I’ve documented a clean, native way to integrate FreeBSD 15 into a FreeIPA realm. No heavy dependencies, no Python shims, just pure Kerberos (GSSAPI) and nslcd.
We get full SSH SSO, automated home directories, and centralized sudo rules using standard BSD tools. Pure, stateless, and sane.
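As an added example (not from the original post or its author), the POSIX shell script below audits the three client-side pieces the post names: GSSAPI enabled in sshd for SSH SSO, passwd/group resolved through ldap (what nslcd serves), and a keytab that only its owner can read. The check functions take file paths as parameters; the files used at the bottom are constructed samples written to a temporary directory, not a real host's configuration.

```shell
#!/bin/sh
# Added example: audit of a FreeBSD/FreeIPA client's sshd_config, nsswitch.conf and keytab.
# All paths are parameters; the samples at the bottom are constructed, not real configs.

# Return 0 if sshd_config enables GSSAPIAuthentication (required for ticket-based SSH SSO).
check_sshd_gssapi() {
    grep -Eiq '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Return 0 if nsswitch.conf consults ldap for both passwd and group (the maps nslcd provides).
check_nsswitch() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]ldap([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]ldap([[:space:]]|$)' "$1"
}

# Return 0 if the keytab is mode 0600. It holds the host's long-term key, so a world-readable
# keytab lets any local user act as the host principal. Root ownership should be checked as
# well; it is omitted here so the sample runs as an unprivileged user.
check_keytab_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run all checks against one host's files; print a line per check, return 0 only if all pass.
audit_client() {
    rc=0
    check_sshd_gssapi "$1" && echo "sshd: GSSAPIAuthentication yes" || { echo "sshd: GSSAPI disabled"; rc=1; }
    check_nsswitch "$2" && echo "nsswitch: passwd/group via ldap" || { echo "nsswitch: ldap missing"; rc=1; }
    check_keytab_mode "$3" && echo "keytab: mode 0600" || { echo "keytab: permissions too open"; rc=1; }
    return $rc
}

# --- constructed samples (a compliant host and a misconfigured one) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

GOOD_SSHD="$SAMPLE_DIR/sshd_config.good"
printf 'GSSAPIAuthentication yes\nGSSAPICleanupCredentials yes\n' > "$GOOD_SSHD"
BAD_SSHD="$SAMPLE_DIR/sshd_config.bad"
printf '# GSSAPIAuthentication yes\nGSSAPIAuthentication no\n' > "$BAD_SSHD"

GOOD_NSS="$SAMPLE_DIR/nsswitch.conf.good"
printf 'passwd: files ldap\ngroup: files ldap\nhosts: files dns\n' > "$GOOD_NSS"
BAD_NSS="$SAMPLE_DIR/nsswitch.conf.bad"
printf 'passwd: files\ngroup: files\n' > "$BAD_NSS"

GOOD_KEYTAB="$SAMPLE_DIR/krb5.keytab.good"
: > "$GOOD_KEYTAB"; chmod 0600 "$GOOD_KEYTAB"
BAD_KEYTAB="$SAMPLE_DIR/krb5.keytab.bad"
: > "$BAD_KEYTAB"; chmod 0644 "$BAD_KEYTAB"

echo "== compliant host =="; audit_client "$GOOD_SSHD" "$GOOD_NSS" "$GOOD_KEYTAB"
echo "== misconfigured host =="; audit_client "$BAD_SSHD" "$BAD_NSS" "$BAD_KEYTAB"
```

On a real client you would point the functions at /etc/ssh/sshd_config, /etc/nsswitch.conf and /etc/krb5.keytab; the regexes deliberately ignore commented-out lines so a leftover `# GSSAPIAuthentication yes` does not count as enabled.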
-
This looks a lot more useful than what I was able to achieve with my earlier guides.
Thank you a lot for writing it and sharing it with me.
-
@vermaden I only used native FreeBSD primitives: native Kerberos, nslcd (from ports/pkg) and OpenSSH.
The only step that can't be done on BSD is the keytab generation (that needs to be done on Linux and then copied over).
It's super robust. I rolled that out on my homelab this weekend 🙂
-
Still a great improvement IMHO.
I really waited for the MIT Kerberos implementation to be placed in the FreeBSD Base System instead of the Heimdal one, and since it finally landed in 15.0 it is starting to pay off.
-
@marzlberger I highly doubt that this is practical. It might be possible (manually), but there are a lot of dependencies, manual steps and required deep levels of understanding. If you'd want a similar result on FreeBSD, just using an LDAP server and MIT Kerberos would almost guaranteed be the better approach.
-
By the way ... have you tried whether your setup works with Samba? ... or with NFSv4?
-
@Larvitz This looks correct, almost identical to how I've done it at $corp jobs, but we didn't use FreeIPA.
The only thing missing is putting the sudo rules in LDAP too.
-
@vermaden NFSv4 client with Kerberos works just fine. I just tried it and can mount shares from my kerberized NAS, and it's using the krb auth for authentication. The share mounts cleanly on BSD, uid and gid resolve cleanly, all looking fine.
Haven't tried NFS server or Samba.
-