OK, Lukas, I did as you said:
1) reset my pam.d -> login to its default state;
2) added to my pam.d -> system: "account required
/usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail";
3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
Now I cannot log in locally as either root or an IPA user. It seems we
built our SSSDs differently or from different ports.
Would you be so kind as to share the options you chose when building SSSD?
You're right, I'm a newbie at FreeIPA setups. But I've worked with the PAM
stack before, when configuring OpenLDAP on servers. That knowledge of
PAM let me solve the problem of local logins with sssd by adding the
appropriate line in pam.d -> login instead of pam.d -> system. This
setup works fine for me; the other setup, which you and the FreeBSD forums
suggest, doesn't work. Did you check everything on a blank FreeBSD 10 setup?
There are indeed nuances that the post at the FreeBSD forums didn't address:
1) what options should be chosen when building SSSD and other ports - VERY
IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch;
3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single
sign-on to behave properly (the GSS-API part);
5) how the cron script file's executability, the IPA user's shell and automatic
creation of home directories should be handled - there are some
caveats for newbies;
6) why a user initially can't SSH or log in locally to a FreeBSD client
even with correct configuration files (the password change problem);
7) how to set up SSSD so that it doesn't cache information too long (this
is not what we always want, right?).
In short: the person who posted the info on FreeBSD - FreeIPA integration
at the FreeBSD forums shared a lot of info, but at the same time he didn't
share other very important pieces of information, and this can cause
great frustration to people trying to follow his post. And although you
recommend that I not share my experience of setting up FreeBSD - FreeIPA
integration, I just want people to get a REALLY WORKING HowTo. I've
already tested HBAC, centralized sudo and other things in my setup, and
everything is working fine. So in the near future I plan to write a REAL,
DETAILED HowTo on this subject, and I think that at least some pieces of
information in it will help people avoid a great deal of frustration.
20-Oct-14 13:01, Lukas Slebodnik wrote:
> On (19/10/14 08:45), Orkhan Gasimov wrote:
>> 2. About my pam.d files - please read carefully my previous posts.
>> I commented out the line in pam.d -> system and added it explicitly to
> You didn't have "account required /usr/local/lib/pam_sss.so ignore_unknown_user"
> in pam.d/system. The line is commented out, but there *IS NOT* argument
> The Howto on the FreeBSD forum has the argument ignore_unknown_user on the lines
> starting with account in both pam configuration files (system, sshd).
>> pam.d -> login because otherwise I get locked out from the machine. I sent
> I didn't touch "pam.d/login". I put "account .. pam_sss.so ignore_unknown_user"
> into "pam.d/system" (the same as in ) and I can log in as an sssd user and a
> local user. I know that pam configuration isn't the easiest thing for newbies,
> but your post will be even more confusing for others. Please do not give
> advice if you do not understand where the problem is and why it works with
>> you the WORKING configuration and not the one which was recommended at
>> FreeBSD posts (and also by you). And yes, in pam.d -> system there's no
>> "ignore bla bla bla part" because in that file the line
>> "account required /usr/local/lib/pam_sss.so" just doesn't work, with or
>> without that part.
> I don't know what you did wrong, but it *works* with the argument
> How did you test?
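As an added, defender-side example that is not part of either poster's message: a small Python check that parses pam.d-style files and reports whether the pam_sss.so account rule discussed in this thread is active, commented out, or missing the ignore_unknown_user / ignore_authinfo_unavail arguments. The file bodies inside it are constructed, and the pam_login_access.so and pam_unix.so lines are assumed to mirror a default FreeBSD pam.d/system.

```python
# Added example for this thread (not code from either poster): a read-only check
# of pam.d(5)-style files for the "account ... pam_sss.so" rule the discussion
# turns on, reporting whether it is active, commented out, or missing arguments.
# The two file bodies below are constructed samples, not files from the thread.

PAM_TYPES = ("auth", "account", "session", "password")
# Both arguments appear in the thread; ignore_unknown_user is the one Lukas
# says the account rule in pam.d/system must carry to keep local logins working.
WANTED_ARGS = ("ignore_unknown_user", "ignore_authinfo_unavail")


def parse_pam(text):
    """Parse pam.d-format text into (active, type, control, module, args).
    Commented-out rules are kept with active=False so a caller can tell a
    disabled rule from a missing one. Bracketed [control] syntax and the
    single-file pam.conf layout (service as first column) are not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        parts = line.lstrip("#").split()
        if len(parts) < 3 or parts[0] not in PAM_TYPES:
            continue  # blank line or an ordinary comment
        rules.append((active, parts[0], parts[1], parts[2], parts[3:]))
    return rules


def check_pam_sss_account(text):
    """Describe the first account rule that loads pam_sss.so, if any."""
    for active, mtype, control, module, args in parse_pam(text):
        if mtype == "account" and module.endswith("pam_sss.so"):
            return {"found": True, "active": active, "control": control,
                    "missing": [a for a in WANTED_ARGS if a not in args]}
    return {"found": False, "active": False, "control": None,
            "missing": list(WANTED_ARGS)}


# Constructed pam.d/system bodies: the disabled state Lukas describes, and the
# rule exactly as Orkhan quotes it at the top of the thread.
SYSTEM_DISABLED = """\
account  required  pam_login_access.so
account  required  pam_unix.so
#account required /usr/local/lib/pam_sss.so
"""
SYSTEM_FIXED = """\
account  required  pam_login_access.so
account  required  pam_unix.so
account  required  /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
"""
```

Running `check_pam_sss_account` over the real `/usr/local/etc/pam.d/system` and `login` files shows at a glance which file carries the active rule, which is the difference the two posters were arguing about.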
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project