[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Dmitri Pal dpal at redhat.com
Sun Oct 19 12:08:43 UTC 2014

On 10/18/2014 11:45 PM, Orkhan Gasimov wrote:
> 1. About enumerate with comments on the same line - it doesn't cause 
> any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my 
> FreeBSD 10 32-bit - that could be because of a comment on the same 
> line & I could check it, but if it's not recommended to have enumerate 
> at all, then I'll leave it.

Just FYI, comments on the same line are treated as part of the value, i.e. 
not interpreted as comments.
I do not know how the value is treated by SSSD in the case of a boolean.
It might try to parse it and come to the conclusion that it is true or false, 
but I do not know which conclusion it actually comes to.
BTW for those who are familiar with the internals and some other threads 
- using ding-libs interpretation functions would have caught that. One 
more argument to switch to ding-libs checking (when it is ready).

As for enumeration - it is not needed in 90% of cases so we recommend 
not to configure it.

> 2. About my pam.d files - please read carefully my previous posts. I 
> commented out the line in pam.d -> system and added it explicitly to 
> pam.d -> login because otherwise I get locked out from the machine. I 
> sent you the WORKING configuration and not the one which was 
> recommended at FreeBSD posts (and also by you). And yes, in pam.d -> 
> system there's no "ignore bla bla bla part" because in that file the 
> line "account  required  /usr/local/lib/pam_sss.so" 
> just doesn't work, with or without that part. That's what I was 
> talking about in my reply to the post at FreeBSD forums and that's why 
> I considered unimportant readding that "ignore ..." part in the 
> commented "account ..." line when sending pam.d files to you.
> 3. I like your idea of checking everything on a blank FreeBSD 10 
> setup - that way you will really determine whether the problem is 
> between the chair and the keyboard or not.

Yeah we should develop tools in this area. +1.

> Sent from Blue Mail <http://r.bluemailapp.com>
> On 19.10.2014, at 2:36, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>     On (17/10/14 16:46), Orkhan Gasimov wrote:
>         1. I use FreeBSD 10.0 64-bit. (For some files bits are also
>         important - for example, on a 32-bit machine the same
>         configuration of /usr/local/etc/sssd/sssd.conf file introduces
>         problems because of the line "enumerate = True" in the
>         [domain] section; only after that line is commented 
>     Firstly, we do not recommend enabling enumeration.
>     Secondly, you did not have "enumerate = True" in your domain section.
>     You have "enumerate = True #to enumerate users and groups"
>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     I wrote you in another email that comments should be on different line
>         out, sssd starts.) 2. The files you requested are at
>         https://cloud.mail.ru/public/afa7e1fad817/pam.d 17-Oct-14
>         16:30, Lukas Slebodnik wrote:
>             On (17/10/14 15:44), Orkhan Gasimov wrote:
>                 Unfortunately, putting that line in /etc/pam.d/system
>                 prevents me from being 
>     I checked your pam configuration and you had a wrong line in /etc/pam.d/system
>     Currently, it is commented out.
>          "#acconut        required        /usr/local/lib/pam_sss.so"
>     and the correct one is in /etc/pam.d/login
>         "account         required        /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail"
>     You were wrong in comment https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
>     Please move line from login -> system
>                 able to locally login to the BSD client. At the same
>                 time, the same line in /etc/pam.d/sshd or
>                 /etc/pam.d/login doesn't give unexpected behaviours.
>                 Bug, bug, bug... 
>         no, no, no,
>     The problem was between chair and keyboard.
>     Sorry, I could not resist :-)
>             It works for me with FreeBSD 9.3. It is possible that your
>             pam stack is misconfigured.
>     BTW
>     After fixing problems with my freeipa 4.0.3, I was able to connect with ssh
>     to FreeBSD 10 as freeipa_user and local_user.
>     If I have time in next weeks I will try with clean FreeBSD 10 and will write
>     some notes.
>     LS

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
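As an added example (not code from this thread, from SSSD or from FreeBSD), a small Python lint for the two mistakes discussed above: a `#` after a value in sssd.conf stays part of the value, so a boolean key no longer reads as plain true/false, and a misspelled facility field such as `acconut` in a pam.d file. Both config fragments are constructed, with made-up domain names.

```python
# Two constructed config fragments (assumption: names are made up, not the poster's files).
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
enumerate = True #to enumerate users and groups
cache_credentials = True
"""
PAM_SYSTEM = """\
# constructed /etc/pam.d/system fragment
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
acconut         required        /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail
session         required        pam_permit.so
"""

BOOLEAN_KEYS = {"enumerate", "cache_credentials"}   # sssd.conf keys that must be true/false
PAM_FACILITIES = {"auth", "account", "session", "password"}  # valid first field in pam.d files

def parse_ini(text):
    """Minimal INI read: '#' or ';' starts a comment only at the beginning of a line,
    so anything after the value on the same line stays part of the value."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        values[(section, key.strip())] = value.strip()
    return values

def find_suspect_booleans(text):
    """Return (section, key, value) for boolean keys whose value is not plain true/false."""
    return [(s, k, v) for (s, k), v in parse_ini(text).items()
            if k in BOOLEAN_KEYS and v.lower() not in ("true", "false")]

def find_bad_pam_facilities(text):
    """Return (line number, token) for pam.d lines whose facility field is misspelled."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] not in PAM_FACILITIES:
            bad.append((n, line.split()[0]))
    return bad
```

Running `find_suspect_booleans(SSSD_CONF)` reports the `enumerate` line with the trailing comment still attached to its value, and `find_bad_pam_facilities(PAM_SYSTEM)` reports line 3 with the `acconut` token.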
