[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Fraser Tweedale ftweedal at redhat.com
Wed Oct 22 02:06:28 UTC 2014

On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
> >OK, Lukas, I did as you said:
> >1) reset my pam.d -> login to its default state
> >2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
> >ignore_unknown_user ignore_authinfo_unavail";
> >3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
> >Now I cannot locally login as either root or IPA user. Seems like we built
> >our SSSDs differently or from different ports.
> >Would you be so kind to share info about your choices when building SSSD?
> >
> >You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
> >before, when configuring OpenLDAP on servers. That knowledge of pam let me
> >solve the problem of local logins with sssd by adding the appropriate line in
> >pam.d -> login instead of pam.d -> system. This setup works fine for me;
> >another setup, which you and FreeBSD forums suppose, doesn't work. Did you
> >check everything on a blank FreeBSD 10 setup?
> >
> Basically, you should do all (ipa-client-install) steps manually.
> I would recommend that you look into the log file from a Linux machine,
> /var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
> will be the location of configuration files (/etc vs /usr/local/etc).
> >There are indeed nuances that the post at FreeBSD forums didn't address:
> I would say that post was more focused on integrating sssd with sudo
> and expected a more experienced user with better knowledge of FreeIPA.
> It is the most difficult part.
> >1) what choices should be made when building SSSD and other ports - VERY
> >IMPORTANT, but missing information;
> I am used to installing packages with the pkg utility. Just some packages need
> to be built from source (they are listed at the beginning of the post).
I have prepared a custom pkg(8) repo with the packages built with
the required options/make.conf variables.  Hang tight, I'll send all
the info soon.

> >2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
> >work;
> I don't have ldap.conf configured. On the other hand, it can be useful for
> troubleshooting with the ldapsearch utility.
> >3) how krb5.conf should be configured on a FreeBSD client;
> The same as on Linux. (sssd is linked with MIT Kerberos.)
> >4) how SSH files should be configured on a FreeBSD client for single sign-on
> >to behave properly (GSS-API part);
> Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made by
> the ipa-client-install script.
> >5) how cron script file's executability, IPA user's shell and automatic
> >creation of home directories should be considered - there are some caveats
> Why do you need cron?
> The user shell can be changed on the FreeIPA server, or you can change the sssd
> configuration; see man sssd.conf (search for *shell*).
> >for newbies;
> Do you mean "admin newbies" or "FreeIPA newbies"?
> An admin should know how to configure automatic creation of directories
> (another pam module); ipa-client-install just simplifies it on Linux.
> >6) why a user can't initially SSH or locally login to a FreeBSD client even
> >with correct configuration files (password change problem);
> FreeBSD admins should already have experience with LDAP configuration on
> FreeBSD (or at least have read the FreeBSD documentation). The official documentation is
> very good (LDAP client configuration with nss-pam-ldapd):
> https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
> >7) how to setup SSSD so that it doesn't cache information too long (this is
> >not what we always want, right?).
> >
> sssd uses a cache by design. If you don't want to cache LDAP users, you can use
> nss-pam-ldapd. BTW, this point is not related to FreeBSD.
> Summary:
> Feel free to write a detailed howto for newbies. We will be very glad to help with
> reviewing and fixing problematic parts.
> LS
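As an added example, not from any poster in this thread: a FreeBSD /etc/pam.d/system that stacks the ports-built pam_sss.so (under /usr/local/lib, as in the thread) next to the base modules, including the account line quoted above. The pam_mkhomedir module (security/pam_mkhomedir port) is assumed here as the "another pam module" for home directory creation; check the path on your box.

```conf
# /etc/pam.d/system on FreeBSD 10 with sssd from ports.
# Order matters: IPA users are handled by pam_sss first, local users
# (root included) fall through to pam_unix.

# auth
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so           no_warn allow_local
# forward_pass puts the entered password on the stack so pam_unix can
# reuse it via try_first_pass instead of prompting a second time.
auth        sufficient  /usr/local/lib/pam_sss.so   forward_pass
auth        required    pam_unix.so                 no_warn try_first_pass nullok

# account
account     required    pam_login_access.so
# ignore_unknown_user: accounts sssd does not know (local users) get
# PAM_IGNORE rather than a failure; ignore_authinfo_unavail: the same
# when sssd itself is unreachable, so local login survives an sssd outage.
account     required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so

# session
session     required    pam_lastlog.so              no_fail
# Assumed: pam_mkhomedir from the security/pam_mkhomedir port creates the
# home directory on first login (replaces a cron job for that purpose).
session     optional    /usr/local/lib/pam_mkhomedir.so

# password
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
```

The login shell is not a PAM matter; map unavailable shells (for example /bin/bash on a stock FreeBSD) in the [nss] section of sssd.conf with the shell options described in man sssd.conf.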
