[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

[Alexander Bokovoy]

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
>Thanks to both of you for the interest.
>Here`s the info you asked:
>
>1. Putting "debug_level = 7" either in [domain] or/and [nss] section 
>of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
>The log file located at /var/log/sssd/sssd.log is only populated with 
>data when I make some errors in sssd.conf & sssd process fails to 
>start. But that`s the case only if I deliberately introduce some 
>errors; with current configuration sssd starts successfully.
SSSD writes separate log files per each section, so you need to look at
/var/log/sssd/sssd_mydomain.com.log for [domain/mydomain.com] and
/var/log/sssd/sssd_nss.log for nss section.

>3. The users created at the IPA server can`t locally log in to the 
>server, but it`s possible to ssh to the server as an IPA user from the 
>FreeBSD host. However, there are some interesting behaviors (again, 
>this is what happens when just following the IPA Quick Start Quide for 
>the server side & the post from FreeBSD forums for the client side):
> - home directories are not automatically created on the IPA server;
> - "id" command output shows correct uid, but the group of any IPA 
>user doesn`t show as "ipausers" - instead, the group name is the same 
>as username, + something like 
>"context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
In FreeIPA in Fedora we switched off ipausers being a POSIX group.
FreeIPA supports POSIX and non-POSIX groups; the latter is for grouping
purposes as groups can be nested in FreeIPA. 'ipausers' is the group
every user is a member of but it is not a POSIX group anymore so it has
less effect on performance in large deployments (tens of thousands
users in the same group).

So it is expected. The group named as a username is a user-private group
which is maintained automatically per each user. It has the same GID as
user's UID.


-- 
/ Alexander Bokovoy