On (20/10/14 15:06), Orkhan Gasimov wrote:
>OK, Lukas, I did as you say:
>1) reset my pam.d -> login to its default state
>2) added to my pam.d -> system: "account required /usr/local/lib/pam_sss.so
>ignore_unknown_user ignore_authinfo_unavail";
>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
>Now I cannot locally login as either root or IPA user. Seems like we built
>our SSSDs differently or from different ports.
>Would you be so kind to share info about your choices when building SSSD?
>
>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
>before, when configuring OpenLDAP on servers. That knowledge of pam let me
>solve the problem of local logins with sssd by adding the appropriate line in
>pam.d -> login instead of pam.d -> system. This setup works fine for me;
>another setup, which you and FreeBSD forums suppose, doesn't work. Did you
>check everything on a blank FreeBSD 10 setup?
>
Basically, you should do all (ipa-client-install) steps manually.
I would recommend you look into the log file from a Linux machine,
/var/log/ipaclient-install.log. The main difference between Linux and
FreeBSD will be the location of configuration files (/etc vs /usr/local/etc).
>There are indeed nuances that the post at FreeBSD forums didn't address:
I would say that post was more focused on integrating sssd with sudo and
expected a more experienced user with better knowledge of FreeIPA. It is the
most difficult part.

>1) what choices should be made when building SSSD and other ports - VERY
>IMPORTANT, but missing information;
I am used to installing packages with the utility pkg. Just some packages need
to be built from source. (They are listed in the beginning of the post.)

>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
>work;
I don't have a configured ldap.conf. On the other hand, it can be useful for
troubleshooting with the utility ldapsearch.

>3) how krb5.conf should be configured on a FreeBSD client;
The same as on Linux. (sssd is linked with MIT Kerberos.)

>4) how SSH files should be configured on a FreeBSD client for single sign-on
>to behave properly (GSS-API part);
Linux and FreeBSD use OpenSSH. You can take inspiration from the changes done
by the script ipa-client-install.

>5) how cron script file's executability, IPA user's shell and automatic
>creation of home directories should be considered - there are some caveats
Why do you need cron? The user shell can be changed on the FreeIPA server, or
you can change the sssd configuration; see man sssd.conf (*shell*).

>for newbies;
Do you mean "admin newbies" or "FreeIPA newbies"? An admin should know how to
configure automatic creation of directories (another pam module).
ipa-client-install just simplifies it on Linux.

>6) why a user can't initially SSH or locally login to a FreeBSD client even
>with correct configuration files (password change problem);
FreeBSD admins should already have experience with ldap configuration on
FreeBSD (or at least have read the FreeBSD documentation).
The official documentation is very good (ldap client configuration with
nss-pam-ldapd):
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

>7) how to setup SSSD so that it doesn't cache information too long (this is
>not what we always want, right?).
>
sssd uses a cache by design. If you don't want to cache LDAP users, you can
use nss-pam-ldapd. BTW this point is not related to FreeBSD.

Summary:
Feel free to write a detailed howto for newbies. We will be very glad to help
with review and fixing problematic parts.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
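An added example, not from this thread nor from the SSSD or FreeIPA projects: a small Python checker that expands FreeBSD-style pam.d `include` lines (pam.d/login including pam.d/system) and reports whether the `account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail` line discussed above ends up in the effective account stack for a service. The pam.d contents below are constructed samples, not copied from a real host.

```python
"""Resolve a FreeBSD-style PAM stack and locate the pam_sss account line."""

# Constructed sample pam.d files mirroring the FreeBSD layout discussed in
# the thread: pam.d/login pulls each phase in from pam.d/system via "include".
SAMPLE_FILES = {
    "login": (
        "auth\t\tinclude\t\tsystem\n"
        "account\t\tinclude\t\tsystem\n"
        "session\t\tinclude\t\tsystem\n"
        "password\tinclude\t\tsystem\n"
    ),
    "system": (
        "# constructed sample; pam_sss placed in the account phase of 'system'\n"
        "auth\t\tsufficient\tpam_opie.so\t\tno_warn no_fake_prompts\n"
        "auth\t\trequired\tpam_unix.so\t\tno_warn try_first_pass\n"
        "account\t\trequired\tpam_login_access.so\n"
        "account\t\trequired\tpam_unix.so\n"
        "account\t\trequired\t/usr/local/lib/pam_sss.so\t"
        "ignore_unknown_user ignore_authinfo_unavail\n"
        "session\t\trequired\tpam_lastlog.so\t\tno_fail\n"
    ),
}


def parse(name, files, depth=0):
    """Return (phase, control, module, args) tuples with include/substack expanded.

    An "include" only splices in entries of the same phase from the named
    policy, which is how OpenPAM (FreeBSD) and Linux-PAM treat it.
    """
    if depth > 8:
        raise ValueError("include loop in PAM config")
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 3)              # phase control module [args]
        if len(parts) < 3:
            continue
        phase, control, module = parts[:3]
        args = parts[3] if len(parts) == 4 else ""
        if control in ("include", "substack"):
            entries += [e for e in parse(module, files, depth + 1) if e[0] == phase]
        else:
            entries.append((phase, control, module, args))
    return entries


def sss_account_status(service, files):
    """Report whether pam_sss sits in the effective 'account' stack of a service."""
    for phase, control, module, args in parse(service, files):
        if phase == "account" and module.endswith("pam_sss.so"):
            flags = set(args.split())
            return {"present": True, "control": control,
                    "ignore_unknown_user": "ignore_unknown_user" in flags,
                    "ignore_authinfo_unavail": "ignore_authinfo_unavail" in flags}
    return {"present": False}
```

Running `sss_account_status("login", SAMPLE_FILES)` shows the line added to pam.d/system is reached through pam.d/login's `account include system`; a missing `ignore_unknown_user` or `ignore_authinfo_unavail` flag is the first thing to look for when local root logins start failing after the change.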
