[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Lukas Slebodnik lslebodn at redhat.com
Tue Oct 21 18:31:17 UTC 2014

On (20/10/14 15:06), Orkhan Gasimov wrote:
>OK, Lukas, I did as you say:
>1) reset my pam.d -> login to its default state
>2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
>ignore_unknown_user ignore_authinfo_unavail";
>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
>Now I cannot locally login as either root or IPA user. Seems like we built
>our SSSDs differently or from different ports.
>Would you be so kind to share info about your choices when building SSSD?
>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
>before, when configuring OpenLDAP on servers. That knowledge of pam let me
>solve the problem of local logins with sssd by adding the appropriate line in
>pam.d -> login instead of pam.d -> system. This setup works fine for me;
>another setup, which you and FreeBSD forums suppose, doesn't work. Did you
>check everything on a blank FreeBSD 10 setup?
Basically, you should do all (ipa-client-install) steps manually.
I would recommend you look into the log file from a Linux machine,
/var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
will be the location of configuration files (/etc vs /usr/local/etc).

>There are indeed nuances that the post at FreeBSD forums didn't address:
I would say that post was more focused on integrating sssd with sudo
and expected a more experienced user with better knowledge of FreeIPA.
It is the most difficult part.

>1) what choices should be made when building SSSD and other ports - VERY
>IMPORTANT, but missing information;
I am used to installing packages with the utility pkg. Just some packages need
to be built from source (they are listed in the beginning of the post).

>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
I don't have ldap.conf configured. On the other hand, it can be useful for
troubleshooting with the utility ldapsearch.

>3) how krb5.conf should be configured on a FreeBSD client;
The same as on Linux. (sssd is linked with MIT Kerberos)

>4) how SSH files should be configured on a FreeBSD client for single sign-on
>to behave properly (GSS-API part);
Linux and FreeBSD use OpenSSH. You can take inspiration from the changes done by the script.

>5) how cron script file's executability, IPA user's shell and automatic
>creation of home directories should be considered - there are some caveats
Why do you need cron?
The user shell can be changed on the FreeIPA server, or you can change the sssd
configuration; see man sssd.conf (search for *shell*).

>for newbies;
Do you mean "admin newbies" or "FreeIPA newbies"?
An admin should know how to configure automatic creation of directories
(another pam module); ipa-client-install just simplifies it on Linux.

>6) why a user can't initially SSH or locally login to a FreeBSD client even
>with correct configuration files (password change problem);
FreeBSD admins should already have experience with LDAP configuration on
FreeBSD (or at least have read the FreeBSD documentation). The official
documentation is very good (LDAP client configuration with nss-pam-ldapd).

>7) how to setup SSSD so that it doesn't cache information too long (this is
>not what we always want, right?).
sssd uses a cache by design. If you don't want to cache LDAP users, you can use
nss-pam-ldapd. BTW, this point is not related to FreeBSD.

Feel free to write a detailed howto for newbies. We will be very glad to help with
reviewing and fixing problematic parts.
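Added illustration, not part of the thread and not a file generated by ipa-client-install: an sssd.conf for a manually configured FreeBSD client that covers the points raised above (the FreeBSD config path, the sssd-side shell override from point 5, the cache lifetime from point 7, and leaving enumeration off). The realm, hostnames and the CA certificate path are placeholders or assumptions; the option names are the ones documented in man sssd.conf.

```ini
# /usr/local/etc/sssd/sssd.conf on FreeBSD (/etc/sssd/sssd.conf on Linux).
# sssd refuses to start unless this file is owned by root with mode 0600.
# example.test / ipa.example.test / client.example.test are placeholders.

[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[nss]
# Point 5: hand every IPA user a shell that exists on this host instead of
# the Linux-style shell stored in IPA (override_shell forces it for all users;
# default_shell and shell_fallback are the milder alternatives, see man sssd.conf).
override_shell = /bin/sh
# Home directory to report when IPA has none; pairs with a mkhomedir pam module.
fallback_homedir = /home/%u

[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test
ipa_hostname = client.example.test
# Assumption: the IPA CA certificate was copied to this path on the FreeBSD client.
ldap_tls_cacert = /usr/local/etc/ipa/ca.crt

# Point 7: sssd caches by design; this shortens how long cached entries are
# considered valid (seconds) so changes made on the server show up sooner.
entry_cache_timeout = 600
# Keep hashed credentials so logins still work while the IPA server is unreachable.
cache_credentials = True
# Enumeration stays off: it is expensive and the thread advises removing it.
# enumerate = True
```

After editing the file, restart sssd and confirm that `getent passwd <ipa-user>` returns the overridden shell; if it does not, the cache may still hold the old entry and `sss_cache -E` clears it.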
