[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Tue Oct 14 07:38:37 UTC 2014


With help from Alexander Bokovoy I found correct log destinations:

sssd domain log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd nss log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup; it has a
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log saying that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.


14-Oct-14 10:23, Orkhan Gasimov wrote:
> Thanks to both of you for the interest.
> Here's the info you asked for:
>
> 1. Putting "debug_level = 7" either in [domain] or/and [nss] section 
> of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
> The log file located at /var/log/sssd/sssd.log is only populated with 
> data when I make some errors in sssd.conf & sssd process fails to 
> start. But that's the case only if I deliberately introduce some 
> errors; with current configuration sssd starts successfully.
>
> 2. My original sssd.conf (without debugs) is as follows (exact copy of 
> what was shown in the post at FreeBSD forums):
>
> -----------------------------------------
> [domain/mydomain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.mydomain.com
> chpass_provider = ipa
> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
> ldap_tls_cacert = /etc/ssl/ca.crt
> enumerate = True #to enumerate users and groups
>
> [sssd]
> enumerate = True
> services = nss, pam, sudo
> config_file_version = 2
> domains = mydomain.com
>
> [nss]
>
> [pam]
>
> [sudo]
> -----------------------------------------
>
> Interestingly enough the [nss] section is empty, just as shown in the 
> post at FreeBSD forums.
>
> 3. The users created at the IPA server can't locally log in to the 
> server, but it's possible to ssh to the server as an IPA user from the 
> FreeBSD host. However, there are some interesting behaviors (again, 
> this is what happens when just following the IPA Quick Start Guide for 
> the server side & the post from FreeBSD forums for the client side):
>  - home directories are not automatically created on the IPA server;
>  - "id" command output shows the correct uid, but the group of any IPA 
> user doesn't show as "ipausers" - instead, the group name is the same 
> as the username, plus something like 
> "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
>
> 4. Here is the list of snapshots taken from my FreeBSD VM when I 
> installed necessary ports, maybe these snapshots will provide some 
> additional info on sssd behavior:
>
> clean_install
> starting_sssd_install
> krb5_choice_added_LDAP
> openldap24-sasl-client_choice_added_FETCH_GSSAPI
> cyrus-sasl2_choice_defaults
> bind_choice_added_GSSAPI_MIT
> sssd_installation_finished
> sudo_installed_with_INSULTS_LDAP_SSSD
> cyrus-sasl2-gssapi_choice_added_MIT
> all_ports_installed_directories_created
> all_configs_applied_sssd_started
>
>
> 14-Oct-14 00:32, Lukas Slebodnik wrote:
>> On (13/10/14 20:33), Jakub Hrozek wrote:
>>> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
>>>> Good day to everybody.
>>>> There's a post on how to make a FreeBSD client work with a FreeIPA 
>>>> server: 
>>>> https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
>>>> For some reason the instructions in that post don't lead to a 
>>>> working solution.
>>>> Getent passwd/group return no data from the IPA server, although 
>>>> ldapsearch works fine.
>>>> I followed the instructions exactly (+ configured ldap.conf & 
>>>> started sssd) and didn't get errors anywhere, all steps completed 
>>>> successfully.
>>>> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the 
>>>> other is a FreeBSD client (on FreeBSD 10.0).
>>>> IPA server is configured as written in the IPA Quick Start Guide, 
>>>> it has no integrated DNS server.
>>>> Both VMs have an identical /etc/hosts file:
>>>>
>>>> ::1                    localhost
>>>> 127.0.0.1         localhost
>>>> 192.168.1.10   ipa1.mydomain.com ipa1
>>>> 192.168.1.30   bsd1.mydomain.com bsd1
>>>>
>>>> Seems like some instructions in the /etc/nsswitch.conf file, like 
>>>> "group: files sss" and "passwd: files sss", have no effect.
>>>> Has anybody tried this setup, what could be wrong with it?
>>>> I can provide outputs of any commands if necessary.
>>>> If I shouldn't have asked this question here, please advise me 
>>>> where to ask.
>>>> Any hint on what to do will be highly appreciated!
>>> Hi,
>>>
>>> I think SSSD logs would be the best start.
>>>
>>> Put debug_level=7 into the [domain] section, restart SSSD and then 
>>> check
>>> out /var/log/sssd/*.log
>>>
>> "debug_level = 7" can be put into "nss" section as well.
>> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
>>
>> LS
>>
>
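As an added example (not code from the thread), a small Python check that reads an sssd.conf like the one quoted above and reports which file under /var/log/sssd each section logs to, and which sections have no debug_level, so the per-domain and per-responder logs (sssd_<domain>.log, sssd_nss.log) get inspected rather than only sssd.log. It assumes SSSD's sssd_<service>.log / sssd_<domain>.log naming, which the log file names shared in the thread confirm; the embedded configuration is a constructed sample based on the posted one.

```python
"""Name the SSSD log files an sssd.conf produces and flag sections lacking debug_level.
Added example, not from the thread; log names follow SSSD's sssd_<service|domain>.log."""
import configparser

LOG_DIR = "/var/log/sssd"

# Constructed sample: the configuration quoted in the thread, without any debug_level.
SAMPLE_CONF = """\
[domain/mydomain.com]
ipa_domain = mydomain.com
id_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
enumerate = True #to enumerate users and groups

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
"""

def _split(value):
    """Split a comma-separated sssd.conf list such as 'nss, pam, sudo'."""
    return [item.strip() for item in value.split(",") if item.strip()]

def parse_sssd_conf(text):
    # sssd.conf allows '#' comments after a value, so strip them while parsing.
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp

def expected_logs(cp):
    """Map each SSSD component to the log file it writes to."""
    logs = {"sssd": f"{LOG_DIR}/sssd.log"}  # the monitor process; config errors land here
    for svc in _split(cp.get("sssd", "services", fallback="nss, pam")):
        logs[svc] = f"{LOG_DIR}/sssd_{svc}.log"
    for dom in _split(cp.get("sssd", "domains", fallback="")):
        logs[f"domain/{dom}"] = f"{LOG_DIR}/sssd_{dom}.log"
    return logs

def missing_debug_level(cp):
    """Sections with no debug_level, whose log therefore stays almost empty."""
    return [sec for sec in cp.sections() if not cp.has_option(sec, "debug_level")]

def undefined_domains(cp):
    """Names in [sssd] domains= that have no matching [domain/<name>] section."""
    listed = _split(cp.get("sssd", "domains", fallback=""))
    return [d for d in listed if not cp.has_section(f"domain/{d}")]
```

Run it against the real file with `parse_sssd_conf(open("/usr/local/etc/sssd/sssd.conf").read())` to get the list of logs worth tailing after a restart.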
