Intro
Setup of a kerberized NFSv4 FreeBSD host with NFS users handled by FreeIPA.
The FreeBSD NFS server host will be called zfshost and the FreeIPA server ipa in this howto. The Kerberos realm and domain will be called foo.se (the realm is written in upper case, FOO.SE, in the configuration files).
Setup the NFS daemon (without Kerberos)
Enable nfs and nfsv4. At least the following is needed in /etc/rc.conf:
hostname="zfshost.foo.se"
...
ntpd_enable="YES"
...
nfs_server_enable="YES"
nfsv4_server_enable="YES"
Restrict the server to NFSv4 only
# echo "vfs.nfsd.server_min_nfsvers=4" >> /etc/sysctl.conf
# sysctl vfs.nfsd.server_min_nfsvers=4
Start the server
# /etc/rc.d/nfsd start
Setup /etc/exports with a root for the V4 exports in /export
/export/<dir> -sec=sys -network 192.168.1.0 -mask 255.255.255.0
V4: /export/ -sec=sys
Reload exports
# /etc/rc.d/mountd onereload
<dir> should now be mountable from an NFSv4 client in 192.168.1.0/24.
Setup Kerberos
Create /etc/krb5.conf (based on the example in the man page for krb5.conf):
[libdefaults]
    default_realm = FOO.SE

[domain_realm]
    .foo.se = FOO.SE
    .bar.se = FOO.SE

[realms]
    FOO.SE = {
        kdc = ipa.foo.se
        v4_name_convert = {
            rcmd = host
        }
        default_domain = foo.se
    }

[logging]
    kdc = FILE:/var/heimdal/kdc.log
    kdc = SYSLOG:INFO
    default = SYSLOG:INFO:USER
Test that you can authenticate against the KDC:
# kinit <user>
<user>@FOO.SE's Password:
Your password/account will expire at Sun Jul  5 19:57:05 2015
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: <user>@FOO.SE

  Issued                Expires               Principal
Jul  1 23:16:13 2015  Jul  2 09:16:13 2015  krbtgt/FOO.SE@FOO.SE
Start gssd
# /etc/rc.d/gssd start
Starting gssd.
Compile and Install sssd
The sssd package is built without IPA support, so we cannot simply install the package; we must build it from ports with IPA support enabled (select "SMB Install IPA and AD providers (requires Samba4)" in the port options).
Patch /usr/ports/security/sssd/Makefile so it uses the right krb5.conf file.
--- Makefile.orig 2015-07-05 00:21:05.651645000 +0200 +++ Makefile 2015-07-04 00:01:29.789868000 +0200 @@ -44,6 +44,7 @@ --with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \ --with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \ --with-unicode-lib=libunistring --with-autofs=no \ + --with-krb5-conf=/etc/krb5.conf \ --disable-cifs-idmap-plugin --disable-config-lib CFLAGS+= -fstack-protector-all PLIST_SUB= PYTHON_VER=${PYTHON_VER}
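Review bot: the added `--with-krb5-conf=/etc/krb5.conf` configure flag is not explained; the text does not say which krb5.conf path the unpatched port would use, so a reader cannot tell why the override is needed or verify it afterwards. State the default the flag overrides. Also, the header timestamps show Makefile.orig (2015-07-05) newer than the patched Makefile (2015-07-04), which suggests the two files were labelled in reverse; check that the diff was generated old-to-new so that the `+` line really is the addition.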
Build the required ports (the cyrus-sasl2-gssapi step needs a cd like the others):
# echo "WANT_OPENLDAP_SASL=yes" > /etc/make.conf
# cd /usr/ports/net/samba42
# make install
# cd /usr/ports/security/cyrus-sasl2-gssapi
# make install
# cd /usr/ports/security/sssd
# make install
# cp /usr/local/etc/sssd/sssd.conf.sample /usr/local/etc/sssd/sssd.conf
# chmod 0600 /usr/local/etc/sssd/sssd.conf
Set up the host in FreeIPA, then customize sssd.conf on zfshost (note that you need the ca.crt file of your FreeIPA server, referenced as ldap_tls_cacert below):
@@ -1,16 +1,32 @@ [sssd] config_file_version = 2 services = nss, pam +enumerate = True # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/<NAME>] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. -; domains = LDAP +domains = foo.se [nss] +override_shell = /usr/local/bin/bash +override_homedir = /usr/home/%u [pam] +[domain/foo.se] +cache_credentials = True +krb5_store_password_if_offline = True +ipa_domain = foo.se +id_provider = ipa +auth_provider = ipa +access_provider = ipa +ipa_hostname = zfshost.foo.se +chpass_provider = ipa +ipa_server = ipa.foo.se +ldap_tls_cacert = /etc/ipa/ca.crt +enumerate = True + # Example LDAP domain ; [domain/LDAP] ; id_provider = ldap
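Review bot: `enumerate = True` is added twice, once in the `[sssd]` section and again in `[domain/foo.se]`; it is a per-domain option, so keep only the one in the domain section. Also, `cache_credentials = True` together with `krb5_store_password_if_offline = True` keeps users' credential material on zfshost so that logins still work when ipa.foo.se is unreachable; for an NFS server that sits on the same network as its KDC, say whether offline logins are actually needed, since leaving both off avoids storing that material on the host.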
Set up your NFSv4 FreeBSD host in FreeIPA (add the host and provision its Kerberos keytab).
Store the generated keytab on the FreeBSD host as /etc/krb5.keytab (perm 0600).
Start and test sssd towards FreeIPA
# /usr/local/etc/rc.d/sssd onestart
Starting sssd.
Edit /etc/nsswitch.conf
...
group: files sss
...
passwd: files sss
Now you should be able to use the id <username> command to look up users stored in FreeIPA.
Make sure sssd and gssd are started at boot by adding the following to /etc/rc.conf:
gssd_enable="YES"
sssd_enable="YES"
PAM Setup
# pkg install pam_mkhomedir
Diff to /etc/pam.d/system
@@ -7,14 +7,16 @@ # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass +auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient /usr/local/lib/pam_sss.so use_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so +account required /usr/local/lib/pam_sss.so ignore_unknown_user # session #session optional pam_ssh.so want_agent @@ -22,4 +24,5 @@ # password #password sufficient pam_krb5.so no_warn try_first_pass +password sufficient /usr/local/lib/pam_sss.so use_authtok password required pam_unix.so no_warn try_first_pass
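Review bot: this diff adds `pam_sss.so` to the auth, account and password stacks of /etc/pam.d/system but no `session required /usr/local/lib/pam_mkhomedir.so` line, unlike the /etc/pam.d/ssh diff that follows, so an IPA user who logs in through a service that uses the system policy will not get a home directory created; add the same session line here or state that only SSH logins are expected.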
Diff to /etc/pam.d/ssh
@@ -7,8 +7,9 @@ # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass +auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass +auth sufficient /usr/local/lib/pam_sss.so use_first_pass auth required pam_unix.so no_warn try_first_pass # account @@ -16,11 +17,14 @@ #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so +account required /usr/local/lib/pam_sss.so ignore_unknown_user # session #session optional pam_ssh.so want_agent +session required /usr/local/lib/pam_mkhomedir.so session required pam_permit.so # password #password sufficient pam_krb5.so no_warn try_first_pass +password sufficient /usr/local/lib/pam_sss.so use_authtok password required pam_unix.so no_warn try_first_pass
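Review bot: `session required /usr/local/lib/pam_mkhomedir.so` creates the home directory sssd reports for the user (`override_homedir = /usr/home/%u` in sssd.conf) with the module's default permissions; document what mode the new directories get, or how to set it, so the reader can check that an IPA user's home is not readable by other users. Since the line is `required`, a failure to create the directory also fails the whole session, which is worth stating next to the line.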
Now you should be able to login with SSH as a user stored in FreeIPA.
Setup the NFS daemon for Kerberos
Add the nfs service for the FreeBSD NFS server in FreeIPA:
ipa$ kinit admin
ipa$ ipa service-add nfs/zfshost.foo.se
ipa$ ipa-getkeytab -s ipa.foo.se -p nfs/zfshost.foo.se -k /tmp/nfs.keytab
Now transfer /tmp/nfs.keytab to zfshost and merge it with the existing keytab:
zfshost# (echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) | /usr/local/bin/ktutil
Change /etc/exports to the following:
/export/<dir> -sec=krb5:krb5i:krb5p -network 192.168.1.0 -mask 255.255.255.0
V4: /export -sec=krb5:krb5i:krb5p
Reload the exports
zfshost# /etc/rc.d/mountd onereload
Now you should be able to mount with NFSv4 and Kerberos.
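As an added check (example code written for this howto edit, not part of the original page), the following POSIX sh script audits an exports(5) file and reports every export line that still admits the sys flavor, either explicitly with -sec=sys or implicitly by having no -sec option at all, so you can confirm that nothing is left mountable without Kerberos after switching to -sec=krb5:krb5i:krb5p. It also checks that the V4: root line is present. The exports content embedded in it is constructed for the example; run audit_exports against the real /etc/exports on zfshost to check the live file.

```shell
#!/bin/sh
# Added example, not from the original howto: audit a FreeBSD exports(5) file
# and flag every export that still allows the sys (AUTH_SYS) flavor, which a
# client could use without Kerberos. Assumes the exports(5) syntax used in the
# howto: "-sec=flavor[:flavor...]" per line and a "V4:" root line.

# Constructed sample exports content for this example (not a real host's file).
# Two lines are deliberately weak: one with -sec=sys and one with no -sec at all.
SAMPLE_EXPORTS='/export/data -sec=krb5:krb5i:krb5p -network 192.168.1.0 -mask 255.255.255.0
/export/scratch -sec=sys -network 192.168.1.0 -mask 255.255.255.0
/export/legacy -network 192.168.1.0 -mask 255.255.255.0
V4: /export -sec=krb5:krb5i:krb5p'

# sec_flavors LINE: print the colon-separated list from -sec=..., or "sys" when
# the option is absent, since exports(5) then defaults to sys.
sec_flavors() {
    _flavors=$(printf '%s\n' "$1" | sed -n 's/.*-sec=\([A-Za-z0-9:]*\).*/\1/p')
    if [ -n "$_flavors" ]; then
        printf '%s\n' "$_flavors"
    else
        printf 'sys\n'
    fi
}

# allows_sys FLAVORS: succeed if "sys" is one of the colon-separated flavors.
allows_sys() {
    case ":$1:" in
        *:sys:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_exports FILE: print "OK path flavors" or "WEAK path flavors" for every
# export line. Comments and blank lines are skipped; the V4: root line is
# reported under its path, which is the second field.
audit_exports() {
    while IFS= read -r _line; do
        case "$_line" in
            ''|'#'*) continue ;;
        esac
        _path=$(printf '%s\n' "$_line" | awk '{ p = ($1 == "V4:") ? $2 : $1; print p }')
        _fl=$(sec_flavors "$_line")
        if allows_sys "$_fl"; then
            printf 'WEAK %s %s\n' "$_path" "$_fl"
        else
            printf 'OK %s %s\n' "$_path" "$_fl"
        fi
    done < "$1"
}

# weak_export_count FILE: number of export lines that still admit sys.
weak_export_count() {
    audit_exports "$1" | awk '$1 == "WEAK" { n++ } END { print n + 0 }'
}

# has_v4_root FILE: succeed if the file declares the NFSv4 root ("V4:" line).
has_v4_root() {
    grep -q '^V4:' "$1"
}

# write_sample: put the constructed sample into a temp file and print its path.
write_sample() {
    _f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_EXPORTS" > "$_f"
    printf '%s\n' "$_f"
}

# Stand-alone run over the constructed sample; on the server, call
# "audit_exports /etc/exports" instead to check the real file.
_sample=$(write_sample)
audit_exports "$_sample"
echo "weak exports: $(weak_export_count "$_sample")"
rm -f "$_sample"
```

On the constructed sample the script reports /export/scratch and /export/legacy as WEAK; the second one is the case that is easy to miss, because an export line without any -sec option silently falls back to sys. A reload with mountd onereload after editing the file does not warn about this, so the audit is worth running before trusting that the server is Kerberos-only.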
References
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup