[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Sun Oct 19 03:45:55 UTC 2014


1. About enumerate with comments on the same line - it doesn't cause any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my FreeBSD 10 32-bit - that could be because of a comment on the same line & I could check it, but if it's not recommended to have enumerate at all, then I'll leave it.

2. About my pam.d files - please read carefully my previous posts. I commented out the line in pam.d -> system and added it explicitly to pam.d -> login because otherwise I get locked out from the machine. I sent you the WORKING configuration and not the one which was recommended at FreeBSD posts (and also by you). And yes, in pam.d -> system there's no "ignore bla bla bla part" because in that file the line "account  required  /usr/local/lib/pam_sss.so" just doesn't work, with or without that part. That's what I was talking about in my reply to the post at FreeBSD forums and that's why I considered unimportant readding that "ignore ..." part in the commented "account ..." line when sending pam.d files to you.

3. I like your idea of checking everything on a blank FreeBSD 10 setup - that way you will really determine whether the problem is between the chair and the keyboard or not.

Sent from Blue Mail



On 19.10.2014 at 2:36, Lukas Slebodnik <lslebodn at redhat.com> wrote:
>On (17/10/14 16:46), Orkhan Gasimov wrote:
>>1. I use FreeBSD 10.0 64-bit.
>>(For some files bits are also important - for example, on a 32-bit machine
>>the same configuration of
>>/usr/local/etc/sssd/sssd.conf file introduces problems because of the line
>>"enumerate = True" in the [domain] section; only after that line is commented
>Firstly, We do not recommend to have enabled enumeration.
>Secondly, You did not have "enumerate = True" in your domain section.
>You have "enumerate = True #to enumerate users and groups"
>          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>I wrote you in another email that comments should be on different line
>
>>out, sssd starts.)
>>
>>2. The files you requested are at
>>https://cloud.mail.ru/public/afa7e1fad817/pam.d
>>
>>17-Oct-14 16:30, Lukas Slebodnik wrote:
>>>On (17/10/14 15:44), Orkhan Gasimov wrote:
>>>>Unfortunately, putting that line in /etc/pam.d/system prevents me from being
>I checked your pam configuration and you had wrong line in /etc/pam.d/system
>Currently, it is commented out.
>    "#acconut        required        /usr/local/lib/pam_sss.so"
>and the correct one is in /etc/pam.d/login
>"account         required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail"
>
>You were wrong in comment
>https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
>Please move line from login -> system
>
>>>>able to locally login to the BSD client.
>>>>At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login
>>>>doesn't give unexpected behaviours.
>>>>Bug, bug, bug...
>   no, no, no,
>The problem was between chair and keyboard.
>Sorry, I could not resist :-)
>
>>>>
>>>It works for me with FreeBSD 9.3. It is possible that your pam stack is
>>>misconfigured.
>>>
>
>BTW
>After fixing problems with my freeipa 4.0.3, I was able to connect with ssh
>to FreeBSD 10 as freeipa_user and local_user.
>
>If I have time in next weeks I will try with clean FreeBSD 10 and will write
>some notes.
>
>LS
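
Added example, not part of the original thread: a small Python check for the two configuration points discussed above, a comment on the same line as an sssd.conf value and a pam_sss account line without the `ignore_unknown_user` and `ignore_authinfo_unavail` options. The function names and the sample inputs are constructed for illustration.

```python
import re

# Options the thread gives on the working pam_sss account line.
REQUIRED_OPTS = {"ignore_unknown_user", "ignore_authinfo_unavail"}

def lint_sssd_conf(text):
    """Return (line_no, key, problem) for option lines the thread objects to."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":      # blank, full-line comment, section
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if re.search(r"\s[#;]", value):
            findings.append((n, key, "comment on the same line as the value"))
        elif key == "enumerate" and value.lower() == "true":
            findings.append((n, key, "enumeration enabled"))
    return findings

def lint_pam_account(text):
    """Return (line_no, missing_options) for active pam_sss account lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # commented-out lines become empty
        if len(fields) < 3 or fields[0] != "account":
            continue
        if not fields[2].endswith("pam_sss.so"):
            continue
        missing = sorted(REQUIRED_OPTS - set(fields[3:]))
        if missing:
            findings.append((n, missing))
    return findings

# Constructed sample inputs (not the poster's actual files).
SSSD_SAMPLE = """[domain/example.test]
id_provider = ipa
enumerate = True #to enumerate users and groups
"""
PAM_SAMPLE = """#account  required  /usr/local/lib/pam_sss.so
account  required  /usr/local/lib/pam_sss.so
account  required  /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
"""

if __name__ == "__main__":
    print(lint_sssd_conf(SSSD_SAMPLE))
    print(lint_pam_account(PAM_SAMPLE))
```
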