[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Tue Oct 21 18:31:17 UTC 2014

On (20/10/14 15:06), Orkhan Gasimov wrote:
>OK, Lukas, I did as you say:
>1) reset my pam.d -> login to its defaul state
>2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
>ignore_unknown_user ignore_authinfo_unavail";
>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
>Now I cannot locally login as either root or IPA user. Seems like we built
>our SSSDs differently or from different ports.
>Would you be so kind to share info about your choices when building SSSD?
>
>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
>before, when configuring OpenLDAP on servers. That knowledge of pam let me
>solve the problem of local logins with sssd by adding the appropriate line in
>pam.d -> login instead of pam.d -> system. This setup works fine for me;
>another setup, which you and FreeBSD forums suppose, doesn't work. Did you
>check everything on a blank FreeBSD 10 setup?
>
Basically, you should do all (ipa-client-install) steps manually.
I would recommend you to look into log file from linux machine
/var/log/ipaclient-install.log. The main difference between linux and FreeBSD
will be location of configuration files(/etc vs /usr/local/etc)

>There are indeed nuances that the post at FreeBSD forums didn't address:
I would say that post was more focused on integration sssd with sudo
and expected more experienced user with better knowledge of FreeIPA.
It is the most difficult part.

>1) what choices should be made when building SSSD and other ports - VERY
>IMPORTANT, but missing information;
I am use to using install packages with utility pkg. Just some packages need
to be build from source. (they are listed in the begging of post)

>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
>work;
I don't have configured ldap.conf. On the other hand, it can be useful for
troubleshooting with utility ldapsearch.

>3) how krb5.conf should be configured on a FreeBSD client;
The same as on linux. (sssd is linked with MIT kerberos)

>4) how SSH files should be configured on a FreeBSD client for single sign-on
>to behave properly (GSS-API part);
Linux and FreeBSD use openssh. You can inspire in changes done by script
ipa-client-install

>5) how cron script file's executability, IPA user's shell and automatic
>creation of home directories should be considered - there are some caveats
why do you need cron?
User shell can be changed on FreeIPA server or you can change sssd
configuration man sssd.conf (see *shell*)

>for newbies;
Do you mean "admin newbies" or "FreeIPA newbies"?
admin should know how to configure automatic creation of directories.
(another pam module) ipa-client install just simplify it on linux.

>6) why a user can't initially SSH or locally login to a FreeBSD client even
>with correct configuration files (password change problem);
FreeBSD admins should already have experiences with ldap configuration on
FreeBSD (or at least read FreeBSD documentation). Official documentation is
very good (ldap client configuration with nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

>7) how to setup SSSD so that it doesn't cache information too long (this is
>not what we always want, right?).
>
sssd use cache by design. If you don't want to cache LDAP users, you can use
nss-pam-ldapd. BTW this point is not related to FreeBSD

Summary:
Fee free to write detailed howto for newbies. We will be very glad to help with
review and fixing problematic parts.

LS