[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Tue Oct 14 05:23:09 UTC 2014 

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting "debug_level = 7" either in [domain] or/and [nss] section of 
the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log 
file located at /var/log/sssd/sssd.log is only populated with data when 
I make some errors in sssd.conf & sssd process fails to start. But 
that`s the case only if I deliberately introduce some errors; with 
current configuration sssd starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of 
what was shown in the post at FreeBSD forums):

-----------------------------------------
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
-----------------------------------------

Interestingly enough the [nss] section is empty, just as shown in the 
post at FreeBSD forums.

3. The users created at the IPA server can`t locally log in to the 
server, but it`s possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, this 
is what happens when just following the IPA Quick Start Quide for the 
server side & the post from FreeBSD forums for the client side):
  - home directories are not automatically created on the IPA server;
  - "id" command output shows correct uid, but the group of any IPA user 
doesn`t show as "ipausers" - instead, the group name is the same as 
username, + something like 
"context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".

4. Here is the list of snapshots taken from my FreeBSD VM when I 
installed necessary ports, maybe these snapshots will provide some 
additional info on sssd behavior:

clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started


14-Oct-14 00:32, Lukas Slebodnik пишет:
> On (13/10/14 20:33), Jakub Hrozek wrote:
>> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
>>>   Good day to everybody.
>>> There`s a post on how to make a FreeBSD client work with a FreeIPA server:  https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
>>> For some reason the instructions in that post don`t lead to a working solution.
>>> Getent passwd/group return no data from the IPA server, although ldapsearch works fine.
>>> I followed the instructions exactly (+ configured ldap.conf & started sssd) and didn`t get errors anywhere, all steps completed successfully.
>>> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0).
>>> IPA server is configured as written in the IPA Quick Start Quide, it has no integrated DNS server.
>>> Both VMs have identical /etc/hosts file:
>>>
>>> ::1                    localhost
>>> 127.0.0.1         localhost
>>> 192.168.1.10   ipa1.mydomain.com ipa1
>>> 192.168.1.30   bsd1.mydomain.com bsd1
>>>
>>> Seems like some instructions in etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss" have no effect.
>>> Does anybody tried this setup, what could be wrong with it?
>>> I can provide outputs of any commands if necessary.
>>> If I shouldn`t have asked this question here, please advise me where to ask.
>>> Any hint on what to do will be highly appreciated!
>> Hi,
>>
>> I think SSSD logs would be the best start..
>>
>> Put debug_level=7 into the [domain] section, restart SSSD and then check
>> out /var/log/sssd/*.log
>>
> "debug_level = 7" can be put into "nss" section as well.
> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
>
> LS
>

More information about the Freeipa-users mailing list