Hi, Now that I have my FreeIPA server working in my setup, I'd like to configure my Proxmox server as an IPA client; both for UNIX users and its web/API.
As you might be aware, ipa-client-install is only in sid, and it seems to be problematic. I'm posting everything I'm doing to keep this documented. $ apt install sudo $ apt install bind9utils certmonger curl krb5-user libcurl3 libnss3-tools libnss-sss libpam-sss libsasl2-modules-gssapi-mit libsss-sudo libxmlrpc-core-c3 oddjob-mkhomedir python-dnspython python-gssapi python-ldap sssd libbasicobjects0 libcollection4 libcurl3-nss libini-config5 libref-array1 gnupg2 python-cffi python-cryptography python-custodia python-dbus python-jwcrypto python-libipa-hbac python-lxml python-memcache python-netaddr python-netifaces python-nss python-pyasn1 python-qrcode python-setuptools python-usb python-yubico dnsutils keyutils python-requests $ wget http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-client_4.4.4-4_amd64.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-common_4.4.4-4_all.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipaclient_4.4.4-4_all.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.4.4-4_all.deb $ dpkg -i *.deb $ ipa-client-install -N --mkhomedir This all seems to work successfully, the server appears on the FreeIPA web console and even: $ sss_ssh_authorizedkeys $MY_IPA_USER works! But ssh, sudo don't work. However if I patch /etc/sssd/sssd.conf and add nss and pam to [sssd] services, ssh, console login and sudo work! Questions: 1) Is there anything problematic in my procedure? 2) Whom should I report a bug so /etc/sssd/sssd.conf is generated correctly? I'm guessing Debian... 3) Proxmox supposedly uses PAM for its web/API auth, but it ignores my user. It supports LDAP for authentication, though... Would you recommend using LDAP or trying to coerce PAM into working for IPA? Cheers, Álex -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org