This guide describes how to enable SSH login to a FreeBSD server with Active Directory credentials, using Samba's winbind and its PAM module (pam_winbind). It also shows how to restrict SSH access to members of one particular AD group.

  1. Update the package catalogue and installed packages (pkg update takes no -y; pkg upgrade does):
    # pkg update
    # pkg upgrade -y
  2. Edit /usr/local/etc/smb4.conf and add the following lines to the [global] stanza:
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/csh
  3. Ensure /etc/rc.conf enables the Samba service that the next step restarts (the rc variable for service samba_server):
    samba_server_enable="YES"
  4. Restart SAMBA services:
    # service samba_server restart
  5. Edit /etc/pam.d/sshd and add the three lines marked "<-- THIS ONE"; every other line is the stock FreeBSD 10 file identified by the $FreeBSD$ tag. Two details matter: OpenPAM treats a backslash as an escape character, so the DOMAIN\group name is written with a doubled backslash; and the sufficient pam_winbind line must sit above the required pam_unix line, because a sufficient module that succeeds ends the auth stack there, whereas a failure already recorded by a required module cannot be overridden afterwards.
    # $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
    #
    # PAM configuration for the "sshd" service
    #
    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=DOMAIN\\LinuxSSH   <-- THIS ONE
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            required        pam_unix.so             no_warn try_first_pass
    # account
    account         required        pam_nologin.so
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        pam_unix.so
    # session
    #session        optional        pam_ssh.so              want_agent
    session         required        /usr/local/lib/pam_winbind.so krb5_auth mkhomedir   <-- THIS ONE
    session         required        pam_permit.so
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        sufficient      /usr/local/lib/pam_winbind.so   <-- THIS ONE
    password        required        pam_unix.so             no_warn try_first_pass
  6. If you kept the require_membership_of= option on the auth line, create that group on your DC and add the users who should have SSH access; pam_winbind refuses every other AD account at the auth stage, which is the whole restriction, so do not drop the option without a reason. Wheel membership is not needed for the SSH login itself. Add an AD user to wheel only if they must su to root (or edit /etc/pam.d/su and change the group that is authorised to su). Use the bare username, since winbind use default domain = yes, and note that pw only accepts names the server can already resolve through winbind. Use -m, which adds members; -M replaces the whole member list and would drop the existing ones:
    pw groupmod wheel -m administrator
  7. You should then be able to SSH into the server and log in with an AD account, using the bare username (no DOMAIN\ prefix) because of winbind use default domain = yes. The first login creates the home directory from the template homedir set in step 2, via the mkhomedir option on the session line.
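As an added example (not part of the original guide), here is a POSIX sh script that audits an sshd PAM file for the two things that decide whether the procedure above actually restricts access: that the pam_winbind auth line carries require_membership_of=, and that it sits above the required pam_unix line. The function names and the sample files are the example's own; /etc/pam.d/sshd is only a default argument, so it can be run against a copy on any host.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an sshd PAM stack for
# the pam_winbind restriction the steps above configure. The sample files at
# the bottom are constructed here so the script also runs offline.

# Print the group named in require_membership_of= on the pam_winbind auth line.
# Returns 1 if pam_winbind is absent from the auth stack, 2 if it is present but
# unrestricted (then every AD account can log in over SSH).
winbind_ssh_group() {
    pamfile="${1:-/etc/pam.d/sshd}"
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_winbind\.so' "$pamfile" | head -n 1)
    [ -n "$line" ] || return 1
    group=$(printf '%s\n' "$line" | sed -n 's/.*require_membership_of=\([^[:space:]]*\).*/\1/p')
    [ -n "$group" ] || return 2
    # OpenPAM treats backslash as an escape, so the file holds DOMAIN\\Group;
    # collapse it to the DOMAIN\Group form winbind actually compares against.
    printf '%s\n' "$group" | sed 's/\\\\/\\/g'
}

# A sufficient module that succeeds ends the auth stack; a required module that
# fails is recorded and cannot be overridden later. pam_winbind must therefore
# precede the required pam_unix line, or AD users (who have no local password)
# are refused. Returns 0 when the order is correct.
winbind_before_unix() {
    pamfile="${1:-/etc/pam.d/sshd}"
    wb=$(grep -nE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+[^[:space:]]*pam_winbind\.so' "$pamfile" | head -n 1 | cut -d: -f1)
    ux=$(grep -nE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_unix\.so' "$pamfile" | head -n 1 | cut -d: -f1)
    [ -n "$wb" ] && [ -n "$ux" ] && [ "$wb" -lt "$ux" ]
}

# Run both checks and report. Exit status: 0 ok, 1 no pam_winbind auth line,
# 2 pam_winbind present but unrestricted, 3 wrong order relative to pam_unix.
audit_sshd_pam() {
    pamfile="${1:-/etc/pam.d/sshd}"
    group=$(winbind_ssh_group "$pamfile"); rc=$?
    case $rc in
        0) printf 'OK: AD logins over SSH limited to %s\n' "$group" ;;
        1) printf 'WARN: no pam_winbind auth line in %s\n' "$pamfile" ;;
        *) printf 'WARN: pam_winbind auth line lacks require_membership_of; any AD account may log in\n' ;;
    esac
    if [ "$rc" -ne 1 ] && ! winbind_before_unix "$pamfile"; then
        printf 'WARN: the sufficient pam_winbind line must come before the required pam_unix line\n'
        rc=3
    fi
    return "$rc"
}

# Constructed samples (same shape as the edited file in step 5). The first is
# the restricted stack; the second drops require_membership_of.
RESTRICTED=$(mktemp) && UNRESTRICTED=$(mktemp) || exit 1
trap 'rm -f "$RESTRICTED" "$UNRESTRICTED"' EXIT
cat > "$RESTRICTED" <<'EOF'
auth     sufficient  pam_opie.so        no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so  no_warn allow_local
auth     sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=DOMAIN\\LinuxSSH
auth     required    pam_unix.so        no_warn try_first_pass
account  required    pam_nologin.so
account  required    pam_login_access.so
account  required    pam_unix.so
session  required    /usr/local/lib/pam_winbind.so krb5_auth mkhomedir
session  required    pam_permit.so
password sufficient  /usr/local/lib/pam_winbind.so
password required    pam_unix.so        no_warn try_first_pass
EOF
sed 's/ require_membership_of=[^[:space:]]*//' "$RESTRICTED" > "$UNRESTRICTED"

# Demonstration against the samples; on the real server run: audit_sshd_pam /etc/pam.d/sshd
audit_sshd_pam "$RESTRICTED"
audit_sshd_pam "$UNRESTRICTED" || printf 'exit status %s\n' "$?"
```

The script only reads the file it is given, so it is safe to run as an unprivileged user against a copy taken before and after editing; a non-zero exit from audit_sshd_pam is the signal that AD users are either locked out or, worse, all let in.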
