
Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

February 18, 2026

I want to make this clear in the first sentence, because that is the one most people will read: this article is entirely based on work done by Christian Hofstede-Kuhn (Larvitz), who recently wrote Integrating FreeBSD 15 with FreeIPA: Native Kerberos and LDAP Authentication. Credit goes to him. Besides that, I like to share everything that could be useful. I also treat my blog as the place where I keep and maintain my FreeBSD documentation, and I have seen many blogs and sources of knowledge disappear from the Internet over time. As I use the free WordPress tier, I am fairly sure this blog (and the knowledge in it) will still be here long after I am gone.

So, as you can see, there are several motivations for this:

– Keep and maintain a personal version with more code snippets that I can copy and paste quickly.

– More detailed commands and outputs.

– Some additional improvements that may be useful, like local console login.

I just hope Christian will not be mad at me for this 🙂

… and I will notify him directly about this article.

First of all, this new method is possible because FreeBSD switched from the Heimdal Kerberos implementation to MIT Kerberos in the base system with FreeBSD 15.0-RELEASE, and I am really glad that FreeBSD finally did it.

As you know, I have already messed with that topic several times in the past:

All of these previous attempts had many downsides:

Next we will install the needed packages.

If the DNS configured in /etc/resolv.conf does not resolve the FreeIPA/IDM server, use /etc/hosts instead.

Add our new FreeBSD host and its IP address on the FreeIPA/IDM server.

On the FreeBSD host, copy the keytab from the FreeIPA/IDM server and put it in the right place with proper permissions.

Verify the FreeBSD keytab.

The nslcd(8) daemon needs read access to the /etc/krb5.keytab keytab to work; to achieve that, we will add the sshd user to its nslcd group. Whatever the ownership ends up being, keep the keytab unreadable by everyone else (mode no wider than 0640): anyone who can read it can impersonate the host principal.

Prepare the /etc/krb5.conf config.

Create the /usr/local/etc/nslcd.conf config for the nslcd(8) daemon.

Enable and start the nslcd(8) daemon.

Modify the /etc/nsswitch.conf config the following way with a simple sed(1) one-liner.

This is what we changed.

One can use an even more compact /etc/nsswitch.conf, as shown by Christian Hofstede-Kuhn (Larvitz) below.
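As an added example, not code from the original article or from Christian's post, the shell below builds the two lookup-side files from this part of the procedure on a constructed copy of the stock FreeBSD nsswitch.conf lines: it writes a minimal MIT Kerberos krb5.conf for an assumed realm EXAMPLE.COM served by ipa.example.com, rewrites the passwd and group entries from compat to files ldap, and checks that files stays first so a broken LDAP connection (or a hostile LDAP entry with uid 0) cannot shadow local accounts. The realm, KDC name and the sample file contents are assumptions, and output goes to stdout rather than being edited in place so you can diff it before replacing the real file.

```shell
#!/bin/sh
# Added example, not code from the original article. Generates the
# client-side lookup config for a FreeIPA-joined FreeBSD host on a
# constructed sample. Realm, KDC and sample file contents are assumed.
set -e

# Emit a minimal MIT Kerberos krb5.conf for REALM served by KDC.
# dns_lookup_kdc uses the SRV records FreeIPA publishes; rdns=false stops
# GSSAPI from canonicalising the server name via reverse DNS, which fails
# when PTR records are missing.
gen_krb5_conf() {
  realm=$1
  kdc=$2
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
  default_realm = ${realm}
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  ${realm} = {
    kdc = ${kdc}
    admin_server = ${kdc}
  }

[domain_realm]
  .${domain} = ${realm}
  ${domain} = ${realm}
EOF
}

# Rewrite FreeBSD's stock "compat" passwd/group entries to "files ldap"
# (local files first, then nslcd). Reads the file in $1, writes stdout.
enable_ldap_nss() {
  sed -e 's/^passwd:[[:space:]]*compat$/passwd: files ldap/' \
      -e 's/^group:[[:space:]]*compat$/group: files ldap/' "$1"
}

# Check that passwd and group both list "files" before "ldap": if LDAP
# is down, or returns an entry that collides with a local account, the
# local /etc files still win. Returns 0 when the order is right, 1 if not.
check_nss_order() {
  for db in passwd group; do
    line=$(grep "^${db}:" "$1" | head -n 1)
    case "$line" in
      "${db}: files ldap"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Demo on a constructed copy of the relevant stock nsswitch.conf lines.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/nsswitch.conf" <<'EOF'
group: compat
group_compat: nis
hosts: files dns
passwd: compat
passwd_compat: nis
shells: files
EOF
  enable_ldap_nss "$tmp/nsswitch.conf" > "$tmp/nsswitch.new"
  if check_nss_order "$tmp/nsswitch.new"; then
    echo "nsswitch.conf: passwd/group now resolve files first, then ldap"
  fi
  gen_krb5_conf EXAMPLE.COM ipa.example.com
  rm -rf "$tmp"
}

demo
```

The hosts line is deliberately left at files dns: host name resolution should never depend on the directory that the Kerberos client itself needs DNS to find. After installing the generated krb5.conf, kinit with a FreeIPA user is the quickest end-to-end check that the realm and KDC settings are right.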

Now let's test how it works.

Now the sshd(8) part.

Time to restart the sshd(8) daemon.

Now let's test how it works over SSH.

It works, but the ${HOME} directory is not created automatically because we have not configured that yet.

Let's use sed(1) again … and yes, it has to be spread over two lines.

We use optional instead of required: with required, a failing or missing pam_mkhomedir.so would abort the whole session and lock the user out, whereas with optional the login still proceeds, just without the home directory.

For the record, the entire /etc/pam.d/sshd PAM config looks like this.

We will now configure sudo(8) for more permissions.

We will also do doas(1) here, as it is simpler and more secure.

Now let's try to log in again.

Better.

I also ‘silenced’ the login a little by creating an empty ~/.hushlogin file and by removing /usr/bin/fortune from the ~/.profile file.

… and this is the part I added: using a FreeIPA/IDM user for console access, because right now it does not work.

To allow that, we will uncomment all lines matching the pam_krb5.so module within the /etc/pam.d/system config.

Let's try again.
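An added example, not the article's code: a sed(1) expression that uncomments the pam_krb5.so lines in /etc/pam.d/system, run here against a constructed excerpt modelled on FreeBSD's stock file, plus a check that the resulting auth stack still tries pam_krb5.so as sufficient before the required pam_unix.so. That order is what keeps root and other local accounts working at the console when the KDC is unreachable, while FreeIPA users are accepted on a Kerberos success. The excerpt and the output-to-stdout flow are assumptions; the real file is edited in place once you have reviewed the diff.

```shell
#!/bin/sh
# Added example, not code from the original article. Uncomments the
# pam_krb5.so lines in a copy of /etc/pam.d/system and checks the
# resulting auth order. The sample file below is a constructed excerpt
# modelled on FreeBSD's stock file; only the pam_krb5 lines matter here.
set -e

# Strip the leading "#" from lines that start with a commented-out PAM
# entry (facility, control flag, module) naming pam_krb5.so. Prose
# comments such as "# auth" keep their "#". Reads $1, writes stdout.
enable_pam_krb5() {
  sed -e '/^#[a-z][a-z]*[[:space:]].*pam_krb5\.so/s/^#//' "$1"
}

# Number of active (uncommented) pam_krb5.so entries in $1.
count_pam_krb5() {
  grep -c '^[a-z][a-z]*[[:space:]].*pam_krb5\.so' "$1" || true
}

# Check that the active auth stack tries Kerberos before the local
# password database: "auth sufficient pam_krb5.so" must precede
# "auth required pam_unix.so". A FreeIPA user is then accepted by the
# KDC, while local accounts still fall through to pam_unix when the KDC
# is down. Returns 0 if the order is right, 1 otherwise.
check_auth_order() {
  krb=$(grep -n '^auth[[:space:]].*sufficient[[:space:]].*pam_krb5\.so' "$1" | head -n 1 | cut -d: -f1)
  unix=$(grep -n '^auth[[:space:]].*required[[:space:]].*pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$krb" ] && [ -n "$unix" ] && [ "$krb" -lt "$unix" ]
}

demo() {
  tmp=$(mktemp -d)
  # Constructed excerpt modelled on FreeBSD's stock /etc/pam.d/system.
  cat > "$tmp/system" <<'EOF'
# auth
#auth       sufficient  pam_krb5.so     no_warn try_first_pass
#auth       sufficient  pam_ssh.so      no_warn try_first_pass
auth        required    pam_unix.so     no_warn try_first_pass nullok

# account
#account    required    pam_krb5.so
account     required    pam_login_access.so
account     required    pam_unix.so

# session
#session    optional    pam_ssh.so      want_agent
session     required    pam_lastlog.so  no_fail

# password
#password   sufficient  pam_krb5.so     no_warn try_first_pass
password    required    pam_unix.so     no_warn try_first_pass
EOF
  enable_pam_krb5 "$tmp/system" > "$tmp/system.new"
  echo "active pam_krb5 lines before: $(count_pam_krb5 "$tmp/system"), after: $(count_pam_krb5 "$tmp/system.new")"
  if check_auth_order "$tmp/system.new"; then
    echo "auth stack: pam_krb5 (sufficient) runs before pam_unix (required)"
  fi
  # Show exactly what would change before touching the real file.
  diff "$tmp/system" "$tmp/system.new" || true
  rm -rf "$tmp"
}

demo
```

The pam_ssh.so lines stay commented, which is the point of matching on the module name rather than blindly stripping every leading "#". Because /etc/pam.d/system is included by login(1) and su(1), this change is what makes the console login in the last step work; sshd(8) has its own /etc/pam.d/sshd, which is why SSH already worked before it.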

You have reached the end of this article – see you in the next one 🙂
