extdom plugin
[41/41]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/10]: adding kerberos container to the directory
[2/10]: configuring KDC
[3/10]: initialize kerberos container
[4/10]: adding default ACIs
[5/10]: creating a keytab for the directory
[6/10]: creating a keytab for the machine
[7/10]: adding the password extension to the directory
[8/10]: creating anonymous principal
[9/10]: starting the KDC
[10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
[1/5]: Making sure custodia container exists
[2/5]: Generating ipa-custodia config file
[3/5]: Generating ipa-custodia keys
[4/5]: starting ipa-custodia
[5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/29]: configuring certificate server instance
[2/29]: stopping certificate server instance to update CS.cfg
[3/29]: backing up CS.cfg
[4/29]: Add ipa-pki-wait-running
[5/29]: secure AJP connector
[6/29]: reindex attributes
[7/29]: exporting Dogtag certificate store pin
[8/29]: disabling nonces
[9/29]: set up CRL publishing
[10/29]: enable PKIX certificate path discovery and validation
[11/29]: authorizing RA to modify profiles
[12/29]: authorizing RA to manage lightweight CAs
[13/29]: Ensure lightweight CAs container exists
[14/29]: Ensuring backward compatibility
[15/29]: starting certificate server instance
[16/29]: configure certmonger for renewals
[17/29]: requesting RA certificate from CA
[18/29]: publishing the CA certificate
[19/29]: adding RA agent as a trusted user
[20/29]: configure certificate renewals
[21/29]: Configure HTTP to proxy connections
[22/29]: updating IPA configuration
[23/29]: enabling CA instance
[24/29]: importing IPA certificate profiles
[25/29]: migrating certificate profiles to LDAP
[26/29]: adding default CA ACL
[27/29]: adding 'ipa' CA entry
[28/29]: configuring certmonger renewal for lightweight CAs
[29/29]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: adding CA certificate entry
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd)
[1/22]: stopping httpd
[2/22]: backing up ssl.conf
[3/22]: disabling nss.conf
[4/22]: configuring mod_ssl certificate paths
[5/22]: setting mod_ssl protocol list
[6/22]: configuring mod_ssl log directory
[7/22]: disabling mod_ssl OCSP
[8/22]: adding URL rewriting rules
[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/22]: setting up httpd keytab
[11/22]: configuring Gssproxy
[12/22]: setting up ssl
[13/22]: configure certmonger for renewals
[14/22]: publish CA cert
[15/22]: clean up any existing httpd ccaches
[16/22]: enable ccache sweep
[17/22]: configuring SELinux for httpd
[18/22]: create KDC proxy config
[19/22]: enable KDC proxy
[20/22]: starting httpd
[21/22]: configuring httpd to start on boot
[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)
[1/12]: generating rndc key file
[2/12]: adding DNS container
[3/12]: setting up our zone
[4/12]: setting up reverse zone
[5/12]: setting up our own record
[6/12]: setting up records for other masters
[7/12]: adding NS record to the zones
[8/12]: setting up kerberos principal
[9/12]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'
[10/12]: setting up server configuration
[11/12]: configuring named to start on boot
[12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/7]: checking status
[2/7]: setting up bind-dyndb-ldap working directory
[3/7]: setting up kerberos principal
[4/7]: setting up SoftHSM
[5/7]: adding DNSSEC containers
[6/7]: creating replica keys
[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring SID generation
[1/8]: creating samba domain object
[2/8]: adding admin(group) SIDs
[3/8]: adding RID bases
[4/8]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/8]: activating sidgen task
[6/8]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/8]: adding fallback group
[8/8]: adding SIDs to existing users and groups
This step may take considerable amount of time, please wait..
Done.
Configuring client side components
This program will set up IPA client.
Version 4.9.8
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: idm.vercorp.org
Realm: VERCORP.ORG
DNS Domain: vercorp.org
IPA Server: idm.vercorp.org
BaseDN: dc=vercorp,dc=org
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring vercorp.org as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
3. Kerberos requires time synchronization between clients
and servers for correct operation. You should consider enabling chronyd.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
The ipa-server-install command was successful
[root@idm ~]#
Seems that all went well and now we have our FreeIPA/IDM installed.
Let's check several things.
[root@idm ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@idm ~]# systemctl list-unit-files | grep ipa | grep service
ipa-ccache-sweep.service disabled
ipa-custodia.service disabled
ipa-dnskeysyncd.service disabled
ipa-healthcheck.service disabled
ipa-ods-exporter.service disabled
ipa-otpd@.service static
ipa.service enabled
Seems to be installed and working.
What about the /etc/sssd/sssd.conf config?
[root@idm ~]# cat /etc/sssd/sssd.conf
[domain/vercorp.org]
id_provider = ipa
ipa_server_mode = True
ipa_server = idm.vercorp.org
ipa_domain = vercorp.org
ipa_hostname = idm.vercorp.org
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ifp, ssh, sudo
domains = vercorp.org
[nss]
homedir_substring = /home
memcache_timeout = 600
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
allowed_uids = ipaapi, root
[session_recording]
There is also the /etc/ssh/ssh_config.d/04-ipa.conf file …
[root@idm ~]# cat /etc/ssh/ssh_config.d/04-ipa.conf
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
For some reason we need to manually enable and start the Apache HTTP server.
[root@idm ~]# systemctl enable --now httpd
You can now access the FreeIPA/IDM at your browser on the http://idm.vercorp.org address. If you use the http://10.0.0.40 IP then you will be redirected to the http://idm.vercorp.org address so make sure you have added that host to your local /etc/hosts file.


On the second screen you will see that I have already created the vermaden user.
FreeBSD Client
UPDATE: Newer instructions for FreeBSD 13.2-RELEASE are available at the Connect FreeBSD 13.2 to FreeIPA/IDM article.
We will get straight to the point. After having FreeBSD 13.1-RELEASE installed in the most ‘default’ way in the bsdinstall(8) installer (the Auto ZFS road) we will now fetch the up to date FreeBSD Ports tree with the portsnap(8) tool.
This is the main /etc/rc.conf config file.
# cat /etc/rc.conf
hostname="fbsd"
ifconfig_vtnet0="inet 10.0.0.42 netmask 255.255.255.0"
defaultrouter="10.0.0.1"
sshd_enable="YES"
moused_enable="YES"
dumpdev="AUTO"
zfs_enable="YES"
syslogd_flags="-ss"
sssd_enable="YES"
FreeBSD Packages
We need to have the FreeBSD Ports tree.
# portsnap auto
Let's check what the current default Samba version on FreeBSD is.
# grep -i samba /usr/ports/Mk/*default*
PYTHON2 PYTHON3 RUBY RUST SAMBA SSL TCLTK VARNISH
SAMBA_DEFAULT?= 4.12
To avoid a lot of pointless compilation I will first install all precompiled packages, which also installs the needed dependencies. Then we will rebuild just the few packages that need custom options.
# pkg install krb5 sudo cyrus-sasl cyrus-sasl-gssapi pam_mkhomedir openldap26-client samba412
Settings in the /etc/make.conf file.
# cat /etc/make.conf
# USE /usr/ports/obj PLACE
WRKDIRPREFIX=${PORTSDIR}/obj
OPTIONS_UNSET= DOCS EXAMPLES DEBUG X11
OPTIONS_UNSET+= DBUS GSSAPI_BASE GSSAPI_HEIMDAL
OPTIONS_SET+= GSSAPI_MIT
WITH_GSSAPI= yes
WANT_OPENLDAP_SASL= yes
Let's configure the needed ports.
# \
for I in /usr/ports/security/sudo \
/usr/ports/security/sssd \
/usr/ports/security/krb5 \
/usr/ports/security/cyrus-sasl2-gssapi \
/usr/ports/security/pam_mkhomedir \
/usr/ports/net/openldap26-client
do
make -C ${I} rmconfig
done
# \
for I in /usr/ports/security/sudo \
/usr/ports/security/sssd \
/usr/ports/security/krb5 \
/usr/ports/security/cyrus-sasl2-gssapi \
/usr/ports/security/pam_mkhomedir \
/usr/ports/net/openldap26-client
do
make -C ${I} config-recursive
done
The curses(3X) selection will look more or less like the ones below.
=> security/sudo | OPTIONS___________________________________________________________________________
[x] AUDIT Enable BSM audit support
[ ] DISABLE_AUTH Do not require authentication by default
[ ] DISABLE_ROOT_SUDO Do not allow root to run sudo
[ ] DOCS Build and/or install documentation
[ ] EXAMPLES Build and/or install examples
[ ] INSULTS Enable insults on failures
[x] LDAP LDAP protocol support
[ ] NLS Native Language Support
[ ] NOARGS_SHELL Run a shell if no arguments are given
[ ] OPIE Enable one-time passwords (no PAM support)
[ ] PAM Pluggable authentication module support
[ ] PYTHON Enable python plugin support
[x] SSSD Enable SSSD backend support.
=> security/sudo | Kerberos 5 Authentication (no PAM support)
( ) GSSAPI_BASE GSSAPI support via base system (needs Kerberos)
( ) GSSAPI_HEIMDAL GSSAPI support via security/heimdal
(*) GSSAPI_MIT GSSAPI support via security/krb5
=> security/sssd | OPTIONS___________________________________________________________________________
[ ] DOCS Build and/or install documentation
[x] SMB Install IPA and AD providers (requires Samba4)
=> security/cyrus-sasl2-gssapi | OPTIONS_____________________________________________________________
( ) GSSAPI_BASE GSSAPI support via base system (needs Kerberos)
( ) GSSAPI_HEIMDAL GSSAPI support via security/heimdal
(*) GSSAPI_MIT GSSAPI support via security/krb5
=> net/openldap26-client | OPTIONS___________________________________________________________________
[ ] DEBUG Build with debugging support
[ ] DOCS Build and/or install documentation
[ ] FETCH Enable fetch(3) support
[x] GSSAPI With GSSAPI support
=> security/krb5 | OPTIONS___________________________________________________________________________
[ ] DNS_FOR_REALM Enable DNS lookups for Kerberos realm names
[ ] EXAMPLES Build and/or install examples
[x] KRB5_HTML Install krb5 HTML documentation
[x] KRB5_PDF Install krb5 PDF documentation
[x] LDAP LDAP protocol support
[ ] LMDB OpenLDAP Lightning Memory-Mapped Database support
[ ] NLS Native Language Support
=> security/krb5 | Command Line Editing for kadmin and ktutil
(*) READLINE Command line editing via libreadline
( ) LIBEDIT Command line editing via libedit
We can now check what options have been saved.
# cat /var/db/ports/security_sudo-sssd/options
_OPTIONS_READ=sudo-sssd-1.9.11p3
_FILE_COMPLETE_OPTIONS_LIST=AUDIT DISABLE_AUTH DISABLE_ROOT_SUDO DOCS EXAMPLES INSULTS LDAP NLS NOARGS_SHELL OPIE PAM PYTHON SSSD GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
OPTIONS_FILE_SET+=AUDIT
OPTIONS_FILE_SET+=GSSAPI_MIT
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_SET+=NLS
OPTIONS_FILE_SET+=SSSD
OPTIONS_FILE_UNSET+=DISABLE_AUTH
OPTIONS_FILE_UNSET+=DISABLE_ROOT_SUDO
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=INSULTS
OPTIONS_FILE_UNSET+=NOARGS_SHELL
OPTIONS_FILE_UNSET+=OPIE
OPTIONS_FILE_UNSET+=PAM
OPTIONS_FILE_UNSET+=PYTHON
# cat /var/db/ports/security_sssd/options
_OPTIONS_READ=sssd-1.16.5_6
_FILE_COMPLETE_OPTIONS_LIST=DOCS SMB
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=SMB
# cat /var/db/ports/security_cyrus-sasl2/options
_OPTIONS_READ=cyrus-sasl-2.1.28
_FILE_COMPLETE_OPTIONS_LIST=ALWAYSTRUE AUTHDAEMOND DOCS KEEP_DB_OPEN OBSOLETE_CRAM_ATTR OBSOLETE_DIGEST_ATTR SASLDB_IN_VAR BDB1 BDB GDBM LMDB ANONYMOUS CRAM DIGEST LOGIN NTLM OTP PLAIN SCRAM
OPTIONS_FILE_SET+=ANONYMOUS
OPTIONS_FILE_SET+=AUTHDAEMOND
OPTIONS_FILE_SET+=BDB1
OPTIONS_FILE_SET+=CRAM
OPTIONS_FILE_SET+=DIGEST
OPTIONS_FILE_SET+=LOGIN
OPTIONS_FILE_SET+=NTLM
OPTIONS_FILE_SET+=OBSOLETE_CRAM_ATTR
OPTIONS_FILE_SET+=OBSOLETE_DIGEST_ATTR
OPTIONS_FILE_SET+=OTP
OPTIONS_FILE_SET+=PLAIN
OPTIONS_FILE_SET+=SCRAM
OPTIONS_FILE_UNSET+=ALWAYSTRUE
OPTIONS_FILE_UNSET+=BDB
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=GDBM
OPTIONS_FILE_UNSET+=KEEP_DB_OPEN
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_UNSET+=SASLDB_IN_VAR
# cat /var/db/ports/net_openldap26-client/options
_OPTIONS_READ=openldap26-client-2.6.3
_FILE_COMPLETE_OPTIONS_LIST=DEBUG DOCS FETCH GSSAPI
OPTIONS_FILE_SET+=GSSAPI
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=FETCH
# cat /var/db/ports/security_krb5/options
# This file is auto-generated by 'make config'.
# Options for krb5-1.20
_OPTIONS_READ=krb5-1.20
_FILE_COMPLETE_OPTIONS_LIST=DNS_FOR_REALM EXAMPLES KRB5_HTML KRB5_PDF LDAP LMDB NLS READLINE LIBEDIT
OPTIONS_FILE_UNSET+=DNS_FOR_REALM
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_SET+=KRB5_HTML
OPTIONS_FILE_SET+=KRB5_PDF
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_SET+=NLS
OPTIONS_FILE_SET+=READLINE
OPTIONS_FILE_UNSET+=LIBEDIT
… and build them.
# \
for I in /usr/ports/security/sudo \
/usr/ports/security/sssd \
/usr/ports/security/krb5 \
/usr/ports/security/cyrus-sasl2-gssapi \
/usr/ports/security/pam_mkhomedir \
/usr/ports/net/openldap26-client
do
make -C ${I} build
done
… uninstall them and create their packages.
# \
for I in /usr/ports/security/sudo \
/usr/ports/security/sssd \
/usr/ports/security/krb5 \
/usr/ports/security/cyrus-sasl2-gssapi \
/usr/ports/security/pam_mkhomedir \
/usr/ports/net/openldap26-client
do
make -C ${I} deinstall package
done
After some time we have our built packages.
# find /usr/ports/obj/ -name \*.pkg
/usr/ports/obj/usr/ports/lang/perl5.32/work/perl-5.32.1/symbian/ext/Moped/Msg/Msg.pkg
/usr/ports/obj/usr/ports/security/pam_mkhomedir/work/pkg/pam_mkhomedir-0.2.pkg
/usr/ports/obj/usr/ports/security/cyrus-sasl2-gssapi/work/pkg/cyrus-sasl-gssapi-2.1.28.pkg
/usr/ports/obj/usr/ports/security/krb5/work/pkg/krb5-1.20.pkg
/usr/ports/obj/usr/ports/security/sudo/work/pkg/sudo-1.9.11p3.pkg
/usr/ports/obj/usr/ports/security/sssd/work-default/pkg/sssd-1.16.5_6.pkg
/usr/ports/obj/usr/ports/net/openldap26-client/work/pkg/openldap26-client-2.6.3.pkg
In the future I need to add some short guide to build them regularly with Synth or Poudriere.
Now we need to install these packages in a quite nontypical way: one by one, in a specified order. This would not be needed if we had a separate additional pkg(8) repository with Poudriere-built packages.
Our packages:
# ls -1 *.pkg
cyrus-sasl-gssapi-2.1.28.pkg
krb5-1.20.pkg
openldap26-client-2.6.3.pkg
pam_mkhomedir-0.2.pkg
sssd-smb4-1.16.5_6.pkg
sudo-sssd-1.9.11p3.pkg
… and their install process.
# pkg install -y c-ares
# pkg add sssd-smb4-1.16.5_6.pkg
# pkg install -y cyrus-sasl-gssapi-2.1.28.pkg
(...)
New packages to be INSTALLED:
cyrus-sasl: 2.1.28
cyrus-sasl-gssapi: 2.1.28
krb5: 1.20
(...)
# pkg delete -f -y krb5
(...)
Installed packages to be REMOVED:
krb5: 1.20
(...)
# pkg add krb5-1.20.pkg
# pkg install -y sssd
# pkg add sudo-sssd-1.9.11p3.pkg
# pkg delete -f -y sssd
(...)
Installed packages to be REMOVED:
sssd: 1.16.5_6
(...)
# pkg install ding-libs ldb21 nspr nss pcre samba412
# pkg add sssd-smb4-1.16.5_6.pkg
FreeBSD Setup
Create the needed dirs.
# mkdir -p \
/usr/local/etc/ipa \
/var/log/sssd \
/var/run/sss/private \
/var/db/sss
Set the system hostname.
# hostname fbsd.vercorp.org
# hostname
fbsd.vercorp.org
Fetch the FreeIPA/IDM CA certificate.
# fetch -o /usr/local/etc/ipa/ca.crt http://10.0.0.40/ipa/config/ca.crt
FreeIPA/IDM Setup Part
We need to execute several instructions on the FreeIPA/IDM server to connect the FreeBSD client to it.
That is adding the A and PTR records in DNS for the 10.0.0.42 address and adding the fbsd.vercorp.org host.
We also need to generate the key for our fbsd.vercorp.org system.
[root@idm ~]# kinit admin
Password for admin@VERCORP.ORG:
[root@idm ~]# ipa dnsrecord-add vercorp.org fbsd --a-rec=10.0.0.42 --a-create-reverse
Record name: fbsd
A record: 10.0.0.42
[root@idm ~]# ipa host-add fbsd.vercorp.org
-----------------------------
Added host "fbsd.vercorp.org"
-----------------------------
Host name: fbsd.vercorp.org
Principal name: host/fbsd.vercorp.org@VERCORP.ORG
Principal alias: host/fbsd.vercorp.org@VERCORP.ORG
Password: False
Keytab: False
Managed by: fbsd.vercorp.org
[root@idm ~]# ipa-getkeytab -s idm.vercorp.org -p host/fbsd.vercorp.org@VERCORP.ORG -k /root/fbsd.vercorp.org.keytab
Keytab successfully retrieved and stored in: /root/fbsd.vercorp.org.keytab
Now we need to get ‘our’ key from the FreeIPA/IDM server … along with a proper /etc/hosts file.
# scp root@10.0.0.40:/root/fbsd.vercorp.org.keytab /usr/local/etc/ipa/krb5.keytab
# cat << EOF > /etc/hosts
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
10.0.0.40 idm.vercorp.org idm
10.0.0.42 fbsd.vercorp.org fbsd
EOF
Now the /usr/local/etc/openldap/ldap.conf file.
# cat << EOF > /usr/local/etc/openldap/ldap.conf
# BASE must be the IPA BaseDN in the same order the server reports it
BASE dc=vercorp,dc=org
URI ldap://idm.vercorp.org/
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
SASL_MECH GSSAPI
SASL_REALM VERCORP.ORG
ssl start_tls
TLS_CACERT /usr/local/etc/ipa/ca.crt
EOF
… and /etc/krb5.conf file.
# cat << EOF > /etc/krb5.conf
[libdefaults]
default_realm = VERCORP.ORG
default_keytab_name = FILE:/usr/local/etc/ipa/krb5.keytab
default_tkt_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
default_tgs_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
VERCORP.ORG = {
kdc = idm.vercorp.org:88
master_kdc = idm.vercorp.org:88
admin_server = idm.vercorp.org:749
default_domain = vercorp.org
pkinit_anchors = FILE:/usr/local/etc/ipa/ca.crt
}
[domain_realm]
.vercorp.org = VERCORP.ORG
vercorp.org = VERCORP.ORG
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
kadmin_local = FILE:/var/log/krb5/kadmin_local.log
default = FILE:/var/log/krb5/krb5lib.log
EOF
… and /usr/local/etc/sssd/sssd.conf file.
# cat << EOF > /usr/local/etc/sssd/sssd.conf
[domain/vercorp.org]
# debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = VERCORP.ORG
ipa_domain = vercorp.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = fbsd.vercorp.org
chpass_provider = ipa
ipa_server = _srv_, idm.vercorp.org
ldap_tls_cacert = /usr/local/etc/ipa/ca.crt
krb5_keytab = /usr/local/etc/ipa/krb5.keytab
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = vercorp.org
[nss]
filter_users = root,toor
homedir_substring = /usr/home/%u
[pam]
[sudo]
# debug_level = 0x3ff0
[ssh]
EOF
# chmod 600 /usr/local/etc/sssd/sssd.conf
FreeBSD keeps user accounts under /usr/home, so make sure /home also points there.
# ln -s /usr/home /home
The automatic startup of the sssd(8) daemon (not to be confused with sshd(8)) also needs to be configured.
# sysrc sssd_enable=YES
# service sssd start
We also need to configure the /etc/nsswitch.conf file.
# cp /etc/nsswitch.conf /etc/nsswitch.conf.BCK
# diff -u /etc/nsswitch.conf.BCK /etc/nsswitch.conf
--- /etc/nsswitch.conf.BCK 2022-10-24 20:10:09.163251000 +0200
+++ /etc/nsswitch.conf 2022-10-24 20:10:57.207406000 +0200
@@ -2,15 +2,17 @@
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
-group: compat
+group: files sss
group_compat: nis
hosts: files dns
-netgroup: compat
+# netgroup: compat
networks: files
-passwd: compat
+passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
+sudoers: sss files
+netgroup: files
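Review bot: with compat dropped from the passwd and group lines, the untouched group_compat: nis and passwd_compat: nis entries become dead configuration (the *_compat sources are only consulted for + entries of a compat database), so they can go as well; and rather than commenting out netgroup: compat and appending netgroup: files at the end of the file, edit the netgroup line in place so the file keeps one entry per database.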
The final /etc/nsswitch.conf file looks as follows.
# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files sss
group_compat: nis
hosts: files dns
# netgroup: compat
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
sudoers: sss files
netgroup: files
Now the /etc/pam.d/system file.
# cp /etc/pam.d/system /root/etc---pam.d---system.BCK
# diff -u /root/etc---pam.d---system.BCK /etc/pam.d/system
--- /root/etc---pam.d---system.BCK 2022-10-24 20:13:05.546657000 +0200
+++ /etc/pam.d/system 2022-10-24 20:16:36.722666000 +0200
@@ -7,19 +7,23 @@
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
+auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_sss.so use_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
+account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
+session required /usr/local/lib/pam_mkhomedir.so mode=0700
# password
#password sufficient pam_krb5.so no_warn try_first_pass
+password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
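Review bot: in the auth block the newly uncommented auth sufficient pam_krb5.so no_warn try_first_pass sits above auth sufficient /usr/local/lib/pam_sss.so use_first_pass, so an IPA user's password is verified by pam_krb5 against the KDC and, being sufficient, the stack stops there; pam_sss never sees that login, which means the cache_credentials = True setting in sssd.conf never receives a password to cache and offline logins will not work through this path. Either keep pam_krb5.so commented out or move the pam_sss.so line above it.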
The final /etc/pam.d/system file looks as follows.
# cat /etc/pam.d/system
#
# $FreeBSD$
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so use_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session required /usr/local/lib/pam_mkhomedir.so mode=0700
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
Now it is time for the /etc/pam.d/sshd file.
# cp /etc/pam.d/sshd /root/etc---pam.d---sshd.BCK
# diff -u /root/etc---pam.d---sshd.BCK /etc/pam.d/sshd
--- /root/etc---pam.d---sshd.BCK 2022-10-24 20:17:34.063630000 +0200
+++ /etc/pam.d/sshd 2022-10-24 20:19:16.165810000 +0200
@@ -7,8 +7,9 @@
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
+auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
+auth sufficient /usr/local/lib/pam_sss.so use_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
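Review bot: the same ordering concern as in /etc/pam.d/system applies here: auth sufficient pam_krb5.so ... is enabled above auth sufficient /usr/local/lib/pam_sss.so use_first_pass, so password logins over SSH are satisfied by pam_krb5 and pam_sss is skipped, leaving sssd with nothing to cache for offline use; put the pam_sss.so line first or leave pam_krb5.so commented out.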
@@ -16,11 +17,14 @@
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
+account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
+session required /usr/local/lib/pam_mkhomedir.so mode=0700
# password
#password sufficient pam_krb5.so no_warn try_first_pass
+password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
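Review bot: for SSH logins that authenticate with a Kerberos ticket (GSSAPIAuthentication), the PAM auth stack is not run at all, so the added account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail line is the only place where the IPA HBAC rule is enforced; ignore_authinfo_unavail makes that check return PAM_IGNORE when sssd cannot be reached, which is an availability trade-off worth documenting in a comment next to the line.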
Final /etc/pam.d/sshd file below.
# cat /etc/pam.d/sshd
#
# $FreeBSD$
#
# PAM configuration for the "sshd" service
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so use_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
session required /usr/local/lib/pam_mkhomedir.so mode=0700
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
Small modifications to the /etc/ssh/ssh_config and /etc/ssh/sshd_config files.
# cat << EOF >> /etc/ssh/ssh_config
GSSAPIAuthentication yes
EOF
# cat << EOF >> /etc/ssh/sshd_config
GSSAPIAuthentication yes
UsePAM yes
EOF
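As an added check (example code written for this guide, not part of the original article or of FreeIPA's own tooling), the following POSIX sh script verifies that the files edited above route passwd, group and sudoers lookups through sss, that every PAM phase in system and sshd loads pam_sss.so, that sssd.conf stays private, and that the ldap.conf BASE is the DN of the vercorp.org domain rather than a reversed one. The ROOT variable is an assumption of this script so the same checks can be run against a jail tree such as /jail/fbsdjail.

```shell
#!/bin/sh
# ipa-client-check.sh: added example (not from the original article) that
# verifies the FreeBSD client files configured above. ROOT is a prefix, so
# ROOT=/jail/fbsdjail checks a jail tree; the default checks the host.

# nss_uses_sss FILE DB: the DB line in nsswitch.conf lists the sss source.
nss_uses_sss() {
  awk -v key="$2:" '$1 == key { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
                     END { if (ok) exit 0; exit 1 }' "$1"
}

# pam_has_sss FILE PHASE: an active (uncommented) PHASE line loads pam_sss.so.
pam_has_sss() {
  awk -v phase="$2" '$1 == phase && $3 ~ /pam_sss\.so$/ { ok = 1 }
                     END { if (ok) exit 0; exit 1 }' "$1"
}

# sssd_conf_private FILE: sssd.conf may hold credentials and must stay 0600.
sssd_conf_private() {
  case "$(uname -s)" in
    FreeBSD|Darwin) mode=$(stat -f '%Lp' "$1" 2>/dev/null) ;;
    *)              mode=$(stat -c '%a' "$1" 2>/dev/null) ;;   # GNU stat
  esac
  [ "$mode" = "600" ]
}

# ldap_base_matches FILE DOMAIN: BASE must be the DN built from the IPA domain
# (vercorp.org -> dc=vercorp,dc=org); a reversed DN like dc=org,dc=vercorp fails.
ldap_base_matches() {
  want=$(printf '%s\n' "$2" |
    awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }')
  have=$(awk '$1 == "BASE" { print $2 }' "$1")
  [ "$have" = "$want" ]
}

# report CHECK ARGS...: print PASS/FAIL and remember any failure in $fail.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fail=1; fi; }
main() {
  fail=0
  for db in passwd group sudoers; do
    report nss_uses_sss "${ROOT:-}/etc/nsswitch.conf" "$db"
  done
  for svc in system sshd; do
    for phase in auth account password; do
      report pam_has_sss "${ROOT:-}/etc/pam.d/$svc" "$phase"
    done
  done
  report sssd_conf_private "${ROOT:-}/usr/local/etc/sssd/sssd.conf"
  report ldap_base_matches "${ROOT:-}/usr/local/etc/openldap/ldap.conf" vercorp.org
  return "$fail"
}
# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh ipa-client-check.sh --run` on the host, or with `ROOT=/jail/fbsdjail` exported to check the jail; a non-zero exit status means at least one FAIL line was printed.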
Finish Setup with Web Browser in FreeIPA/IDM Page
Visit the https://idm.vercorp.org/ipa/ui/#/e/hbacrule/details/freebsd page.
Next create the HBAC Rule named freebsd as shown below.



… and the Sudo Rule named freebsd.



FreeBSD FreeIPA Login Test
After all these time-consuming and pointless instructions we can now finally try to log in to our FreeBSD client.
% ssh -l vermaden 10.0.0.42
(vermaden@10.0.0.42) Password:
Last login: Mon Oct 24 21:06:36 2022 from 10.0.0.3
FreeBSD 13.1-RELEASE releng/13.1-n250148-fc952ac2212 GENERIC
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
To change this login announcement, see motd(5).
You can upload the dmesg of your system to help developers get an overview of commonly
used hardware and peripherals for FreeBSD. Use the curl package to upload it like this:
curl -v -d "nickname=$USER" -d "description=FreeBSD/$(uname -m) on \
$(kenv smbios.system.maker) $(kenv smbios.system.product)" -d "do=addd" \
--data-urlencode 'dmesg@/var/run/dmesg.boot' http://dmesgd.nycbug.org/index.cgi
vermaden@fbsd:~ $ :> ~/.hushlogin
vermaden@fbsd:~ $ id
uid=1408200003(vermaden) gid=1408200000(admins) groups=1408200000(admins)
vermaden@fbsd:~ $ pwd
/home/vermaden
vermaden@fbsd:~ $ grep vermaden /etc/passwd /etc/group
vermaden@fbsd:~ $
vermaden@fbsd:~ $ getent passwd vermaden
vermaden:*:1408200003:1408200000:vermaden vermaden:/home/vermaden:/bin/sh
vermaden@fbsd:~ $ sudo su -
Password for vermaden@VERCORP.ORG:
root@fbsd:~ # logout
vermaden@fbsd:~ $ sudo -i
root@fbsd:~ #
Strange … seems to work properly 🙂
FreeBSD Jail as FreeIPA/IDM Client
As a ‘full’ FreeBSD system is able to connect to the FreeIPA/IDM server, we will now configure a FreeBSD Jail to do the same.
The FreeIPA/IDM FreeBSD client fbsdjail.vercorp.org will get the 10.0.0.43 IP.
Basic FreeBSD Jail Preparations
Let's set up the Jail first.
# mkdir -p /jail/fbsdjail /jail/BASE
# cd /jail/fbsdjail
# fetch -o /jail/BASE/13.1-RELEASE-base.txz https://download.freebsd.org/ftp/releases/amd64/13.1-RELEASE/base.txz
# tar --unlink -xvf ../BASE/13.1-RELEASE-base.txz
# cat << 'EOF' > /etc/jail.conf
# GLOBAL
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
host.hostname = ${name};
path = /jail/${name};
# JAILS
fbsdjail {
ip4.addr = 10.0.0.43;
host.hostname = fbsdjail.vercorp.org;
interface = wlan0;
allow.raw_sockets;
allow.sysvipc;
}
EOF
# cat /etc/resolv.conf | tee /jail/fbsdjail/etc/resolv.conf
nameserver 10.0.0.1
# echo 10.0.0.43 fbsdjail.vercorp.org fbsdjail | tee -a /etc/hosts | tee -a /jail/fbsdjail/etc/hosts
# cat /etc/hosts /jail/fbsdjail/etc/hosts
10.0.0.43 fbsdjail.vercorp.org fbsdjail
10.0.0.43 fbsdjail.vercorp.org fbsdjail
# cat << EOF > /jail/fbsdjail/etc/rc.conf
# DAEMONS | yes
syslogd_flags="-ss"
sshd_enable=YES
# OTHER
clear_tmp_enable=YES
clear_tmp_X=YES
dumpdev=NO
update_motd=NO
EOF
# sed -i '' s/quarterly/latest/g /jail/fbsdjail/etc/pkg/FreeBSD.conf
# grep latest /jail/fbsdjail/etc/pkg/FreeBSD.conf
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
Now we can start our FreeBSD Jail.
# service jail onestart fbsdjail
Starting jails: fbsdjail.
# jls
JID IP Address Hostname Path
1 10.0.0.43 fbsdjail.vercorp.org /jail/fbsdjail
# jls -v
JID Hostname Path
Name State
CPUSetID
IP Address(es)
1 fbsdjail.vercorp.org /jail/fbsdjail
fbsdjail ACTIVE
3
10.0.0.43
# jexec fbsdjail
root@fbsdjail:/ #
Our FreeBSD Jail works. Let's move to the next steps.
Configure FreeBSD Jail to Connect to FreeIPA/IDM Server
I could not repaste all of the instructions above – the ones that we used for a ‘full’ FreeBSD system – but the same applies to a FreeBSD Jail. 🙂
This means that the earlier Basic FreeBSD Jail Preparations section already covers everything that differs between a ‘full’ FreeBSD system and a FreeBSD Jail when it comes to the FreeIPA/IDM connection.
Linux FreeIPA/IDM Client
This article is not about the Linux client – which is pretty straightforward to connect to the FreeIPA/IDM server – but for the completeness of the topic – here are the instructions I used to attach Alma Linux to the FreeIPA/IDM server.
Linux rhlike.vercorp.org system.
IP: 10.0.0.41/24
GW: 10.0.0.1
hostname: rhlike.vercorp.org
First – install the @idm:client and sssd packages.
client # yum -y install @idm:client sssd
FreeIPA/IDM Setup Part
Now – as earlier with FreeBSD – the FreeIPA/IDM part comes into play.
[root@idm ~]# kinit admin
Password for admin@VERCORP.ORG:
[root@idm ~]# klist
Ticket cache: KCM:0
Default principal: admin@VERCORP.ORG
Valid starting Expires Service principal
10/19/2022 13:33:52 10/20/2022 13:11:28 krbtgt/VERCORP.ORG@VERCORP.ORG
[root@idm ~]# ipa user-find
---------------
2 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@VERCORP.ORG, root@VERCORP.ORG
UID: 1896600000
GID: 1896600000
Account disabled: False
User login: vermaden
First name: vermaden
Last name: vermaden
Home directory: /home/vermaden
Login shell: /bin/sh
Principal name: vermaden@VERCORP.ORG
Principal alias: vermaden@VERCORP.ORG
Email address: vermaden@vercorp.org
UID: 1896600003
GID: 1000
Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
[root@idm ~]# id vermaden
uid=1408200003(vermaden) gid=1408200000(admins) groups=1408200000(admins)
[root@idm ~]# ipa dnsrecord-add vercorp.org rhlike --a-rec 10.0.0.41
Record name: rhlike
A record: 10.0.0.41
We are done on the FreeIPA/IDM side.
Linux FreeIPA/IDM Client Setup
We will now continue our work on the Linux client.
client # echo "10.0.0.40 idm.vercorp.org" >> /etc/hosts
client # echo "10.0.0.41 rhlike.vercorp.org" >> /etc/hosts
client # hostnamectl set-hostname rhlike.vercorp.org
client # cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.40 idm.vercorp.org
10.0.0.41 rhlike.vercorp.org
client # ipa-client-install --uninstall
client # ipa-client-install \
--hostname=rhlike.vercorp.org \
--mkhomedir \
--server=idm.vercorp.org \
--domain vercorp.org \
--realm VERCORP.ORG
This program will set up IPA client.
Version 4.9.8
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: rhlike.vercorp.org
Realm: VERCORP.ORG
DNS Domain: vercorp.org
IPA Server: idm.vercorp.org
BaseDN: dc=vercorp,dc=org
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@VERCORP.ORG:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=VERCORP.ORG
Issuer: CN=Certificate Authority,O=VERCORP.ORG
Valid From: 2022-10-18 14:52:50
Valid Until: 2042-10-18 14:52:50
Enrolled in IPA realm VERCORP.ORG
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm VERCORP.ORG
Systemwide CA database updated.
Hostname (rhlike.vercorp.org) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host rhlike.vercorp.org: 10.0.0.41.
Missing reverse record(s) for address(es): 10.0.0.41.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring vercorp.org as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
client # reboot
Now we will test logging in against the FreeIPA/IDM server.
laptop % ssh -l vermaden 10.0.0.41
(vermaden@10.0.0.41) Password:
(vermaden@10.0.0.41) Password expired. Change your password now.
Current Password:
(vermaden@10.0.0.41) New password:
(vermaden@10.0.0.41) Retype new password:
Last failed login: Wed Oct 19 00:47:57 CEST 2022 from 10.0.0.3 on ssh:notty
There was 1 failed login attempt since the last successful login.
/usr/bin/id: cannot find name for group ID 1000
[vermaden@rhlike ~]$ w
00:48:16 up 29 min, 2 users, load average: 0.22, 0.13, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.0.0.3 00:40 58.00s 0.03s 0.03s -bash
vermaden pts/1 10.0.0.3 00:48 0.00s 0.02s 0.01s w
[vermaden@rhlike ~]$ sudo su -
[root@rhlike ~]# getent passwd admin
admin:*:1896600000:1896600000:Administrator:/home/admin:/bin/bash
[root@rhlike ~]# getent passwd vermaden
vermaden:*:1896600003:1000:vermaden vermaden:/home/vermaden:/bin/sh
Seems to work at least OK 🙂
I do not have anything more to add to this guide.
If you have – then please let me know in comments 🙂
Regards.