Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

Hacker News · Feb 18, 2026 · Collected from RSS

Full Article

I want to make this clear in the first sentence because its biggest chance that people will read it – this article is entirely based on work done by Christian Hofstede-Kuhn (Larvitz) that wrote Integrating FreeBSD 15 with FreeIPA: Native Kerberos and LDAP Authentication recently. Credit goes to him. Besides that I like to share everything that could be useful – I also treat my blog as a place where I keep and maintain my FreeBSD documentation … and I have seen many blogs and sources of knowledge disappear from the Internet over time … and as I use free WordPress tear I am sure this blog (and knowledge) should be here long after I am gone. So as You see there are several motivations for this: – Keep and maintain personal version with more code snippets that I can copy/paste fast. – More detailed commands and outputs. – Some additional improvements that may be useful – like local console login. I just hope Christian will not be mad at me for this 🙂 … and I will directly notify him about this article. First of all – this new method is possible to work because FreeBSD switched from Heimdal Kerberos implementation to MIT Kerberos in FreeBSD 15.0-RELEASE … and I am really glad that FreeBSD finally did it. As You know I already messed with that topic several times in the past: Connect FreeBSD to FreeIPA/IDM Connect FreeBSD 13.2 to FreeIPA/IDM FreeBSD on FreeIPA/IDM with Poudriere Repo Connect FreeBSD 14.0-STABLE to FreeIPA/IDM All of these previous attempts had many downsides: You needed to (re)compile multiple custom packages from FreeBSD Ports. Sometimes it was needed to use custom code by Mariusz Zaborski (oshogbo) for example. Complex sssd(8) daemon with many deps/reqs including D-Bus or Python and more. Setup was complicated/fragile and prune to errors – especially during upgrades. This new way is using MIT Kerberos from FreeBSD 15.0-RELEASE and small lightweight nslcd(8) daemon from net/nss-pam-ldapd package. The only (non technical) downside is that it uses LGPL21/LGPL3 license … but as we connect to entire Linux domain with FreeIPA/IDM it does not matter much, does it? :)Now – we first need FreeIPA/IDM server … use instructions from older Connect FreeBSD 14.0-STABLE to FreeIPA/IDM article.Now for the new way … lets start by switching the pkg(8) repository from quarterly to latest. FreeBSD # mkdir -p /usr/local/etc/pkg/repos FreeBSD # sed s/quarterly/latest/g /etc/pkg/FreeBSD.conf > /usr/local/etc/pkg/repos/FreeBSD.conf Next we will install needed packages. FreeBSD # pkg install -y nss-pam-ldapd pam_mkhomedir sudo doas If your DNS configured at /etc/resolv.conf does not resolve FreeIPA/IDM use /etc/hosts instead. FreeBSD # cat << __EOF >> /etc/hosts 172.27.33.200 rhidm.lab.org rhidm 172.27.33.215 fbsd15.lab.org fbsd15 __EOF Add our new FreeBSD host and its IP on FreeIPA/IDM server. [root@idm ~]# kinit admin Password for admin@LAB.ORG: [root@idm ~]# ipa dnsrecord-add lab.org fbsd15 --a-rec=172.27.33.215 --a-create-reverse Record name: fbsd15 A record: 172.27.33.215 [root@idm ~]# ipa host-add fbsd15.lab.org --------------------------- Added host "fbsd15.lab.org" --------------------------- Host name: fbsd15.lab.org Principal name: host/fbsd15.lab.org@LAB.ORG Principal alias: host/fbsd15.lab.org@LAB.ORG Password: False Keytab: False Managed by: fbsd15.lab.org [root@idm ~]# ipa-getkeytab -s rhidm.lab.org -p host/fbsd15.lab.org@LAB.ORG -k /root/fbsd15.keytab Keytab successfully retrieved and stored in: /root/fbsd15.keytab [root@idm ~]# cp /root/fbsd15.keytab /usr/share/ipa/html/ [root@idm ~]# chmod 644 /usr/share/ipa/html/fbsd15.keytab On FreeBSD host copy the keytab from FreeIPA/IDM server and put it into right place with proper permissions. FreeBSD # fetch -o /etc/krb5.keytab http://rhidm.lab.org/ipa/config/fbsd15.keytab /root/fbsd15.keytab 314 B 804 kBps 00s FreeBSD # chmod 640 /etc/krb5.keytab Verify FreeBSD keytab. FreeBSD # klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/fbsd15.lab.org@LAB.ORG 1 host/fbsd15.lab.org@LAB.ORG 1 host/fbsd15.lab.org@LAB.ORG 1 host/fbsd15.lab.org@LAB.ORG The nslcd(8) daemon will need /etc/krb5.keytab keytab read access to work – to achieve that we will add sshd user to its nslcd group. FreeBSD # groups sshd sshd FreeBSD # pw usermod sshd -G nslcd FreeBSD # groups sshd sshd nslcd Prepare /etc/krb5.conf config. FreeBSD # cat << __EOF > /etc/krb5.conf [libdefaults] default_realm = LAB.ORG dns_lookup_kdc = false dns_lookup_realm = false [realms] LAB.ORG = { kdc = rhidm.lab.org admin_server = rhidm.lab.org } [domain_realm] .lab.org = LAB.ORG lab.org = LAB.ORG __EOF Create /usr/local/etc/nslcd.conf config for nslcd(8) daemon. FreeBSD # cat << __EOF > /usr/local/etc/nslcd.conf # RUN AS nslcd USER uid nslcd gid nslcd # LDAP CONNECTION DETAILS uri ldap://rhidm.lab.org base dc=lab,dc=org # USE SYSTEM KEYTAB FOR AUTH sasl_mech GSSAPI sasl_realm LAB.ORG # FORCE /bin/sh SHELL map passwd loginShell "/bin/sh" __EOF Enable and start the nslcd(8) daemon. FreeBSD # service nslcd enable nslcd enabled in /etc/rc.conf FreeBSD # service nslcd start Starting nslcd. Modify /etc/nsswitch.conf config the following way with simple sed(1) one liner. FreeBSD # sed -i '.OLD' -E \ -e 's/^group:.*/group: files ldap/g' \ -e 's/^passwd:.*/passwd: files ldap/g' \ /etc/nsswitch.conf This is what we changed. FreeBSD # diff -u /etc/nsswitch.conf.OLD /etc/nsswitch.conf --- /etc/nsswitch.conf.OLD 2026-02-18 04:54:41.487608000 +0000 +++ /etc/nsswitch.conf 2026-02-18 04:59:00.234662000 +0000 @@ -1,9 +1,9 @@ -group: compat +group: files ldap group_compat: nis hosts: files dns netgroup: compat networks: files -passwd: compat +passwd: files ldap passwd_compat: nis shells: files services: compat One can use even more compact /etc/nsswitch.conf as shown by Christian Hofstede-Kuhn (Larvitz) below. FreeBSD # cat << __EOF > /etc/nsswitch.conf group: files ldap passwd: files ldap hosts: files dns networks: files shells: files services: compat protocols: files rpc: files __EOF Now lets test how it works. FreeBSD # id vermaden uid=854800003(vermaden) gid=854800003(vermaden) groups=854800003(vermaden) Now the sshd(8) part. FreeBSD # cat << __EOF >> /etc/ssh/sshd_config # KRB5/GSSAPI AUTH GSSAPIAuthentication yes GSSAPICleanupCredentials yes GSSAPIStrictAcceptorCheck no __EOF Time to restart sshd(8) daemon. FreeBSD # service sshd restart Performing sanity check on sshd configuration. Stopping sshd. Waiting for PIDS: 1089. Performing sanity check on sshd configuration. Starting sshd. Now lets test how it works over SSH. [root@rhidm ~]# kinit vermaden Password for vermaden@LAB.ORG: [root@rhidm ~]# ssh fbsd15 -l vermaden FreeBSD 15.0-RELEASE-p2 (GENERIC) releng/15.0-n281005-5fb0f8e9e61d Welcome to FreeBSD! Release Notes, Errata: https://www.FreeBSD.org/releases/ Security Advisories: https://www.FreeBSD.org/security/ FreeBSD Handbook: https://www.FreeBSD.org/handbook/ FreeBSD FAQ: https://www.FreeBSD.org/faq/ Questions List: https://www.FreeBSD.org/lists/questions/ FreeBSD Forums: https://forums.FreeBSD.org/ Documents installed with the system are in the /usr/local/share/doc/freebsd/ directory, or can be installed later with: pkg install en-freebsd-doc For other languages, replace "en" with a language code like de or fr. Show the version of FreeBSD installed: freebsd-version ; uname -a Please include that output and any error messages when posting questions. Introduction to manual pages: man man FreeBSD directory layout: man hier To change this login announcement, see motd(5). Could not chdir to home directory /home/vermaden: No such file or directory vermaden@fbsd15:/ $ id admin uid=854800000(admin) gid=854800000(admins) groups=854800000(admins) vermaden@fbsd15:/ $ id uid=854800003(vermaden) gid=854800003(vermaden) groups=0(wheel),854800003(vermaden) Works but … the ${HOME} directory is not automatically created because we did not configured it yet. Lets use sed(1) again … and yes it has to be spread over two lines. FreeBSD # sed -i '.OLD' '/^session.*/i\ session optional pam_mkhomedir.so mode=0700' /etc/pam.d/sshd FreeBSD # ls -l /etc/pam.d/sshd* -rw-r--r-- 1 root wheel 608 Feb 18 05:18 /etc/pam.d/sshd -rw-r--r-- 1 root wheel 564 Feb 18 05:18 /etc/pam.d/sshd.OLD FreeBSD # diff -u /etc/pam.d/sshd.OLD /etc/pam.d/sshd --- /etc/pam.d/sshd.OLD 2026-02-18 05:20:50.344139000 +0000 +++ /etc/pam.d/sshd 2026-02-18 05:20:53.552277000 +0000 @@ -16,6 +16,7 @@ # session #session optional pam_ssh.so want_agent +session optional pam_mkhomedir.so mode=0700 session required pam_permit.so # password We use optional instead of required if for some reason pam_mkhomedir.so fails or is not available. For the record the entire /etc/pam.d/sshd PAM config looks like that. FreeBSD # cat /etc/pam.d/sshd # auth auth required pam_unix.so no_warn try_first_pass # account account required pam_nologin.so account required pam_login_access.so account required pam_unix.so # session session optional pam_mkhomedir.so mode=0700 session required pam_permit.so # password password required pam_unix.so no_warn try_first_pass We will now configure sudo(8) for more permissions. FreeBSD # pw groupmod wheel -m vermaden FreeBSD # cat << __EOF >> /usr/local/etc/sudoers %wheel ALL=(ALL:ALL) NOPASSWD: ALL __EOF We will also do doas(1) here as its simpler and more secure. FreeBSD # cat << __EOF > /usr/local/etc/doas.conf permit nopass keepenv root as root permit nopass keepenv :wheel as root __EOF Now lets try to login again. [root@rhidm ~]# kinit vermaden Password for vermaden@LAB.ORG: [root@rhidm ~]# ssh fbsd15 -l vermaden vermaden@fbsd15:~ $ pwd /home/vermaden vermaden@fbsd15:~ $ sudo -i root@fbsd15:~ # Better. I also ‘silenced’ the login a little by creating empty ~/.hushlogin file and by removing /usr/bin/fortune from the ~/.profile file. vermaden@fbsd15~/ $ :> ~/.hushlogin vermaden@fbsd15:~ $ sed -i '.OLD' '/fortune/d' ~/.profile … and this is the part I added – using FreeIPA/IDM user