1. Yes, being able to find simple typos is what distinguishes a good troubleshooter from a bad one. The problem really was between the chair and the keyboard. 2. Not only you were right in this aspect, but also regarding the idea that comments in sssd.conf file shouldn't be on the same line as directives. Putting a comment on a separate line allows sssd to start normally instead of giving error messages. 3. I already updated my post at FreeBSD forums and included your comments there. Thanks for taking time to find the cause of the problems. 4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs: a) a DNS server; b) the first IPA server; c) the second IPA server for multi-master replication; d) a Linux IPA client (for changing LDAP users' passwords in behalf of FreeBSD); b) a FreeBSD client - detailed steps, including many things that current post at FreeBSD forums misses. I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it to another two languages: Russian and Azeri.
Tue, 21 Oct 2014 20:31:17 +0200 от Lukas Slebodnik <lsleb...@redhat.com>: >On (20/10/14 15:06), Orkhan Gasimov wrote: >>OK, Lukas, I did as you say: >>1) reset my pam.d -> login to its defaul state >>2) added to my pam.d -> system: "account required /usr/local/lib/pam_sss.so >>ignore_unknown_user ignore_authinfo_unavail"; >>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf. >>Now I cannot locally login as either root or IPA user. Seems like we built >>our SSSDs differently or from different ports. >>Would you be so kind to share info about your choices when building SSSD? >> >>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack >>before, when configuring OpenLDAP on servers. That knowledge of pam let me >>solve the problem of local logins with sssd by adding the appropriate line in >>pam.d -> login instead of pam.d -> system. This setup works fine for me; >>another setup, which you and FreeBSD forums suppose, doesn't work. Did you >>check everything on a blank FreeBSD 10 setup? >> >Basically, you should do all (ipa-client-install) steps manually. >I would recommend you to look into log file from linux machine >/var/log/ipaclient-install.log. The main difference between linux and FreeBSD >will be location of configuration files(/etc vs /usr/local/etc) > >>There are indeed nuances that the post at FreeBSD forums didn't address: >I would say that post was more focused on integration sssd with sudo >and expected more experienced user with better knowledge of FreeIPA. >It is the most difficult part. > >>1) what choices should be made when building SSSD and other ports - VERY >>IMPORTANT, but missing information; >I am use to using install packages with utility pkg. Just some packages need >to be build from source. (they are listed in the begging of post) > >>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to >>work; >I don't have configured ldap.conf. On the other hand, it can be useful for >troubleshooting with utility ldapsearch. > >>3) how krb5.conf should be configured on a FreeBSD client; >The same as on linux. (sssd is linked with MIT kerberos) > >>4) how SSH files should be configured on a FreeBSD client for single sign-on >>to behave properly (GSS-API part); >Linux and FreeBSD use openssh. You can inspire in changes done by script >ipa-client-install > >>5) how cron script file's executability, IPA user's shell and automatic >>creation of home directories should be considered - there are some caveats >why do you need cron? >User shell can be changed on FreeIPA server or you can change sssd >configuration man sssd.conf (see *shell*) > >>for newbies; >Do you mean "admin newbies" or "FreeIPA newbies"? >admin should know how to configure automatic creation of directories. >(another pam module) ipa-client install just simplify it on linux. > >>6) why a user can't initially SSH or locally login to a FreeBSD client even >>with correct configuration files (password change problem); >FreeBSD admins should already have experiences with ldap configuration on >FreeBSD (or at least read FreeBSD documentation). Official documentation is >very good (ldap client configuration with nss-pam-ldapd) >https://www.freebsd.org/doc/en/articles/ldap-auth/client.html > >>7) how to setup SSSD so that it doesn't cache information too long (this is >>not what we always want, right?). >> >sssd use cache by design. If you don't want to cache LDAP users, you can use >nss-pam-ldapd. BTW this point is not related to FreeBSD > >Summary: >Fee free to write detailed howto for newbies. We will be very glad to help with >review and fixing problematic parts. > >LS
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project