[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Fri Oct 17 07:27:51 UTC 2014


Replying to myself is great... Anyway, maybe this info will be useful 
for people like me, trying to integrate FreeBSD with FreeIPA.

Solved some problems:

1. "SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails. 
The same user can SSH or locally login to my Linux client."

That happened because the shell specified for user "rsiwal" was 
/bin/bash. After changing it to /bin/sh that problem disappeared.

2. "At the same time I cannot locally login to my FreeBSD host as either 
IPA user or local user."

I posted the cause and solution at FreeBSD forums: 
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

3. "If I create a new user in IPA, he can't initially SSH into the FreeBSD 
client.
BSD says: "password expired", but doesn't take a new password.
The same new user can SSH into my Linux client.
Linux says: "password expired" and allows setting a new password with the 
message: "All authentication tokens updated successfully."
After I set a new password for my newly created user via Linux, I can 
SSH into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to change 
their passwords and then use those new users to SSH into FreeBSD."

Didn't find a solution yet. But I think this is caused by a lack of proper 
Kerberos configuration on my FreeBSD client. On my Linux client I 
found such a configuration in the /etc/krb5.conf file. However, there's no 
such file on my FreeBSD client, as the post on the FreeBSD forums didn't say 
anything about such a file. I'll do some more checks and share the 
results here.


16-Oct-14 18:23, Orkhan Gasimov wrote:
> Here's what I have at the end of the day after various checks.
>
> SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails.
> The same user can SSH or locally login to my Linux client.
> If I create a new user in IPA, he can't initially SSH into the FreeBSD 
> client.
> BSD says: "password expired", but doesn't take a new password.
> The same new user can SSH into my Linux client.
> Linux says: "password expired" and allows setting a new password with the 
> message: "All authentication tokens updated successfully."
> After I set a new password for my newly created user via Linux, I can 
> SSH into my BSD client as that user.
> Using this hack I can create new users in IPA, SSH into Linux to 
> change their passwords and then use those new users to SSH into FreeBSD.
> At the same time I cannot locally login to my FreeBSD host as either 
> IPA user or local user.
>
> I think there's something wrong with the Kerberos setup on my FreeBSD 
> client. I suspect that because both /etc/pam.d/system and 
> /etc/pam.d/sshd files on the BSD client have a string:
> password  sufficient  /usr/local/lib/pam_sss.so use_authtok
> but BSD doesn't let me update authentication tokens when trying to change 
> the expired password for a new user.
>
> There was minimal info about Kerberos setup on FreeBSD client in the 
> post at FreeBSD forums. Just this: "create a keytab on the IPA server 
> and copy it to /etc/krb5.keytab" on the FreeBSD client.
>
> Someone here wrote that he can contact the author of that post. If so, 
> please tell the author to spend a couple of hours to:
> 1) check everything he advised on a blank setup with VMs;
> 2) provide more details about correct sequence of actions.
>
> Any help will be highly appreciated!
>
> 16-Oct-14 15:13, Orkhan Gasimov wrote:
>> Please excuse me for that silly typo in the letter. The typo doesn't 
>> exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files 
>> I typed "ignore_unknown_user".
>>
>> I'll try "ignore_authinfo_unavail" to see if it prevents me from 
>> being locked out of the machine.
>>
>> Here are the log files:
>>
>> sssd_eurosel.az.log: 
>> https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
>> sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
>> sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
>> krb5_child.log: 
>> https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
>> ldap_child.log: 
>> https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
>> sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log
>>
>>
>> 16-Oct-14 14:57, Lukas Slebodnik wrote:
>>> On (16/10/14 13:04), Orkhan Gasimov wrote:
>>>> OK, back to FreeIPA - FreeBSD setup.
>>>> I changed my setup: instead of 2 VMs now I have 4 VMs:
>>>>
>>>> 1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
>>>> http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
>>>>
>>>> 2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh 
>>>> Kumar
>>>> Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
>>>>
>>>> 4: IPA BSD client - set up as described in the post at FreeBSD forums.
>>>>
>>>>
>>>> Results:
>>>>
>>>> 1) my IPA linux client interacts fine with the IPA server;
>>>>
>>>> 2) my IPA BSD client also interacts with the IPA server: it sees 
>>>> IPA users
>>>> when issuing "getent passwd" or "getent shadow". (Previously when I 
>>>> used just
>>>> 2 VMs and no DNS server, that didn't happen.)
>>>>
>>>> Problems after I start sssd on the FreeBSD client:
>>>>
>>>> 1) I can't ssh into my IPA BSD client either as an IPA user 
>>>> (rsiwal) or local
>>>> user (root);
>>>>
>>>> 2) if I restart my IPA BSD client, I also can't login to it locally 
>>>> as either
>>>> "root" or "rsiwal". I get totally locked out of the machine.
>>>>
>>>> FreeBSD displays some errors on the screen when using:
>>>>
>>>> 1) SSH:
>>>> https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG 
>>>>
>>>>
>>>> 2) local login:
>>>> https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG 
>>>>
>>>>
>>>> FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
>>>> account  required  /usr/local/lib/pam_sss.so ignore unknown user
>>> ^^^^^^^^^^^^^^^^^^^
>>>                            it should be one word joined with 
>>> underscores "_"
>>>
>>> See details in:
>>>      man pam_sss -> OPTIONS
>>>
>>> It would be good to also use the argument ignore_authinfo_unavail
>>> in the PAM system config, otherwise you will not be able to connect as a 
>>> local user
>>> if sssd is down.
>>>
>>> LS
>>>
>>
>
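A configuration check for the pam_sss.so arguments the thread discusses, written in POSIX sh/awk as an added example (it is not code from any poster or from the SSSD project): it reports arguments that are not pam_sss(8) options, which catches the spaced-out "ignore unknown user" from line 19 of /etc/pam.d/system, and flags account lines missing the two ignore_* options Lukas recommends. The option list is the one in pam_sss(8); the sample config fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint the pam_sss.so entries in a
# FreeBSD PAM config such as /etc/pam.d/system or /etc/pam.d/sshd.
# Check 1: every argument must be a real pam_sss option, so a space-separated
# "ignore unknown user" is reported word by word.
# Check 2: account lines should carry ignore_unknown_user and
# ignore_authinfo_unavail, otherwise local users are locked out while sssd
# is down. Exit status 0 = clean, 1 = findings (one finding per line).
lint_pam_sss() {
    awk '
    BEGIN {
        # options listed in pam_sss(8); retry= and domains= take a value
        split("forward_pass use_first_pass use_authtok quiet ignore_unknown_user ignore_authinfo_unavail", ok, " ")
        for (i in ok) known[ok[i]] = 1
        bad = 0
    }
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $3 !~ /pam_sss\.so$/ { next }           # only pam_sss.so entries matter
    {
        has_unknown = 0; has_unavail = 0
        for (i = 4; i <= NF; i++) {
            a = $i
            if (a == "ignore_unknown_user") has_unknown = 1
            if (a == "ignore_authinfo_unavail") has_unavail = 1
            if ((a in known) || a ~ /^(retry|domains)=/) continue
            printf "%s:%d: \"%s\" is not a pam_sss option (options are one word joined with _)\n", FILENAME, FNR, a
            bad = 1
        }
        if ($1 == "account" && !(has_unknown && has_unavail)) {
            printf "%s:%d: account line should carry ignore_unknown_user and ignore_authinfo_unavail\n", FILENAME, FNR
            bad = 1
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample reproducing the thread: the account line has the option
# split into three words; the auth and password lines are fine.
write_sample() {
    cat > "$1" <<'EOF'
# constructed /etc/pam.d/system fragment
auth     sufficient  /usr/local/lib/pam_sss.so use_first_pass
account  required    /usr/local/lib/pam_sss.so ignore unknown user
password sufficient  /usr/local/lib/pam_sss.so use_authtok
EOF
}

# Usage: sh lint_pam_sss.sh /etc/pam.d/system
if [ "$#" -gt 0 ]; then lint_pam_sss "$1"; fi
```

Run it against both /etc/pam.d/system and /etc/pam.d/sshd, since the thread shows the same pam_sss lines duplicated in both files.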
