使用带有Kerberos TGT的AD后端的sssd在FreeBSD 10.0中运行在
Windows Server 2012 R2上的Active Directory中对用户进行身份验证的必要步骤是什么?
有一些棘手的考虑因素使一切都开箱即用. FreeBSD此时只支持sssd 1.9.6版.因此,不支持Enterprise Principal Names.
如果您的域名具有不匹配的UPN,则无法登录,因为在此过程中Kerberos身份验证将失败,即使FreeBSD支持使用Kerberos的企业主体名称,sssd也无法处理此情况.
因此,在sssd的实际版本中,您只能在同一域名中使用用户主体名称,例如:
Domain Name = example.com NetBIOS Name = EXAMPLE User Principal Name: username@example.com sAMAccountName: username
了解这一点,我们可以描述在FreeBSD中成功验证AD用户的步骤.
1.配置Kerberos
[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = yes
2.安装Samba 4.1并将其配置为加入域
安装Samba 4.1:
$pkg install samba41
使用以下内容创建文件/usr/local/etc/smb4.conf:
[global] security = ads realm = EXAMPLE.COM workgroup = EXAMPLE kerberos method = secrets and keytab client signing = yes client use spnego = yes log file = /var/log/samba/%m.log
要求管理员Kerberos票证:
$kinit Administrator
然后加入域并创建密钥表
$net ads join createupn=host/server-hostname.example.com@EXAMPLE.COM -k $net ads keytab create -k
3.使用Kerberos支持安装sssd软件包和Cyrus SASL
安装所需的包:
$pkg install sssd cyrus-sasl-gssapi
编辑文件/usr/local/etc/sssd/sssd.conf以匹配此设置:
[sssd] config_file_version = 2 services = nss,pam domains = example.com [nss] [pam] [domain/example.com] # Uncomment if you need offline logins #cache_credentials = true id_provider = ad auth_provider = ad access_provider = ad chpass_provider = ad # Comment out if the users have the shell and home dir set on the AD side default_shell = /bin/tcsh fallback_homedir = /home/%u # Uncomment and adjust if the default principal SHORTNAME$@REALM is not available #ldap_sasl_mech = GSSAPI #ldap_sasl_authid = SERVER-HOSTNAME$@EXAMPLE.COM
编辑文件/etc/nsswitch.conf以匹配此设置:
group: files sss passwd: files sss
5.配置PAM以允许sssd身份验证并处理主目录创建
安装主目录创建的可选包:
$pkg install pam_mkhomedir
修改必要的PAM域以匹配此设置:
auth sufficient /usr/local/lib/pam_sss.so account required /usr/local/lib/pam_sss.so ignore_unknown_user session required /usr/local/lib/pam_mkhomedir.so mode=0700 session optional /usr/local/lib/pam_sss.so password sufficient /usr/local/lib/pam_sss.so use_authtok
6.切换到启用SASL的OpenLDAP客户端
$pkg remove -f openldap-client $pkg install openldap-sasl-client
7.最后确认一切正常
$getent passwd <username>