[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Lukas Slebodnik lslebodn at redhat.com
Fri Oct 17 09:15:30 UTC 2014


On (17/10/14 12:27), Orkhan Gasimov wrote:
>Replying to myself is great... Anyway, maybe this info will be useful for
>people like me, trying to integrate FreeBSD with FreeIPA.
>
>Solved some problems:
>
>1. "SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails. The
>same user can SSH or locally login to my Linux client."
>
>That happened because the shell specified for user "rsiwal" was /bin/bash.
>After changing it to /bin/sh that problem disappeared.
It needn't be changed in LDAP (IPA). You can change (override) the shell on the
client side.
For details see:
    man sssd.conf -> override_shell

>
>2. "At the same time I cannot locally login to my FreeBSD host as either IPA
>user or local user."
>
>I posted the cause and solution at FreeBSD forums:
>https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
>
In post you wrote:
   The problem is in this string in the /etc/pam.d/system file:
   account required /usr/local/lib/pam_sss.so ignore_unknown_user
   
   That string gives login errors, with or without ignore_unknown_user part.
   The only solution I found for now is to comment that string out and add it
   explicitly into /etc/pam.d/login file. Then local login process proceeds
   without errors.

File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
difference.

BTW: You tested access with sshd, but the file /etc/pam.d/system needn't be used
by /etc/pam.d/sshd, which is the file sshd uses.

I would recommend having the following line in /etc/pam.d/system and /etc/pam.d/sshd.
Without this line, access control (HBAC) will not work.
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail


>3. "If I create a new user in IPA, he can't initially SSH into FreeBSD
>client.
>BSD says: "password expired", but doesn't take new password.
>The same new user can SSH into my Linux client.
>Linux says: "password expired" and allows to set a new password with a
>message: "All authentication tokens updated successfully."
>After I set a new password for my newly created user via Linux, I can SSH
>into my BSD client as that user.
>Using this hack I can create new users in IPA, SSH into Linux to change their
>passwords and then use those new users to SSH into FreeBSD."
>
>Didn't find a solution yet. But I think this is caused by lack of proper
>configuration of Kerberos on my FreeBSD client. On my Linux client I found
>such a configuration in /etc/krb5.conf file. However, there's no such file on
>my FreeBSD client, as the post on FreeBSD forums didn't say anything about
>such a file. I'll do some more checks and share the results here.
FreeIPA requires new users to change their password.
Unfortunately, it is not possible to change the password of LDAP (sssd) users
on FreeBSD. It is described in the FreeBSD LDAP client documentation (which uses
nss-pam-ldapd):
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats

LS
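The thread turns on which PAM service files actually reach the pam_sss account line: /etc/pam.d/login includes system, while /etc/pam.d/sshd need not. The following checker, an added example that is not part of the thread, follows "include" directives and reports whether a service's account stack contains pam_sss.so (and so whether HBAC is evaluated); the pam.d files are constructed inline in a temporary directory, and PAMDIR is an assumed stand-in for /etc/pam.d.

```shell
#!/bin/sh
# Constructed sample pam.d tree (assumption: on a real host set PAMDIR=/etc/pam.d)
PAMDIR="$(mktemp -d)"
trap 'rm -rf "$PAMDIR"' EXIT
cat > "$PAMDIR/system" <<'EOF'
auth        required     /usr/local/lib/pam_sss.so   use_first_pass
account     required     pam_login_access.so
account     required     /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
EOF
cat > "$PAMDIR/login" <<'EOF'
auth        include      system
account     requisite    pam_securetty.so
account     include      system
EOF
cat > "$PAMDIR/sshd" <<'EOF'
# no "include system" here: pam_sss is only in the auth stack
auth        required     /usr/local/lib/pam_sss.so   use_first_pass
account     required     pam_nologin.so
account     required     pam_login_access.so
EOF

# has_pam_sss_account SERVICE: exit 0 if the "account" stack of SERVICE,
# after expanding "include" lines, contains pam_sss.so; exit 1 otherwise.
has_pam_sss_account() {
    _file="$PAMDIR/$1"
    [ -r "$_file" ] || return 1
    # drop comment lines, keep only account lines, then walk them
    grep -v '^[[:space:]]*#' "$_file" | awk '$1 == "account"' | {
        while read -r _type _ctrl _mod _rest; do
            if [ "$_ctrl" = "include" ]; then
                has_pam_sss_account "$_mod" && exit 0   # recurse into included file
            else
                case "$_mod" in *pam_sss.so) exit 0 ;; esac
            fi
        done
        exit 1
    }
}

# report SERVICE...: one line per service; returns 0 only if all of them reach pam_sss
report() {
    _rc=0
    for _s in "$@"; do
        if has_pam_sss_account "$_s"; then
            echo "$_s: account stack reaches pam_sss.so (HBAC is evaluated)"
        else
            echo "$_s: no pam_sss.so account line (HBAC is NOT enforced)"; _rc=1
        fi
    done
    return $_rc
}

if report login sshd; then echo "all checked services enforce HBAC"; fi
```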
