[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Mon Oct 20 10:06:02 UTC 2014

OK, Lukas, I did as you say:
1) reset my pam.d -> login to its defaul state
2) added to my pam.d -> system: "account  required 
/usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail";
3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
Now I cannot locally login as either root or IPA user. Seems like we 
built our SSSDs differently or from different ports.
Would you be so kind to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with pam 
stack before, when configuring OpenLDAP on servers. That knowledge of 
pam let me solve the problem of local logins with sssd by adding the 
appropriate line in pam.d -> login instead of pam.d -> system. This 
setup works fine for me; another setup, which you and FreeBSD forums 
suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?

There are indeed nuances that the post at FreeBSD forums didn't address:
1) what choices should be made when building SSSD and other ports - VERY 
IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch 
to work;
3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single 
sign-on to behave properly (GSS-API part);
5) how cron script file's executability, IPA user's shell and automatic 
creation of home directories should be considered - there are some 
caveats for newbies;
6) why a user can't initially SSH or locally login to a FreeBSD client 
even with correct configuration files (password change problem);
7) how to setup SSSD so that it doesn't cache information too long (this 
is not what we always want, right?).

In short: a person who posted the info on FreeBSD - FreeIPA integration 
at FreeBSD forums shared a lot of info, but at the same time he didn't 
share other very important pieces of information, and this can cause 
great frustration to people trying to follow his post. And although you 
recommend me not to share my experience of setting up FreeBSD - FreeIPA 
integration, I just want people to get a REALLY WORKING HowTo. I've 
already tested HBAC, centralized sudo and other things in my setup, and 
everything is working fine. So in near future I plan to make a REAL, 
DETAILED HowTo on this subject, and I think that at least some pieces of 
information in it will help people to avoid great deal of frustration.

20-Oct-14 13:01, Lukas Slebodnik пишет:
> On (19/10/14 08:45), Orkhan Gasimov wrote:
>> 2. About my pam.d files - please read carefully my previous posts.
>> I commented > out the line in pam.d -> system and added it explicitly to
> You didn't have "account required /usr/local/lib/pam_sss.so ignore_unknown_user"
> in pam.d/system. The line is commented out, but there *IS NOT* argument
>   ignore_unknown_use
>
> Howto on FreeBSD forum[1] has argument ignore_unknown_user on the lines
> starting with account in both pam configuration files (system, sshd)
>
>> pam.d -> login because otherwise I get locked out from the machine. I sent
> I didn't touch "pam.d/login". I put "account .. pam_sss.so ignore_unknown_user"
> into "pam.d/system" (the same as in [1]) and I can login as sssd user and
> local user. I know that pam configuration isn't the easiest think for newbies,
> but your post will be even more confusing for others. Please do not give
> advices if you do not understand where is the problem and why it works with
> that change.
>
>> you the WORKING configuration and not the one which was recommended at
>> FreeBSD posts (and also by you). And yes, in pam.d -> system there's no
>> "ignore bla bla bla part" because in that file the line
>> "account  required  /usr/local/lib/pam_sss.so" just doesn't work, with or
>> without that part.
> I don't know what you did wrong, but it *works* with argument ignore_unknown_user
> How did you test?
>
> LS