I use a single FreeBSD host at home to serve NFS, DNS, and LDAP within jails. These are my build steps and configuration details:
Primary FreeBSD domain
# cat /etc/rc.conf # General hostname="biff" ifconfig_re0="DHCP" sshd_enable="YES" ntpd_enable="YES" zfs_enable="YES" pureftpd_enable="YES" # NFS nfs_server_enable="YES" nfs_server_flags="-u -t -n 4" nfsv4_server_enable="YES" nfsuserd_enable="YES" nfsuserd_flags="-domain hillvalley" # Jails for griff and buford cloned_interfaces="lo1 lo2" ezjail_enable="YES" jail_griff_parameters="allow.raw_sockets=1" jail_buford_parameters="allow.raw_sockets=1" # pkg install sudo # pkg install bash # pkg install pam_ldap # pkg install nss_ldap # zpool create paulie /dev/ada2 # zpool add paulie mirror /dev/ada2 /dev/ada3 # pkg install ezjail # service netif cloneup # service ezjail start # ezjail-admin install -p # ezjail-admin create griff 'lo1|127.0.1.1,re0|192.168.1.102' # ezjail-admin create buford 'lo1|127.0.2.1,re0|192.168.1.103' # ezjail-admin start griff # ezjail-admin start buford
BIND DNS jail - griff
# ezjail-admin console griff # passwd # tzsetup # sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab # sed -i .bak -e 's/127.0.0.1/127.0.1.1/g; s/localhost.my.domain/griff.my.domain griff/' /etc/hosts # pkg install sudo # pkg install bash # pkg install pam_ldap # pkg install nss_ldap # pkg install bind99 # cat /usr/local/etc/namedb/named.conf options { directory "/usr/local/etc/namedb/working"; pid-file "/var/run/named/pid"; dump-file "/var/dump/named_dump.db"; statistics-file "/var/stats/named.stats"; forwarders { 208.67.222.222; 208.67.220.220; }; }; zone "hillvalley" { type master; file "/usr/local/etc/namedb/hillvalley.db"; }; zone "1.168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/1.168.192.db"; }; zone "100.168.192.in-addr.arpa" { type master; file "/usr/local/etc/namedb/100.168.192.db"; }; # cat /usr/local/etc/namedb/hillvalley.db $TTL 3h @ IN SOA griff.hillvalley. paulie.griff.hillvalley. ( 2017120700 28800 3600 604800 38400 ) hillvalley. IN NS griff.hillvalley. flux IN A 192.168.100.1 ; Modem (SB6120) delorean IN A 192.168.1.1 ; Router (ASUS RT-N66U) biff IN A 192.168.1.101 ; NFS Server (FreeBSD 11.1) griff IN A 192.168.1.102 ; DNS Server (FreeBSD Jail) buford IN A 192.168.1.103 ; LDAP Server (FreeBSD Jail) marty IN A 192.168.1.104 ; Workstation (Paul) doc IN A 192.168.1.105 ; MacBook Air (Paul Home) einstein IN A 192.168.1.106 ; iPhone 7 (Paul) jennifer IN A 192.168.1.107 ; Galaxy S7 (Audrey) lorraine IN A 192.168.1.108 ; Lenovo Laptop (Audrey Home) goldie IN A 192.168.1.109 ; Nest (Thermostat) clara IN A 192.168.1.110 ; Fire TV (Home Theater) maggie IN A 192.168.1.111 ; Boxee (Home Theater) marvin IN A 192.168.1.112 ; Nest Protect (Upstairs) strickland IN A 192.168.1.113 ; Fire TV (Bedroom) peabody IN A 192.168.1.114 ; Fire TV Stick (Exercise Room) dave IN A 192.168.1.115 ; Nest Protect (Basement) linda IN A 192.168.1.116 ; Lenovo Laptop (Audrey Work) george IN A 192.168.1.117 ; MacBook Pro (Paul Work) copernicus IN A 192.168.1.118 ; 
Litter-Robot (Fibonacci) seamus IN A 192.168.1.119 ; Echo Spot (Kitchen) match IN A 192.168.1.120 ; Fire TV (Bedroom) skinhead IN A 192.168.1.121 ; Fire TV (Home Theater) # cat /usr/local/etc/namedb/1.168.192.db $TTL 3h @ IN SOA griff.hillvalley. paulie.griff.hillvalley. ( 2017122200 28800 3600 604800 38400 ) IN NS griff.hillvalley. 1 IN PTR delorean.hillvalley. ; Router (ASUS RT-N66U) 101 IN PTR biff.hillvalley. ; NFS Server (FreeBSD 11.1) 102 IN PTR griff.hillvalley. ; DNS Server (FreeBSD Jail) 103 IN PTR buford.hillvalley. ; LDAP Server (FreeBSD Jail) 104 IN PTR marty.hillvalley. ; Workstation (Paul) 105 IN PTR doc.hillvalley. ; MacBook Air (Paul Home) 106 IN PTR einstein.hillvalley. ; iPhone 7 (Paul) 107 IN PTR jennifer.hillvalley. ; Galaxy S7 (Audrey) 108 IN PTR lorraine.hillvalley. ; Lenovo Laptop (Audrey Home) 109 IN PTR goldie.hillvalley. ; Nest (Thermostat) 110 IN PTR clara.hillvalley. ; Fire TV (Home Theater) 111 IN PTR maggie.hillvalley. ; Boxee (Home Theater) 112 IN PTR marvin.hillvalley. ; Nest Protect (Upstairs) 113 IN PTR strickland.hillvalley. ; Fire TV (Bedroom) 114 IN PTR peabody.hillvalley. ; Fire TV Stick (Exercise Room) 115 IN PTR dave.hillvalley. ; Nest Protect (Basement) 116 IN PTR linda.hillvalley. ; Lenovo Laptop (Audrey Work) 117 IN PTR george.hillvalley. ; MacBook Pro (Paul Work) 118 IN PTR copernicus.hillvalley. ; Litter-Robot (Fibonacci) 119 IN PTR seamus.hillvalley. ; Echo Spot (Kitchen) 120 IN PTR match.hillvalley. ; Fire TV (Bedroom) 121 IN PTR skinhead.hillvalley. ; Fire TV (Home Theater) # cat /usr/local/etc/namedb/100.168.192.db $TTL 3h @ IN SOA griff.hillvalley. paulie.griff.hillvalley. ( 2013021744 28800 3600 604800 38400 ) IN NS griff.hillvalley. 1 IN PTR flux.hillvalley. ; Modem (Motorola SB6120) # echo "named_enable=\"YES\"" >> /etc/rc.conf # echo "sshd_enable=\"YES\"" >> /etc/rc.conf # service named start # service sshd start # exit
OpenLDAP jail - buford
# ezjail-admin console buford # passwd # tzsetup # sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab # sed -i .bak -e 's/127.0.0.1/127.0.1.1/g; s/localhost.my.domain/buford.my.domain buford/' /etc/hosts # pkg install sudo # pkg install bash # pkg install openldap-server # pkg install pam_ldap # pkg install nss_ldap # slappasswd -h '{SHA}' (prints the {SHA} password hash; that hash is what goes into the rootpw line of slapd.conf below, in place of the plaintext value shown) # cat /usr/local/etc/openldap/slapd.conf include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/corba.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/collective.schema include /usr/local/etc/openldap/schema/openldap.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/local/libexec/openldap moduleload back_mdb moduleload back_ldap database mdb maxsize 1073741824 suffix "dc=buford,dc=hillvalley" rootdn "cn=admin,dc=buford,dc=hillvalley" rootpw secret directory /var/db/openldap-data index objectClass eq # cat /usr/local/etc/openldap/hillvalley.ldif dn: dc=buford,dc=hillvalley objectClass: dcObject objectClass: organization o: bufford.hillvalley dc: buford dn: ou=groups,dc=buford,dc=hillvalley objectClass: top objectClass: organizationalunit ou: groups dn: ou=people,dc=buford,dc=hillvalley objectClass: top objectClass: organizationalunit ou: people dn: cn=world,ou=groups,dc=buford,dc=hillvalley objectClass: top objectClass: posixGroup cn: world gidNumber: 1001 dn: uid=paulie,ou=people,dc=buford,dc=hillvalley objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount sn: Johnson cn: Paul Johnson gecos: Paul Johnson displayName: Paul Johnson mail: paulie@pauliesworld.org uid: paulie uidNumber: 1001 gidNumber: 1001 homeDirectory: /paulie loginShell: /usr/local/bin/bash userPassword: secret # cat /etc/rc.conf 
sshd_enable="YES" slapd_enable="YES" slapd_flags='-h "ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap://0.0.0.0/"' slapd_sockets="/var/run/openldap/ldapi" # service sshd start # service slapd start # ldapadd -x -W -H ldap://localhost -D cn=admin,dc=buford,dc=hillvalley -f /usr/local/etc/openldap/hillvalley.ldif # exit # cat /etc/pam.d/sshd auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn auth required pam_unix.so no_warn try_first_pass account required pam_nologin.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown account required pam_unix.so session required pam_permit.so password required pam_unix.so no_warn try_first_pass # cat /etc/pam.d/system auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok account required /usr/local/lib/pam_ldap.so ignore_unknown_user ignore_authinfo_unavail account required pam_login_access.so account required pam_unix.so session required pam_lastlog.so no_fail password required pam_unix.so no_warn try_first_pass # cat /usr/local/etc/ldap.conf host 192.168.1.103 base dc=buford,dc=hillvalley bind_timelimit 10 bind_policy hard nss_reconnect_tries 2 nss_reconnect_sleeptime 1 nss_reconnect_maxsleeptime 1 nss_reconnect_maxconntries 1 pam_login_attribute uid # cat /etc/nsswitch.conf group: files ldap group_compat: nis hosts: files dns netgroup: compat networks: files passwd: files ldap passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files # cp /etc/nsswitch.conf /usr/jails/griff/etc/nsswitch.conf # cp /etc/pam.d/sshd /usr/jails/griff/etc/pam.d/sshd # cp /etc/pam.d/system /usr/jails/griff/etc/pam.d/system # cp /usr/local/etc/ldap.conf 
/usr/jails/griff/usr/local/etc/ldap.conf # cp /etc/nsswitch.conf /usr/jails/buford/etc/nsswitch.conf # cp /etc/pam.d/sshd /usr/jails/buford/etc/pam.d/sshd # cp /etc/pam.d/system /usr/jails/buford/etc/pam.d/system # cp /usr/local/etc/ldap.conf /usr/jails/buford/usr/local/etc/ldap.conf
13:10 PST - December 22, 2018