On 10/18/2014 11:45 PM, Orkhan Gasimov wrote:

1. About enumerate with comments on the same line - it doesn't cause any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my FreeBSD 10 32-bit - that could be because of a comment on the same line & I could check it, but if it's not recommended to have enumerate at all, then I'll leave it.

Just FYI, comments on the same line are treated as part of value i.e. not interpreted as comments.
I do not know how the value is treated by SSSD in the case of boolean.
It might try to parse it and come to conclusion that it is true or false but I do not know which conclusion it actually comes to. BTW for those who are familiar with the internals and some other threads - using ding-libs interpretation functions would have caught that. One more argument to switch to ding-libs checking (when it is ready).

As for enumeration - it is not needed in 90% of cases so we recommend not to configure it.

2. About my pam.d files - please read carefully my previous posts. I commented out the line in pam.d -> system and added it explicitly to pam.d -> login because otherwise I get locked out from the machine. I sent you the WORKING configuration and not the one which was recommended at FreeBSD posts (and also by you). And yes, in pam.d -> system there's no "ignore bla bla bla part" because in that file the line "account required /usr/local/lib/pam_sss.so <http://sss.so>" just doesn't work, with or without that part. That's what I was talking about in my reply to the post at FreeBSD forums and that's why I considered unimportant readding that "ignore ..." part in the commented "account ..." line when sending pam.d files to you.

3. I like your idea of checking everything on a blank FreeaBSD 10 setup - that way you will really determine whether the problem is between the chair and the keyboard or not.

Yeah we should develop tools in this area. +1.

?????????? ?? Blue Mail <http://r.bluemailapp.com>

?? 19.10.2014, ? 2:36, Lukas Slebodnik <lsleb...@redhat.com <mailto:lsleb...@redhat.com>> ???????:?

    On (17/10/14 16:46), Orkhan Gasimov wrote:

        1. I use FreeBSD 10.0 64-bit. (For some files bits are also
        important - for example, on a 32-bit machine the same
        configuration of /usr/local/etc/sssd/sssd.conf file introduces
        problems because of the line "enumerate = True" in the
[domain] section; only after that line is commented
    Firstly, We do not recommend to have enabled enumeration.
    Secondly, You did not have "enumerate = True" in your domain section.
    You have "enumerate = True #to enumerate users and groups"
    I wrote you in another email that comments should be on different line

        out, sssd starts.) 2. The files you requested are at
        https://cloud.mail.ru/public/afa7e1fad817/pam.d 17-Oct-14
        16:30, Lukas Slebodnik ?????:

            On (17/10/14 15:44), Orkhan Gasimov wrote:

                Unfortunately, putting that line in /etc/pam.d/system
prevents me from being
    I checked your apm configuration and you had wrong line in /etc/pam.d/system
    Currently, it is is commented out.
         "#acconut        required        /usr/local/lib/pam_sss.so  
    and the correct one is in /etc/pam.d/login
        "account         required        /usr/local/lib/pam_sss.so  <http://sss.so>  
ignore_unknown_user ignore_authinfo_unavail"

      u were
    wrong in 
    Plese move line from login -> system

                able to locally login to the BSD client. At the same
                time, the same line in /etc/pam.d/sshd or
                /etc/pam.d/login doesn't give unexpected behaviours.
Bug, bug, bug...
        no, no, no,
    The problem was between chair and keybord.
    Sorry, I could not resist :-)

            It works for me with FreeBSD 9.3. It is possible that your
            pam stack is misconfigured.

    After fixing problems with my freeipa 4.0.3, I was able to connect with ssh
    to FreeBSD 10 as freeipa_user and local_user.

    If I have time in next weeks I will try with clean FreeBSD 10 and will write
    some notes.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to