[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Fri Oct 17 10:14:32 UTC 2014


1. You wrote:

File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
difference.

There should not be any difference, but the frustrating point is - THERE 
IS A DIFFERENCE! That's why I replied to that post at FreeBSD forums. A 
bug might be present either in PAM modules or in SSSD (I'm not a 
programmer, so can't determine where exactly).

2. Another moment:

BTW: You tested access with sshd, but file /etc/pam.d/system needn't be used
in /etc/pam.d/sshd which is used by sshd.

I was talking about local logins, not about SSH access:

"At the same time I cannot locally login to my FreeBSD host as either IPA
user or local user."

3. About changing passwords:

Unfortunately, it is not possible to change password for ldap (sssd) users
in FreeBSD. It is described in FreeBSD ldap client documentation (which uses
nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats

This really explains a lot, thanks for this link.
They write: "...most administrators are left to implement a solution 
themselves." As of now, my solution is to create a dummy Linux client 
just for changing passwords.


17-Oct-14 14:15, Lukas Slebodnik wrote:
> On (17/10/14 12:27), Orkhan Gasimov wrote:
>> Replying to myself is great... Anyway, maybe this info will be useful for
>> people like me, trying to integrate FreeBSD with FreeIPA.
>>
>> Solved some problems:
>>
>> 1. "SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails. The
>> same user can SSH or locally login to my Linux client. "
>>
>> That happened because the shell specified for user "rsiwal" was /bin/bash.
>> After changing it to /bin/sh that problem disappeared.
> It needn't be changed in LDAP(IPA). You can change(override) shell on client
> side.
> For details see:
>      man sssd.conf -> override_shell
>
>> 2. "At the same time I cannot locally login to my FreeBSD host as either IPA
>> user or local user."
>>
>> I posted the cause and solution at FreeBSD forums:
>> https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
>>
> In post you wrote:
>     The problem is in this string in the /etc/pam.d/system file:
>     account required /usr/local/lib/pam_sss.so ignore_unknown_user
>     
>     That string gives login errors, with or without ignore_unknown_user part.
>     The only solution I found for now is to comment that string out and add it
>     explicitly into /etc/pam.d/login file. Then local login process proceeds
>     without errors.
>
> File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
> difference.
>
> BTW: You tested access with sshd, but file /etc/pam.d/system needn't be used
> in /etc/pam.d/sshd which is used by sshd.
>
> I would recommend to have next line in /etc/pam.d/system and /etc/pam.d/sshd.
> Without this line, access control will not work. (HBAC)
> account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
>
>
>> 3. "If I create a new user in IPA, he can't initially SSH into FreeBSD
>> client.
>> BSD says: "password expired", but doesn't take new password.
>> The same new user can SSH into my Linux client.
>> Linux says: "password expired" and allows to set a new password with a
>> message: "All authentication tokens updated successfully."
>> After I set a new password for my newly created user via Linux, I can SSH
>> into my BSD client as that user.
>> Using this hack I can create new users in IPA, SSH into Linux to change their
>> passwords and then use those new users to SSH into FreeBSD."
>>
>> Didn't find a solution yet. But I think this is caused by lack of proper
>> configuration of Kerberos on my FreeBSD client. On my Linux client I found
>> such a configuration in /etc/krb5.conf file. However, there's no such file on
>> my FreeBSD client, as the post on FreeBSD forums didn't say anything about
>> such a file. I'll do some more checks and share the results here.
> FreeIPA requires to change password for new users.
> Unfortunately, it is not possible to change password for ldap (sssd) users
> in FreeBSD. It is described in FreeBSD ldap client documentation (which uses
> nss-pam-ldapd)
> https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats
>
> LS
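One way to check, on a FreeBSD-style PAM layout, whether a service's `account` stack actually reaches the `pam_sss.so` line Lukas recommends (with both `ignore_unknown_user` and `ignore_authinfo_unavail`, so HBAC is enforced). This is an added Python example, not code from the thread or from SSSD/FreeIPA. The `/etc/pam.d/system`, `login` and `sshd` contents below are constructed for the example (the `sshd` sample deliberately lacks the `pam_sss.so` account line); the script expands FreeBSD's `account include <file>` directives, so the `login` versus `system` question raised in the thread can be inspected as the flattened stack PAM would evaluate.

```python
"""Audit the 'account' stack of FreeBSD-style PAM service files for the
pam_sss.so line recommended in the thread. All sample files are constructed
inline; nothing is read from the real /etc/pam.d."""

# Constructed sample of /etc/pam.d/* on a FreeBSD client (assumption: FreeBSD
# 'type control module [args]' syntax with 'include' as a control keyword).
# 'sshd' omits the pam_sss account line on purpose, to show the failure case.
PAM_FILES = {
    "system": """\
# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        sufficient  /usr/local/lib/pam_sss.so   use_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass nullok
# account
account     required    pam_login_access.so
account     required    pam_unix.so
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
# session
session     required    pam_lastlog.so              no_fail
# password
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
""",
    "login": """\
auth        include     system
account     requisite   pam_securetty.so
account     include     system
session     include     system
password    include     system
""",
    "sshd": """\
auth        sufficient  /usr/local/lib/pam_sss.so   use_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    pam_permit.so
password    required    pam_unix.so                 no_warn try_first_pass
""",
}

PAM_SSS = "pam_sss.so"
# Arguments the thread recommends on the account line.
REQUIRED_ARGS = {"ignore_unknown_user", "ignore_authinfo_unavail"}


def parse_pam(text):
    """Return a list of (facility, control, module, args) tuples, skipping
    comments and blank lines. Module may be a bare name or a full path."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; PAM would reject it as well
        facility, control, module, *args = parts
        entries.append((facility, control, module, args))
    return entries


def account_stack(service, files=PAM_FILES, depth=0):
    """Flatten the 'account' stack of a service in evaluation order, expanding
    FreeBSD-style 'account include <other>' lines recursively."""
    if depth > 8:
        raise ValueError(f"include loop while expanding {service!r}")
    stack = []
    for facility, control, module, args in parse_pam(files[service]):
        if facility != "account":
            continue
        if control == "include":
            stack.extend(account_stack(module, files, depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def audit_account(service, files=PAM_FILES):
    """Report whether the service's account stack reaches pam_sss.so, with
    which control flag, and which of the recommended arguments are missing."""
    sss = [(c, m, a) for c, m, a in account_stack(service, files) if m.endswith(PAM_SSS)]
    if not sss:
        return {"service": service, "pam_sss": False, "control": None,
                "missing_args": sorted(REQUIRED_ARGS)}
    control, _module, args = sss[0]
    return {"service": service, "pam_sss": True, "control": control,
            "missing_args": sorted(REQUIRED_ARGS - set(args))}


if __name__ == "__main__":
    for svc in PAM_FILES:
        r = audit_account(svc)
        ok = r["pam_sss"] and r["control"] == "required" and not r["missing_args"]
        print(f"{svc:6s} {'ok' if ok else 'MISSING'}: {r}")
```

Running it reports `login` as ok (its `account include system` pulls in the `pam_sss.so` line) and flags `sshd`, which matches Lukas's point that `/etc/pam.d/sshd` does not automatically include `/etc/pam.d/system`. To audit a real client, replace the `PAM_FILES` dict with the contents of the actual files under `/etc/pam.d`.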
