Difference between revisions of "Systems/OS/FreeBSD"
Amishhammer (talk | contribs) (Created page with "= FreeBSD = == Bootstrapping a node == * Install base os * Update base with security updates ** freebsd-update fetch ** freebsd-update install * Reboot * Update ports tree...")
m (Robot: Cosmetic changes)
(5 intermediate revisions by 2 users not shown)
Latest revision as of 07:37, 24 December 2014
FreeBSD
Bootstrapping a node
- Install the base OS
- Update the base system with security updates
  - freebsd-update fetch
  - freebsd-update install
- Reboot
- Update the ports tree
  - portsnap fetch extract
- Install the base packages
  - cd /usr/ports/ports-mgmt/portmaster
  - make install distclean
  - rehash
  - portmaster -d shells/bash editors/vim-lite sysutils/tmux net/nss-pam-ldapd-sasl sysutils/msktutil security/cyrus-sasl2-gssapi
    - NOTE: Make sure to enable GSSAPI for openldap-sasl-client
  - rehash
- Set up /etc/krb5.conf, see Systems/Services/Kerberos
- Set up /usr/local/etc/openldap/ldap.conf, see Systems/Services/LDAP
- Install the Samba SSL root CA cert in /usr/local/etc/trusted.pem
- Join the box to the domain
  - kinit [email protected]
  - msktutil -c --server=bob
  - Install /usr/local/sbin/renew.sh (chmod +x)
  - Install /etc/periodic/hourly/100.renew (chmod +x)
  - Enable hourly periodics in /etc/crontab
    - 0 * * * * root periodic hourly
- Set up /usr/local/etc/nslcd.conf
- Enable the services: add the following lines to /etc/rc.conf
  - nscd_enable="YES"
  - nslcd_enable="YES"
  - nslcd_supervisor="YES"
- Start the services
  - service nscd start
  - service nslcd start
- Update /etc/nsswitch.conf
  - passwd: files [success=return] cache ldap
  - group: files cache ldap
- Update PAM in /etc/pam.d/sshd
  - Uncomment the auth line for the krb5 module
  - Add an ldap line for account below login_access.so: account sufficient /usr/local/lib/pam_ldap.so
- Update /etc/ssh/sshd_config, adding the following lines:
  - GSSAPIAuthentication yes
  - GSSAPICleanupCredentials yes
- Restart sshd: service sshd restart
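A pre-flight check for the join as configured in the steps above, added here as an example and not part of the wiki page. It takes an optional root directory so it can be run against a copied tree rather than the live node (an assumption for testing), and it assumes the ccache path that renew.sh writes for the nslcd user is the one named by krb5_ccname in nslcd.conf.

```shell
#!/bin/sh
# Added example: verify the files the join procedure touches. Each check
# prints ok/FAIL; verify_adjoin returns the number of failed checks.

check_line() {   # check_line FILE EXTENDED_REGEX LABEL
    if grep -Eq "$2" "$1" 2>/dev/null; then echo "ok:   $3"; return 0; fi
    echo "FAIL: $3 ($1)"; return 1
}

check_mode() {   # check_mode FILE OCTAL_MODE LABEL (POSIX find, no stat flags)
    if [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; then
        echo "ok:   $3"; return 0
    fi
    echo "FAIL: $3 ($1 is not mode $2)"; return 1
}

verify_adjoin() {   # verify_adjoin [ROOT]; ROOT="" means the live system
    root="${1:-}"; fails=0
    check_line "$root/etc/rc.conf" '^nscd_enable="YES"' "nscd enabled in rc.conf" || fails=$((fails+1))
    check_line "$root/etc/rc.conf" '^nslcd_enable="YES"' "nslcd enabled in rc.conf" || fails=$((fails+1))
    check_line "$root/etc/nsswitch.conf" '^passwd:.*ldap' "passwd lookups fall through to ldap" || fails=$((fails+1))
    check_line "$root/etc/nsswitch.conf" '^group:.*ldap' "group lookups fall through to ldap" || fails=$((fails+1))
    check_line "$root/etc/ssh/sshd_config" '^GSSAPIAuthentication yes' "sshd GSSAPIAuthentication" || fails=$((fails+1))
    check_line "$root/etc/ssh/sshd_config" '^GSSAPICleanupCredentials yes' "sshd GSSAPICleanupCredentials" || fails=$((fails+1))
    check_line "$root/etc/pam.d/sshd" '^account[[:space:]]+sufficient[[:space:]]+/usr/local/lib/pam_ldap.so' "pam_ldap account line" || fails=$((fails+1))
    check_line "$root/usr/local/etc/nslcd.conf" '^sasl_mech[[:space:]]+GSSAPI' "nslcd binds with GSSAPI" || fails=$((fails+1))
    # nslcd can only bind if the ccache it is told to use is the one renew.sh
    # actually produces for the nslcd user (assumption: same path in both files).
    cc=$(awk '$1=="krb5_ccname"{print $2}' "$root/usr/local/etc/nslcd.conf" 2>/dev/null || true)
    if [ -n "$cc" ] && grep -Fq "$cc" "$root/usr/local/sbin/renew.sh" 2>/dev/null; then
        echo "ok:   renew.sh writes $cc"
    else
        echo "FAIL: nslcd krb5_ccname is not produced by renew.sh"; fails=$((fails+1))
    fi
    # The keytab holds the machine account's long-term key: readable by root only.
    check_mode "$root/etc/krb5.keytab" 0600 "keytab mode 0600" || fails=$((fails+1))
    return $fails
}
```

Run `verify_adjoin` with no argument on the node itself, or `verify_adjoin /path/to/tree` against a copied configuration tree.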
/etc/periodic/hourly/100.renew
#!/bin/sh
# Hourly periodic hook: load the periodic framework, then run the renew script.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

/usr/local/sbin/renew.sh

exit 0
/usr/local/sbin/renew.sh
#!/bin/sh
# Obtain a fresh TGT for the machine account (HOSTNAME$) from the keytab and
# hand copies of the credential cache to root and to the nslcd user.
HOSTNAME=`/bin/hostname -s`
TMPFILE=`/usr/bin/mktemp /tmp/kinit_XXXXXX`

# install -S writes to a temporary file and renames it, so nslcd never reads
# a half-written cache. 928 is the nslcd uid on this host and the path must
# match krb5_ccname in nslcd.conf.
moveCC() {
    /usr/bin/install -S -o root -g wheel -m 0600 "$TMPFILE" /tmp/krb5cc_0
    /usr/bin/install -S -o nslcd -g nslcd -m 0600 "$TMPFILE" /tmp/krb5cc_928
    /bin/rm "$TMPFILE"
}

# Retry for up to 30 minutes (60 tries, 30 s apart) in case no DC is reachable.
for tries in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
do
    /usr/bin/kinit -c "$TMPFILE" -t /etc/krb5.keytab "${HOSTNAME}\$"
    if [ $? -eq 0 ]; then
        moveCC
        break
    fi
    sleep 30
done

# Do not leave a stale temporary cache behind if every attempt failed.
[ -f "$TMPFILE" ] && /bin/rm "$TMPFILE"
/usr/local/etc/nslcd.conf
# Run the daemon as the unprivileged nslcd user.
uid nslcd
gid nslcd

uri ldap://bob.ad.pumpingstationone.org/ ldap://dc01.ad.pumpingstationone.org/

base dc=ad,dc=pumpingstationone,dc=org

# Bind with the machine account's Kerberos ticket; the cache is the one
# renew.sh installs for the nslcd user.
sasl_mech GSSAPI
sasl_realm AD.PUMPINGSTATIONONE.ORG
krb5_ccname /tmp/krb5cc_928

filter passwd (objectClass=posixAccount)
filter group (objectClass=posixGroup)

map passwd homeDirectory unixHomeDirectory

scope sub