Please excuse me for that silly typo in the letter. The typo doesn't exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I typed "ignore_unknown_user".

I'll try "ignore_authinfo_unavail" to see if it prevents me from being locked out of the machine.

Here are the log files:

16-Oct-14 14:57, Lukas Slebodnik wrote:
On (16/10/14 13:04), Orkhan Gasimov wrote:
OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar
Siwal in

4: IPA BSD client - set up as described in the post at FreeBSD forums.


1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users
when issuing "getent passwd" or "getent shadow". (Previously when I used just
2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
user (root);

2) if I restart my IPA BSD client, I also can't log in to it locally as either
"root" or "rsiwal". I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH:

2) local login:

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/ ignore unknown user
                           it should be one word connected with underscores "_"

See details in:
     man pam_sss -> OPTIONS

It would be good to also use the argument ignore_authinfo_unavail
in the pam system config; otherwise you will not be able to connect as a local user
if sssd is down.
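
As an added example (not part of the original thread, and not code from the FreeIPA or SSSD projects): a small linter that catches both problems discussed above in a PAM file, a pam_sss option split into separate words and a `required` pam_sss line without ignore_authinfo_unavail. The option list is a subset taken from pam_sss(8), and the sample config is constructed, with the module path shortened to a bare `pam_sss.so`.

```python
import re

# Subset of options from pam_sss(8); extend it for your SSSD version.
FLAGS = {"quiet", "forward_pass", "use_first_pass", "use_authtok",
         "ignore_unknown_user", "ignore_authinfo_unavail"}
VALUED = {"retry", "domains"}  # these are written as name=value


def known(tok):
    """True if tok is a recognised flag or a name=value option."""
    return tok in FLAGS or ("=" in tok and tok.split("=", 1)[0] in VALUED)


def lint_pam(text):
    """Return (line_number, message) findings for pam_sss lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        # Fields: type, control (plain or [bracketed]), module, arguments
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or "pam_sss" not in m.group(3).rsplit("/", 1)[-1]:
            continue
        args = m.group(4).split()
        bad = [a for a in args if not known(a)]
        if bad:
            # Words that form a real option once joined with "_" are
            # almost certainly the typo described in the thread.
            joined = "_".join(bad)
            hint = f"; did you mean '{joined}'?" if joined in FLAGS else ""
            findings.append((n, f"unknown option(s) {bad}{hint}"))
        if m.group(2) == "required" and "ignore_authinfo_unavail" not in args:
            findings.append(
                (n, "no ignore_authinfo_unavail: logins fail if sssd is down"))
    return findings


# Constructed sample; the module path is shortened to a bare name.
SAMPLE = """\
# /etc/pam.d/system (constructed excerpt)
auth     sufficient  pam_sss.so use_first_pass
account  required    pam_sss.so ignore unknown user
account  required    pam_sss.so ignore_unknown_user ignore_authinfo_unavail
"""

if __name__ == "__main__":
    for lineno, msg in lint_pam(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Running it against a copy of the PAM files before restarting sssd or rebooting gives a chance to fix the line while a working session is still open.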

