Native FreeBSD Kerberos/LDAP with FreeIPA/IDM | vermaden

I want to make this clear in the first sentence because it's the biggest chance that people will read it – this article is entirely based on work done by Christian Hofstede-Kuhn (Larvitz) who wrote Integrating FreeBSD 15 with FreeIPA: Native Kerberos and LDAP Authentication recently. Credit goes to him.

Besides that I like to share everything that could be useful – I also treat my blog as a place where I keep and maintain my FreeBSD documentation … and I have seen many blogs and sources of knowledge disappear from the Internet over time … and as I use the free WordPress tier I am sure this blog (and knowledge) should be here long after I am gone.

So as You see there are several motivations for this:

– Keep and maintain a personal version with more code snippets that I can copy/paste fast.
– More detailed commands and outputs.
– Some additional improvements that may be useful – like local console login.

I just hope Christian will not be mad at me for this 🙂 … and I will directly notify him about this article.

First of all – this new method is possible because FreeBSD switched from the Heimdal Kerberos implementation to MIT Kerberos in FreeBSD 15.0-RELEASE … and I am really glad that FreeBSD finally did it.

As You know I already messed with that topic several times in the past:

– Connect FreeBSD to FreeIPA/IDM
– Connect FreeBSD 13.2 to FreeIPA/IDM
– FreeBSD on FreeIPA/IDM with Poudriere Repo
– Connect FreeBSD 14.0-STABLE to FreeIPA/IDM

All of these previous attempts had many downsides:

– You needed to (re)compile multiple custom packages from FreeBSD Ports.
– Sometimes it was needed to use custom code by Mariusz Zaborski (oshogbo) for example.
– Complex sssd(8) daemon with many deps/reqs including D-Bus or Python and more.
– Setup was complicated/fragile and prone to errors – especially during upgrades.

This new way uses MIT Kerberos from FreeBSD 15.0-RELEASE and the small lightweight nslcd(8) daemon from the net/nss-pam-ldapd package.
The only (non technical) downside is that it uses the LGPL21/LGPL3 license … but as we connect to an entire Linux domain with FreeIPA/IDM it does not matter much, does it? :)

Now – we first need a FreeIPA/IDM server … use the instructions from the older Connect FreeBSD 14.0-STABLE to FreeIPA/IDM article.

Now for the new way … let's start by switching the pkg(8) repository from quarterly to latest.

    FreeBSD # mkdir -p /usr/local/etc/pkg/repos
    FreeBSD # sed s/quarterly/latest/g /etc/pkg/FreeBSD.conf > /usr/local/etc/pkg/repos/FreeBSD.conf

Next we will install the needed packages.

    FreeBSD # pkg install -y nss-pam-ldapd pam_mkhomedir sudo doas

If the DNS configured in /etc/resolv.conf does not resolve FreeIPA/IDM, use /etc/hosts instead.

    FreeBSD # cat << __EOF >> /etc/hosts
    172.27.33.200 rhidm.lab.org rhidm
    172.27.33.215 fbsd15.lab.org fbsd15
    __EOF

Add our new FreeBSD host and its IP on the FreeIPA/IDM server.

    [root@idm ~]# kinit admin
    Password for [email protected]:
    [root@idm ~]# ipa dnsrecord-add lab.org fbsd15 --a-rec
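As an added example (my own helper script, not code from the original post nor from the FreeBSD or FreeIPA projects), the two host-side steps above wrapped as re-runnable POSIX sh functions: the repo switch is checked to still carry package signature verification after the sed, and the /etc/hosts append is made idempotent. File paths are parameters so the functions can be tried on scratch copies; the FreeBSD.conf text inside demo() is a constructed sample shaped like the stock file.

```sh
#!/bin/sh
# Added example, not code from the original post: re-runnable helpers for the
# repo switch and the /etc/hosts step above. File paths are parameters so the
# functions can be tried on scratch copies; the config text below is a
# constructed sample shaped like the stock /etc/pkg/FreeBSD.conf.

# Derive the "latest" override from the base config (same sed as above) and
# refuse to accept a result that lost package signature verification.
switch_repo_to_latest() {
    base="$1"; override="$2"
    mkdir -p "$(dirname "$override")" || return 1
    sed 's/quarterly/latest/g' "$base" > "$override" || return 1
    grep -q '/latest' "$override" || return 1              # branch really switched
    grep -q 'quarterly' "$override" && return 1            # nothing left behind
    grep -q 'signature_type: "fingerprints"' "$override"   # signing still enforced
}

# True when NAME already appears as a hostname on a non-comment line of HOSTSFILE.
hosts_has_name() {
    [ -f "$1" ] && awk -v h="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$1"
}

# Append "IP FQDN SHORT" only once; a bare cat >> duplicates it on every run.
ensure_hosts_entry() {
    hosts="$1"; ip="$2"; fqdn="$3"; short="$4"
    hosts_has_name "$hosts" "$fqdn" && return 0
    printf '%s %s %s\n' "$ip" "$fqdn" "$short" >> "$hosts"
}

# Self-contained walk-through on a scratch directory; returns 0 on success.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/FreeBSD.conf" <<'EOF'
FreeBSD: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/quarterly",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
EOF
    switch_repo_to_latest "$d/FreeBSD.conf" "$d/repos/FreeBSD.conf" || return 1
    ensure_hosts_entry "$d/hosts" 172.27.33.200 rhidm.lab.org rhidm
    ensure_hosts_entry "$d/hosts" 172.27.33.200 rhidm.lab.org rhidm   # no-op
    ensure_hosts_entry "$d/hosts" 172.27.33.215 fbsd15.lab.org fbsd15
    [ "$(awk 'END { print NR }' "$d/hosts")" -eq 2 ]
}
```

On a real host call the functions with /etc/pkg/FreeBSD.conf, /usr/local/etc/pkg/repos/FreeBSD.conf and /etc/hosts instead of the scratch paths.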