On (16/10/14 13:04), Orkhan Gasimov wrote:
>OK, back to FreeIPA - FreeBSD setup.
>I changed my setup: instead of 2 VMs now I have 4 VMs:
>
>1: DNS server - set up as shown by Rajnesh Kumar Siwal in
>http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
>
>2 and 3: IPA server & IPA Linux client - set up as shown by Rajnesh Kumar
>Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
>
>4: IPA BSD client - set up as described in the post at FreeBSD forums.
>
>
>Results:
>
>1) my IPA Linux client interacts fine with the IPA server;
>
>2) my IPA BSD client also interacts with the IPA server: it sees IPA users
>when issuing "getent passwd" or "getent shadow". (Previously when I used just
>2 VMs and no DNS server, that didn't happen.)
>
>Problems after I start sssd on the FreeBSD client:
>
>1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
>user (root);
>
>2) if I restart my IPA BSD client, I also can't login to it locally as either
>"root" or "rsiwal". I get totally locked out of the machine.
>
>FreeBSD displays some errors on the screen when using:
>
>1) SSH:
>https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG
>
>2) local login:
>https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG
>
>FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
>account required /usr/local/lib/pam_sss.so ignore unknown user
                                            ^^^^^^^^^^^^^^^^^^^
It should be one word connected with underscores "_".

See details in: man pam_sss -> OPTIONS

It would be good to also use the argument ignore_authinfo_unavail in the PAM system config; otherwise you will not be able to connect as a local user if sssd is down.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
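As an added example (not part of this thread, and not code from sssd or FreeIPA), the following POSIX sh check inspects the pam_sss `account` line of a PAM service file before sssd is restarted or the host rebooted. It flags the split option name quoted above and the absence of `ignore_unknown_user` / `ignore_authinfo_unavail`, the two pam_sss options the reply points to; the sample files it creates are constructed for the demonstration and the function name `lint_pam_sss_account` is this example's own.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: lint the pam_sss "account"
# line of a PAM service file (e.g. /etc/pam.d/system on FreeBSD) so that a
# malformed or incomplete line is caught before it locks every user out.
# Assumption: standard /etc/pam.d syntax, one directive per line.

# lint_pam_sss_account FILE
# Prints one diagnostic per problem found; returns 0 only when an account line
# loads pam_sss.so with single-token option names and carries both
# ignore_unknown_user and ignore_authinfo_unavail.
lint_pam_sss_account() {
    file="$1"
    rc=0

    # Account lines that load pam_sss.so, with comment lines excluded.
    lines=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
            | grep -E '^[[:space:]]*account[[:space:]].*pam_sss\.so')

    if [ -z "$lines" ]; then
        echo "$file: no 'account ... pam_sss.so' line found"
        return 1
    fi

    # pam_sss option names are single tokens joined with underscores;
    # "ignore unknown user" is parsed as three unknown options.
    if printf '%s\n' "$lines" \
       | grep -Eq 'ignore[[:space:]]+(unknown[[:space:]]+user|authinfo[[:space:]]+unavail)'; then
        echo "$file: option written as separate words; use ignore_unknown_user / ignore_authinfo_unavail"
        rc=1
    fi

    # Without ignore_unknown_user, accounts sssd does not know (such as root)
    # are rejected by the account stack.
    if ! printf '%s\n' "$lines" | grep -q 'ignore_unknown_user'; then
        echo "$file: missing ignore_unknown_user (local users such as root will be rejected)"
        rc=1
    fi

    # Without ignore_authinfo_unavail, a stopped sssd blocks local logins too.
    if ! printf '%s\n' "$lines" | grep -q 'ignore_authinfo_unavail'; then
        echo "$file: missing ignore_authinfo_unavail (local login fails while sssd is down)"
        rc=1
    fi
    return $rc
}

# Constructed sample files for the demonstration (not real system files).
tmp=$(mktemp -d)
cat > "$tmp/broken" <<'EOF'
# line as quoted in the thread: option name split into three words
account required /usr/local/lib/pam_sss.so ignore unknown user
EOF
cat > "$tmp/fixed" <<'EOF'
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
EOF

lint_pam_sss_account "$tmp/broken" || echo "broken: exit status $?"  # three diagnostics, status 1
lint_pam_sss_account "$tmp/fixed" && echo "fixed: exit status 0"     # silent, status 0
rm -rf "$tmp"
```

Run it against a copy of the PAM file you are about to install, and only restart sssd or reboot once it exits 0; the check deliberately reports the missing options separately from the split name, since fixing the underscores alone still leaves local logins dependent on sssd being up.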