[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Thu Oct 16 08:04:48 UTC 2014


OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh 
Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post on the FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA 
users when issuing "getent passwd" or "getent shadow". (Previously when 
I used just 2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or 
local user (root);

2) if I restart my IPA BSD client, I also can't login to it locally as 
either "root" or "rsiwal". I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH: 
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG

2) local login: 
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user

The file "pam_sss.so" exists on my FreeBSD machine in the specified 
location. Deleting "ignore unknown user" from that line doesn't help. 
Changing the position of that line so that it precedes
account  required  pam_unix.so
also gives no result.

Please help me to understand, what can I do in such a situation? Is it a 
bug in pam_sss.so?

15-Oct-14 06:14, Fraser Tweedale writes:
> On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
>> On (14/10/14 17:48), Fraser Tweedale wrote:
>>> On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
>>>> With help from Alexander Bokovoy I found correct log destinations:
>>>>
>>>> sssd-domain-log:
>>>> https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
>>>> sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
>>>>
>>>> These files are from my second Fedora - FreeBSD setup, they have different
>>>> domain name, but everything else is identical.
>>>>
>>>> Interestingly enough, there are lines in sssd_nss.log telling that there are
>>>> no users or groups in the domain. But as I said, I can ssh to the IPA server
>>>> as an IPA user.
>>>>
>>> Hi Orkhan,
>>>
>>> Thanks for the logs.  What were their actual locations?
>>>
>>> I'm going to try and reproduce your setup and see whether I get the
>>> same outcome.  I have been building and installing the ports as
>>> indicated in the forum post, and one thing I have noticed is that
>>> there are a lot of configuration options on some of the important
>>> ports - perhaps there was an important option that the author forgot
>>> to mention.
>>>
>> You needn't build sssd from ports. You can install sssd with pkg utility.
>> The only necessary step is to build openldap client with SASL support,
>> because default version of openldap client is built without SASL support.
>> sssd cannot initialize ipa_provider with openldap libraries without SASL
>> support. On the other hand, {ldap,krb5,ad} providers can be used without any
>> problem.
>>
>> The steps, how to build openldap client with SASL support, are described
>> in freebsd forum.
>>
>>> It is the end of the day for me, but sssd is now installed so I
>>> should let you know tomorrow whether I am running into the same
>>> issues as you, or whether I find success.
>>>
>>> (As a side note: once I get to a working setup I will create and
>>> publish a pkg(8) repo with the needed ports built with the correct
>>> options and make.conf variables.  This should make it easier and
>>> certainly quicker to use FreeBSD as a FreeIPA client.)
>> I am not sure what you are trying to do. Everything is described on forum.
>> If there isn't something clear feel free to send rephrased (updated) version of
>> howto. I can contact an author of that post.
>>
> Since there are non-default options and make variables to be set, is
> it not desirable that there be a pkg(8) repository people can use to
> install the packages needed for ipa integration?
>
> I think it is desirable.  It is easy to, thanks to
> ports-mgmt/poudriere.
>
> Fraser
>
>> LS
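Added example, not part of the thread or of the sssd/FreeIPA code: a small simulator of OpenPAM-style account-stack evaluation, to show why a "required" pam_sss.so line that reports "user unknown" for a local account (root) fails the whole account stack regardless of where the line sits, and what changes when pam_sss is given its documented option. pam_sss(8) spells the option as a single token, ignore_unknown_user (and has a sibling, ignore_authinfo_unavail, for the case where sssd itself is unreachable); pam.d fields are whitespace separated, so "ignore unknown user" parses as three separate options. The per-module outcomes below are constructed for the simulation rather than real NSS lookups, and the model covers only this one mechanism, not the full failure the poster reports (who also says removing the option did not help).

```python
"""Simulate OpenPAM account-stack evaluation for a FreeBSD /etc/pam.d/system.

Constructed example: module results are hard-coded per user; control-flag
semantics follow pam.conf(5) (required/requisite/sufficient/optional) and
the option names follow pam_sss(8).
"""

# Result codes. Names follow PAM; the values are this script's own.
PAM_SUCCESS, PAM_IGNORE, PAM_USER_UNKNOWN, PAM_AUTHINFO_UNAVAIL = range(4)

# Constructed account databases for the simulation.
LOCAL_USERS = {"root"}
IPA_USERS = {"rsiwal"}


def parse_pam_file(text):
    """Parse 'type control module [option ...]' lines into dicts.

    Options are split on whitespace, so 'ignore unknown user' yields
    three options, not one.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam line: %r" % raw)
        entries.append({"type": fields[0], "control": fields[1],
                        "module": fields[2].rsplit("/", 1)[-1],  # drop dir
                        "options": fields[3:]})
    return entries


def module_result(entry, user, sssd_up):
    """Constructed per-module outcome for the account stack."""
    mod, opts = entry["module"], entry["options"]
    if mod == "pam_sss.so":
        if not sssd_up:
            rc = PAM_AUTHINFO_UNAVAIL
        elif user in IPA_USERS:
            rc = PAM_SUCCESS
        else:
            rc = PAM_USER_UNKNOWN
        # pam_sss(8): these options map the named error to PAM_IGNORE,
        # which makes the framework skip the line entirely.
        if rc == PAM_USER_UNKNOWN and "ignore_unknown_user" in opts:
            rc = PAM_IGNORE
        if rc == PAM_AUTHINFO_UNAVAIL and "ignore_authinfo_unavail" in opts:
            rc = PAM_IGNORE
        return rc
    if mod == "pam_unix.so":
        # Local passwd entry, or an IPA entry resolved through NSS (sss).
        known = user in LOCAL_USERS or (sssd_up and user in IPA_USERS)
        return PAM_SUCCESS if known else PAM_USER_UNKNOWN
    return PAM_SUCCESS  # pam_login_access.so etc.: modelled as passing


def run_stack(entries, stack_type, user, sssd_up=True):
    """Evaluate one stack type the way OpenPAM chains control flags:
    required  - failure remembered, later modules still run
    requisite - failure ends the stack immediately
    sufficient- success ends the stack unless a required module failed
    optional  - result ignored; PAM_IGNORE from any module skips the line
    """
    first_err = None
    for e in entries:
        if e["type"] != stack_type:
            continue
        rc = module_result(e, user, sssd_up)
        if rc == PAM_IGNORE:
            continue
        ctl = e["control"]
        if ctl in ("required", "binding"):
            if rc != PAM_SUCCESS and first_err is None:
                first_err = rc
        elif ctl == "requisite":
            if rc != PAM_SUCCESS:
                return first_err if first_err is not None else rc
        elif ctl == "sufficient":
            if rc == PAM_SUCCESS and first_err is None:
                return PAM_SUCCESS
        elif ctl != "optional":
            raise ValueError("unknown control flag %r" % ctl)
    return PAM_SUCCESS if first_err is None else first_err


# Constructed account sections, mirroring the shapes discussed above.
AS_POSTED = """
account  required  /usr/local/lib/pam_sss.so ignore unknown user
account  required  pam_login_access.so
account  required  pam_unix.so
"""
PAM_SSS_LAST = """
account  required  pam_login_access.so
account  required  pam_unix.so
account  required  /usr/local/lib/pam_sss.so ignore unknown user
"""
DOCUMENTED_OPTION = AS_POSTED.replace("ignore unknown user",
                                      "ignore_unknown_user")


def account_check(config_text, user, sssd_up=True):
    """Result of the account stack for `user` under `config_text`."""
    return run_stack(parse_pam_file(config_text), "account", user, sssd_up)


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("pam_sss last", PAM_SSS_LAST),
                      ("ignore_unknown_user", DOCUMENTED_OPTION)):
        for user in ("root", "rsiwal"):
            print(name, user, account_check(cfg, user))
```

With every line "required", the order of pam_sss.so and pam_unix.so does not change the outcome for root: the first error is kept and the stack fails. The single-token option makes pam_sss step aside for a local user, but if sssd is stopped the line still returns authinfo-unavailable and root stays locked out unless ignore_authinfo_unavail is set too; for that reason keep a root shell open (or console access) while testing PAM changes on a remote box.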