OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing "getent passwd" or "getent shadow". (Previously when I used just 2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local user (root);

2) if I restart my IPA BSD client, I also can't log in to it locally as either "root" or "rsiwal". I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH: https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG

2) local login: https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user

The file "pam_sss.so" exists on my FreeBSD machine in the specified location. Deleting "ignore unknown user" from that line doesn't help. Changing the position of that line so that it precedes
account  required  pam_unix.so
also gives no result.

Please help me to understand, what can I do in such a situation? Is it a bug in pam_sss.so?

15-Oct-14 06:14, Fraser Tweedale wrote:
On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
On (14/10/14 17:48), Fraser Tweedale wrote:
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
With help from Alexander Bokovoy I found correct log destinations:

sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have different
domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there are
no users or groups in the domain. But as I said, I can ssh to the IPA server
as an IPA user.

Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.

You needn't build sssd from ports. You can install sssd with pkg utility.
The only necessary step is to build openldap client with SASL support,
because default version of openldap client is built without SASL support.
sssd cannot initialize ipa_provider with openldap libraries without SASL
support. On the other hand, {ldap,krb5,ad} providers can be used without any

The steps, how to build openldap client with SASL support, are described
in freebsd forum.

It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)
I am not sure what you are trying to do. Everything is described on forum.
If there isn't something clear feel free to send rephrased (updated) version of
howto. I can contact an author of that post.

Since there are non-default options and make variables to be set, is
it not desirable that there be a pkg(8) repository people can use to
install the packages needed for ipa integration?

I think it is desirable.  It is easy to thanks to


