• chevron_right

      Keycloak Identity and Access Management on FreeBSD

      Slixfeed · Sunday, 10 March - 10:35 · 8 minutes

    Many times I wrote about FreeIPA/IDM – but I have one problem with it – its not currently possible to run FreeIPA on FreeBSD … so I searched for other open source alternatives and found Keycloak. What surprised me even more is that its even available in the FreeBSD Ports as net/keycloak port. So I wanted to check how it works/runs on FreeBSD … and this is exactly how this article happened.

    keycloak.logo

    My earlier FreeIPA/IDM attempts are below.

    First – we will create new VM for our server. I will use sysutils/vm-bhyve-devel for Bhyve but feel free to use any other hypervisor (or even w/o one). To not waste time installing I will also use provided by FreeBSD project VM-IMAGE with ZFS enabled – FreeBSD-14.0-RELEASE-amd64-zfs.raw disk0.img

    host # cat /vm/.templates/freebsd.conf
    loader="bhyveload"
    cpu=1
    memory=256M
    network0_type="virtio-net"
    network0_switch="public"
    disk0_type="nvme"
    disk0_name="disk0.img"
    
    host # vm create -t freebsd -c 2 -m 4G -s 10G keycloak
    
    host # ls -lh /vm/keycloak
    total 3402399
    -rw-------  1 root wheel   10G Mar 10 10:47 disk0.img
    -rw-r--r--  1 root wheel  209B Mar 10 07:20 keycloak.conf
    -rw-r--r--  1 root wheel   96B Mar 10 07:22 vm-bhyve.log
    
    host # cd /vm/keycloak
    
    host # rm -f disk0.img
    
    host # cp /vm/TEMPLATE/FreeBSD-14.0-RELEASE-amd64-zfs.raw disk0.img
    
    host # truncate -s 10G disk0.img
    
    host # vm start keycloak
    Starting keycloak
      * found guest in /vm/keycloak
      * booting...
    
    host # vm console keycloak
    

    Type root as user and hit [ENTER] for empty password. Now the FreeBSD setup and needed packages.

    root@freebsd:~ # :> ~/.hushlogin
    
    root@freebsd:~ # cat << EOF > /etc/rc.conf
    hostname="keycloak.lab.org"
    ifconfig_DEFAULT="inet 10.1.1.211/24"
    defaultrouter="10.1.1.1"
    growfs_enable="YES"
    zfs_enable="YES"
    sshd_enable="YES"
    postgresql_enable="YES"
    keycloak_enable="YES"
    keycloak_env="KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=password"
    EOF
    
    root@freebsd:~ # echo 10.1.1.211 keycloak.lab.org keycloak >> /etc/hosts
    
    root@freebsd:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@freebsd:~ # sed -e s/quarterly/latest/g /etc/pkg/FreeBSD.conf \
                       > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@freebsd:~ # echo nameserver 1.1.1.1 > /etc/resolv.conf
    
    root@freebsd:~ # drill freebsd.org | grep '^[^;]'
    freebsd.org.        799     IN      A       96.47.72.84
    
    root@freebsd:~ # service netif restart
    
    root@freebsd:~ # service routing restart
    
    root@freebsd:~ # service hostname restart
    Setting hostname: keycloak.lab.org.
    
    root@keycloak:~ # passwd
    Changing local password for root
    New Password:
    Retype New Password:
    
    root@keycloak:~ # cat << EOF >> /etc/ssh/sshd_config
    PermitRootLogin yes
    UseDNS no
    EOF
    
    root@keycloak:~ # service sshd enable
    
    root@keycloak:~ # service sshd start
    
    root@keycloak:~ # exit
    

    Now switch to ssh(1) for better experience – needed to paste larger blocks of configs/text.

    host % ssh root@10.1.1.211
    
    root@keycloak:~ # pkg install -y keycloak postgresql16-server postgresql16-client
    
    root@keycloak:~ # service postgresql enable
    
    root@keycloak:~ # service postgresql initdb
    
    root@keycloak:~ # service postgresql start
    
    root@keycloak:~ # sockstat -l4
    USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    postgres postgres    2265 7   tcp4   127.0.0.1:5432        *:*
    root     syslogd      656 7   udp4   *:514                 *:*
    
    root@keycloak:~ # su - postgres -c psql
    psql (16.2)
    Type "help" for help.
    
    postgres=# ALTER USER postgres WITH PASSWORD 'password';
    
    postgres=# CREATE DATABASE keycloak with encoding 'UTF8';
    CREATE DATABASE
    
    postgres=# GRANT ALL ON DATABASE keycloak TO postgres;
    GRANT
    
    postgres=# \q
    
    root@keycloak:~ # cd /usr/local/share/java/keycloak/conf
    
    root@keycloak:~ # openssl req -x509 -newkey rsa:2048 -keyout server.key.pem -out server.crt.pem -days 36500 -nodes -subj "/C=PL/ST=lodzkie/L=Lodz/O=Vermaden/OU=HR/CN=keycloak.lab.org"
    
    root@keycloak:~ # chmod 600 server.crt.pem server.key.pem
    
    root@keycloak:~ # chown keycloak:keycloak server.crt.pem server.key.pem
    
    root@keycloak:~ # cat << EOF > /usr/local/share/java/keycloak/conf/keycloak.conf               
    db=postgres
    db-username=postgres
    db-password=password
    db-url=jdbc:postgresql://localhost:5432/keycloak
    hostname-strict-https=true
    hostname-url=https://keycloak.lab.org:8443/
    hostname-admin-url=https://keycloak.lab.org:8443/
    https-certificate-file=/usr/local/share/java/keycloak/conf/server.crt.pem
    https-certificate-key-file=/usr/local/share/java/keycloak/conf/server.key.pem
    proxy=edge
    EOF
    
    root@keycloak:~ # echo quarkus.transaction-manager.enable-recovery=true \
                        > /usr/local/share/java/keycloak/conf/quarkus.properties
    
    root@keycloak:~ # chown keycloak:keycloak /usr/local/share/java/keycloak/conf/quarkus.properties
    
    root@keycloak:~ # service keycloak enable
    
    root@keycloak:~ # service keycloak build
    The following run time non-cli properties were found, but will be ignored during build time: kc.db-url, kc.db-username, kc.db-password, kc.hostname-url, kc.hostname-admin-url, kc.hostname-strict-https, kc.https-certificate-file, kc.https-certificate-key-file, kc.proxy
    Updating the configuration and installing your custom providers, if any. Please wait.
    2024-03-10 09:01:17,701 INFO  [io.quarkus.deployment.QuarkusAugmentor] (main) Quarkus augmentation completed in 29796ms
    Server configuration updated and persisted. Run the following command to review the configuration:
    
            kc.sh show-config
    
    root@keycloak:~ # /usr/local/share/java/keycloak/bin/kc.sh show-config
    Current Mode: production
    Current Configuration:
            kc.config.built =  true (SysPropConfigSource)
            kc.db =  postgres (PropertiesConfigSource)
            kc.db-password =  ******* (PropertiesConfigSource)
            kc.db-url =  jdbc:postgresql://localhost:5432/keycloak (PropertiesConfigSource)
            kc.db-username =  postgres (PropertiesConfigSource)
            kc.hostname-admin-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.hostname-strict-https =  true (PropertiesConfigSource)
            kc.hostname-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.https-certificate-file =  /usr/local/share/java/keycloak/conf/server.crt.pem (PropertiesConfigSource)
            kc.https-certificate-key-file =  /usr/local/share/java/keycloak/conf/server.key.pem (PropertiesConfigSource)
            kc.log-console-output =  default (PropertiesConfigSource)
            kc.log-file =  ${kc.home.dir:default}${file.separator}data${file.separator}log${file.separator}keycloak.log (PropertiesConfigSource)
            kc.optimized =  true (PersistedConfigSource)
            kc.proxy =  edge (PropertiesConfigSource)
            kc.spi-hostname-default-admin-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.spi-hostname-default-hostname-url =  https://keycloak.lab.org:8443/ (PropertiesConfigSource)
            kc.spi-hostname-default-strict-https =  true (PropertiesConfigSource)
            kc.version =  23.0.6 (SysPropConfigSource)
    
    

    We now have needed packages installed. Self signed certificate for HTTPS generated. PostgreSQL database and Keycloak configured. We will need small patch to enable passing env(1) variables at the Keycloak daemon start. It will allow to use keycloak_env at the /etc/rc.conf main FreeBSD config file. This is needed to configure the initial admin user as sated in the Keycloak documentation.

    keycloak-0-initial-admin-user

    Now back to the patch.

    root@keycloak:~ # cat /root/keycloak.patch
    --- /root/keycloak      2024-03-08 11:46:21.847315000 +0000
    +++ /usr/local/etc/rc.d/keycloak        2024-03-08 11:47:22.027102000 +0000
    @@ -28,6 +28,7 @@
     : ${keycloak_enable:=NO}
     : ${keycloak_user:=keycloak}
     : ${keycloak_group:=keycloak}
    +: ${keycloak_env:=""}
     : ${keycloak_flags="start"}
     : ${keycloak_java_home="/usr/local/openjdk17"}
     
    @@ -54,6 +55,7 @@
     
            echo "Starting keycloak."
             ${command} ${command_args} \
    +                env ${keycloak_env} \
                     /usr/local/share/java/keycloak/bin/kc.sh \
                     ${keycloak_flags}
     }
    
    root@keycloak:~ # cd /usr/local/etc/rc.d
    
    root@keycloak:/usr/local/etc/rc.d # patch < /root/keycloak.patch
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |--- /root/keycloak      2024-03-08 11:46:21.847315000 +0000
    |+++ /usr/local/etc/rc.d/keycloak        2024-03-08 11:47:22.027102000 +0000
    --------------------------
    Patching file keycloak using Plan A...
    Hunk #1 succeeded at 28.
    Hunk #2 succeeded at 55 with fuzz 2.
    Hmm...  Ignoring the trailing garbage.
    done
    
    

    Now we will start Keycloak. Its possible to track its startup process in the /var/log/keycloak/keycloak.out file. Below You will find last 4 lines that you want to see – with Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 19.251s. message 🙂

    root@keycloak:~ # service keycloak start
    
    root@keycloak:~ # tail -f /var/log/keycloak/keycloak.out
    (...)
    2024-03-10 09:12:15,550 INFO  [io.quarkus] (main) Keycloak 23.0.6 on JVM (powered by Quarkus 3.2.10.Final) started in 19.251s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
    2024-03-10 09:12:15,551 INFO  [io.quarkus] (main) Profile prod activated. 
    2024-03-10 09:12:15,552 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, jdbc-mariadb, jdbc-mssql, jdbc-mysql, jdbc-oracle, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
    2024-03-10 09:12:16,303 INFO  [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
    [CTRL]-[C]
    
    root@keycloak:~ # top -ab -o res 10
    last pid:  3067;  load averages:  0.50,  0.47,  0.42  up 0+02:56:35    09:19:04
    18 processes:  1 running, 17 sleeping
    CPU:  1.4% user,  0.0% nice,  0.4% system,  0.2% interrupt, 98.0% idle
    Mem: 299M Active, 176M Inact, 3247M Wired, 264K Buf, 202M Free
    ARC: 2965M Total, 902M MFU, 1982M MRU, 4096B Anon, 12M Header, 50M Other
         2766M Compressed, 2934M Uncompressed, 1.06:1 Ratio
    Swap: 1024M Total, 1024M Free
    
      PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
     2981 keycloak     41  68    0  1425M   299M uwait    1   0:37   0.00% /usr/local/openjdk17/bin/java -Dkc.config.built=true -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8 -Dsun.err.encoding=UTF-8 -Dstdout.encoding=UTF-8 -Dstderr.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/urandom -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:FlightRecorderOptions=stackdepth=512 --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED -Dkc.home.dir=/usr/local/share/java/keycloak/bin/.. -Djboss.server.config.dir=/usr/local/share/java/keycloak/bin/../conf -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dquarkus-log-max-startup-records=10000 -cp /usr/local/share/java/keycloak/bin/../lib/quarkus-run.jar io.quarkus.bootstrap.runner.QuarkusEntryPoint start
     3063 postgres      1  24    0   181M    49M kqread   1   0:00   0.00% postgres: postgres keycloak 127.0.0.1(21936) idle (postgres)
     2266 postgres      1  20    0   178M    48M kqread   1   0:00   0.00% postgres: checkpointer  (postgres)
     3062 postgres      1  20    0   181M    47M kqread   1   0:00   0.00% postgres: postgres keycloak 127.0.0.1(22820) idle (postgres)
     2270 postgres      1  20    0   179M    31M kqread   0   0:00   0.00% postgres: autovacuum launcher  (postgres)
     2271 postgres      1  20    0   179M    31M kqread   0   0:00   0.00% postgres: logical replication launcher  (postgres)
     2269 postgres      1  20    0   178M    31M kqread   0   0:00   0.00% postgres: walwriter  (postgres)
     2267 postgres      1  20    0   178M    31M kqread   0   0:00   0.00% postgres: background writer  (postgres)
     2265 postgres      1  20    0   178M    30M kqread   0   0:00   0.00% /usr/local/bin/postgres -D /var/db/postgres/data16
     2420 root          1  20    0    22M    11M select   1   0:01   0.00% sshd: root@pts/0 (sshd)
    
    

    Add also on the host system the IP information to the /etc/hosts file and check https://keycloak.lab.org:8443 in your browser.

    host # echo 10.1.1.211 keycloak.lab.org keycloak >> /etc/hosts
    
    host % firefox 'https://keycloak.lab.org:8443'
    

    As we use self signed certificate You will be warned by potential security risk. Hit ‘Advanced’ and then ‘Accept the Risk and Continue’ buttons.

    keycloak-1-self-cert

    Next click the Administration Console link.

    keycloak-2-main-page

    Login with admin and password (or your password if You used other one).

    keycloak-3-admin-login

    … and You can now create your new realm, add users, create groups etc. You have fully working Keycloak in production mode.

    keycloak-4-admin-console

    Now … like with FreeIPA/IDM – it would be nice to attach FreeBSD to it so one could login to FreeBSD system with Keycloak user … not so fast unfortunately. To make such things be possible You need a PAM module for Keycloak … and I was not able to find one that will work on FreeBSD … and the Keycloak package also comes without one.

    root@keycloak:~ # pkg info -l keycloak | grep -i pam
    root@keycloak:~ # 
    

    After grepping the Internet I found two solutions … but only for Linux.

    One of them was a step by step Keycloak PAM Module Development Tutorial guide which showed you how to write such PAM module.

    pam-dev

    The other one was Keycloak SSH PAM project on GitHub which provided more or less ready solution for Linux systems.

    pam-kc

    So while with FreeIPA/IDM we had server on Linux that allowed to connect FreeBSD systems to it – we now hat Keycloak server hosted on FreeBSD that allows connecting Linux systems 🙂

    Not much of an improvement – but maybe someone will find that guide useful.

    EOF
    • chevron_right

      Connect FreeBSD 14.0-STABLE to FreeIPA/IDM

      Slixfeed · Wednesday, 6 March - 15:42 · 21 minutes

    In the open source world everything lives/evolves/changes. This is why the new version of connecting latest FreeBSD 14.0-STABLE system to the FreeIPA/IDM is needed. One of the things that changed is that security/sssd is now deprecated and security/sssd2 is its successor. Also new version of ports-mgmt/poudriere-devel is available – with needed fixes already merged – and also with new restyled web interface.

    FreeIPA-logo

    I already messed with that topic several times in the past:

    This article will try to address and contain all steps needed – including setting up the FreeIPA/IDM server and including the Poudriere setup. Below You will find Table of Contents for this article. All of these systems will be Bhyve virtual machines.

    • FreeIPA/IDM Server – Installation
    • FreeIPA/IDM Server – Configuration
    • Poudriere Server – Setup
    • Poudriere Server – Build FreeIPA/IDM Client Packages
    • Poudriere Server – Update Repo/Packages
    • FreeBSD 14.0-STABLE Client – Setup
    • FreeBSD 14.0-STABLE Client – Debug Commands
    • Summary

    The FreeBSD project recently started to provide ZFS based VM images … but unfortunately only for 14.0-RELEASE and they are not created for 14.0-STABLE or 15-CURRENT versions – so we will use the UFS based ones for both Poudriere server and FreeBSD FreeIPA/IDM client. For the record – https://download.freebsd.org/snapshots/VM-IMAGES/14.0-STABLE/amd64/Latest/ – they are available here.

    Some note about commands run in this article – different colors for various hosts.

    host # top -ba -o res 3                                  // executed on the host system
    [root@idm ~]# yum update -y                              // executed on IDM server
    root@freebsd:~ # geom disk list                          // executed on Poudriere server
    root@poudriere-devel-14-stable:~ # poudriere ports -l    // executed on Poudriere server
    root@idm-client:~ # hostname idm-client.lab.org          // executed on IDM client (FreeBSD)
      important information                                  // marked as GREEN color

    For the FreeIPA/IDM server I have used Alma Linux RHEL clone – but we know that Rocky Linux or Oracle Linux would also work well. We will use three systems in this article.

    FreeIPA/IDM server – with idm.lab.org hostname.

          OS: Alma Linux
          IP: 10.0.0.200/24
          GW: 10.0.0.1
      domain: lab.org
       realm: LAB.ORG
    hostname: idm.lab.org
    

    Poudriere builder system – with poudriere-devel-14-stable.lab.org hostname.

          OS: FreeBSD 14.0-STABLE
          IP: 10.0.0.124/24
          GW: 10.0.0.1
         DNS: 1.1.1.1
      domain: -
       realm: -
    hostname: poudriere-devel-14-stable.lab.org
    

    FreeBSD client for FreeIPA/IDM system – with idm-client.lab.org hostname.

          OS: FreeBSD 14.0-STABLE
          IP: 10.0.0.233/24
          GW: 10.0.0.1
         DNS: 10.0.0.200
      domain: lab.org
       realm: LAB.ORG
    hostname: idm-client.lab.org
    

    I really like the FreeBSD Bhyve memory ballooning – which means the guest VMs only take as much RAM as guest OS allocated and not 12 GB RAM as is configured.

    host # vm list | grep -e STATE -e Running
    NAME                       DATASTORE  LOADER     CPU  MEMORY  VNC           AUTO     STATE
    idm                        default    uefi       2    4g      0.0.0.0:5900  No       Running (25284)
    idm-client-14-stable       default    bhyveload  2    1g      -             No       Running (29517)
    poudriere-devel-14-stable  default    bhyveload  8    12g     -             Yes [1]  Running (23419)
    
    host # top -ba -o res 3
    last pid:  1290;  load averages:  0.09,  0.09,  0.08  up 0+00:47:08    07:05:20
    32 processes:  1 running, 31 sleeping
    CPU:  0.0% user,  0.0% nice,  0.6% system,  0.0% interrupt, 99.4% idle
    Mem: 2983M Active, 463M Inact, 1060M Wired, 56K Buf, 27G Free
    ARC: 619M Total, 115M MFU, 497M MRU, 32K Anon, 2346K Header, 4231K Other
         551M Compressed, 1080M Uncompressed, 1.96:1 Ratio
    Swap: 4096M Total, 4096M Free
    
      PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
    25284 root         13  20    0  4159M  1168M kqread  13   3:12   1.27% bhyve: idm (bhyve)
    23419 root         19  20    0    12G   109M kqread  15   0:27   0.00% bhyve: poudriere-devel-14-stable (bhyve)
    29517 root         13  20    0  1075M    77M kqread   5   0:20   0.00% bhyve: idm-client-14-stable (bhyve)
    
    

    As you can see I am using sysutils/vm-bhyve-devel for the Bhyve management – but You may as well use bare /usr/share/examples/bhyve/vmrun.sh instead … or even entirely different hypervisor like KVM on Linux or VirtualBox on Windows – it does not matter as long as machines have access to the Internet and they see each other in the same LAN network.

    FreeIPA/IDM Server – Installation

    I installed the Alma Linux some time ago – so the screenshot shows older 8.7 version.

    LAB.IDM.Server.ROOT

    After reboot its network is configured as shown below.

    [root@idm ~]# cat /etc/sysconfig/network-scripts/ifcfg-enp0s3
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=none
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=eui64
    NAME=enp0s3
    UUID=120efe1f-3cb6-40cf-8aad-b17066c08543
    DEVICE=enp0s3
    ONBOOT=yes
    IPADDR=10.0.0.200
    PREFIX=24
    GATEWAY=10.0.0.1
    DNS1=1.1.1.1
    IPV6_DISABLED=yes
    

    Some more basic setup commands below.

    
    [root@idm ~]# echo 10.0.0.200 idm.lab.org idm >> /etc/hosts
    
    [root@idm ~]# cat << EOF >> /etc/sysctl.conf
    # DISABLE IPv6 FOR MAIN enp0s3 INTERFACE
    net.ipv6.conf.enp0s3.disable_ipv6=1
    EOF
    
    [root@idm ~]# hostnamectl set-hostname idm.lab.org
    
    [root@idm ~]# timedatectl set-timezone Europe/Warsaw
    
    [root@idm ~]# timedatectl set-local-rtc 0
    
    [root@idm ~]# yum update -y
    
    [root@idm ~]# reboot
    

    Continuation after reboot.

    [root@idm ~]# yum module enable idm:DL1 -y
    
    [root@idm ~]# yum distro-sync -y
    
    [root@idm ~]# yum install -y bind-utils chrony nc
    
    [root@idm ~]# ipa-server-install                        \
                        --domain lab.org                    \
                        --realm LAB.ORG                     \
                        --reverse-zone=0.0.10.in-addr.arpa. \
                        --allow-zone-overlap                \
                        --no-forwarders                     \
                        --ntp-pool pool.ntp.org             \
                        --setup-dns                         \
                        --ds-password    password           \
                        --admin-password password           \
                        --unattended
    
    [root@idm ~]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    ipa: INFO: The ipactl command was successful
    
    [root@idm ~]# systemctl list-unit-files | grep ipa | grep service
    ipa-ccache-sweep.service                   static   
    ipa-custodia.service                       disabled 
    ipa-dnskeysyncd.service                    disabled 
    ipa-healthcheck.service                    disabled 
    ipa-ods-exporter.service                   disabled 
    ipa-otpd@.service                          static   
    ipa.service                                enabled
    
    [root@idm ~]# systemctl enable --now httpd
    
    [root@idm ~]# systemctl list-unit-files | grep httpd.service
    httpd.service                              enabled  
    
    [root@idm ~]# systemctl disable firewalld
    
    [root@idm ~]# systemctl stop    firewalld
    
    [root@idm ~]# cat /etc/sssd/sssd.conf
    [domain/lab.org]
      ipa_server_mode                = True
      ipa_server                     = idm.lab.org
      ipa_hostname                   = idm.lab.org
      ipa_domain                     = lab.org
      id_provider                    = ipa
      auth_provider                  = ipa
      chpass_provider                = ipa
      access_provider                = ipa
      cache_credentials              = True
      ldap_tls_cacert                = /etc/ipa/ca.crt
      krb5_store_password_if_offline = True
    
    [sssd]
      services = nss, pam, ifp, ssh, sudo
      domains  = lab.org
    
    [nss]
      homedir_substring = /home
      memcache_timeout  = 600
    
    [pam]
    
    [sudo]
    
    [autofs]
    
    [ssh]
    
    [pac]
    
    [ifp]
      allowed_uids = ipaapi, root
    
    [session_recording]
    

    If you would like to see what a successful ipa-server-install(8) looks like – you can take a look HERE.

    We have our FreeIPA/IDM server installed.

    You will need to add 10.0.0.200 as idm.lab.org to your /etc/hosts on the system where you will be using the browser (or to your local DNS).

    host # grep idm /etc/hosts
    10.0.0.200  idm.lab.org  idm
    

    You can login to it typing https://10.0.0.200 at your local browser – you will be redirected to https://idm.lab.org/ipa/ui/ immediately and you will see the login page as shown below.

    FreeIPA-login-1

    You may login with admin username and the password you specified for the ipa-server-install(8) command (or password if you just copy pasted that command 🙂

    FreeIPA/IDM Server – Configuration

    … and after logging in I created a regular vermaden user as shown below.

    FreeIPA-login-2

    Keep in mind to reset your password by connecting to FreeIPA/IDM server.

    host # ssh -l vermaden 10.0.0.200
    (vermaden@10.0.0.200) Password:
    (vermaden@10.0.0.200) Password expired. Change your password now.
    Current Password:
    (vermaden@10.0.0.200) New password:
    (vermaden@10.0.0.200) Retype new password:
    Last failed login: Wed Oct 19 00:47:57 CEST 2022 from 10.0.0.33 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    
    [vermaden@idm /]$ w
     12:58:50 up  6:39,  1 user,  load average: 0.02, 0.05, 0.00
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    vermaden pts/0    10.0.0.4         12:58    1.00s  0.04s  0.01s w
    

    The more important configuration is in HBAC and Sudo rules.

    Here are HBAC related settings.

    idm-1-hbac-rules-menu

    idm-2-hbac-rules-menu

    idm-3-hbac-rules-freebsd-details

    … and the Sudo part.

    idm-4-sudo-rules-menu

    idm-5-sudo-rules-freebsd

    idm-6-sudo-rules-freebsd-details

    Poudriere Server – Setup

    One note for the FreeBSD setups below – please use /bin/sh shell (default for root since 14.0-RELEASE) for the commands … or zsh(1) for example … or other POSIX compatible shell. Some of these commands may not work properly on ‘C’ based shells or in fish(1) shell.

    This is the template I used for Bhyve VMs.

    host # cat /vm/.templates/freebsd.conf 
    loader="bhyveload"
    cpu=1
    memory=256M
    network0_type="virtio-net"
    network0_switch="public"
    disk0_type="nvme"
    disk0_name="disk0.img"
    

    We will now create poudriere-devel-14-stable VM for Poudriere server.

    host # vm create -t freebsd -s 20g -m 12g -c 8 poudriere-devel-14-stable
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    20      /vm/poudriere-devel-14-stable/disk0.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    Now we will replace disk0.img with Latest FreeBSD 14.0-STABLE snapshot.

    host # fetch -o - 'https://download.freebsd.org/snapshots/VM-IMAGES/14.0-STABLE/amd64/Latest/FreeBSD-14.0-STABLE-amd64.raw.xz' \
             | xz -d > /vm/poudriere-devel-14-stable/disk0.img
    
    host # file -b /vm/poudriere-devel-14-stable/disk0.img 
    DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 12649684 sectors
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    7       /vm/poudriere-devel-14-stable/disk0.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    We now need to add additional disk1.img disk to for ZFS pool.

    host # truncate -s 10G /vm/poudriere-devel-14-stable/disk0.img
    
    host # vm add -d disk -t file -s 100g poudriere-devel-14-stable
    
    host # vm info poudriere-devel-14-stable | grep -A 16 virtual-disk
      virtual-disk
        number: 0
        device-type: file
        emulation: nvme
        options: -
        system-path: /vm/poudriere-devel-14-stable/disk0.img
        bytes-size: 10737418240 (10.000G)
        bytes-used: 1720046592 (1.601G)
    
      virtual-disk
        number: 1
        device-type: file
        emulation: nvme
        options: -
        system-path: /vm/poudriere-devel-14-stable/disk1.img
        bytes-size: 107374182400 (100.000G)
        bytes-used: 1024 (1.000K)
    
    host # du -sgA /vm/poudriere-devel-14-stable/*
    10      /vm/poudriere-devel-14-stable/disk0.img
    100     /vm/poudriere-devel-14-stable/disk1.img
    1       /vm/poudriere-devel-14-stable/poudriere-devel-14-stable.conf
    1       /vm/poudriere-devel-14-stable/vm-bhyve.log
    

    Now internally inside VM.

    host # vm start poudriere-devel-14-stable                              
    Starting poudriere-devel-14-stable
      * found guest in /vm/poudriere-devel-14-stable
      * booting...
    
    host # vm console poudriere-devel-14-stable
    (...)
    Starting devd.
    Starting dhclient.
    DHCPDISCOVER on vtnet0 to 255.255.255.255 port 67 interval 4
    DHCPOFFER from 10.0.0.1
    DHCPREQUEST on vtnet0 to 255.255.255.255 port 67
    DHCPACK from 10.0.0.1
    bound to 10.0.0.23 -- renewal in 43200 seconds.
    add host 127.0.0.1: gateway lo0 fib 0: route already in table
    add host ::1: gateway lo0 fib 0: route already in table
    add net fe80::: gateway ::1
    add net ff02::: gateway ::1
    add net ::ffff:0.0.0.0: gateway ::1
    add net ::0.0.0.0: gateway ::1
    Updating motd:.
    Updating /var/run/os-release done.
    Clearing /tmp (X related).
    Creating and/or trimming log files.
    Starting syslogd.
    Mounting late filesystems:.
    Starting cron.
    Starting background file system checks in 60 seconds.
    
    Wed Mar  6 08:23:03 UTC 2024
    
    FreeBSD/amd64 (freebsd) (ttyu0)
    
    login: 
    
    
    

    Use the root user with ’empty’ password – just hit [ENTER] key on password prompt.

    root@freebsd:~ # :> ~/.hushlogin
    
    root@freebsd:~ # passwd root
    Changing local password for root
    New Password:
    Retype New Password:
    
    root@freebsd:~ # geom disk list
    Geom name: nda0
    Providers:
    1. Name: nda0
       Mediasize: 10737418240 (10G)
       Sectorsize: 512
       Mode: r3w3e8
       descr: bhyve-NVMe
       lunid: 589cfc2012350001
       ident: NVME-4-0
       rotationrate: 0
       fwsectors: 0
       fwheads: 0
    
    Geom name: nda1
    Providers:
    1. Name: nda1
       Mediasize: 107374182400 (100G)
       Sectorsize: 512
       Mode: r0w0e0
       descr: bhyve-NVMe
       lunid: 589cfc20d2f40001
       ident: NVME-4-1
       rotationrate: 0
       fwsectors: 0
       fwheads: 0
    
    root@freebsd:~ # zpool create zroot nda1
    ZFS filesystem version: 5
    ZFS storage pool version: features support (5000)
    
    root@freebsd:~ # zfs set mountpoint=none zroot
    
    root@freebsd:~ # zfs list
    NAME    USED  AVAIL  REFER  MOUNTPOINT
    zroot   100K  96.4G    24K  none
    

    Now some basic configuration.

    root@freebsd:~ # cat /etc/rc.conf
    hostname="poudriere-devel-14-stable.lab.org"
    ifconfig_DEFAULT="inet 10.0.0.124/24 up"
    defaultrouter="10.0.0.1"
    zfs_enable="YES"
    sshd_enable="YES"
    nginx_enable="YES"
    
    root@freebsd:~ # cat /etc/hosts
    ::1         localhost  localhost.my.domain
    127.0.0.1   localhost  localhost.my.domain
    10.0.0.124  poudriere-devel-14-stable.lab.org  poudriere-devel-14-stable
    
    root@freebsd:~ # service sshd start
    
    root@freebsd:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@freebsd:~ # sed -e s/quarterly/latest/g /etc/pkg/FreeBSD.conf \
                       > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@freebsd:~ # pkg install -y    \
                       beadm           \
                       lsblk           \
                       poudriere-devel \
                       nginx           \
                       git-lite        \
                       ccache4         \
                       tree
    
    root@freebsd:~ # reboot
    

    Fortunately we do not need to patch ports-mgmt/poudriere-devel anymore as the -u flag for sort(1) is already there.

    root@poudriere-devel-14-stable:~ # grep remote_all_ /usr/local/share/poudriere/common.sh | grep sort
                "${remote_all_options}" | sort -k1.2 -u | paste -s -d ' ' -)
                "${remote_all_dept}" | sort -u | paste -s -d ' ' -)
    

    We will now setup actual Poudriere server.

    root@poudriere-devel-14-stable:~ # export SSL=/usr/local/etc/ssl
    
    root@poudriere-devel-14-stable:~ # mkdir -p \
                                         /usr/ports/distfiles \
                                         ${SSL}/keys \
                                         ${SSL}/certs
    
    root@poudriere-devel-14-stable:~ # chmod 0600 ${SSL}/keys
    
    root@poudriere-devel-14-stable:~ # openssl genrsa -out ${SSL}/keys/poudriere.key 4096
    
    root@poudriere-devel-14-stable:~ # openssl rsa \
                                         -in  ${SSL}/keys/poudriere.key -pubout \
                                         -out ${SSL}/certs/poudriere.cert
    
    root@poudriere-devel-14-stable:~ # zfs create -p -o mountpoint=/var/ccache zroot/var/ccache
    
    root@poudriere-devel-14-stable:~ # zfs list
    NAME               USED  AVAIL  REFER  MOUNTPOINT
    zroot              213K  96.4G    24K  none
    zroot/var           48K  96.4G    24K  none
    zroot/var/ccache    24K  96.4G    24K  /var/ccache
    
    root@poudriere-devel-14-stable:~ # export IP=10.0.0.124
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.conf
    ZPOOL=zroot
    BASEFS=/usr/local/poudriere
    ZROOTFS=/usr/local/poudriere
    FREEBSD_HOST=ftp://ftp.freebsd.org
    POUDRIERE_DATA=/usr/local/poudriere/data
    CHECK_CHANGED_OPTIONS=verbose
    CHECK_CHANGED_DEPS=yes
    PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/poudriere.key
    URL_BASE=http://${IP}/
    USE_TMPFS=no
    TMPFS_LIMIT=12
    MAX_MEMORY=12
    PARALLEL_JOBS=8
    PREPARE_PARALLEL_JOBS=8
    MAX_FILES=4096
    DISTFILES_CACHE=/usr/ports/distfiles
    KEEP_OLD_PACKAGES=yes
    KEEP_OLD_PACKAGES_COUNT=3
    CHECK_CHANGED_OPTIONS=verbose
    CHECK_CHANGED_DEPS=yes
    CCACHE_DIR=/var/ccache
    RESTRICT_NETWORKING=no
    EOF
    
    root@poudriere-devel-14-stable:~ # mkdir -p /usr/local/poudriere/data/logs/bulk
    
    root@poudriere-devel-14-stable:~ # ln -s \
                                         /usr/local/etc/ssl/certs/poudriere.cert \
                                         /usr/local/poudriere/data/logs/bulk/poudriere.cert
    
    root@poudriere-devel-14-stable:~ # service nginx enable
    
    root@poudriere-devel-14-stable:~ # sed -i '' -E 's|text/plain[\t\ ]*txt|text/plain txt log|g' /usr/local/etc/nginx/mime.types
    
    root@poudriere-devel-14-stable:~ # export IP=10.0.0.124
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/nginx/nginx.conf
    events {
      worker_connections 1024;
    }
    
    http {
      include      mime.types;
      default_type application/octet-stream;
    
      server {
        listen 80 default;
        server_name ${IP};
        root /usr/local/share/poudriere/html;
    
        location /data {
          alias /usr/local/poudriere/data/logs/bulk;
          autoindex on;
        }
    
        location /packages {
          root /usr/local/poudriere/data;
          autoindex on;
        }
      }
    }
    EOF
    
    root@poudriere-devel-14-stable:~ # service nginx restart
    
    root@poudriere-devel-14-stable:~ # mkdir -p /root/.cache/ccache                                  
    
    root@poudriere-devel-14-stable:~ # ln -sf /var/ccache /root/.cache/ccache
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.d/make.conf
    ALLOW_UNSUPPORTED_SYSTEM=yes
    DISABLE_LICENSES=yes
    EOF
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /var/ccache/ccache.conf
    max_size = 0
    cache_dir = /var/ccache
    base_dir = /var/ccache
    hash_dir = false
    EOF
    
    root@poudriere-devel-14-stable:~ # poudriere jail -c -j 14-0-S-amd64 -v 14.0-STABLE
    (...)
    [00:20:45] Jail 14-0-S-amd64 14.0-STABLE amd64 is ready to be used
    
    root@poudriere-devel-14-stable:~ # poudriere jail -l
    JAILNAME     VERSION     ARCH  METHOD TIMESTAMP           PATH
    14-0-S-amd64 14.0-STABLE amd64 http   2024-03-06 09:44:27 /usr/local/poudriere/jails/14-0-S-amd64
    
    root@poudriere-devel-14-stable:~ # poudriere ports -c -p idm
    [00:00:00] Creating idm fs at /usr/local/poudriere/ports/idm... done
    [00:00:00] Cloning the ports tree... done
    
    root@poudriere-devel-14-stable:~ # poudriere ports -l
    PORTSTREE METHOD    TIMESTAMP           PATH
    idm       git+https 2024-03-06 10:10:53 /usr/local/poudriere/ports/idm
    
    
    

    Poudriere Server – Build FreeIPA/IDM Client Packages

    Now we will choose needed options for our FreeBSD Ports and then start the bulk process of fetching and building them.

    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm security/cyrus-sasl2-gssapi
    //   SELECT: (*) GSSAPI_MIT
    
    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm net/openldap26-client
    //   SELECT: [x] GSSAPI
    
    root@poudriere-devel-14-stable:~ # poudriere options -c -n -p idm security/sudo
    // DESELECT: [ ] PAM
    //   SELECT: (*) GSSAPI_MIT
    //   SELECT: (*) SSSD2
    
    root@poudriere-devel-14-stable:~ # cat << EOF > /usr/local/etc/poudriere.d/idm
    security/krb5
    security/sudo
    security/sssd2
    security/cyrus-sasl2
    security/cyrus-sasl2-gssapi
    security/pam_mkhomedir
    net/openldap26-client
    net/samba416
    EOF
    
    root@poudriere-devel-14-stable:~ # poudriere bulk -j 14-0-S-amd64 -b latest -p idm -f /usr/local/etc/poudriere.d/idm
    
    root@poudriere-devel-14-stable:~ # zfs list
    NAME                                           USED  AVAIL  REFER  MOUNTPOINT
    zroot                                         1.51G  94.9G    24K  none
    zroot/usr                                     1.39G  94.9G    24K  none
    zroot/usr/local                               1.39G  94.9G    24K  none
    zroot/usr/local/poudriere                     1.39G  94.9G    24K  none
    zroot/usr/local/poudriere/jails               1.07G  94.9G    24K  none
    zroot/usr/local/poudriere/jails/14-0-S-amd64  1.07G  94.9G  1.07G  /usr/local/poudriere/jails/14-0-S-amd64
    zroot/usr/local/poudriere/ports                328M  94.9G    24K  none
    zroot/usr/local/poudriere/ports/idm            328M  94.9G   328M  /usr/local/poudriere/ports/idm
    zroot/var                                      117M  94.9G    24K  none
    zroot/var/ccache                               117M  94.9G   117M  /var/ccache
    
    
    

    This is how the Poudriere build process looks like from the terminal … and a view for its new ZFS datasets that Poudriere created.

    xterm-poudriere

    It was 2nd or 3rd run so when You first will run the bulk there will be more information about fetching packages etc.

    Below You can see what processes are running in htop(1) during the build.

    xterm-htop

    You can also follow the status of the build process in the browser at https://10.0.0.124 page.

    poudriere-devel-100-latest-builds

    Generally the new Poudriere interface is quite ‘large’ I would say – so I use it at 70% scale/zoom on Firefox and IMHO its more usable like that.

    poudriere-devel-70-latest-builds

    And below are the details about our build job.

    poudriere-devel-70-build-complete

    Poudriere Server – Update Repo/Packages

    Everytime you will need to update the packages in that FreeIPA/IDM repo You will need to run these commands.

    root@poudriere-devel-14-stable:~ # poudriere ports -u -p idm
    
    root@poudriere-devel-14-stable:~ # poudriere bulk -j 14-0-S-amd64 -b latest -p idm -f /usr/local/etc/poudriere.d/idm
    

    You may as well update the FreeBSD Jail when needed.

    root@poudriere-devel-14-stable:~ # poudriere jail -u -j 14-0-S-amd64
    

    FreeBSD 14.0-STABLE Client – Setup

    I will not repeat the process – but the same as with Poudriere server – you need to create FreeBSD client – for example as Bhyve VM.

    Now – the needed configuration on FreeBSD 14.0-STABLE system to connect it to FreeIPA/IDM server.

    root@idm-client:~ # :> ~/.hushlogin
    
    root@idm-client:~ # mkdir -p              \
                         /usr/local/etc/ipa   \
                         /var/log/sssd        \
                         /var/run/sss/private \
                         /var/db/sss
    
    root@idm-client:~ # echo '10.0.0.233  idm-client.lab.org  idm-client' >> /etc/hosts
    
    root@idm-client:~ # echo '10.0.0.200  idm.lab.org         idm'        >> /etc/hosts
    
    root@idm-client:~ # hostname idm-client.lab.org
    
    root@idm-client:~ # sysrc hostname=idm-client.lab.org
    
    root@idm-client:~ # fetch -o /usr/local/etc/ipa/ca.crt http://idm.lab.org/ipa/config/ca.crt
    
    

    Now we will need to add or FreeBSD client to FreeIPA/IDM. Instructions below.

    [root@idm ~]# kinit admin
    
    [root@idm ~]# ipa dnsrecord-add lab.org idm-client --a-rec=10.0.0.233 --a-create-reverse
      Record name: idm-client
      A record: 10.0.0.233
    
    [root@idm ~]# ipa host-add idm-client.lab.org
    -------------------------------
    Added host "idm-client.lab.org"
    -------------------------------
      Host name: idm-client.lab.org
      Principal name: host/idm-client.lab.org@LAB.ORG
      Principal alias: host/idm-client.lab.org@LAB.ORG
      Password: False
      Keytab: False
      Managed by: idm-client.lab.org
    
    [root@idm ~]# ipa-getkeytab -s idm.lab.org -p host/idm-client.lab.org@LAB.ORG -k /root/idm-client.lab.org.keytab
    Keytab successfully retrieved and stored in: /root/idm-client.lab.org.keytab
    
    [root@idm ~]# cp /root/idm-client.lab.org.keytab /usr/share/ipa/html/
    
    [root@idm ~]# chmod 644 /usr/share/ipa/html/idm-client.lab.org.keytab
    
    

    Now lets get back to our FreeBSD client.

    root@idm-client:~ # fetch -o /usr/local/etc/ipa/krb5.keytab \
                          http://idm.lab.org/ipa/config/idm-client.lab.org.keytab
    
    root@idm-client:~ # chmod 600 /usr/local/etc/ipa/krb5.keytab
    
    root@idm-client:~ # mkdir -p /usr/local/etc/ssl/certs
    
    root@idm-client:~ # mkdir -p /usr/local/etc/pkg/repos
    
    root@idm-client:~ # sed -e 's|quarterly|latest|g' /etc/pkg/FreeBSD.conf \
                          > /usr/local/etc/pkg/repos/FreeBSD.conf
    
    root@idm-client:~ # pkg install -y beadm
    
    root@idm-client:~ # fetch -o /usr/local/etc/ssl/certs/poudriere.cert \
                          http://idm.lab.org/data/poudriere.cert
    
    root@idm-client:~ # export IP=10.0.0.124
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/pkg/repos/14-0-S-amd64.conf
    14-0-S-amd64-idm: {
      url: "http://${IP}/packages/14-0-S-amd64-idm/",
      mirror_type: "http",
      signature_type: "pubkey",
      pubkey: "/usr/local/etc/ssl/certs/poudriere.cert",
      enabled: yes,
      priority: 100
    }
    EOF
    
    root@idm-client:~ # pkg update -f
    
    root@idm-client:~ # pkg install -y      \
                          krb5              \
                          sudo              \
                          sssd2             \
                          cyrus-sasl        \
                          cyrus-sasl-gssapi \
                          openldap26-client \
                          pam_mkhomedir
    
    root@idm-client:~ # cat << EOF >> /etc/ssh/ssh_config
    GSSAPIAuthentication yes
    EOF
    
    root@idm-client:~ # cat << EOF >> /etc/ssh/sshd_config
    GSSAPIAuthentication yes
    UsePAM yes
    EOF
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/sssd/sssd.conf
    [sssd]
      config_file_version      = 2
      services                 = pam, ssh, sudo, ifp, pac, nss
      domains                  = lab.org
      timeout                  = 20
    
    [domain/lab.org]
      ipa_server               = idm.lab.org
      ipa_domain               = lab.org
      pam_gssapi_services      = sudo, sudo-i
      enumerate                = True
      cache_credentials        = True
      override_shell           = /usr/local/bin/bash
      override_homedir         = /home/%u
      default_shell            = /bin/sh
      ldap_group_nesting_level = 10
      default_ccache_template  = FILE:/tmp/krb5cc_:%U
    
      krb5_ccache_template     = FILE:/tmp/krb5cc_:%U
      krb5_server              = idm.lab.org:88
      krb5_realm               = LAB.ORG
      krb5_keytab              = /usr/local/etc/ipa/krb5.keytab
      krb5_auth_timeout        = 20
    
      id_provider              = ipa
      sudo_provider            = ipa
      access_provider          = ipa
      subdomains_provider      = ipa
      auth_provider            = ipa
      chpass_provider          = ipa
      selinux_provider         = none
    EOF
    
    root@idm-client:~ # chmod 600 /usr/local/etc/sssd/sssd.conf
    
    root@idm-client:~ # cat << EOF > /etc/nsswitch.conf
    #
    # nsswitch.conf(5) - name service switch configuration file
    # $FreeBSD$
    #
    group: files sss
    group_compat: nis
    hosts: files dns
    networks: files
    passwd: files sss
    passwd_compat: nis
    shells: files
    services: compat
    services_compat: nis
    protocols: files
    rpc: files
    sudoers: sss files
    netgroup: files
    EOF
    
    root@idm-client:~ # cat /etc/rc.conf
    hostname="idm-client.lab.org"
    ifconfig_vtnet0="inet 10.0.0.233/24"
    defaultrouter="10.0.0.1"
    syslogd_flags="-ss"
    clear_tmp_enable="YES"
    sshd_enable="YES"
    zfs_enable="YES"
    sssd_enable="YES"
    
    root@idm-client:~ # cat << EOF > /usr/local/etc/openldap/ldap.conf
    BASE        dc=org,dc=lab
    URI         ldap://idm.lab.org/
    SASL_MECH   GSSAPI
    SASL_REALM  LAB.ORG
    ssl         start_tls
    TLS_CACERT  /usr/local/etc/ipa/ca.crt
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/krb5.conf
    [libdefaults]
      default_realm        = LAB.ORG
      default_keytab_name  = FILE:/usr/local/etc/ipa/krb5.keytab
      default_tkt_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
      default_tgs_enctypes = aes256-cts des-cbc-crc aes128-cts arcfour-hmac
      dns_lookup_realm     = false
      dns_lookup_kdc       = false
      rdns                 = false
      ticket_lifetime      = 24h
      forwardable          = yes
    
    [realms]
      LAB.ORG = {
        kdc            = idm.lab.org:88
        master_kdc     = idm.lab.org:88
        admin_server   = idm.lab.org:749
        default_domain = lab.org
        pkinit_anchors = FILE:/usr/local/etc/ipa/ca.crt
      }
    
    [domain_realm]
      .lab.org = LAB.ORG
       lab.org = LAB.ORG
    
    [logging]
      kdc          = FILE:/var/log/krb5/krb5kdc.log
      admin_server = FILE:/var/log/krb5/kadmin.log
      kadmin_local = FILE:/var/log/krb5/kadmin_local.log
      default      = FILE:/var/log/krb5/krb5lib.log
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/pam.d/system
    #
    #
    # System-wide defaults
    #
    
    # AUTH
      auth      sufficient  pam_krb5.so                      no_warn try_first_pass
    # auth      sufficient  pam_ssh.so                       no_warn try_first_pass
      auth      sufficient  /usr/local/lib/pam_sss.so        no_warn use_first_pass
      auth      required    pam_unix.so                      no_warn try_first_pass nullok
    
    # ACCOUNT
    # account   required    pam_krb5.so
      account   required    pam_login_access.so
      account   required    /usr/local/lib/pam_sss.so        ignore_unknown_user ignore_authinfo_unavail
      account   required    pam_unix.so
    
    # SESSION
    # session   optional    pam_ssh.so                       want_agent
      session   required    pam_lastlog.so                   no_fail
      session   required    /usr/local/lib/pam_mkhomedir.so  mode=0700
    
    # PASSWORD
    # password  sufficient  pam_krb5.so                      no_warn try_first_pass
      password  sufficient  /usr/local/lib/pam_sss.so        no_warn use_authtok
      password  required    pam_unix.so                      no_warn try_first_pass
    EOF
    
    root@idm-client:~ # cat << EOF > /etc/pam.d/sshd
    #
    #
    # PAM configuration for the "sshd" service
    #
    
    # AUTH
      auth      sufficient  pam_krb5.so                      no_warn try_first_pass
    # auth      sufficient  pam_ssh.so                       no_warn try_first_pass
      auth      sufficient  /usr/local/lib/pam_sss.so        no_warn use_first_pass
      auth      required    pam_unix.so                      no_warn try_first_pass
    
    # ACCOUNT
      account   required    pam_nologin.so
    # account   required    pam_krb5.so
      account   required    pam_login_access.so
      account   required    pam_unix.so
      account   required    /usr/local/lib/pam_sss.so        ignore_unknown_user ignore_authinfo_unavail
    
    # SESSION
    # session   optional    pam_ssh.so                       want_agent
      session   required    pam_permit.so
      session   required    /usr/local/lib/pam_mkhomedir.so  mode=0700
      session   optional    /usr/local/lib/pam_sss.so
    
    # PASSWORD
    # password  sufficient  pam_krb5.so                      no_warn try_first_pass
      password  sufficient  /usr/local/lib/pam_sss.so        no_warn use_authtok
      password  required    pam_unix.so                      no_warn try_first_pass
    EOF
    
    

    Our idm-client.lab.org in the FreeIPA/IDM below.

    idm-hosts

    Now reboot your idm-client.lab.org and You should be able to login to it with FreeIPA/IDM account.

    host # ssh vermaden@10.0.0.233
    (vermaden@10.0.0.233) Password:
    Last login: Wed Mar  6 07:04:42 2024
    
    vermaden@idm-client:~ $ id
    uid=1374600003(vermaden) gid=1374600000(admins) groups=1374600000(admins)
    
    vermaden@idm-client:~ $ klist
    Credentials cache: FILE:/tmp/krb5cc_1374600003
            Principal: vermaden@LAB.ORG
    
      Issued                Expires               Principal
    Mar  6 07:04:34 2024  Mar  7 06:19:19 2024  krbtgt/LAB.ORG@LAB.ORG
    
    vermaden@idm-client:~ $ sudo -i
    Password for vermaden@LAB.ORG:
    
    root@idm-client:~ # id
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
    

    FreeBSD 14.0-STABLE Client – Debug Commands

    Below are some commands that you may (or may not) find useful.

    root@idm-client:~ # sssctl user-checks vermaden
    user: vermaden
    action: acct 
    service: system-auth
    
    SSSD nss user lookup result:
     - user name: vermaden
     - user id: 1374600003
     - group id: 1374600000
     - gecos: Vermaden Nedamrev
     - home directory: /home/vermaden
     - shell: /bin/sh
      
    Unable to connect to system bus!
    InfoPipe User lookup with [vermaden] failed.
    testing pam_acct_mgmt   
      
    pam_acct_mgmt: Success  
      
    PAM Environment:
     - no env -
    
      
      
    root@idm-client:~ # ldapsearch -H ldap://idm.lab.org -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: GSS-SPNEGO                      
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: DIGEST-MD5
    supportedSASLMechanisms: CRAM-MD5
    supportedSASLMechanisms: LOGIN
    supportedSASLMechanisms: PLAIN
    supportedSASLMechanisms: ANONYMOUS
    
    
    
    
    
    
    root@idm-client:~ # ldapsearch -x -v -W -D 'cn=Directory Manager' uid=vermaden
    ldap_initialize(  )
    Enter LDAP Password: 
    filter: uid=vermaden
    requesting: All userApplication attributes
    # extended LDIF
    #
    # LDAPv3
    # base  (default) with scope subtree
    # filter: uid=vermaden
    # requesting: ALL
    #
    
    # search result
    search: 2
    result: 32 No such object
    
    # numResponses: 1
    
    
    
    
    
    root@idm-client:~ # ldapsearch -Y GSSAPI -Omaxssf=0 -H ldaps://idm.lab.org -b dc=lab,dc=org CN=vermaden
    SASL/GSSAPI authentication started
    SASL username: vermaden@LAB.ORG
    SASL SSF: 0
    # extended LDIF
    #
    # LDAPv3
    # base  with scope subtree
    # filter: CN=vermaden
    # requesting: ALL
    #
    
    # vermaden, groups, compat, lab.org
    dn: cn=vermaden,cn=groups,cn=compat,dc=lab,dc=org
    objectClass: posixGroup
    objectClass: ipaOverrideTarget
    objectClass: ipaexternalgroup
    objectClass: top
    gidNumber: 1374600003
    ipaAnchorUUID:: OklQQTpsYWIub3JnOjcyN2FlMjM2LTMyMTktMTFlZS04OGMyLTU4OWNmYzA4MW
     QzNQ==
    cn: vermaden
    
    # vermaden, groups, accounts, lab.org
    dn: cn=vermaden,cn=groups,cn=accounts,dc=lab,dc=org
    objectClass: posixgroup
    objectClass: ipaobject
    objectClass: mepManagedEntry
    objectClass: top
    cn: vermaden
    gidNumber: 1374600003
    description: User private group for vermaden
    mepManagedBy: uid=vermaden,cn=users,cn=accounts,dc=lab,dc=org
    ipaUniqueID: 727ae236-3219-11ee-88c2-589cfc081d35
    
    # search result
    search: 4
    result: 0 Success
    
    # numResponses: 3
    # numEntries: 2
    
    
    

    Thats it – you have FreeBSD 14.0-STABLE connected to FreeIPA/IDM server.

    Summary

    Let me know in comments how it went.

    EOF
    • chevron_right

      Two core Unix-like utilities, sudo and su, are getting rewrites in Rust

      news.movim.eu / ArsTechnica · Monday, 1 May, 2023 - 17:05

    Two of the most fundamental tools of the modern Unix-like command line, sudo and su, are being rewritten in the modern language Rust as part of a wider effort to get critical but aging infrastructure pieces replaced by memory-safe counterparts.

    As detailed at Prossimo , a joint team from Ferrous Systems and Tweede Golf , with support from Amazon Web Services, is reimplementing sudo and su. These utilities allow a user to perform actions with the privileges of another user (typically a higher-level superuser) without having to learn and enter that other user's password. Given their age and wide usage, the Prossimo team believes it's time for a rework.

    "Sudo was first developed in the 1980s. Over the decades, it has become an essential tool for performing changes while minimizing risk to an operating system," writes Josh Aas. "But because it's written in C, sudo has experienced many vulnerabilities related to memory safety issues."

    Read 4 remaining paragraphs | Comments

    • chevron_right

      Pass : À la Découverte d'un Gestionnaire de Mot de Passe

      HUC Stéphane · Wednesday, 26 October, 2022 - 15:50 edit

    [Stéphane HUC :: IT Log] nous offre une découverte approfondie du gestionnaire de mots de passes unix qu'est pass.

    • https://doc.huc.fr.eu.org/fr/post/pass-gestionnaire-mot-passe-unix/

    #pass #password #store #fr #Unix

    • chevron_right

      Unix legend, who owes us nothing, keeps fixing foundational AWK code

      news.movim.eu / ArsTechnica · Tuesday, 23 August, 2022 - 17:50 · 1 minute

    Brian Kernighan speaking onstage.

    Enlarge / Brian Kernighan speaking at a tribute to his Bell Labs coworker and The C Programming Language co-author Dennis Ritchie in 2012. Ritchie's visage in dominoes is behind Kernighan. (credit: Ben Lowe/Flickr )

    A Princeton professor, finding a little time for himself in the summer academic lull, emailed an old friend a couple months ago. Brian Kernighan said hello, asked how their US visit was going, and dropped off hundreds of lines of code that could add Unicode support for AWK, the text-parsing tool he helped create for Unix at Bell Labs in 1977.

    "I have tested this a fair amount but clearly more tests are needed," Kernighan wrote in the email, posted in late May as a kind of pseudo-commit on the onetrueawk repo by longtime maintainer Arnold Robbins. "Once I figure out how ... I will try to submit a pull request. I wish I understood git better, but in spite of your help, I still don't have a proper understanding, so this may take a while."

    Kernighan is the "K" in AWK , a special-purpose language for extracting and manipulating language that was key to Unix's pipeline features and interoperability between systems. A working awk function (AWK is the language, awk the command to invoke it) is critical to both Standard UNIX Specification and IEEE POSIX certification for interoperability. There are countless variants of awk —including modern derivations with support for Unicode—but "One True AWK," sometimes known as nawk , is a kind of canonical version based on Kernighan's 1985 book The AWK Programming Language and his subsequent input.

    Read 5 remaining paragraphs | Comments

    • Sp chevron_right

      Quick & Easy Email Attachments in Linux

      pubsub.slavino.sk / spam_resource · Friday, 17 September, 2021 - 12:00 · 1 minute

    Need to export a file from Linux via email? Got uuencode ? Do you even remember uuencode ? It's how we used to encode files for file sharing, back before you were born. Because I'm old.

    Here's a handy one-liner that will wrap your file up as a UUEncoded attachment and mail it to the address you specify. The email should come through with a properly formatted attachment that you can then download.

    Just do this:
    % cat file.zip | uuencode file.zip | mail recipient@example.com

    Or you can get a bit fancier and add a subject line and a proper from address (if your system doesn't add one already):
    % cat file.zip | uuencode file.zip | mail -s "Export of file.zip" -a "From: Me <sender@example.com>" recipient@example.com

    Or you can do it as part of a shell script, with bits that look something like this:

    FROM="Just Me <sender@example.com>"
    TO="recipient@example.com"
    FILE="file.zip"
    cat $FILE | \
    uuencode $FILE \
    mail -s "Export of $FILE attached" \
    -a "From: $FROM" \
    $TO

    I know there's probably some better way to do this, but this simple example has saved me endless amounts of time lately. I hope you find it useful, too.


    Značky: #linux, #unix, #Network, #howto

    • Sp chevron_right

      mb2md: A very useful linux/unix email utility

      pubsub.slavino.sk / spam_resource · Monday, 9 August, 2021 - 12:00 edit

    Now and then I'm going to start posting occasional Linux/unix email geek tips to Spam Resource. I hope you find them valuable. Feedback welcome -- let me know what you think! -- Al Iverson

    The linux/unix tool mb2md does one thing and it does it well: It takes and "mbox" mailbox file and converts it into Maildir files.


    Značky: #scripts, #unix, #Network, #geekery, #linux