Re: [Freeipa-users] Woes adding a samba server to the ipa domain
On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> On 10/20/2014 09:15 AM, Loris Santamaria wrote:
> [...]
>> Trying to join the server to the domain (net rpc join -U domainadmin -S ipaserver) fails, and it causes a samba crash on the ipa server. Investigating the cause of the crash I found that pdbedit crashes as well (backtrace attached). I couldn't get a meaningful backtrace from the samba crash; however, I attached it as well.
>> Seems to me that the samba ipasam backend on ipa doesn't like something in the host or the domain computers group object in ldap, but I cannot see what could be the problem. Perhaps someone more familiar with the ipasam code can spot it quickly.
>
> Do I get it right that you are really looking for https://fedorahosted.org/sssd/ticket/1588 that was just released upstream? It would be cool if you can try using SSSD 1.12.1 under Samba FS in the use case you have and provide feedback on how it works for you. AFAIU you install Samba FS and then use ipa-client to configure SSSD under it and it should work. If not we probably should document it (but I do not see any special design page, which leads me to the above expectation).

Ok, I'll happily try sssd 1.12.1. Just a question: in smb.conf should one use security = domain or security = ads?

Best regards
-- 
Loris Santamaria, linux user #70506, xmpp:lo...@lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:1...@lgs.com.ve
If I'd asked my customers what they wanted, they'd have said a faster horse - Henry Ford

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (17/10/14 16:46), Orkhan Gasimov wrote:
> 1. I use FreeBSD 10.0 64-bit. (For some files bits are also important - for example, on a 32-bit machine the same configuration of the /usr/local/etc/sssd/sssd.conf file introduces problems because of the line enumerate = True in the [domain] section; only after that line is commented out does sssd start.)
> 2. The files you requested are at https://cloud.mail.ru/public/afa7e1fad817/pam.d

Previously, I was editing my pam stack. I had to overwrite my files with yours to reproduce the problem. As I thought, it was your misconfiguration. You have a typo in pam.d/system. Here is a word-diff:

[-account-]{+acconut+} required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail

There is also a syslog message (/var/log/messages):

login: in openpam_parse_chain(): /etc/pam.d/system(19): missing or invalid facility
login: pam_start(): system error

Please update (remove) your post on the FreeBSD forum.

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (20/10/14 15:06), Orkhan Gasimov wrote:
> OK, Lukas, I did as you say:
> 1) reset my pam.d - login to its default state
> 2) added to my pam.d - system: account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail;
> 3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
> Now I cannot locally login as either root or IPA user. Seems like we built our SSSDs differently or from different ports. Would you be so kind to share info about your choices when building SSSD?
> You're right, I'm a newbie in FreeIPA setups. But I've worked with the pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d - login instead of pam.d - system. This setup works fine for me; the other setup, which you and the FreeBSD forums suppose, doesn't work.

Did you check everything on a blank FreeBSD 10 setup? Basically, you should do all (ipa-client-install) steps manually. I would recommend you to look into the log file from a linux machine, /var/log/ipaclient-install.log. The main difference between linux and FreeBSD will be the location of configuration files (/etc vs /usr/local/etc).

> There are indeed nuances that the post at FreeBSD forums didn't address:

I would say that post was more focused on integrating sssd with sudo and expected a more experienced user with better knowledge of FreeIPA. It is the most difficult part.

> 1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;

I am used to installing packages with the utility pkg. Just some packages need to be built from source. (they are listed in the beginning of the post)

> 2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;

I don't have a configured ldap.conf. On the other hand, it can be useful for troubleshooting with the utility ldapsearch.

> 3) how krb5.conf should be configured on a FreeBSD client;

The same as on linux. (sssd is linked with MIT kerberos)

> 4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);

Linux and FreeBSD use openssh. You can take inspiration from the changes done by the script ipa-client-install.

> 5) how cron script file's executability, IPA user's shell and automatic creation of home directories should be considered - there are some caveats for newbies;

Why do you need cron? User shell can be changed on the FreeIPA server, or you can change the sssd configuration: man sssd.conf (see *shell*). Do you mean admin newbies or FreeIPA newbies? An admin should know how to configure automatic creation of directories. (another pam module) ipa-client-install just simplifies it on linux.

> 6) why a user can't initially SSH or locally login to a FreeBSD client even with correct configuration files (password change problem);

FreeBSD admins should already have experience with ldap configuration on FreeBSD (or at least have read the FreeBSD documentation). The official documentation is very good (ldap client configuration with nss-pam-ldapd): https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

> 7) how to setup SSSD so that it doesn't cache information too long (this is not what we always want, right?).

sssd uses a cache by design. If you don't want to cache LDAP users, you can use nss-pam-ldapd. BTW this point is not related to FreeBSD.

Summary: Feel free to write a detailed howto for newbies. We will be very glad to help with reviewing and fixing problematic parts.

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
1. Yes, being able to find simple typos is what distinguishes a good troubleshooter from a bad one. The problem really was between the chair and the keyboard.
2. Not only were you right in this aspect, but also regarding the idea that comments in the sssd.conf file shouldn't be on the same line as directives. Putting a comment on a separate line allows sssd to start normally instead of giving error messages.
3. I already updated my post at FreeBSD forums and included your comments there. Thanks for taking the time to find the cause of the problems.
4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about the full setup of 5 VMs:
a) a DNS server;
b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);
e) a FreeBSD client
- detailed steps, including many things that the current post at FreeBSD forums misses. I will then send my HowTo to both FreeBSD forums and the FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it to another two languages: Russian and Azeri.

Tue, 21 Oct 2014 20:31:17 +0200 from Lukas Slebodnik lsleb...@redhat.com:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
> [...]
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (21/10/14 23:20), Орхан Касумов wrote:
> [...]
> 4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about the full setup of 5 VMs:
> a) a DNS server;

You do not need an extra server for dns. FreeIPA is an integrated solution and the DNS server can be installed as part of FreeIPA: ipa-server-install --setup-dns

> b) the first IPA server;
> c) the second IPA server for multi-master replication;
> d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);

A user can change their password in the ipa web UI (tested with FreeIPA 4), but it is a good idea to have a linux client for testing purposes.

> e) a FreeBSD client
> - detailed steps, including many things that the current post at FreeBSD forums misses. I will then send my HowTo to both FreeBSD forums and the FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it to another two languages: Russian and Azeri.

Awesome.

LS
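Both client-side mistakes diagnosed in this thread (the misspelled facility in pam.d/system that makes OpenPAM log "missing or invalid facility", and a comment placed on the same line as an sssd.conf directive) can be caught with a small lint pass before anything is restarted. This is an added example, not code from the thread or from the SSSD or FreeBSD projects; the pam.d and sssd.conf fragments are constructed, and the PAM check is assumed to cover only the plain OpenPAM control keywords.

```python
"""Lint a FreeBSD pam.d policy and an sssd.conf for two mistakes from the thread:
a misspelled PAM facility (OpenPAM: "missing or invalid facility") and a
comment placed on the same line as an sssd.conf directive."""
import re

# Facility names OpenPAM accepts in a policy file (pam.conf(5)).
PAM_FACILITIES = {"auth", "account", "session", "password"}
# Plain control keywords only; bracketed forms are deliberately not handled (assumption).
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "binding"}

# Constructed pam.d/system fragment carrying the thread's typo on line 4.
SAMPLE_PAM = """\
# account
auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
auth        required    /usr/local/lib/pam_sss.so   use_first_pass
acconut     required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so
"""

# Constructed sssd.conf fragment with an inline comment on line 6.
SAMPLE_SSSD = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
enumerate = True  # enable only while debugging
id_provider = ipa
"""


def lint_pam_policy(text):
    """Return (lineno, message) for every malformed line of a pam.d policy."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] not in PAM_FACILITIES:
            problems.append((lineno, f"missing or invalid facility {fields[0]!r}"))
        elif len(fields) < 3:
            problems.append((lineno, "expected: facility control module [args]"))
        elif fields[1] not in PAM_CONTROLS:
            problems.append((lineno, f"invalid control flag {fields[1]!r}"))
    return problems


def lint_sssd_conf(text):
    """Return (lineno, message) for directives that carry a trailing comment."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":      # comments, blanks, section headers
            continue
        if "=" in line and re.search(r"\s[#;]", line):
            problems.append((lineno, "comment on the same line as a directive"))
    return problems


if __name__ == "__main__":
    for name, found in (("pam.d/system", lint_pam_policy(SAMPLE_PAM)),
                        ("sssd.conf", lint_sssd_conf(SAMPLE_SSSD))):
        for lineno, msg in found:
            print(f"{name}({lineno}): {msg}")
```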
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
> [...]
>> 1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
>
> I am used to installing packages with the utility pkg. Just some packages need to be built from source. (they are listed in the beginning of the post)

I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.

> [...]
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Great news! If I understand correctly, a package can be equivalent to several ports? If this is correct, then could a composite package be built to include all necessary ports?

* security/sssd http://www.freshports.org/security/sssd
* security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
* net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
* security/cyrus-sasl2
* security/cyrus-sasl2-gssapi

That package could be called something like ipa-client, and make FreeBSD - FreeIPA integration one step closer. If not possible, even a pkg equivalent to /security/sssd would eliminate existing possibilities for misconfiguration.

22-Oct-14 07:06, Fraser Tweedale wrote:
> I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
> Great news! If I understand correctly, a package can be equivalent to several ports? If this is correct, then could a composite package be built to include all necessary ports?

This is not correct. One package corresponds to one port, but like most package managers, any missing dependencies will be brought in when installing a package. There are some meta-ports (and corresponding packages), however, that don't contain anything themselves but exist just to bring in a bunch of related software. Meta-ports also have limited control over the options with which dependencies are built.

> * security/sssd http://www.freshports.org/security/sssd
> * security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
> * net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
> * security/cyrus-sasl2
> * security/cyrus-sasl2-gssapi

Of these five packages, assuming correct options and make.conf settings, there are only two leaf packages: sudo and cyrus-sasl-gssapi. So even without a meta-port, it is not burdensome to install the required software from the custom repo.

> That package could be called something like ipa-client, and make FreeBSD - FreeIPA integration one step closer. If not possible, even a pkg equivalent to /security/sssd would eliminate existing possibilities for misconfiguration.

I don't think it is possible to do it at the moment, in a way that is useful to FreeBSD users at large, without using a custom pkg(8) repo. This is because there is no way to build packages with different flavours and have them coexist in the same repo. Support for flavours is a high priority, though; it is actively being worked on. Until that feature arrives, a custom pkg repo is the best alternative to setting options/variables and building ports oneself.

> 22-Oct-14 07:06, Fraser Tweedale wrote:
>> I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.