Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Fraser Tweedale
On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
> Great news!  If I understand correctly, a package can be
> equivalent to several ports?  If this is correct, then could a
> "composite" package be built to include all necessary ports?
> 
This is not correct.  One package corresponds to one port, but like
most package managers, any missing dependencies will be brought in
when installing a package.  There are some "meta-ports" (and
corresponding packages) however, that don't contain anything
themselves but exist just to bring in a bunch of related software.
Meta-ports also have limited control over the options with which
dependencies are built.

>  * _security/sssd_ 
>  * _security/sudo_ (with SSSD
>backend)
>  * _net/openldap24-client-sasl_
>
>  * security/cyrus-sasl2
>  * security/cyrus-sasl2-gssapi
> 
Of these five packages, assuming correct options and make.conf
settings, there are only two "leaf" packages: sudo and
cyrus-sasl-gssapi.  So even without a meta-port, it is not
burdensome to install the required software from the custom repo.

> That package could be called something like "ipa-client", and make FreeBSD -
> FreeIPA integration one step closer.
> If not possible, even a pkg equivalent to "/security/sssd" would eliminate
> existing possibilities for misconfiguration.
> 
I don't think it is possible to do it at the moment, in a way that
is useful to FreeBSD users at large, without using a custom pkg(8)
repo.  This is because there is no way to build packages with
different "flavours" and have them coexist in the same repo.
Support for "flavours" is a high priority, though; it is actively
being worked on.

Until that feature arrives, a custom pkg repo is the best alternative
to setting options/variables and building ports oneself.

> 22-Oct-14 07:06, Fraser Tweedale wrote:
> >I have prepared a custom pkg(8) repo with the packages built with
> >the required options/make.conf variables.  Hang tight, I'll send all
> >the info soon.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Orkhan Gasimov

Great news!
If I understand correctly, a package can be equivalent to several ports?
If this is correct, then could a "composite" package be built to include 
all necessary ports?


 * _security/sssd_ 
 * _security/sudo_ (with SSSD
   backend)
 * _net/openldap24-client-sasl_
   
 * security/cyrus-sasl2
 * security/cyrus-sasl2-gssapi

That package could be called something like "ipa-client", and make 
FreeBSD - FreeIPA integration one step closer.
If not possible, even a pkg equivalent to "/security/sssd" would 
eliminate existing possibilities for misconfiguration.


22-Oct-14 07:06, Fraser Tweedale wrote:

I have prepared a custom pkg(8) repo with the packages built with
the required options/make.conf variables.  Hang tight, I'll send all
the info soon.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Fraser Tweedale
On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
> >OK, Lukas, I did as you say:
> >1) reset my pam.d -> login to its default state
> >2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
> >ignore_unknown_user ignore_authinfo_unavail";
> >3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
> >Now I cannot locally login as either root or IPA user. Seems like we built
> >our SSSDs differently or from different ports.
> >Would you be so kind to share info about your choices when building SSSD?
> >
> >You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
> >before, when configuring OpenLDAP on servers. That knowledge of pam let me
> >solve the problem of local logins with sssd by adding the appropriate line in
> >pam.d -> login instead of pam.d -> system. This setup works fine for me;
> >another setup, which you and FreeBSD forums suppose, doesn't work. Did you
> >check everything on a blank FreeBSD 10 setup?
> >
> Basically, you should do all (ipa-client-install) steps manually.
> I would recommend you to look into the log file from a Linux machine,
> /var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
> will be the location of configuration files (/etc vs /usr/local/etc).
> 
> >There are indeed nuances that the post at FreeBSD forums didn't address:
> I would say that post was more focused on integrating sssd with sudo
> and expected a more experienced user with better knowledge of FreeIPA.
> It is the most difficult part.
> 
> >1) what choices should be made when building SSSD and other ports - VERY
> >IMPORTANT, but missing information;
> I am used to installing packages with the pkg utility. Just some packages need
> to be built from source (they are listed at the beginning of the post).
> 
I have prepared a custom pkg(8) repo with the packages built with
the required options/make.conf variables.  Hang tight, I'll send all
the info soon.

> >2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
> >work;
> I don't have ldap.conf configured. On the other hand, it can be useful for
> troubleshooting with the ldapsearch utility.
> 
> >3) how krb5.conf should be configured on a FreeBSD client;
> The same as on Linux. (sssd is linked with MIT Kerberos)
> 
> >4) how SSH files should be configured on a FreeBSD client for single sign-on
> >to behave properly (GSS-API part);
> Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made by the
> ipa-client-install script.
> 
> >5) how cron script file's executability, IPA user's shell and automatic
> >creation of home directories should be considered - there are some caveats
> Why do you need cron?
> The user shell can be changed on the FreeIPA server, or you can change the sssd
> configuration; see man sssd.conf (see *shell*).
> 
> >for newbies;
> Do you mean "admin newbies" or "FreeIPA newbies"?
> An admin should know how to configure automatic creation of directories
> (another pam module); ipa-client-install just simplifies it on Linux.
> 
> >6) why a user can't initially SSH or locally login to a FreeBSD client even
> >with correct configuration files (password change problem);
> FreeBSD admins should already have experience with LDAP configuration on
> FreeBSD (or at least read FreeBSD documentation). Official documentation is
> very good (ldap client configuration with nss-pam-ldapd)
> https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
> 
> >7) how to setup SSSD so that it doesn't cache information too long (this is
> >not what we always want, right?).
> >
> sssd uses a cache by design. If you don't want to cache LDAP users, you can use
> nss-pam-ldapd. BTW this point is not related to FreeBSD
> 
> Summary:
> Feel free to write a detailed howto for newbies. We will be very glad to help with
> review and fixing problematic parts.
> 
> LS
> 



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (21/10/14 23:20), Орхан Касумов wrote:
>
>1. Yes, being able to find simple typos is what distinguishes a good 
>troubleshooter from a bad one. The problem really was between the chair and 
>the keyboard.
>2. Not only you were right in this aspect, but also regarding the idea that 
>comments in sssd.conf file shouldn't be on the same line as directives. 
>Putting a comment on a separate line allows sssd to start normally instead of 
>giving error messages.
>3. I already updated my post at FreeBSD forums and included your comments 
>there. Thanks for taking time to find the cause of the problems.
>4. I consider this thread closed, but still plan to write a detailed HowTo 
>about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
>a) a DNS server;
You do not need an extra server for DNS. FreeIPA is an integrated solution and
the DNS server can be installed as part of FreeIPA:
ipa-server-install --setup-dns

>b) the first IPA server;
>c) the second IPA server for multi-master replication;
>d) a Linux IPA client (for changing LDAP users' passwords on behalf of 
>FreeBSD);
A user can change their password in the IPA web UI (tested with FreeIPA 4),
but it is a good idea to have a Linux client for testing purposes.

>e) a FreeBSD client - detailed steps, including many things that the current post 
>at FreeBSD forums misses.
>I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up 
>to them to decide if the HowTo is worth publishing or not.
>If the HowTo is OK, I'll translate it to another two languages: Russian and 
>Azeri.
Awesome.

LS


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Орхан Касумов

1. Yes, being able to find simple typos is what distinguishes a good 
troubleshooter from a bad one. The problem really was between the chair and the 
keyboard.
2. Not only you were right in this aspect, but also regarding the idea that 
comments in sssd.conf file shouldn't be on the same line as directives. Putting 
a comment on a separate line allows sssd to start normally instead of giving 
error messages.
3. I already updated my post at FreeBSD forums and included your comments 
there. Thanks for taking time to find the cause of the problems.
4. I consider this thread closed, but still plan to write a detailed HowTo 
about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
a) a DNS server;
b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);
e) a FreeBSD client - detailed steps, including many things that the current post 
at FreeBSD forums misses.
I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up 
to them to decide if the HowTo is worth publishing or not.
If the HowTo is OK, I'll translate it to another two languages: Russian and 
Azeri.


Tue, 21 Oct 2014 20:31:17 +0200 from Lukas Slebodnik:
>On (20/10/14 15:06), Orkhan Gasimov wrote:
>>OK, Lukas, I did as you say:
>>1) reset my pam.d -> login to its default state
>>2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
>>ignore_unknown_user ignore_authinfo_unavail";
>>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
>>Now I cannot locally login as either root or IPA user. Seems like we built
>>our SSSDs differently or from different ports.
>>Would you be so kind to share info about your choices when building SSSD?
>>
>>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
>>before, when configuring OpenLDAP on servers. That knowledge of pam let me
>>solve the problem of local logins with sssd by adding the appropriate line in
>>pam.d -> login instead of pam.d -> system. This setup works fine for me;
>>another setup, which you and FreeBSD forums suppose, doesn't work. Did you
>>check everything on a blank FreeBSD 10 setup?
>>
>Basically, you should do all (ipa-client-install) steps manually.
>I would recommend you to look into the log file from a Linux machine,
>/var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
>will be the location of configuration files (/etc vs /usr/local/etc).
>
>>There are indeed nuances that the post at FreeBSD forums didn't address:
>I would say that post was more focused on integrating sssd with sudo
>and expected a more experienced user with better knowledge of FreeIPA.
>It is the most difficult part.
>
>>1) what choices should be made when building SSSD and other ports - VERY
>>IMPORTANT, but missing information;
>I am used to installing packages with the pkg utility. Just some packages need
>to be built from source (they are listed at the beginning of the post).
>
>>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
>>work;
>I don't have ldap.conf configured. On the other hand, it can be useful for
>troubleshooting with the ldapsearch utility.
>
>>3) how krb5.conf should be configured on a FreeBSD client;
>The same as on Linux. (sssd is linked with MIT Kerberos)
>
>>4) how SSH files should be configured on a FreeBSD client for single sign-on
>>to behave properly (GSS-API part);
>Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made by the
>ipa-client-install script.
>
>>5) how cron script file's executability, IPA user's shell and automatic
>>creation of home directories should be considered - there are some caveats
>Why do you need cron?
>The user shell can be changed on the FreeIPA server, or you can change the sssd
>configuration; see man sssd.conf (see *shell*).
>
>>for newbies;
>Do you mean "admin newbies" or "FreeIPA newbies"?
>An admin should know how to configure automatic creation of directories
>(another pam module); ipa-client-install just simplifies it on Linux.
>
>>6) why a user can't initially SSH or locally login to a FreeBSD client even
>>with correct configuration files (password change problem);
>FreeBSD admins should already have experience with LDAP configuration on
>FreeBSD (or at least read FreeBSD documentation). Official documentation is
>very good (ldap client configuration with nss-pam-ldapd)
>https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>
>>7) how to setup SSSD so that it doesn't cache information too long (this is
>>not what we always want, right?).
>>
>sssd uses a cache by design. If you don't want to cache LDAP users, you can use
>nss-pam-ldapd. BTW this point is not related to FreeBSD
>
>Summary:
>Feel free to write a detailed howto for newbies. We will be very glad to help with
>review and fixing problematic parts.
>
>LS


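As an added example (not code from this thread, nor from the SSSD or FreeIPA projects), the following POSIX sh function wraps an awk check for the configuration mistake described in point 2 of the message above: a comment placed on the same line as a directive in sssd.conf, which stops sssd from starting. The function name, the sample configuration and its domain name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: report lines in an sssd.conf
# where a comment shares a line with a directive. As the message above
# reports, sssd does not treat a trailing "#" or ";" as a comment, so
# "key = value # note" is parsed as a bad value and sssd fails to start.

# check_sssd_conf FILE
# Prints each offending line; returns 1 if any were found, else 0.
check_sssd_conf() {
    awk -v file="$1" '
        BEGIN { bad = 0 }
        /^[[:space:]]*[#;]/ { next }   # whole-line comment: fine
        /^[[:space:]]*$/    { next }   # blank line
        /^[[:space:]]*\[/   { next }   # [section] header
        # A directive followed by whitespace and "#" or ";" is suspect.
        /=.*[[:space:]][#;]/ {
            printf "%s:%d: comment on the same line as a directive: %s\n", file, NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample sssd.conf (not a real host file): the last line
# carries the kind of inline comment that keeps sssd from starting, while
# the commented-out enumerate line on its own line is fine.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
# enumerate = True
cache_credentials = True ; keep offline logins working
EOF
if check_sssd_conf "$sample"; then
    echo "$sample: no inline comments"
else
    echo "$sample: move the comments above onto their own lines"
fi
rm -f "$sample"
```

The pattern requires whitespace before the `#` or `;` so that values which legitimately contain those characters (a bind password in `ldap_default_authtok`, for instance) are not flagged; a comment glued directly to a value without a space would slip past it, so review by eye any file the check passes but sssd still rejects.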
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (20/10/14 15:06), Orkhan Gasimov wrote:
>OK, Lukas, I did as you say:
>1) reset my pam.d -> login to its default state
>2) added to my pam.d -> system: "account  required /usr/local/lib/pam_sss.so
>ignore_unknown_user ignore_authinfo_unavail";
>3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
>Now I cannot locally login as either root or IPA user. Seems like we built
>our SSSDs differently or from different ports.
>Would you be so kind to share info about your choices when building SSSD?
>
>You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
>before, when configuring OpenLDAP on servers. That knowledge of pam let me
>solve the problem of local logins with sssd by adding the appropriate line in
>pam.d -> login instead of pam.d -> system. This setup works fine for me;
>another setup, which you and FreeBSD forums suppose, doesn't work. Did you
>check everything on a blank FreeBSD 10 setup?
>
Basically, you should do all (ipa-client-install) steps manually.
I would recommend you to look into the log file from a Linux machine,
/var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
will be the location of configuration files (/etc vs /usr/local/etc).

>There are indeed nuances that the post at FreeBSD forums didn't address:
I would say that post was more focused on integrating sssd with sudo
and expected a more experienced user with better knowledge of FreeIPA.
It is the most difficult part.

>1) what choices should be made when building SSSD and other ports - VERY
>IMPORTANT, but missing information;
I am used to installing packages with the pkg utility. Just some packages need
to be built from source (they are listed at the beginning of the post).

>2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
>work;
I don't have ldap.conf configured. On the other hand, it can be useful for
troubleshooting with the ldapsearch utility.

>3) how krb5.conf should be configured on a FreeBSD client;
The same as on Linux. (sssd is linked with MIT Kerberos)

>4) how SSH files should be configured on a FreeBSD client for single sign-on
>to behave properly (GSS-API part);
Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made by the
ipa-client-install script.

>5) how cron script file's executability, IPA user's shell and automatic
>creation of home directories should be considered - there are some caveats
Why do you need cron?
The user shell can be changed on the FreeIPA server, or you can change the sssd
configuration; see man sssd.conf (see *shell*).

>for newbies;
Do you mean "admin newbies" or "FreeIPA newbies"?
An admin should know how to configure automatic creation of directories
(another pam module); ipa-client-install just simplifies it on Linux.

>6) why a user can't initially SSH or locally login to a FreeBSD client even
>with correct configuration files (password change problem);
FreeBSD admins should already have experience with LDAP configuration on
FreeBSD (or at least read FreeBSD documentation). Official documentation is
very good (ldap client configuration with nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

>7) how to setup SSSD so that it doesn't cache information too long (this is
>not what we always want, right?).
>
sssd uses a cache by design. If you don't want to cache LDAP users, you can use
nss-pam-ldapd. BTW this point is not related to FreeBSD

Summary:
Feel free to write a detailed howto for newbies. We will be very glad to help with
review and fixing problematic parts.

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (17/10/14 16:46), Orkhan Gasimov wrote:
>1. I use FreeBSD 10.0 64-bit.
>(For some files bits are also important - for example, on a 32-bit machine
>the same configuration of
>/usr/local/etc/sssd/sssd.conf file introduces problems because of the line
>"enumerate = True" in the [domain] section; only after that line is commented
>out, sssd starts.)
>
>2. The files you requested are at
>https://cloud.mail.ru/public/afa7e1fad817/pam.d
>
Previously I was editing my pam stack; I had to overwrite my files with yours
to reproduce the problem. As I thought, it was your misconfiguration.

You have a typo in pam.d/system
Here is a word-diff:
[-account-]{+acconut+}  required/usr/local/lib/pam_sss.so   
ignore_unknown_user ignore_authinfo_unavail

There is also syslog message (/var/log/messages):
login: in openpam_parse_chain(): /etc/pam.d/system(19): missing or invalid 
facility
login: pam_start(): system error

Please update (remove) your post on the FreeBSD forum.

LS


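As an added example (not code from this thread, nor from the FreeBSD or FreeIPA projects), the following POSIX sh lint catches the class of typo found in the message above before it locks anyone out: it checks every policy line of a pam.d file for a facility and control flag that openpam recognises, instead of discovering the "missing or invalid facility" error at login time. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a FreeBSD pam.d policy
# file for the mistake discussed above (a misspelled facility such as
# "acconut"), which openpam otherwise reports only at login time as
# "missing or invalid facility", leaving the host without local logins.

# lint_pam_file FILE
# Prints every offending line and returns 1 if any line has an unknown
# facility or control flag; returns 0 when the file is clean.
lint_pam_file() {
    file="$1"
    bad=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Split the line into fields: facility control module [args...].
        # Globbing is disabled so a stray "*" in an argument is not expanded.
        set -f
        set -- $line
        set +f
        # Skip blank lines and whole-line comments.
        [ $# -eq 0 ] && continue
        case "$1" in \#*) continue ;; esac
        facility="$1"
        control="$2"
        # Facilities accepted by openpam(3): auth, account, session, password.
        case "$facility" in
            auth|account|session|password) ;;
            *)
                printf '%s:%d: unknown facility "%s"\n' "$file" "$lineno" "$facility"
                bad=1
                continue
                ;;
        esac
        # Control flags accepted by openpam(3); see pam.conf(5) on FreeBSD.
        case "$control" in
            required|requisite|sufficient|optional|binding|include) ;;
            *)
                printf '%s:%d: unknown control flag "%s"\n' "$file" "$lineno" "$control"
                bad=1
                ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample standing in for /etc/pam.d/system (not a real host
# file); the second policy line reproduces the typo from the thread.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample pam.d/system' \
    'auth     required   pam_unix.so   no_warn try_first_pass' \
    'acconut  required   /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail' \
    > "$sample"
if lint_pam_file "$sample"; then
    echo "$sample: clean"
else
    echo "$sample: fix the lines above before logging out"
fi
rm -f "$sample"
```

Run it against /etc/pam.d/system and /etc/pam.d/login (or any file you are about to install there) from a session you keep open, since a bad line in those files is exactly what prevents opening a new one; the check only validates the two leading tokens and says nothing about whether the module path exists or its arguments are sensible.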

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-21 Thread Loris Santamaria
On Mon, 20-10-2014 at 21:19 -0400, Dmitri Pal wrote:
> On 10/20/2014 09:15 AM, Loris Santamaria wrote:

[...]

> > 
> > Trying to join the server to the domain (net rpc join -U domainadmin -S
> > ipaserver) fails, and it causes a samba crash on the ipa server.
> > Investigating the cause of the crash I found that pdbedit crashes as
> > well (backtrace attached). I couldn't get a meaningful backtrace from
> > the samba crash however I attached it as well.
> > 
> > Seems to me that the samba ipasam backend on ipa doesn't like something
> > in the host or the "domain computers" group object in ldap, but I cannot
> > see what could be the problem. Perhaps someone more familiar with the
> > ipasam code can spot it quickly.

> Do I get it right that you are really looking for
> https://fedorahosted.org/sssd/ticket/1588 that was just released
> upstream?
> It would be cool if you can try using SSSD 1.12.1 under Samba FS in
> the use case you have and provide feedback on how it works for you.
> 
> AFAIU you install Samba FS and then use ipa-client to configure SSSD
> under it and it should work.
> If not we probably should document it (but I do not see any special
> design page which leads me to the above expectation).

Ok, I'll happily try sssd 1.12.1.

Just a question, in smb.conf one should use "security = domain" or
"security = ads"?

Best regards

-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

