FreeBSD 10.0 AD Integration: SSSD with Kerberos TGT Authentication for Windows Server 2012 R2


Before starting the integration, ensure you have:

  • FreeBSD 10.0 system with root privileges
  • Windows Server 2012 R2 AD Domain Controller
  • Network connectivity between systems
  • Correct DNS configuration pointing to AD DC

First, install the required packages:

pkg install sssd krb5 pam_krb5 pam_mkhomedir

Edit /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc.example.com
        admin_server = dc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Create /usr/local/etc/sssd/sssd.conf (it must be owned by root with mode 0600, or sssd refuses to start):

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc.example.com
# ad_hostname is this FreeBSD client's own FQDN as AD knows it, never the DC's name
# (placeholder value; use the name of the host you are configuring)
ad_hostname = freebsd-client.example.com
ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_store_password_if_offline = True
cache_credentials = True
ldap_id_mapping = True
default_shell = /bin/tcsh
fallback_homedir = /home/%u

Modify /etc/nsswitch.conf:

group: files sss
passwd: files sss
# FreeBSD's nsswitch.conf(5) has no shadow database; passwd: covers it

Update the PAM configuration in /etc/pam.d/system, keeping the existing pam_unix.so lines so local accounts still work (pam_mkhomedir.so comes from the security/pam_mkhomedir port):

auth        sufficient    pam_krb5.so no_user_check
auth        sufficient    pam_sss.so
account     required      pam_sss.so
session     required      pam_mkhomedir.so
password    sufficient    pam_sss.so

Test Kerberos authentication:

kinit administrator@EXAMPLE.COM
klist

Enable SSSD in rc.conf (sysrc sssd_enable=YES), start it with service sssd start, then verify that it is working:

sssctl domain-status example.com
getent passwd administrator@example.com

If either command fails, check the following:

  • Check /var/log/sssd/*.log for errors
  • Verify time synchronization with ntpdate
  • Ensure proper DNS resolution of AD DC
  • Check firewall rules for Kerberos ports (88 TCP/UDP)

Before diving into the configuration, ensure your FreeBSD 10.0 system meets these requirements:

# Verify FreeBSD version
uname -a
# Update package database
pkg update
# Install required packages
pkg install -y krb5 sssd openldap-client cyrus-sasl-gssapi

Create /usr/local/etc/krb5.conf with your AD domain parameters:

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Set up /usr/local/etc/sssd/sssd.conf (root-owned, mode 0600) with these critical sections:

[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_kpasswd = dc1.example.com
ad_server = dc1.example.com
ad_domain = example.com
cache_credentials = true
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u

Modify these configuration files to enable SSSD integration:

# /etc/nsswitch.conf
passwd: files sss
group: files sss
# FreeBSD's nsswitch.conf(5) has no shadow database; passwd: covers it

# /etc/pam.d/system
auth sufficient pam_sss.so
account required pam_sss.so

Verify your configuration with these commands:

# Test Kerberos authentication
kinit administrator@EXAMPLE.COM
klist

# Check SSSD operation: run it in the foreground at debug level 3
# (stop the rc service first so the two instances do not collide)
sssd -d 3 -i

# Verify user lookup
getent passwd administrator@example.com

If you encounter problems, check these log files:

tail -f /var/log/sssd/*.log
grep sssd /var/log/messages
service sssd status

Common fixes include:

  • Verify time synchronization with ntpdate
  • Check DNS resolution of AD controllers
  • Validate firewall rules allowing Kerberos ports (88 TCP/UDP, 389 TCP)