[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
orkhan-azeri at mail.ru
Tue Oct 14 07:38:37 UTC 2014
With help from Alexander Bokovoy I found correct log destinations:
These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.
Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.
14-Oct-14 10:23, Orkhan Gasimov wrote:
> Thanks to both of you for the interest.
> Here's the info you asked:
> 1. Putting "debug_level = 7" either in [domain] or/and [nss] section
> of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log.
> The log file located at /var/log/sssd/sssd.log is only populated with
> data when I make some errors in sssd.conf & sssd process fails to
> start. But that's the case only if I deliberately introduce some
> errors; with current configuration sssd starts successfully.
> 2. My original sssd.conf (without debugs) is as follows (exact copy of
> what was shown in the post at FreeBSD forums):
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.mydomain.com
> chpass_provider = ipa
> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
> ldap_tls_cacert = /etc/ssl/ca.crt
> enumerate = True #to enumerate users and groups
> enumerate = True
> services = nss, pam, sudo
> config_file_version = 2
> domains = mydomain.com
> Interestingly enough the [nss] section is empty, just as shown in the
> post at FreeBSD forums.
> 3. The users created at the IPA server can't locally log in to the
> server, but it's possible to ssh to the server as an IPA user from the
> FreeBSD host. However, there are some interesting behaviors (again,
> this is what happens when just following the IPA Quick Start Guide for
> the server side & the post from FreeBSD forums for the client side):
> - home directories are not automatically created on the IPA server;
> - "id" command output shows correct uid, but the group of any IPA
> user doesn't show as "ipausers" - instead, the group name is the same
> as username, + something like
> 4. Here is the list of snapshots taken from my FreeBSD VM when I
> installed necessary ports, maybe these snapshots will provide some
> additional info on sssd behavior:
> 14-Oct-14 00:32, Lukas Slebodnik wrote:
>> On (13/10/14 20:33), Jakub Hrozek wrote:
>>> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
>>>> Good day to everybody.
>>>> There's a post on how to make a FreeBSD client work with a FreeIPA
>>>> For some reason the instructions in that post don't lead to a
>>>> working solution.
>>>> Getent passwd/group return no data from the IPA server, although
>>>> ldapsearch works fine.
>>>> I followed the instructions exactly (+ configured ldap.conf &
>>>> started sssd) and didn't get errors anywhere, all steps completed
>>>> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the
>>>> other is a FreeBSD client (on FreeBSD 10.0).
>>>> IPA server is configured as written in the IPA Quick Start Guide,
>>>> it has no integrated DNS server.
>>>> Both VMs have identical /etc/hosts file:
>>>> ::1 localhost
>>>> 127.0.0.1 localhost
>>>> 192.168.1.10 ipa1.mydomain.com ipa1
>>>> 192.168.1.30 bsd1.mydomain.com bsd1
>>>> Seems like some instructions in etc/nsswitch.conf file, like
>>>> "group: files sss" and "passwd: files sss" have no effect.
>>>> Has anybody tried this setup? What could be wrong with it?
>>>> I can provide outputs of any commands if necessary.
>>>> If I shouldn't have asked this question here, please advise me
>>>> where to ask.
>>>> Any hint on what to do will be highly appreciated!
>>> I think SSSD logs would be the best start..
>>> Put debug_level=7 into the [domain] section, restart SSSD and then
>>> out /var/log/sssd/*.log
>> "debug_level = 7" can be put into "nss" section as well.
>> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
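
Added example, not part of the original thread or of SSSD: a Python script that reads an sssd.conf and lists, for each active component, which file under /var/log/sssd/ it logs to and whether debug_level is set in its section. Each SSSD component writes its own log (sssd_nss.log for [nss], sssd_<domain>.log for a domain) rather than sssd.log. The section layout of the sample config and the function names are assumptions.

```python
import configparser

LOG_DIR = "/var/log/sssd"  # log directory named in the thread

# Constructed sample: the section headers are assumed; options echo the thread.
SAMPLE_CONF = """\
[domain/mydomain.com]
id_provider = ipa
ipa_server = _srv_
enumerate = True
debug_level = 7

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]
"""

def log_file_for(section):
    """Map an sssd.conf section name to the log file that component writes."""
    if section == "sssd":
        return f"{LOG_DIR}/sssd.log"              # monitor process
    if section.startswith("domain/"):
        return f"{LOG_DIR}/sssd_{section.split('/', 1)[1]}.log"
    return f"{LOG_DIR}/sssd_{section}.log"        # responders: nss, pam, sudo

def split_list(value):
    """Split a comma-separated option value, dropping empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def debug_report(conf_text):
    """Return {section: (log_file, debug_level or None)} for each active component."""
    # strict=False tolerates repeated keys; '#' handles trailing comments when parsing.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(conf_text)
    sections = ["sssd"]
    sections += split_list(cp.get("sssd", "services", fallback=""))
    sections += [f"domain/{d}" for d in split_list(cp.get("sssd", "domains", fallback=""))]
    return {s: (log_file_for(s), cp.get(s, "debug_level", fallback=None))
            for s in sections}

if __name__ == "__main__":
    for section, (path, level) in debug_report(SAMPLE_CONF).items():
        state = f"debug_level={level}" if level else "debug_level not set"
        print(f"[{section}] -> {path} ({state})")
```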