[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Alexander Bokovoy abokovoy at redhat.com
Fri Oct 17 09:01:28 UTC 2014 

On Fri, 17 Oct 2014, Orkhan Gasimov wrote:
>Replying to myself is great... Anyway, maybe this info will be useful 
>for people like me, trying to integrate FreeBSD with FreeIPA.
>
>Solved some problems:
>
>1. "SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails. 
>The same user can SSH or locally login to my Linux client. "
>
>That happened because the shell specified for user "rsiwal" was 
>/bin/bash. After changing it to /bin/sh that problem disappeared.
SSH does multi-level checks. Not only user should exist on the system
and authentication should pass but also there should be a correct shell
to run. Unfortunately, FreeBSD doesn't have bash in the default
installation. It is up to admins to provide appropriate configuration
either by setting right shell in IPA or by preparing system environment
on all hosts where the selected shell is required. With FreeIPA 4.1 we
are going to provide a mechanism to re-define some of user attributes
per-host but it would require a newer SSSD (or use of compat tree) at
the client side.


>
>2. "At the same time I cannot locally login to my FreeBSD host as 
>either IPA user or local user."
>
>I posted the cause and solution at FreeBSD forums: 
>https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

Well, note that since FreeIPA 3.3 we have support for so-called
'advices' in FreeIPA. See ipa-advise tool on IPA server. Currently it
only provides you with config-freebsd-nss-pam-ldapd advise to configure
FreeBSD with nss-pam-ldapd, but we can extend that to have SSSD covered
too.

>
>3. "If I create a new user in IPA, he can`t initially SSH into FreeBSD 
>client.
>BSD says: "password expired", but doesn`t take new password.
>The same new user can SSH into my Linux client.
>Linux says: "password expired" and allows to set a new password with a 
>message: "All authentication tokens updated successfully."
>After I set a new password for my newly created user via Linux, I can 
>SSH into my BSD client as that user.
>Using this hack I can create new users in IPA, SSH into Linux to 
>change their passwords and then use those new users to SSH into 
>FreeBSD."
>
>Didn`t find a solution yet. But I think this is caused by lack of 
>proper configuration of Kerberos on my FreeBSD client. On my Linux 
>client I found such a configuration in /etc/krb5.conf file. However, 
>there's no such file on my FreeBSD client, as the post on FreeBSD 
>forums didn't say anything about such a file. I'll do some more checks 
>and share the results here.
Well, follow your Kerberos library defaults. By default FreeBSD is built
with Heimdal so if your system uses Heimdal and SSSD is build against
it, then configure /etc/krb5.conf as 
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
	kdc = kerberos.example.org
	admin_server = kerberos.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG

Where kerberos.example.org is your IPA master.


-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list