Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Lukas Slebodnik
On (23/10/14 11:27), Outback Dingo wrote:
On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com
wrote:

 On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote:
  On (22/10/14 17:10), Fraser Tweedale wrote:
  Further to my earlier email, I have written a blog post about all
  these matters, with a particular focus on the custom package repo.
  
  I will update it tomorrow with a bit more about the package
  flavours topic.  For now, all the details for enabling and using
  the custom repo are in the post.  Check it out and let me know if
  you spot any issues.
  
  
 http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/
  
  The disadvantage of this approach is that users need to rely on updating
  of a non-standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA
 
  In my opinion, it's better to write a howto (script) which will configure all
  necessary ports/files and portmaster will take care of updating ports.
  https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
 
  LS

 Each has its advantages and disadvantages; people can choose what
 works for them.  Hopefully - not too far in the future - people
 won't have to choose, when binary package flavours are
 implemented.  When that happens, a small effort will be needed to
 define the FreeIPA flavour and ensure it gets included in the
 official package repos.

Fraser, you missed one main point of this thread. The most problematic part was
to *configure* all files, not to install sssd. I don't want to say that
installing is super easy, but configuration is much more complicated.


Actually I would be inclined to assist with a ports build, so it could be
done correctly from the ports tree and work towards having it adopted into
mainline.

+1

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Орхан Касумов
+1.
And even if we are talking about installation of the necessary software and not
about the configuration, then why this?

 The commands to enable the custom repository and install the required
 packages on a FreeBSD host appear below.
 Note that these are Bourne shell commands; this script will not work in the
 FreeBSD default shell, csh.

After having baked ONE SET OF DEFAULTS into a custom package (to make our lives
easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e. to change
FreeBSD's shells?
Aren't there some discrepancies? It may be simple / useful / interesting to
change shells, but why not make a self-sufficient article?
Please update your article to provide a full picture of what a user should do
to install all necessary software, and also which parts should be installed
from your repo, and which parts should be installed from ports (+ the correct
order).
You've already done a lot of work, but with this refinement your help will be
even more valuable.
I'm not asking for myself personally (I've already accomplished all necessary
tasks) - just IMHO everyone writing instructions, tutorials and HowTos for the
*nix world should stick to the rule: articles should be self-sufficient.
I.e. if they rely on techniques not detailed in them, they should at least
include links to other WORKING articles to ensure that a reader will be able to
COMPLETE a task.
Thanks for your contribution, Fraser.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Thu, Oct 23, 2014 at 02:12:47PM +0400, Орхан Касумов wrote:
  +1.
 And even if we are talking about installation of the necessary software and
 not about the configuration, then why this?

  The commands to enable the custom repository and install the required
  packages on a FreeBSD host appear below.
  Note that these are Bourne shell commands; this script will not work in the
  FreeBSD default shell, csh.

 After having baked ONE SET OF DEFAULTS into a custom package (to make our
 lives easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e.
 to change FreeBSD's shells?

It is only for that one script (because csh heredocs are weird).
There is no need whatsoever for a chsh; just that one script needs
to be executed in /bin/sh.  I will clarify this in the post.


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Thu, Oct 23, 2014 at 09:58:33AM +0200, Lukas Slebodnik wrote:
 Fraser, you missed one main point of this thread. The most problematic part was
 to *configure* all files, not to install sssd. I don't want to say that
 installing is super easy, but configuration is much more complicated.
 

I haven't missed that point at all.  In the post I am up front about
the difficulty and room for error in configuring all the services,
and in the conclusion I talk about the scope for further work with a
port of ipa-client-install.

I will clarify the post to try and make it clearer that it focuses
on the installation aspect of the setup and leaves other aspects for
another day.

Thanks for your feedback,

Fraser

 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Orkhan Gasimov
You could ease everything by creating 2 files, FreeIPA.conf and FreeIPA.pem,
uploading them to the Web and sharing links to them. FreeBSD users could then
use the fetch command to download and use your files.

Sent from Blue Mail




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-23 Thread Fraser Tweedale
On Fri, Oct 24, 2014 at 07:42:31AM +0500, Orkhan Gasimov wrote:
 You could ease everything by creating 2 files, FreeIPA.conf and
 FreeIPA.pem, uploading them to the Web and sharing links to them.
 FreeBSD users could then use the fetch command to download and
 use your files.
 
I turned it into a shell script instead, with the appropriate
#!/bin/sh so it doesn't matter what shell they invoke it from.

Regards, Fraser


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Fraser Tweedale
Further to my earlier email, I have written a blog post about all
these matters, with a particular focus on the custom package repo.

I will update it tomorrow with a bit more about the package
flavours topic.  For now, all the details for enabling and using
the custom repo are in the post.  Check it out and let me know if
you spot any issues.


http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/

Cheers,

Fraser

On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
 Great news!
 If I understand correctly, a package can be equivalent to several ports?
 If this is correct, then could a composite package be built to include all
 necessary ports?
 
  * security/sssd http://www.freshports.org/security/sssd
  * security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
  * net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
  * security/cyrus-sasl2
  * security/cyrus-sasl2-gssapi
 
 That package could be called something like ipa-client, and make FreeBSD -
 FreeIPA integration one step closer.
 If not possible, even a pkg equivalent to /security/sssd would eliminate
 existing possibilities for misconfiguration.
 
 22-Oct-14 07:06, Fraser Tweedale wrote:
 I have prepared a custom pkg(8) repo with the packages built with
 the required options/make.conf variables.  Hang tight, I'll send all
 the info soon.
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Petr Spacek

On 22.10.2014 09:10, Fraser Tweedale wrote:

Further to my earlier email, I have written a blog post about all
these matters, with a particular focus on the custom package repo.

I will update it tomorrow with a bit more about the package
flavours topic.  For now, all the details for enabling and using
the custom repo are in the post.  Check it out and let me know if
you spot any issues.

 
http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/


Hello Fraser and others,

it would be great if you could add links to your FreeIPA-related blog posts to
http://www.freeipa.org/page/HowTos .

We are trying to build a kind of 'documentation hub' with links to relevant
posts stored elsewhere.

It is even fine to add links to mailing list archives if the particular post
is useful to a broad audience.

Have a nice day!

Petr^2 Spacek




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Lukas Slebodnik
On (22/10/14 17:10), Fraser Tweedale wrote:
Further to my earlier email, I have written a blog post about all
these matters, with a particular focus on the custom package repo.

I will update it tomorrow with a bit more about the package
flavours topic.  For now, all the details for enabling and using
the custom repo are in the post.  Check it out and let me know if
you spot any issues.


 http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/

The disadvantage of this approach is that users need to rely on updating
of a non-standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA

In my opinion, it's better to write a howto (script) which will configure all
necessary ports/files and portmaster will take care of updating ports.
https://www.freebsd.org/doc/handbook/ports-using.html#portmaster

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Outback Dingo
On Thu, Oct 23, 2014 at 12:23 AM, Lukas Slebodnik lsleb...@redhat.com
wrote:

 The disadvantage of this approach is that users need to rely on updating
 of a non-standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA

 In my opinion, it's better to write a howto (script) which will configure all
 necessary ports/files and portmaster will take care of updating ports.
 https://www.freebsd.org/doc/handbook/ports-using.html#portmaster

 LS


As an avid BSD user, with FreeIPA cloud deployed, I'll fire up some FreeBSD
VMs and see if I can get a running system, using the thread here and the doc
that's been written to sanity check things, and possibly help out with the
packaging if I can. I only need to consider that I run Launchd on my FreeBSD
systems, so I'll need to go deeper, with modified start scripts. I'll do a few
rc based stock installs of 10.1. See how we go.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Outback Dingo
On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com
wrote:

 Each has its advantages and disadvantages; people can choose what
 works for them.  Hopefully - not too far in the future - people
 won't have to choose, when binary package flavours are
 implemented.  When that happens, a small effort will be needed to
 define the FreeIPA flavour and ensure it gets included in the
 official package repos.


Actually I would be inclined to assist with a ports build, so it could be
done correctly from the ports tree and work towards having it adopted into
mainline.




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-22 Thread Fraser Tweedale
On Wed, Oct 22, 2014 at 01:26:42PM +0200, Petr Spacek wrote:
 Hello Fraser and others,
 
 it would be great if you could add links to your FreeIPA-related blog posts
 to http://www.freeipa.org/page/HowTos.
 
I updated the HowTos page.

Cheers, Fraser.

 We are trying to build kind of 'documentation hub' with links to relevant
 posts stored elsewhere.
 
 It is even fine to add links to mailing list archives if the particular post
 is useful to broad audience.
 
 Have a nice day!
 
 Petr^2 Spacek
 
 
 Cheers,
 
 Fraser
 
 On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
 Great news!
 If I understand correctly, a package can be equivalent to several ports?
 If this is correct, then could a composite package be built to include all
 necessary ports?
 
   * _security/sssd_ http://www.freshports.org/security/sssd
   * _security/sudo_ http://www.freshports.org/security/sudo (with SSSD backend)
   * _net/openldap24-client-sasl_
 http://www.freshports.org/net/openldap24-client-sasl
   * security/cyrus-sasl2
   * security/cyrus-sasl2-gssapi
 
 That package could be called something like ipa-client, and make FreeBSD -
 FreeIPA integration one step closer.
 If not possible, even a pkg equivalent to /security/sssd would eliminate
 existing possibilities for misconfiguration.
 
 22-Oct-14 07:06, Fraser Tweedale wrote:
 I have prepared a custom pkg(8) repo with the packages built with
 the required options/make.conf variables.  Hang tight, I'll send all
 the info soon.
 

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (17/10/14 16:46), Orkhan Gasimov wrote:
1. I use FreeBSD 10.0 64-bit.
(For some files bits are also important - for example, on a 32-bit machine
the same configuration of
/usr/local/etc/sssd/sssd.conf file introduces problems because of the line
enumerate = True in the [domain] section; only after that line is commented
out, sssd starts.)

2. The files you requested are at
https://cloud.mail.ru/public/afa7e1fad817/pam.d

Previously I had been editing my pam stack, so I had to overwrite my files with yours
to reproduce the problem. As I thought, it was your misconfiguration.

You have a typo in pam.d/system. Here is a word-diff:
[-account-]{+acconut+}  required  /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail

There is also a syslog message (/var/log/messages):
login: in openpam_parse_chain(): /etc/pam.d/system(19): missing or invalid facility
login: pam_start(): system error

Please update (remove) your post on the FreeBSD forum.

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (20/10/14 15:06), Orkhan Gasimov wrote:
OK, Lukas, I did as you say:
1) reset my pam.d - login to its default state
2) added to my pam.d - system: account  required /usr/local/lib/pam_sss.so
ignore_unknown_user ignore_authinfo_unavail;
3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
Now I cannot locally login as either root or IPA user. Seems like we built
our SSSDs differently or from different ports.
Would you be so kind to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
before, when configuring OpenLDAP on servers. That knowledge of pam let me
solve the problem of local logins with sssd by adding the appropriate line in
pam.d - login instead of pam.d - system. This setup works fine for me;
another setup, which you and FreeBSD forums suppose, doesn't work. Did you
check everything on a blank FreeBSD 10 setup?

Basically, you should do all (ipa-client-install) steps manually.
I would recommend that you look into the log file from a Linux machine,
/var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
will be the location of configuration files (/etc vs /usr/local/etc).

There are indeed nuances that the post at FreeBSD forums didn't address:
I would say that post was more focused on integrating sssd with sudo
and expected a more experienced user with better knowledge of FreeIPA.
It is the most difficult part.

1) what choices should be made when building SSSD and other ports - VERY
IMPORTANT, but missing information;
I am used to installing packages with the utility pkg. Just some packages need
to be built from source. (They are listed at the beginning of the post.)

2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
work;
I don't have a configured ldap.conf. On the other hand, it can be useful for
troubleshooting with the utility ldapsearch.

3) how krb5.conf should be configured on a FreeBSD client;
The same as on Linux. (sssd is linked with MIT Kerberos.)

4) how SSH files should be configured on a FreeBSD client for single sign-on
to behave properly (GSS-API part);
Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made
by the script ipa-client-install.

5) how cron script file's executability, IPA user's shell and automatic
creation of home directories should be considered - there are some caveats
Why do you need cron?
The user shell can be changed on the FreeIPA server, or you can change the sssd
configuration; see man sssd.conf (*shell*).

for newbies;
Do you mean admin newbies or FreeIPA newbies?
An admin should know how to configure automatic creation of directories
(another pam module); ipa-client-install just simplifies it on Linux.

6) why a user can't initially SSH or locally login to a FreeBSD client even
with correct configuration files (password change problem);
FreeBSD admins should already have experience with LDAP configuration on
FreeBSD (or at least have read the FreeBSD documentation). The official
documentation is very good (LDAP client configuration with nss-pam-ldapd):
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

7) how to setup SSSD so that it doesn't cache information too long (this is
not what we always want, right?).

sssd uses a cache by design. If you don't want to cache LDAP users, you can use
nss-pam-ldapd. BTW this point is not related to FreeBSD.

Summary:
Feel free to write a detailed howto for newbies. We will be very glad to help with
review and fixing problematic parts.

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Орхан Касумов

1. Yes, being able to find simple typos is what distinguishes a good 
troubleshooter from a bad one. The problem really was between the chair and the 
keyboard.
2. Not only you were right in this aspect, but also regarding the idea that 
comments in sssd.conf file shouldn't be on the same line as directives. Putting 
a comment on a separate line allows sssd to start normally instead of giving 
error messages.
3. I already updated my post at FreeBSD forums and included your comments 
there. Thanks for taking time to find the cause of the problems.
4. I consider this thread closed, but still plan to write a detailed HowTo 
about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
a) a DNS server;
b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);
e) a FreeBSD client - detailed steps, including many things that the current post 
at FreeBSD forums misses.
I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up 
to them to decide if the HowTo is worth publishing or not.
If the HowTo is OK, I'll translate it to another two languages: Russian and 
Azeri.




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Lukas Slebodnik
On (21/10/14 23:20), Орхан Касумов wrote:

1. Yes, being able to find simple typos is what distinguishes a good 
troubleshooter from a bad one. The problem really was between the chair and 
the keyboard.
2. Not only you were right in this aspect, but also regarding the idea that 
comments in sssd.conf file shouldn't be on the same line as directives. 
Putting a comment on a separate line allows sssd to start normally instead of 
giving error messages.
3. I already updated my post at FreeBSD forums and included your comments 
there. Thanks for taking time to find the cause of the problems.
4. I consider this thread closed, but still plan to write a detailed HowTo 
about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
a) a DNS server;
You do not need an extra server for DNS. FreeIPA is an integrated solution and
a DNS server can be installed as part of FreeIPA:
ipa-server-install --setup-dns

b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of 
FreeBSD);
A user can change their password in the IPA web UI (tested with FreeIPA 4),
but it is a good idea to have a Linux client for testing purposes.

e) a FreeBSD client - detailed steps, including many things that the current post 
at FreeBSD forums misses.
I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up 
to them to decide if the HowTo is worth publishing or not.
If the HowTo is OK, I'll translate it to another two languages: Russian and 
Azeri.
Awesome.

LS


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Fraser Tweedale
On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
 On (20/10/14 15:06), Orkhan Gasimov wrote:
 OK, Lukas, I did as you say:
 1) reset my pam.d - login to its default state
 2) added to my pam.d - system: account  required /usr/local/lib/pam_sss.so
 ignore_unknown_user ignore_authinfo_unavail;
 3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
 Now I cannot locally login as either root or IPA user. Seems like we built
 our SSSDs differently or from different ports.
 Would you be so kind to share info about your choices when building SSSD?
 
 You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack
 before, when configuring OpenLDAP on servers. That knowledge of pam let me
 solve the problem of local logins with sssd by adding the appropriate line in
 pam.d - login instead of pam.d - system. This setup works fine for me;
 another setup, which you and FreeBSD forums suppose, doesn't work. Did you
 check everything on a blank FreeBSD 10 setup?
 
 Basically, you should do all (ipa-client-install) steps manually.
 I would recommend you to look into log file from linux machine
 /var/log/ipaclient-install.log. The main difference between linux and FreeBSD
 will be location of configuration files(/etc vs /usr/local/etc)
 
 There are indeed nuances that the post at FreeBSD forums didn't address:
 I would say that post was more focused on integration sssd with sudo
 and expected more experienced user with better knowledge of FreeIPA.
 It is the most difficult part.
 
 1) what choices should be made when building SSSD and other ports - VERY
 IMPORTANT, but missing information;
 I am used to installing packages with the utility pkg. Just some packages need
 to be built from source. (They are listed at the beginning of the post.)
 
I have prepared a custom pkg(8) repo with the packages built with
the required options/make.conf variables.  Hang tight, I'll send all
the info soon.

 2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
 work;
 I don't have a configured ldap.conf. On the other hand, it can be useful for
 troubleshooting with the utility ldapsearch.
 
 3) how krb5.conf should be configured on a FreeBSD client;
 The same as on Linux. (sssd is linked with MIT Kerberos.)
 
 4) how SSH files should be configured on a FreeBSD client for single sign-on
 to behave properly (GSS-API part);
 Linux and FreeBSD use OpenSSH. You can take inspiration from the changes made
 by the script ipa-client-install.
 
 5) how cron script file's executability, IPA user's shell and automatic
 creation of home directories should be considered - there are some caveats
 Why do you need cron?
 The user shell can be changed on the FreeIPA server, or you can change the
 sssd configuration; see man sssd.conf (*shell*).
 
 for newbies;
 Do you mean admin newbies or FreeIPA newbies?
 An admin should know how to configure automatic creation of directories
 (another pam module); ipa-client-install just simplifies it on Linux.
 
 6) why a user can't initially SSH or locally login to a FreeBSD client even
 with correct configuration files (password change problem);
 FreeBSD admins should already have experience with LDAP configuration on
 FreeBSD (or at least have read the FreeBSD documentation). The official
 documentation is very good (LDAP client configuration with nss-pam-ldapd):
 https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
 
 7) how to setup SSSD so that it doesn't cache information too long (this is
 not what we always want, right?).
 
 sssd uses a cache by design. If you don't want to cache LDAP users, you can
 use nss-pam-ldapd. BTW this point is not related to FreeBSD.
 
 Summary:
 Feel free to write a detailed howto for newbies. We will be very glad to help
 with review and fixing problematic parts.
 
 LS
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Orkhan Gasimov

Great news!
If I understand correctly, a package can be equivalent to several ports?
If this is correct, then could a composite package be built to include 
all necessary ports?


 * _security/sssd_ http://www.freshports.org/security/sssd
 * _security/sudo_ http://www.freshports.org/security/sudo (with SSSD backend)
 * _net/openldap24-client-sasl_
   http://www.freshports.org/net/openldap24-client-sasl
 * security/cyrus-sasl2
 * security/cyrus-sasl2-gssapi

That package could be called something like ipa-client, and make 
FreeBSD - FreeIPA integration one step closer.
If not possible, even a pkg equivalent to /security/sssd would 
eliminate existing possibilities for misconfiguration.


22-Oct-14 07:06, Fraser Tweedale wrote:

I have prepared a custom pkg(8) repo with the packages built with
the required options/make.conf variables.  Hang tight, I'll send all
the info soon.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-21 Thread Fraser Tweedale
On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
 Great news!  If I understand correctly, a package can be
 equivalent to several ports?  If this is correct, then could a
 composite package be built to include all necessary ports?
 
This is not correct.  One package corresponds to one port, but like
most package managers, any missing dependencies will be brought in
when installing a package.  There are some meta-ports (and
corresponding packages) however, that don't contain anything
themselves but exist just to bring in a bunch of related software.
Meta-ports also have limited control over the options with which
dependencies are built.

  * _security/sssd_ http://www.freshports.org/security/sssd
  * _security/sudo_ http://www.freshports.org/security/sudo (with SSSD backend)
  * _net/openldap24-client-sasl_
http://www.freshports.org/net/openldap24-client-sasl
  * security/cyrus-sasl2
  * security/cyrus-sasl2-gssapi
 
Of these five packages, assuming correct options and make.conf
settings, there are only two leaf packages: sudo and
cyrus-sasl-gssapi.  So even without a meta-port, it is not
burdensome to install the required software from the custom repo.

 That package could be called something like ipa-client, and make FreeBSD -
 FreeIPA integration one step closer.
 If not possible, even a pkg equivalent to /security/sssd would eliminate
 existing possibilities for misconfiguration.
 
I don't think it is possible to do it at the moment, in a way that
is useful to FreeBSD users at large, without using a custom pkg(8)
repo.  This is because there is no way to build packages with
different flavours and have them coexist in the same repo.
Support for flavours is a high priority, though; it is actively
being worked on.

Until that feature arrives, a custom pkg repo is the best alternative
to setting options/variables and building ports oneself.

 22-Oct-14 07:06, Fraser Tweedale wrote:
 I have prepared a custom pkg(8) repo with the packages built with
 the required options/make.conf variables.  Hang tight, I'll send all
 the info soon.
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-20 Thread Lukas Slebodnik
On (19/10/14 08:45), Orkhan Gasimov wrote:
 2. About my pam.d files - please read carefully my previous posts.
 I commented  out the line in pam.d - system and added it explicitly to
You didn't have account required /usr/local/lib/pam_sss.so ignore_unknown_user
in pam.d/system. The line is commented out, and there *IS NO* argument
ignore_unknown_user.

The howto on the FreeBSD forum[1] has the argument ignore_unknown_user on the lines
starting with account in both pam configuration files (system, sshd).

 pam.d - login because otherwise I get locked out from the machine. I sent
I didn't touch pam.d/login. I put account .. pam_sss.so ignore_unknown_user
into pam.d/system (the same as in [1]) and I can log in as an sssd user and a
local user. I know that pam configuration isn't the easiest thing for newbies,
but your post will be even more confusing for others. Please do not give
advice if you do not understand where the problem is and why it works with
that change.

 you the WORKING configuration and not the one which was recommended at
 FreeBSD posts (and also by you). And yes, in pam.d - system there's no
 ignore bla bla bla part because in that file the line
 account  required  /usr/local/lib/pam_sss.so just doesn't work, with or
 without that part.
I don't know what you did wrong, but it *works* with the argument
ignore_unknown_user.
How did you test?

LS


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-20 Thread Orkhan Gasimov

OK, Lukas, I did as you say:
1) reset my pam.d - login to its default state
2) added to my pam.d - system: account  required 
/usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail;

3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
Now I cannot locally login as either root or IPA user. Seems like we 
built our SSSDs differently or from different ports.

Would you be so kind to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with pam 
stack before, when configuring OpenLDAP on servers. That knowledge of 
pam let me solve the problem of local logins with sssd by adding the 
appropriate line in pam.d - login instead of pam.d - system. This 
setup works fine for me; another setup, which you and FreeBSD forums 
suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?


There are indeed nuances that the post at FreeBSD forums didn't address:
1) what choices should be made when building SSSD and other ports - VERY 
IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch 
to work;

3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single 
sign-on to behave properly (GSS-API part);
5) how cron script file's executability, IPA user's shell and automatic 
creation of home directories should be considered - there are some 
caveats for newbies;
6) why a user can't initially SSH or locally login to a FreeBSD client 
even with correct configuration files (password change problem);
7) how to setup SSSD so that it doesn't cache information too long (this 
is not what we always want, right?).


In short: the person who posted the info on FreeBSD - FreeIPA integration 
at FreeBSD forums shared a lot of info, but at the same time he didn't 
share other very important pieces of information, and this can cause 
great frustration to people trying to follow his post. And although you 
recommend that I not share my experience of setting up FreeBSD - FreeIPA 
integration, I just want people to get a REALLY WORKING HowTo. I've 
already tested HBAC, centralized sudo and other things in my setup, and 
everything is working fine. So in the near future I plan to make a REAL, 
DETAILED HowTo on this subject, and I think that at least some pieces of 
information in it will help people avoid a great deal of frustration.






Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-19 Thread Dmitri Pal

On 10/18/2014 11:45 PM, Orkhan Gasimov wrote:


1. About enumerate with comments on the same line - it doesn't cause 
any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my 
FreeBSD 10 32-bit - that could be because of a comment on the same 
line. I could check it, but if it's not recommended to have enumerate 
at all, then I'll leave it.




Just FYI, comments on the same line are treated as part of the value, i.e. 
not interpreted as comments.

I do not know how the value is treated by SSSD in the case of a boolean.
It might try to parse it and come to the conclusion that it is true or false, 
but I do not know which conclusion it actually comes to.
BTW for those who are familiar with the internals and some other threads 
- using ding-libs interpretation functions would have caught that. One 
more argument to switch to ding-libs checking (when it is ready).


As for enumeration - it is not needed in 90% of cases, so we recommend 
not configuring it.


2. About my pam.d files - please read carefully my previous posts. I 
commented out the line in pam.d - system and added it explicitly to 
pam.d - login because otherwise I get locked out from the machine. I 
sent you the WORKING configuration and not the one which was 
recommended at FreeBSD posts (and also by you). And yes, in pam.d - 
system there's no ignore bla bla bla part because in that file the 
line account  required  /usr/local/lib/pam_sss.so 
just doesn't work, with or without that part. That's what I was 
talking about in my reply to the post at FreeBSD forums and that's why 
I considered it unimportant to re-add that ignore ... part in the 
commented account ... line when sending pam.d files to you.


3. I like your idea of checking everything on a blank FreeBSD 10 
setup - that way you will really determine whether the problem is 
between the chair and the keyboard or not.




Yeah we should develop tools in this area. +1.


On 19.10.2014, at 2:36, Lukas Slebodnik lsleb...@redhat.com wrote:


On (17/10/14 16:46), Orkhan Gasimov wrote:

1. I use FreeBSD 10.0 64-bit. (For some files bits are also
important - for example, on a 32-bit machine the same
configuration of /usr/local/etc/sssd/sssd.conf file introduces
problems because of the line enumerate = True in the
[domain] section; only after that line is commented 


Firstly, we do not recommend having enumeration enabled.
Secondly, you did not have enumerate = True in your domain section.
You have enumerate = True #to enumerate users and groups
                          ^^^
I wrote to you in another email that comments should be on a different line.

out, sssd starts.)
2. The files you requested are at
https://cloud.mail.ru/public/afa7e1fad817/pam.d

17-Oct-14 16:30, Lukas Slebodnik wrote:

On (17/10/14 15:44), Orkhan Gasimov wrote:

Unfortunately, putting that line in /etc/pam.d/system
prevents me from being 


I checked your pam configuration and you had a wrong line in /etc/pam.d/system.
Currently, it is commented out:
#acconut  required  /usr/local/lib/pam_sss.so
and the correct one is in /etc/pam.d/login:
account  required  /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail

You were wrong in the comment at
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
Please move the line from login to system.

able to locally login to the BSD client. At the same
time, the same line in /etc/pam.d/sshd or
/etc/pam.d/login doesn't give unexpected behaviours.
Bug, bug, bug... 


no, no, no,
The problem was between chair and keyboard.
Sorry, I could not resist :-)

It works for me with FreeBSD 9.3. It is possible that your
pam stack is misconfigured.


BTW, after fixing problems with my freeipa 4.0.3, I was able to connect with ssh
to FreeBSD 10 as freeipa_user and local_user.

If I have time in the next weeks I will try with a clean FreeBSD 10 and will write
some notes.

LS






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

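A checker for the two misconfigurations this thread turns up, the misspelled facility in pam.d/system that Lukas's word-diff shows (2014-10-21) and the inline comment on the enumerate line that Dmitri and Lukas discuss above, written here as an added Python example; it is not code from the thread, from sssd or from OpenPAM. It assumes OpenPAM's facility and control-flag vocabulary and that the ini parser keeps a trailing '#' inside a value (configparser's default is used as the stand-in); the pam.d and sssd.conf fragments are constructed samples.

```python
import configparser
import shlex

# Assumption: the vocabulary OpenPAM's openpam_parse_chain() accepts in a
# FreeBSD pam.d policy ("include" is the chain-inclusion control the stock
# policies use).
PAM_FACILITIES = {"auth", "account", "session", "password"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "binding", "include"}
SSSD_BOOL_OPTIONS = {"enumerate"}  # boolean sssd.conf options; only the thread's one


def parse_pam_policy(text):
    """Split a pam.d policy into entries and report lines OpenPAM would reject.

    Returns (entries, errors). One bad line makes OpenPAM refuse the whole
    policy ("missing or invalid facility" in /var/log/messages), so any
    error means the policy will not load and every login through it fails.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if len(words) < 3:
            errors.append(f"{lineno}: expected 'facility control module [args]'")
            continue
        facility, control, module, *args = words
        if facility not in PAM_FACILITIES:
            # The misspelled "acconut" line from the thread lands here.
            errors.append(f"{lineno}: missing or invalid facility '{facility}'")
            continue
        if control not in PAM_CONTROLS:
            errors.append(f"{lineno}: invalid control flag '{control}'")
            continue
        entries.append({"line": lineno, "facility": facility, "control": control,
                        "module": module, "args": args})
    return entries, errors


def pam_sss_account_ok(entries):
    """True when an account-phase pam_sss.so entry exists and each one carries
    ignore_unknown_user, so purely local users (unknown to sssd) are not
    rejected by a 'required' module; that argument is the thread's fix."""
    sss = [e for e in entries
           if e["facility"] == "account" and e["module"].endswith("pam_sss.so")]
    return bool(sss) and all("ignore_unknown_user" in e["args"] for e in sss)


def sssd_conf_issues(text):
    """Report directives whose value swallowed an inline comment.

    As Dmitri notes, a trailing '#...' stays part of the value; configparser
    behaves the same by default, so 'enumerate = True #to enumerate users
    and groups' yields the non-boolean 'True #to enumerate users and groups'.
    """
    cp = configparser.RawConfigParser()  # inline_comment_prefixes=None by default
    cp.read_string(text)
    issues = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if "#" in value or ";" in value:
                issues.append(f"[{section}] {key}: inline comment is part of the "
                              f"value {value!r}; put it on its own line")
            elif key in SSSD_BOOL_OPTIONS and value.lower() not in {"true", "false"}:
                issues.append(f"[{section}] {key}: {value!r} is not a boolean")
    return issues


# Constructed samples, not the poster's real files: a pam.d/system account
# block with the thread's typo, and a domain section with the comment on
# the same line as the directive.
PAM_SYSTEM_BAD = """\
# account
account  required  pam_login_access.so
acconut  required  /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail
account  required  pam_unix.so
"""
PAM_SYSTEM_GOOD = PAM_SYSTEM_BAD.replace("acconut", "account")

SSSD_CONF_BAD = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
enumerate = True #to enumerate users and groups
"""
SSSD_CONF_GOOD = SSSD_CONF_BAD.replace(
    "enumerate = True #to enumerate users and groups",
    "# to enumerate users and groups (not recommended by the sssd developers)\n"
    "enumerate = True")

if __name__ == "__main__":
    for name, policy in (("bad", PAM_SYSTEM_BAD), ("good", PAM_SYSTEM_GOOD)):
        entries, errors = parse_pam_policy(policy)
        print(f"pam.d/system ({name}):", errors or "loads",
              "| pam_sss account ok:", pam_sss_account_ok(entries))
    for name, conf in (("bad", SSSD_CONF_BAD), ("good", SSSD_CONF_GOOD)):
        print(f"sssd.conf ({name}):", sssd_conf_issues(conf) or "no issues")
```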

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Orkhan Gasimov
Replying to myself is great... Anyway, maybe this info will be useful 
for people like me, trying to integrate FreeBSD with FreeIPA.


Solved some problems:

1. SSH-ing as existing IPA user rsiwal to my FreeBSD client fails. 
The same user can SSH or locally login to my Linux client. 


That happened because the shell specified for user rsiwal was 
/bin/bash. After changing it to /bin/sh that problem disappeared.


2. At the same time I cannot locally login to my FreeBSD host as either 
IPA user or local user.


I posted the cause and solution at FreeBSD forums: 
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/


3. If I create a new user in IPA, he can't initially SSH into FreeBSD 
client.

BSD says: password expired, but doesn't take new password.
The same new user can SSH into my Linux client.
Linux says: password expired and allows to set a new password with a 
message: All authentication tokens updated successfully.
After I set a new password for my newly created user via Linux, I can 
SSH into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to change 
their passwords and then use those new users to SSH into FreeBSD.


Didn`t find a solution yet. But I think this is caused by lack of proper 
configuration of Kerberos on my FreeBSD client. On my Linux client I 
found such a configuration in /etc/krb5.conf file. However, there's no 
such file on my FreeBSD client, as the post on FreeBSD forums didn't say 
anything about such a file. I'll do some more checks and share the 
results here.



16-Oct-14 18:23, Orkhan Gasimov wrote:

Here's what I have at the end of the day after various checks.

SSH-ing as existing IPA user rsiwal to my FreeBSD client fails.
The same user can SSH or locally login to my Linux client.
If I create a new user in IPA, he can't initially SSH into FreeBSD 
client.

BSD says: password expired, but doesn't take new password.
The same new user can SSH into my Linux client.
Linux says: password expired and allows to set a new password with a 
message: All authentication tokens updated successfully.
After I set a new password for my newly created user via Linux, I can 
SSH into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to 
change their passwords and then use those new users to SSH into FreeBSD.
At the same time I cannot locally login to my FreeBSD host as either 
IPA user or local user.


I think there's something wrong with Kerberos setup on my FreeBSD 
client. I suspect that because both /etc/pam.d/system and 
/etc/pam.d/sshd files on the BSD client have a string:

password  sufficient  /usr/local/lib/pam_sss.so use_authtok
but BSD doesn't let update authentication tokens when trying to change 
expired password for a new user.


There was minimal info about Kerberos setup on FreeBSD client in the 
post at FreeBSD forums. Just this: create a keytab on the IPA server 
and copy it to /etc/krb5.keytab on the FreeBSD client.


Someone here wrote that he can contact the author of that post. If so, 
please tell the author to spend a couple of hours to:

1) check everything he advised on a blank setup with VMs;
2) provide more details about correct sequence of actions.

Any help will be highly appreciated!

16-Oct-14 15:13, Orkhan Gasimov wrote:
Please excuse me for that silly typo in the letter. The typo doesn't 
exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files 
I typed ignore_unknown_user.


I'll try ignore_authinfo_unavail to see if it prevents me from 
being locked out of the machine.


Here are the log files:

sssd_eurosel.az.log: 
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log

sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
krb5_child.log: 
https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
ldap_child.log: 
https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log

sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log


16-Oct-14 14:57, Lukas Slebodnik wrote:

On (16/10/14 13:04), Orkhan Gasimov wrote:

OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc


2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh 
Kumar

Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees 
IPA users
when issuing getent passwd or getent shadow. (Previously when I 
used just

2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user 
(rsiwal) or local


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Alexander Bokovoy

On Fri, 17 Oct 2014, Orkhan Gasimov wrote:
Replying to myself is great... Anyway, maybe this info will be useful 
for people like me, trying to integrate FreeBSD with FreeIPA.


Solved some problems:

1. SSH-ing as existing IPA user rsiwal to my FreeBSD client fails. 
The same user can SSH or locally login to my Linux client. 


That happened because the shell specified for user rsiwal was 
/bin/bash. After changing it to /bin/sh that problem disappeared.

SSH does multi-level checks. Not only user should exist on the system
and authentication should pass but also there should be a correct shell
to run. Unfortunately, FreeBSD doesn't have bash in the default
installation. It is up to admins to provide appropriate configuration
either by setting right shell in IPA or by preparing system environment
on all hosts where the selected shell is required. With FreeIPA 4.1 we
are going to provide a mechanism to re-define some of user attributes
per-host but it would require a newer SSSD (or use of compat tree) at
the client side.




2. At the same time I cannot locally login to my FreeBSD host as 
either IPA user or local user.


I posted the cause and solution at FreeBSD forums: 
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/


Well, note that since FreeIPA 3.3 we have support for so-called
'advices' in FreeIPA. See ipa-advise tool on IPA server. Currently it
only provides you with config-freebsd-nss-pam-ldapd advise to configure
FreeBSD with nss-pam-ldapd, but we can extend that to have SSSD covered
too.



3. If I create a new user in IPA, he can`t initially SSH into FreeBSD 
client.

BSD says: password expired, but doesn`t take new password.
The same new user can SSH into my Linux client.
Linux says: password expired and allows to set a new password with a 
message: All authentication tokens updated successfully.
After I set a new password for my newly created user via Linux, I can 
SSH into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to 
change their passwords and then use those new users to SSH into 
FreeBSD.


Didn`t find a solution yet. But I think this is caused by lack of 
proper configuration of Kerberos on my FreeBSD client. On my Linux 
client I found such a configuration in /etc/krb5.conf file. However, 
there's no such file on my FreeBSD client, as the post on FreeBSD 
forums didn't say anything about such a file. I'll do some more checks 
and share the results here.

Well, follow your Kerberos library defaults. By default FreeBSD is built
with Heimdal so if your system uses Heimdal and SSSD is built against
it, then configure /etc/krb5.conf as
[libdefaults]
   default_realm = EXAMPLE.ORG
[realms]
   EXAMPLE.ORG = {
      kdc = kerberos.example.org
      admin_server = kerberos.example.org
   }
[domain_realm]
   .example.org = EXAMPLE.ORG

Where kerberos.example.org is your IPA master.


--
/ Alexander Bokovoy



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Lukas Slebodnik
On (17/10/14 12:27), Orkhan Gasimov wrote:
Replying to myself is great... Anyway, maybe this info will be useful for
people like me, trying to integrate FreeBSD with FreeIPA.

Solved some problems:

1. SSH-ing as existing IPA user rsiwal to my FreeBSD client fails. The
same user can SSH or locally login to my Linux client. 

That happened because the shell specified for user rsiwal was /bin/bash.
After changing it to /bin/sh that problem disappeared.
It needn't be changed in LDAP (IPA). You can change (override) shell on client
side.
For details see:
man sssd.conf - override_shell


2. At the same time I cannot locally login to my FreeBSD host as either IPA
user or local user.

I posted the cause and solution at FreeBSD forums:
https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

In post you wrote:
   The problem is in this string in the /etc/pam.d/system file:
   account required /usr/local/lib/pam_sss.so ignore_unknown_user
   
   That string gives login errors, with or without ignore_unknown_user part.
   The only solution I found for now is to comment that string out and add it
   explicitly into /etc/pam.d/login file. Then local login process proceeds
   without errors.

File /etc/pam.d/system is included by /etc/pam.d/login. I cannot see a
difference.

BTW: You tested access with sshd, but file /etc/pam.d/system needn't be used
in /etc/pam.d/sshd which is used by sshd.

I would recommend to have next line in /etc/pam.d/system and /etc/pam.d/sshd.
Without this line, access control will not work. (HBAC)
account required /usr/local/lib/pam_sss.so ignore_unknown_user 
ignore_authinfo_unavail


3. If I create a new user in IPA, he can't initially SSH into FreeBSD
client.
BSD says: password expired, but doesn't take new password.
The same new user can SSH into my Linux client.
Linux says: password expired and allows to set a new password with a
message: All authentication tokens updated successfully.
After I set a new password for my newly created user via Linux, I can SSH
into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to change their
passwords and then use those new users to SSH into FreeBSD.

Didn`t find a solution yet. But I think this is caused by lack of proper
configuration of Kerberos on my FreeBSD client. On my Linux client I found
such a configuration in /etc/krb5.conf file. However, there's no such file on
my FreeBSD client, as the post on FreeBSD forums didn't say anything about
such a file. I'll do some more checks and share the results here.
FreeIPA requires to change password for new users.
Unfortunately, it is not possible to change password for ldap (sssd) users
in FreeBSD. It is described in FreeBSD ldap client documentation (which uses
nss-pam-ldapd)
https://www.freebsd.org/doc/en/articles/ldap-auth/client.html#caveats

LS

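As an added illustration of the PAM checks Lukas describes in this message (the pam_sss "account" line must be present in both /etc/pam.d/system and /etc/pam.d/sshd, with ignore_unknown_user so local accounts still work and ignore_authinfo_unavail so nobody is locked out while sssd is down) and of the "ignore unknown user" spelling that came up earlier in the thread, here is a small POSIX sh lint for a FreeBSD PAM service file. It is not code from the thread or from SSSD; the sample service files are constructed for the example and the status words are the script's own.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD: lint the "account" line
# that loads pam_sss.so in a FreeBSD PAM service file. Status words (ours):
#   ok                   pam_sss account line with ignore_unknown_user and
#                        ignore_authinfo_unavail
#   no-authinfo-unavail  ignore_authinfo_unavail missing: every login, local
#                        users included, is refused while sssd is down
#   no-unknown-user      ignore_unknown_user missing: accounts sssd does not
#                        know (root, local users) are refused even with sssd up
#   spaced-option        option written as separate words ("ignore unknown
#                        user"); pam_sss(8) options are single underscored words
#   includes-system      no direct pam_sss line, but "account include system"
#                        pulls in the one from /etc/pam.d/system; lint that too
#   missing              no pam_sss account line at all: HBAC is not enforced
pam_sss_account_status() {
    file="$1"
    # Strip comments, then take the first account line whose module is pam_sss.so.
    line=$(sed -e 's/#.*//' "$file" |
        awk '$1 == "account" && $3 ~ /pam_sss\.so$/ { print; exit }')
    if [ -z "$line" ]; then
        if sed -e 's/#.*//' "$file" |
            awk '$1 == "account" && $2 == "include" && $3 == "system" { found = 1 }
                 END { exit !found }'
        then
            echo includes-system
        else
            echo missing
        fi
        return 0
    fi
    case "$line" in
        *"ignore unknown user"* | *"ignore authinfo unavail"*)
            echo spaced-option; return 0 ;;
    esac
    case "$line" in
        *ignore_authinfo_unavail*) ;;
        *) echo no-authinfo-unavail; return 0 ;;
    esac
    case "$line" in
        *ignore_unknown_user*) ;;
        *) echo no-unknown-user; return 0 ;;
    esac
    echo ok
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample service files (made up for this example, not copied from a host).
printf '%s\n' \
    'account   required    pam_login_access.so' \
    'account   required    /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail' \
    'account   required    pam_unix.so' \
    'password  sufficient  /usr/local/lib/pam_sss.so use_authtok' \
    'password  required    pam_unix.so       no_warn try_first_pass' \
    > "$tmp/system.ok"
printf '%s\n' \
    '# the line from the thread, with spaces instead of underscores' \
    'account   required    /usr/local/lib/pam_sss.so ignore unknown user' \
    'account   required    pam_unix.so' \
    > "$tmp/system.typo"
printf '%s\n' \
    'account   required    /usr/local/lib/pam_sss.so ignore_unknown_user' \
    'account   required    pam_unix.so' \
    > "$tmp/system.lockout"
printf '%s\n' \
    'account   include     system' \
    'session   include     system' \
    > "$tmp/login.include"
printf '%s\n' \
    'auth      sufficient  /usr/local/lib/pam_sss.so use_first_pass' \
    'auth      required    pam_unix.so       no_warn try_first_pass' \
    'account   required    pam_login_access.so' \
    'account   required    pam_unix.so' \
    > "$tmp/sshd.missing"

for f in "$tmp"/*; do
    printf '%-16s %s\n' "$(basename "$f")" "$(pam_sss_account_status "$f")"
done
```

On a real host run it as `pam_sss_account_status /etc/pam.d/system` and again for sshd; the sshd.missing sample shows the case Lukas warns about, where pam_sss is in the auth stack (so passwords are checked against IPA) but absent from the account stack, so HBAC rules never run.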


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Lukas Slebodnik
On (17/10/14 12:01), Alexander Bokovoy wrote:
Didn`t find a solution yet. But I think this is caused by lack of proper
configuration of Kerberos on my FreeBSD client. On my Linux client I found
such a configuration in /etc/krb5.conf file. However, there's no such file
on my FreeBSD client, as the post on FreeBSD forums didn't say anything
about such a file. I'll do some more checks and share the results here.
Well, follow your Kerberos library defaults. By default FreeBSD is built
with Heimdal so if your system uses Heimdal and SSSD is built against
It is true that default Kerberos library on FreeBSD is Heimdal. It is stored
in default paths (/usr/bin, /usr/lib).

SSSD does not work with Heimdal, therefore it is linked with MIT krb5 >= 1.10
on FreeBSD, which is stored in (/usr/local/bin, /usr/local/lib)

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Orkhan Gasimov
This idea is great, it would be invaluable for many people trying to 
integrate FreeBSD with FreeIPA. Currently there's only one post about 
this at FreeBSD forums, but it's not detailed and tells nothing about 
many caveats of the process.

You would have helped a lot of people to avoid frustration.

17-Oct-14 14:01, Alexander Bokovoy wrote:

See ipa-advise tool on IPA server. Currently it
only provides you with config-freebsd-nss-pam-ldapd advise to configure
FreeBSD with nss-pam-ldapd, but we can extend that to have SSSD covered
too. 



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Orkhan Gasimov
Unfortunately, putting that line in /etc/pam.d/system prevents me from 
being able to locally login to the BSD client.
At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login 
doesn't give unexpected behaviours.

Bug, bug, bug...

17-Oct-14 14:15, Lukas Slebodnik wrote:

I would recommend to have next line in /etc/pam.d/system and /etc/pam.d/sshd.
Without this line, access control will not work. (HBAC)
account required /usr/local/lib/pam_sss.so ignore_unknown_user 
ignore_authinfo_unavail



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Martin Kosek
On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
 That format is not simple for me, as I'm not a programmer. But after I check,
 double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and
 assure that it works without unexpected behaviors, I'll probably write a 
 HOW-TO
 on this process and post it at FreeBSD forums.

Thanks! Would you consider also adding the HOWTO to
http://www.freeipa.org/page/HowTos
so that other people can follow your steps?

 I'll then share the link to my
 post here, so that:
 1) FreeIPA community could also check the post for any errors;
 2) someone more prepared could translate the whole process into the format
 appropriate for the ipa-advise tool.
 
 17-Oct-14 15:37, Alexander Bokovoy wrote:
 FreeIPA is an open source project where anyone can contribute in their
 areas of interest. You are welcome to contribute recipes for FreeBSD.

 The code is around
 https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py


 As you can see, most recipes are structured in easy way and adding new
 is as simple as adding new class definition there.
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Orkhan Gasimov
Of course! But for now I'm in process of checking my integration and 
there are some things I don't like.
First and foremost, any change on the IPA server is not automatically 
reflected on the BSD client.
Only after SSSD is manually restarted on the client, something  like 
it's cache is cleared happens and new rules apply.
For now I'm not even checking something complex like sudo rule groups 
with host groups, it's just a simple sudo rule for a single user.
I hope for collaboration with other interested people to find a stable 
solution for FreeIPA - FreeBSD interaction via SSSD, so that as a result 
of all this effort a well-detailed tutorial could be written and shared 
with all *nix users.


17-Oct-14 16:17, Martin Kosek wrote:

On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:

That format is not simple for me, as I'm not a programmer. But after I check,
double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and
assure that it works without unexpected behaviors, I'll probably write a HOW-TO
on this process and post it at FreeBSD forums.

Thanks! Would you consider also adding the HOWTO to
http://www.freeipa.org/page/HowTos
so that other people can follow your steps?


I'll then share the link to my
post here, so that:
1) FreeIPA community could also check the post for any errors;
2) someone more prepared could translate the whole process into the format
appropriate for the ipa-advise tool.

17-Oct-14 15:37, Alexander Bokovoy wrote:

FreeIPA is an open source project where anyone can contribute in their
areas of interest. You are welcome to contribute recipes for FreeBSD.

The code is around
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py


As you can see, most recipes are structured in easy way and adding new
is as simple as adding new class definition there.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Lukas Slebodnik
On (17/10/14 15:44), Orkhan Gasimov wrote:
Unfortunately, putting that line in /etc/pam.d/system prevents me from being
able to locally login to the BSD client.
At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login
doesn't give unexpected behaviours.
Bug, bug, bug...

It works for me with FreeBSD 9.3. It is possible that your pam stack is
misconfigured.

Which version of FreeBSD do you use?

Could you send me all files from /etc/pam.d/?

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Martin Kosek
On 10/17/2014 01:28 PM, Orkhan Gasimov wrote:
 Of course! But for now I'm in process of checking my integration and there are
 some things I don't like.
 First and foremost, any change on the IPA server is not automatically 
 reflected
 on the BSD client.
 Only after SSSD is manually restarted on the client, something  like it's 
 cache
 is cleared happens and new rules apply.
 For now I'm not even checking something complex like sudo rule groups with 
 host
 groups, it's just a simple sudo rule for a single user.
 I hope for collaboration with other interested people to find a stable 
 solution
 for FreeIPA - FreeBSD interaction via SSSD, so that as a result of all this
 effort a well-detailed tutorial could be written and shared with all *nix 
 users.

+1. Or, even better approach would be if ipa-client-install script gets ported
some nice day to FreeBSD so that sssd & assorted services do not need to be
configured automatically and can use autodiscover features of
ipa-client-install. But this is even farther future :-)

 17-Oct-14 16:17, Martin Kosek wrote:
 On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
 That format is not simple for me, as I'm not a programmer. But after I 
 check,
 double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and
 assure that it works without unexpected behaviors, I'll probably write a 
 HOW-TO
 on this process and post it at FreeBSD forums.
 Thanks! Would you consider also adding the HOWTO to
 http://www.freeipa.org/page/HowTos
 so that other people can follow your steps?

 I'll then share the link to my
 post here, so that:
 1) FreeIPA community could also check the post for any errors;
 2) someone more prepared could translate the whole process into the format
 appropriate for the ipa-advise tool.

 17-Oct-14 15:37, Alexander Bokovoy wrote:
 FreeIPA is an open source project where anyone can contribute in their
 areas of interest. You are welcome to contribute recipes for FreeBSD.

 The code is around
 https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py



 As you can see, most recipes are structured in easy way and adding new
 is as simple as adding new class definition there.
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Lukas Slebodnik
On (17/10/14 16:28), Orkhan Gasimov wrote:
Of course! But for now I'm in process of checking my integration and there
are some things I don't like.
First and foremost, any change on the IPA server is not automatically
reflected on the BSD client.
sssd uses few levels of caches. If you want to have up-to-date data
you need to invalidate sssd cache (sss_cache -UG).
Details are in man sss_cache. It is not related to FreeBSD. The same behaviour
is on Linux.

If user authenticates to machine with sssd then fresh data is downloaded from
server. That's the only exception.

Only after SSSD is manually restarted on the client, something  like it's
cache is cleared happens and new rules apply.
For now I'm not even checking something complex like sudo rule groups with
host groups, it's just a simple sudo rule for a single user.
sudo is much more tricky about up-to-date data. sssd uses periodic tasks for
refreshing rules. It is not possible to invalidate sudo rules with tool
sss_cache. Detail description of sudo rules caching mechanism is in manual page
man sssd-sudo - THE SUDO RULE CACHING MECHANISM

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-17 Thread Orkhan Gasimov
I found another solution (currently checked it only for adding/deleting 
a sudo rule for a user, and also enabling/disabling a user) - add to the 
[domain] section of the sssd.conf file: entry_cache_timeout = 5.



17-Oct-14 16:39, Lukas Slebodnik wrote:

sssd uses few levels of caches. If you want to have up-to-date data
you need to invalidate sssd cache (sss_cache -UG).



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-16 Thread Orkhan Gasimov

OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc


2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh 
Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk


4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA 
users when issuing getent passwd or getent shadow. (Previously when 
I used just 2 VMs and no DNS server, that didn't happen.)


Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or 
local user (root);


2) if I restart my IPA BSD client, I also can't login to it locally as 
either root or rsiwal. I get totally locked out of the machine.


FreeBSD displays some errors on the screen when using:

1) SSH: 
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG


2) local login: 
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG


FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user

The file pam_sss.so exists on my FreeBSD machine in the specified 
location. Deleting ignore unknown user from that line doesn`t help. 
Changing the position of that line so that it precedes

account  required  pam_unix.so
also gives no result.

Please help me to understand, what can I do in such a situation? Is it a 
bug in pam_sss.so?


15-Oct-14 06:14, Fraser Tweedale wrote:

On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:

On (14/10/14 17:48), Fraser Tweedale wrote:

On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have different
domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there are
no users or groups in the domain. But as I said, I can ssh to the IPA server
as an IPA user.


Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.


You needn't build sssd from ports. You can install sssd with pkg utility.
The only necessary step is to build openldap client with SASL support,
because default version of openldap client is build without SASL support.
sssd cannot initialize ipa_provider with openldap libraries without SASL
support. On the other hand, {ldap,krb5,ad} providers can be used without any
problem.

The steps, how to build openldap client with SASL support, are described
in freebsd forum.


It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side node: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)

I am not sure what you are trying to do. Everything is described on forum.
If there isn't something clear feel free to send rephrased(updated) version of
howto. I can contact an author of that post.


Since there are non-default options and make variables to be set, is
it not desirable that there be a pkg(8) repository people can use to
install the packages needed for ipa integration?

I think it is desirable.  It is easy to thanks to
ports-mgmt/poudriere.

Fraser


LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-16 Thread Lukas Slebodnik
On (16/10/14 13:04), Orkhan Gasimov wrote:
OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar
Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users
when issuing getent passwd or getent shadow. (Previously when I used just
2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
user (root);

2) if I restart my IPA BSD client, I also can't login to it locally as either
root or rsiwal. I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH:
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG

2) local login:
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user
  ^^^
  it should be one word connected with underscores _

See details in:
man pam_sss - OPTIONS

It would be good to use also argument ignore_authinfo_unavail
in pam system config otherwise you will not be able to connect as local user
if sssd will be down.

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-16 Thread Orkhan Gasimov
Please excuse me for that silly typo in the letter. The typo doesn't 
exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I 
typed ignore_unknown_user.


I'll try ignore_authinfo_unavail to see if it prevents me from being 
locked out of the machine.


Here are the log files:

sssd_eurosel.az.log: 
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log

sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
krb5_child.log: https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log


16-Oct-14 14:57, Lukas Slebodnik wrote:

On (16/10/14 13:04), Orkhan Gasimov wrote:

OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar
Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users
when issuing getent passwd or getent shadow. (Previously when I used just
2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
user (root);

2) if I restart my IPA BSD client, I also can't login to it locally as either
root or rsiwal. I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH:
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG

2) local login:
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user

   ^^^
   it should be one word connected with underscores _

See details in:
 man pam_sss - OPTIONS

It would be good to use also argument ignore_authinfo_unavail
in pam system config otherwise you will not be able to connect as local user
if sssd will be down.

LS




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-16 Thread Orkhan Gasimov

Here's what I have at the end of the day after various checks.

SSH-ing as existing IPA user rsiwal to my FreeBSD client fails.
The same user can SSH or locally login to my Linux client.
If I create a new user in IPA, he can't initially SSH into FreeBSD client.
BSD says: password expired, but doesn't take new password.
The same new user can SSH into my Linux client.
Linux says: password expired and allows to set a new password with a 
message: All authentication tokens updated successfully.
After I set a new password for my newly created user via Linux, I can 
SSH into my BSD client as that user.
Using this hack I can create new users in IPA, SSH into Linux to change 
their passwords and then use those new users to SSH into FreeBSD.
At the same time I cannot locally login to my FreeBSD host as either IPA 
user or local user.


I think there's something wrong with Kerberos setup on my FreeBSD 
client. I suspect that because both /etc/pam.d/system and 
/etc/pam.d/sshd files on the BSD client have a string:

password  sufficient  /usr/local/lib/pam_sss.so use_authtok
but BSD doesn't let me update authentication tokens when trying to change 
the expired password for a new user.


There was minimal info about Kerberos setup on FreeBSD client in the 
post at FreeBSD forums. Just this: create a keytab on the IPA server 
and copy it to /etc/krb5.keytab on the FreeBSD client.


Someone here wrote that he can contact the author of that post. If so, 
please tell the author to spend a couple of hours to:

1) check everything he advised on a blank setup with VMs;
2) provide more details about correct sequence of actions.

Any help will be highly appreciated!

16-Oct-14 15:13, Orkhan Gasimov wrote:
Please excuse me for that silly typo in the letter. The typo doesn't 
exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files 
I typed ignore_unknown_user.


I'll try ignore_authinfo_unavail to see if it prevents me from being 
locked out of the machine.


Here are the log files:

sssd_eurosel.az.log: 
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log

sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
krb5_child.log: 
https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
ldap_child.log: 
https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log

sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log


16-Oct-14 14:57, Lukas Slebodnik wrote:

On (16/10/14 13:04), Orkhan Gasimov wrote:

OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in 
http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar 
Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users
when issuing getent passwd or getent shadow. (Previously when I used just
2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:

1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
user (root);

2) if I restart my IPA BSD client, I also can't login to it locally as either
root or rsiwal. I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH:
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG 



2) local login:
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG 



FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user

   ^^^
   it should be one word connected with underscores _


See details in:
 man pam_sss - OPTIONS

It would be good to also use the argument ignore_authinfo_unavail
in the PAM system config, otherwise you will not be able to connect as a
local user if sssd is down.

LS






Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section 
of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
The log file located at /var/log/sssd/sssd.log is only populated with 
data when I make some errors in sssd.conf & sssd process fails to 
start. But that's the case only if I deliberately introduce some 
errors; with current configuration sssd starts successfully.

SSSD writes separate log files per each section, so you need to look at
/var/log/sssd/sssd_mydomain.com.log for [domain/mydomain.com] and
/var/log/sssd/sssd_nss.log for nss section.

3. The users created at the IPA server can't locally log in to the 
server, but it's possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, 
this is what happens when just following the IPA Quick Start Guide for 
the server side & the post from FreeBSD forums for the client side):

- home directories are not automatically created on the IPA server;
- id command output shows correct uid, but the group of any IPA 
user doesn't show as ipausers - instead, the group name is the same 
as username, + something like 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

In FreeIPA in Fedora we switched off ipausers being a POSIX group.
FreeIPA supports POSIX and non-POSIX groups; the latter is for grouping
purposes as groups can be nested in FreeIPA. 'ipausers' is the group
every user is a member of but it is not a POSIX group anymore so it has
less effect on performance in large deployments (tens of thousands
users in the same group).

So it is expected. The group named as a username is a user-private group
which is maintained automatically per each user. It has the same GID as
user's UID.


--
/ Alexander Bokovoy



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log: 
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log

sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have 
different domain name, but everything else is identical.


Interestingly enough, there are lines in sssd_nss.log telling that there 
are no users or groups in the domain. But as I said, I can ssh to the 
IPA server as an IPA user.


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:  
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, it has no 
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1            localhost
127.0.0.1      localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

Seems like some instructions in /etc/nsswitch.conf file, like group: files sss and 
passwd: files sss have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.


14-Oct-14 10:23, Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here's the info you asked for:

1. Putting debug_level = 7 either in [domain] or/and [nss] section 
of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
The log file located at /var/log/sssd/sssd.log is only populated with 
data when I make some errors in sssd.conf & sssd process fails to 
start. But that's the case only if I deliberately introduce some 
errors; with current configuration sssd starts successfully.


2. My original sssd.conf (without debugs) is as follows (exact copy of 
what was shown in the post at FreeBSD forums):


-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
-

Interestingly enough the [nss] section is empty, just as shown in the 
post at FreeBSD forums.


3. The users created at the IPA server can't locally log in to the 
server, but it's possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, 
this is what happens when just following the IPA Quick Start Guide for 
the server side & the post from FreeBSD forums for the client side):

 - home directories are not automatically created on the IPA server;
 - id command output shows correct uid, but the group of any IPA 
user doesn't show as ipausers - instead, the group name is the same 
as username, + something like 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.


4. Here is the list of snapshots taken from my FreeBSD VM when I 
installed necessary ports, maybe these snapshots will provide some 
additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA 
server: 
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a 
working solution.
Getent passwd/group return no data from the IPA server, although 
ldapsearch works fine.
I followed the instructions exactly (+ configured ldap.conf & 
started sssd) and didn't get errors anywhere, all steps completed 
successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the 
other is a FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, 
it has no integrated DNS server.

Both VMs have identical /etc/hosts file:

::1            localhost
127.0.0.1      localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

Seems like some instructions in /etc/nsswitch.conf file, like 
group: files sss and passwd: files sss have no effect.

Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me 
where to ask.

Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then 
check

out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS






Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Fraser Tweedale
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
 With help from Alexander Bokovoy I found correct log destinations:
 
 sssd-domain-log:
 https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
 sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
 
 These files are from my second Fedora - FreeBSD setup, they have different
 domain name, but everything else is identical.
 
 Interestingly enough, there are lines in sssd_nss.log telling that there are
 no users or groups in the domain. But as I said, I can ssh to the IPA server
 as an IPA user.
 
Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.

It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)

Cheers,

Fraser

 14-Oct-14 00:32, Lukas Slebodnik wrote:
 On (13/10/14 20:33), Jakub Hrozek wrote:
 On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
   Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server: 
  https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working 
 solution.
 Getent passwd/group return no data from the IPA server, although 
 ldapsearch works fine.
 I followed the instructions exactly (+ configured ldap.conf & started 
 sssd) and didn't get errors anywhere, all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
 FreeBSD client (on FreeBSD 10.0).
 IPA server is configured as written in the IPA Quick Start Guide, it has 
 no integrated DNS server.
 Both VMs have identical /etc/hosts file:
 
 ::1            localhost
 127.0.0.1      localhost
 192.168.1.10   ipa1.mydomain.com ipa1
 192.168.1.30   bsd1.mydomain.com bsd1
 
 Seems like some instructions in /etc/nsswitch.conf file, like group: files 
 sss and passwd: files sss have no effect.
 Has anybody tried this setup, what could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to 
 ask.
 Any hint on what to do will be highly appreciated!
 Hi,
 
 I think SSSD logs would be the best start..
 
 Put debug_level=7 into the [domain] section, restart SSSD and then check
 out /var/log/sssd/*.log
 
 debug_level = 7 can be put into nss section as well.
 Could you share your sssd configuration file /usr/local/etc/sssd.conf?
 
 LS
 
 


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.

You have a basic problem with DNS resolution at the FreeBSD client side:
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done]
(0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
...
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb]
(0x0080): Going offline. Running callbacks.


Make sure your DNS infrastructure is actually working. Run the following on
the FreeBSD side:

dig SRV _ldap._tcp.eurosel.az
dig SRV _kerberos._tcp.eurosel.az

and fix either your resolver or DNS server to properly resolve SRV
records for IPA domain (assuming eurosel.az is your IPA domain).

--
/ Alexander Bokovoy



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

Thanks for taking time to find a solution.

1. Location of log files is /var/log/sssd , I just didn't know that each 
section of sssd.conf file produced its own log file:


/var/log/sssd/sssd_your.domain.log
/var/log/sssd/sssd_nss.log

2. For the client side, here again the list of snapshots taken from my 
FreeBSD VM when I installed necessary ports, maybe these snapshots will 
provide some additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started

3. For the server side, one thing that I had to do differently when 
adding the client to the server, is I used the --force option, as the 
server complained about the host not having a DNS A record (I don't run 
DNS server on IPA server).


14-Oct-14 12:48, Fraser Tweedale wrote:

On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have different
domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there are
no users or groups in the domain. But as I said, I can ssh to the IPA server
as an IPA user.


Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.

It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)

Cheers,

Fraser


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:  
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, it has no 
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1            localhost
127.0.0.1      localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

Seems like some instructions in /etc/nsswitch.conf file, like group: files sss and 
passwd: files sss have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS





Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Lukas Slebodnik
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of 
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not 
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup 
meta-server), resolver returned (5)

DNS discovery of IPA server failed, because you just configured a few hostnames
in /etc/hosts

You can add IP address or hostname to the option ipa_server
e.g.
ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)

LS

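Alexander's dig SRV check and Lukas's ipa_server = _srv_, hostname advice are two halves of the same diagnosis: with _srv_ alone, SSSD has nothing to fall back on when the _ldap._tcp SRV lookup fails, and the log fills with "SRV query failed: [Domain name not found]". The script below is an added example for this page, not code from the thread or from SSSD. It assumes the section name domain/eurosel.az from the posted log, the hostname ipa1.eurosel.az from the thread, a constructed second server ipa2.eurosel.az, and that dig is installed (on FreeBSD from the dns/bind-tools port if your base system lacks it). Whether SSSD's own parser treats text after # on an option line as part of the value is not stated in the thread; the check simply flags an inline comment as ambiguous, which is why Lukas recommends a separate line.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): check how an SSSD IPA
# domain will find its server. It covers the two problems raised above: an
# ipa_server that relies on _srv_ discovery while the domain has no SRV
# records (the "SRV query failed: [Domain name not found]" lines), and a
# "# comment" placed on the same line as the option. Config paths, domain
# names and the DNS answers are constructed for illustration.

# ipa_server_value CONF SECTION: print the raw ipa_server value found in
# [SECTION] (for example "domain/eurosel.az"); print nothing if unset.
ipa_server_value() {
    awk -v want="$2" '
        /^[ \t]*\[/ {                       # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_sec = (s == want); next
        }
        in_sec && /^[ \t]*ipa_server[ \t]*=/ {
            v = $0; sub(/^[ \t]*ipa_server[ \t]*=[ \t]*/, "", v); print v; exit
        }' "$1"
}

# check_ipa_server CONF SECTION
#   returns 1 if the value carries an inline comment (ambiguous: depending on
#             the parser the text after # may become part of the value),
#           2 if it names no server other than _srv_ (SRV records required;
#             an unset ipa_server is treated the same way),
#           0 if at least one server is listed explicitly as a fallback.
check_ipa_server() {
    v=$(ipa_server_value "$1" "$2")
    case "$v" in
        *'#'*)
            echo "ipa_server has an inline comment; move it to its own line: '$v'"
            return 1 ;;
    esac
    # Split the comma-separated list, drop whitespace and count the entries
    # that are not the _srv_ discovery marker.
    explicit=$(printf '%s\n' "$v" | tr ',' '\n' | tr -d ' \t' \
               | grep -v '^$' | grep -vci '^_srv_$' || true)
    if [ "${explicit:-0}" -eq 0 ]; then
        echo "ipa_server relies on SRV discovery only; _ldap._tcp and _kerberos._tcp SRV records for the domain must resolve"
        return 2
    fi
    return 0
}

# srv_targets: read "priority weight port target." lines, as printed by
# `dig +short SRV`, on stdin and print host:port in the order a client
# should try them (lowest priority first, higher weight first within it).
srv_targets() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { t = $4; sub(/\.$/, "", t); print t ":" $3 }'
}

# srv_check DOMAIN: live lookup of the records named in the thread
# (needs dig; not exercised offline).
srv_check() {
    rc=0
    for name in "_ldap._tcp.$1" "_kerberos._tcp.$1"; do
        targets=$(dig +short SRV "$name" | srv_targets)
        if [ -z "$targets" ]; then
            echo "$name: no SRV record (fix the resolver/DNS, or add a hostname to ipa_server)"
            rc=1
        else
            printf '%s: %s\n' "$name" "$(printf '%s\n' "$targets" | tr '\n' ' ')"
        fi
    done
    return $rc
}

if [ "$#" -eq 2 ]; then
    check_ipa_server "$1" "$2"   # e.g. sh srv_check.sh /usr/local/etc/sssd/sssd.conf domain/eurosel.az
elif [ "$#" -eq 1 ]; then
    srv_check "$1"               # e.g. sh srv_check.sh eurosel.az
fi
```

Run the config check first; if it exits 2, either run the DNS check to confirm the SRV records resolve from the client, or add the IPA server's FQDN after _srv_ as Lukas suggests, so that the domain still works when SRV discovery fails.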


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has 
DNS SRV entries was taken as-is from the how-to on FreeBSD forums. 
First I commented it out, because I was unsure if it was appropriate 
for my simple setup with just 2 VMs and a bunch of records in 
/etc/hosts file. After starting sssd, I could get no IPA data 
with getent passwd or getent group commands. Then I uncommented it 
and restarted sssd, but things remained the same.


Now your advice is:  ...add IP address or hostname to the option 
ipa_server, but you use an arbitrary name like vm-120.eurosel.az. 
Could you please explain which host's FQDN I should put there? If I use 
ipa1.eurosel.az, then sssd won't start (complains about ...Looping 
detected inside krb5_get_in_tkt...).


If it MUST be a DNS server, then everything changes. And the question 
then becomes: is it possible to set up a test FreeIPA client-server 
interaction using only 2 VMs and proper records in /etc/hosts instead of 
a DNS server? Or one MUST add a third VM and make it a DNS server to 
facilitate client-server interaction?


14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of 
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not 
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup 
meta-server), resolver returned (5)

DNS discovery of IPA server failed, because you just configured a few hostnames
in /etc/hosts

You can add IP address or hostname to the option ipa_server
e.g.
 ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov
I tried to avoid setting up a third VM to serve as a DNS server for my 
test scenario. Thought it would be possible to set up working FreeIPA 
client-server interaction with just 2 VMs & correct hostnames & 
/etc/hosts files in them.


Do I correctly understand your idea that it's a MUST to set up a DNS 
server to facilitate FreeIPA client-server interaction? Or is there a way 
to do it with just 2 VMs and no DNS server?



14-Oct-14 12:50, Alexander Bokovoy wrote:

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log 


sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.

You have a basic problem with DNS resolution at the FreeBSD client side:
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done]
(0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
...
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb]
(0x0080): Going offline. Running callbacks.


Make sure your DNS infrastructure is actually working. Run the following on
the FreeBSD side:

dig SRV _ldap._tcp.eurosel.az
dig SRV _kerberos._tcp.eurosel.az

and fix either your resolver or DNS server to properly resolve SRV
records for IPA domain (assuming eurosel.az is your IPA domain).
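The backend log quoted above has a fixed shape (timestamp, component, function, debug-level bitmask, message), so the DNS-discovery failure it records can be picked out mechanically. The following is an added example, not code from this thread or from SSSD: it parses lines of that shape, pairs each SRV query with its result, notes which services were marked 'not resolved' and whether the backend went offline, and lists the dig checks from the message above for the names that failed. The log lines embedded in it are constructed to match the quoted format; the debug_level bit meanings are those documented in sssd.conf(5).

```python
"""Triage an SSSD backend log (sssd_<domain>.log) for DNS SRV discovery failures.

Added illustration for this thread, not SSSD code.  SAMPLE_LOG is constructed
to match the line format quoted in the thread.
"""
import json
import re

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>\S+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"be\[(?P<domain>[^\]]+)\]")
SRV_QUERY_RE = re.compile(r"Trying to resolve SRV record of '(?P<name>[^']+)'")
SRV_FAIL_RE = re.compile(r"SRV query failed: \[(?P<reason>[^\]]+)\]")
SRV_STATUS_RE = re.compile(
    r"Marking SRV lookup of service '(?P<service>[^']+)' as '(?P<status>[^']+)'"
)

# debug_level bits per sssd.conf(5): 0x0010-0x0040 are failures worth alerting
# on, 0x0080 and above are configuration and trace detail.
LEVELS = {
    0x0010: "critical failure", 0x0020: "serious failure", 0x0040: "minor failure",
    0x0080: "configuration", 0x0100: "function data", 0x0200: "trace (operations)",
    0x0400: "trace (internal)", 0x1000: "trace (low level)",
}


def parse_line(line):
    """Split one log line into fields; None for continuation or '...' lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVELS.get(rec["level"], "unknown")
    return rec


def triage(lines):
    """Summarise the SRV discovery outcome recorded by one backend log."""
    summary = {
        "domain": None,
        "srv_queries": [],          # SRV owner names the resolver was asked for
        "srv_failures": [],         # (owner name, reason) pairs
        "unresolved_services": [],  # services marked 'not resolved'
        "went_offline": False,
        "failure_lines": 0,         # lines at level 0x0040 or below
    }
    pending = None                  # SRV name queried but not yet answered
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if summary["domain"] is None:
            dm = DOMAIN_RE.search(rec["comp"])
            if dm:
                summary["domain"] = dm.group("domain")
        if rec["level"] <= 0x0040:
            summary["failure_lines"] += 1
        msg = rec["msg"]
        query = SRV_QUERY_RE.search(msg)
        fail = SRV_FAIL_RE.search(msg)
        status = SRV_STATUS_RE.search(msg)
        if query:
            pending = query.group("name")
            summary["srv_queries"].append(pending)
        elif fail:
            summary["srv_failures"].append((pending, fail.group("reason")))
            pending = None
        elif status and status.group("status") == "not resolved":
            svc = status.group("service")
            if svc not in summary["unresolved_services"]:
                summary["unresolved_services"].append(svc)
        elif "going offline" in msg.lower():
            summary["went_offline"] = True

    if summary["unresolved_services"] and summary["went_offline"]:
        summary["verdict"] = "dns-srv-discovery-failure"
    elif summary["srv_failures"]:
        summary["verdict"] = "srv-lookup-errors"
    else:
        summary["verdict"] = "ok"
    # Client-side checks in the form the thread recommends; fall back to the
    # two names asked for in the thread when no query name appears in the log.
    names = summary["srv_queries"]
    if not names and summary["domain"]:
        names = [f"_ldap._tcp.{summary['domain']}", f"_kerberos._tcp.{summary['domain']}"]
    summary["checks"] = [f"dig SRV {n}" for n in names]
    return summary


# Constructed sample modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.eurosel.az'",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)",
    "...",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])",
    "(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.",
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against the real file (`triage(open("/var/log/sssd/sssd_eurosel.az.log").readlines())`) and the verdict plus the `checks` list tell you whether the resolver on the client is the thing to fix, before touching sssd.conf.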




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in the /etc/hosts file. After
starting sssd, I could get no IPA data with "getent passwd" or "getent group"
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is: "...add IP address or hostname to the option ipa_server",
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won't start (complains about "...Looping detected inside
krb5_get_in_tkt...").

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful 
configuration on clients and is strongly discouraged.


If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <IP address of your *existing*
DNS server>
+ specify an IPA domain name which is a sub-domain of your existing domain (e.g.
ipa.eurosel.az)

+ change /etc/resolv.conf on *all* clients to point to the IPA server

*This is a dirty trick* and it will not work unless all your clients have the
IPA server in resolv.conf. It will most likely break when you try to use AD
trust with AD clients etc.



*In a production environment* you should add NS records for the ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In that case you
don't need to fiddle with resolv.conf on all clients.


Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here's the info you asked for:

1. Putting debug_level = 7 either in the [domain] and/or [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & the sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with the current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
meta-server), resolver returned (5)

DNS discovery of the IPA server failed, because you just configured a few hostnames
in /etc/hosts.

You can add an IP address or hostname to the option ipa_server,
e.g.
 ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)
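Lukas's two points in the quoted message (ipa_server = _srv_ on its own depends entirely on working SRV records, and a comment is better placed on its own line than beside the option) can be turned into a small lint over the [domain/...] sections of sssd.conf. This is an added example, not SSSD code: it reads the file with Python's configparser as a stand-in INI reader, which keeps a trailing '#...' as part of the value and so makes the inline comment visible; how SSSD's own parser treats that line is not asserted here. The two configurations embedded are the forum one quoted above and a corrected version with an explicit fallback server (both constructed here).

```python
"""Lint [domain/...] sections of an sssd.conf for the two points raised in the
quoted message: ipa_server relying solely on DNS SRV discovery, and a comment
sharing the line with an option.  Added illustration, not SSSD code.
configparser stands in for SSSD's INI reader; it keeps a trailing '#...' as
part of the value, which is what makes the inline comment visible here."""
import configparser

# Constructed copy of the configuration quoted in the thread.
FORUM_CONF = """\
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
"""

# Same configuration with the comment on its own line and an explicit server
# listed after _srv_ as fallback, as suggested in the quoted message.
FIXED_CONF = """\
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
# our FreeIPA server has DNS SRV entries; the explicit server is the fallback
ipa_server = _srv_, ipa1.mydomain.com
"""


def split_servers(value):
    """Drop any inline comment, then split the comma-separated server list."""
    bare = value.split("#", 1)[0].split(";", 1)[0]
    return [s.strip() for s in bare.split(",") if s.strip()]


def lint_domain_sections(text):
    """Return {section: [(code, detail), ...]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        issues = []
        value = cp.get(section, "ipa_server", fallback=None)
        if value is None:
            # sssd-ipa(5): with no ipa_server set, the backend uses service discovery
            issues.append(("no-ipa_server", "implicit DNS SRV discovery only"))
        else:
            if "#" in value or ";" in value:
                issues.append(("inline-comment", f"value read as {value!r}"))
            servers = split_servers(value)
            if servers and all(s == "_srv_" for s in servers):
                issues.append(("srv-only",
                               "discovery needs SRV records for the IPA domain; "
                               "list an explicit server as fallback"))
        findings[section] = issues
    return findings


if __name__ == "__main__":
    for name, conf in (("forum", FORUM_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_domain_sections(conf))
```

The lint does not cover ipa_hostname, which sssd-ipa(5) defines as the client machine's own hostname; the quoted configuration gives the server's name there, so that line is worth checking on the FreeBSD client as well.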



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
I tried to avoid setting up a third VM to serve as a DNS server for my
test scenario. Thought it would be possible to set up working FreeIPA
client-server interaction with just 2 VMs & correct hostnames &
/etc/hosts files in them.

Many applications rely on service discovery based on DNS. In particular,
SSSD uses this approach if you don't explicitly set servers for LDAP,
Kerberos, IPA, etc. See sssd-ldap(5), sssd-krb5(5), sssd-ipa(5), section
'SERVICE DISCOVERY'.

The mechanism is described in RFC 2782. It becomes even more important
for cases like integration with Active Directory where AD side relies on
DNS service discovery unconditionally.

IPA has an integrated DNS server; all you needed to do is to run
'ipa-server-install --setup-dns' or 'ipa-dns-install' afterwards.

If you don't want to use the IPA-provided DNS server, at the end of
ipa-server-install a sample DNS zone was generated to show what records
need to be added to your DNS zone.


Do I correctly understand your idea that it's a MUST to set up a DNS
server to facilitate FreeIPA client-server interaction? Or is there a
way to do it with just 2 VMs and no DNS server?

Use the integrated DNS server in the FreeIPA server; this is the supported way of
doing it. FreeIPA then will make it manageable through its tools -- be
it the command line interface or the web UI.


--
/ Alexander Bokovoy
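Alexander's point about the sample DNS zone, and Petr's production advice earlier in the thread (delegate the IPA sub-domain with NS records in the parent zone), can both be checked against zone data. The example below is added here and is not FreeIPA code; it models zones as in-memory dicts so the checks run offline. The SRV name set is the one ipa-server-install prints in its sample zone (the thread itself names only _ldap._tcp and _kerberos._tcp), the domain and realm follow the layout Alexander suggests later in the thread (ipa.eurosel.az / IPA.EUROSEL.AZ with server ipa1.ipa.eurosel.az), and the IP addresses are constructed placeholders from the 192.0.2.0/24 documentation range. can_discover() contrasts the "dirty trick" (the client resolves directly at the IPA server) with proper delegation (any resolver can follow the parent's referral).

```python
"""Check the DNS pieces this thread turns on: the SRV/TXT records inside the
IPA domain and the NS delegation from the parent zone.  Added illustration,
not FreeIPA code; zones are in-memory dicts {owner: {type: [rdata]}} so the
checks run offline.  Names follow the layout suggested later in the thread
(ipa.eurosel.az under eurosel.az, server ipa1.ipa.eurosel.az); addresses are
constructed placeholders from the 192.0.2.0/24 documentation range."""

# SRV services (and their ports) that ipa-server-install lists in its sample
# zone; the thread itself only names _ldap._tcp and _kerberos._tcp.
IPA_SRV_SERVICES = {
    "_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123,
}


def fqdn(name):
    """Normalise to an absolute (trailing-dot) owner name."""
    return name if name.endswith(".") else name + "."


def required_ipa_records(ipa_domain):
    """(owner, type) pairs a client needs in order to discover the IPA servers."""
    d = fqdn(ipa_domain)
    recs = [(f"{svc}.{d}", "SRV") for svc in IPA_SRV_SERVICES]
    recs.append((f"_kerberos.{d}", "TXT"))   # realm name for Kerberos clients
    return recs


def check_ipa_zone(zone, ipa_domain, realm):
    """Return the required records that are missing or carry the wrong realm."""
    problems = []
    for owner, rtype in required_ipa_records(ipa_domain):
        rdata = zone.get(owner, {}).get(rtype, [])
        if not rdata:
            problems.append((owner, rtype))
        elif rtype == "TXT" and realm not in [r.strip('"') for r in rdata]:
            problems.append((owner, rtype))
    return problems


def check_delegation(parent_zone, ipa_domain):
    """The production setup from the thread: NS records (plus glue) for the IPA sub-domain."""
    child = fqdn(ipa_domain)
    ns_targets = parent_zone.get(child, {}).get("NS", [])
    if not ns_targets:
        return [f"no NS records for {child} in parent zone"]
    problems = []
    for target in ns_targets:
        t = fqdn(target)
        # A nameserver inside the delegated zone needs a glue A record in the parent.
        if t.endswith("." + child) and not parent_zone.get(t, {}).get("A"):
            problems.append(f"NS target {t} is inside {child} but has no glue A record")
    return problems


def can_discover(client_resolver_ip, ipa_server_ip, parent_zone, ipa_domain):
    """The 'dirty trick' (resolv.conf points at the IPA server, which is
    authoritative for the IPA zone) works without delegation; any other
    resolver can only reach the IPA zone through the parent's NS referral."""
    if client_resolver_ip == ipa_server_ip:
        return True
    return check_delegation(parent_zone, ipa_domain) == []


# Constructed sample zones.
IPA_DOMAIN, REALM = "ipa.eurosel.az", "IPA.EUROSEL.AZ"
IPA_SERVER, IPA_SERVER_IP = "ipa1.ipa.eurosel.az.", "192.0.2.10"
CORP_RESOLVER_IP = "192.0.2.53"

IPA_ZONE = {IPA_SERVER: {"A": [IPA_SERVER_IP]},
            f"_kerberos.{IPA_DOMAIN}.": {"TXT": [f'"{REALM}"']}}
for _svc, _port in IPA_SRV_SERVICES.items():
    IPA_ZONE[f"{_svc}.{IPA_DOMAIN}."] = {"SRV": [f"0 100 {_port} {IPA_SERVER}"]}

# Parent zone with delegation and glue; clients such as bsd1 stay in eurosel.az.
PARENT_DELEGATED = {
    f"{IPA_DOMAIN}.": {"NS": [IPA_SERVER]},
    IPA_SERVER: {"A": [IPA_SERVER_IP]},
    "bsd1.eurosel.az.": {"A": ["192.0.2.20"]},
}
PARENT_NO_DELEGATION = {"bsd1.eurosel.az.": {"A": ["192.0.2.20"]}}
PARENT_NO_GLUE = {f"{IPA_DOMAIN}.": {"NS": [IPA_SERVER]}}

if __name__ == "__main__":
    print("ipa zone:", check_ipa_zone(IPA_ZONE, IPA_DOMAIN, REALM) or "ok")
    print("delegation:", check_delegation(PARENT_DELEGATED, IPA_DOMAIN) or "ok")
    print("corporate resolver, no delegation:",
          can_discover(CORP_RESOLVER_IP, IPA_SERVER_IP, PARENT_NO_DELEGATION, IPA_DOMAIN))
```

The client record for bsd1 lives in the parent zone, not under ipa.eurosel.az, which is the point made later in the thread that clients need not be in the IPA domain; only the SRV/TXT metadata has to live there, and the parent has to delegate to it.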



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I'll try such a test setup, then share information about the results.

14-Oct-14 15:04, Petr Spacek wrote:


IPA theoretically can work without DNS records but it requires very
careful configuration on clients and is strongly discouraged.


If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <IP address of your
*existing* DNS server>
+ specify an IPA domain name which is a sub-domain of your existing domain
(e.g. ipa.eurosel.az)

+ change /etc/resolv.conf on *all* clients to point to the IPA server

*This is a dirty trick* and it will not work unless all your clients
have the IPA server in resolv.conf. It will most likely break when you
try to use AD trust with AD clients etc.



*In a production environment* you should add NS records for the
ipa.eurosel.az domain to the parent DNS zone to create proper 
delegation. In that case you don't need to fiddle with resolv.conf on 
all clients.


Let me know if you need further assistance.

Petr^2 Spacek





Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I need further assistance with this moment:
"specify IPA domain name which is sub-domain of your existing domain
(e.g. ipa.eurosel.az)".


Currently my FreeIPA server's hostname is ipa1.eurosel.az, and the client's
hostname is bsd1.eurosel.az.

So when running this command:

ipa-server-install --setup-dns --forwarder <ip address of your
*existing* DNS server>,


the installation program detects the hostname of the VM
(ipa1.eurosel.az) and offers it as the IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real
hostname and records in the /etc/hosts file.


On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation program,
then the installation program will offer my server an FQDN of
ipa1.ipa.eurosel.az and a domain name of ipa.eurosel.az. But doesn't
it mean that my client's hostname should also be changed to
bsd1.ipa.eurosel.az? I'd like to avoid this, because in production I
won't be able to change the domain part of the FQDN for hundreds of clients.


Please don't hesitate to explain a little clearer.

14-Oct-14 16:29, Petr Spacek wrote:


IPA theoretically can work without DNS records but it requires very
careful configuration on clients and is strongly discouraged.


If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <IP address of your
*existing* DNS server>
+ specify an IPA domain name which is a sub-domain of your existing domain
(e.g. ipa.eurosel.az)

+ change /etc/resolv.conf on *all* clients to point to the IPA server

*This is a dirty trick* and it will not work unless all your clients
have the IPA server in resolv.conf. It will most likely break when you
try to use AD trust with AD clients etc.



*In a production environment* you should add NS records for the
ipa.eurosel.az domain to the parent DNS zone to create proper 
delegation. In that case you don't need to fiddle with resolv.conf on 
all clients.


Let me know if you need further assistance.

Petr^2 Spacek




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 13:48, Orkhan Gasimov wrote:

I need further assistance with this moment:
"specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az)".

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and the client's
hostname is bsd1.eurosel.az.
So when running this command:

ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS
server>,

the installation program detects the hostname of the VM (ipa1.eurosel.az) and
offers it as the IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real hostname and
records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation program, then the
installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and
a domain name of ipa.eurosel.az. But doesn't it mean that my client's
hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid
this, because in production I won't be able to change the domain part of the FQDN
for hundreds of clients.


Clients don't need to be in the same domain as IPA. The IPA domain in DNS is 
necessary to store 'metadata' like SRV and TXT records etc.


You can even experiment with IPA servers which are not in the IPA domain but 
I'm not sure how much it was tested.


Alexander can add more details about records required for AD integration and 
how it should work with clients which are not in the IPA domain.


Petr^2 Spacek




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to
ipa1.ipa.eurosel.az prior to issuing the IPA installation command
2) or leave my hostname and the contents of the /etc/hosts file intact and
specify a different FQDN and domain part of the IPA server after issuing
the IPA installation command?

Yes, I know - this is a question Homer Simpson would ask.


14-Oct-14 17:43, Petr Spacek wrote:


Clients don't need to be in the same domain as IPA. The IPA domain in 
DNS is necessary to store 'metadata' like SRV and TXT records etc.


You can even experiment with IPA servers which are not in the IPA 
domain but I'm not sure how much it was tested.


Alexander can add more details about records required for AD 
integration and how it should work with clients which are not in the 
IPA domain.


Petr^2 Spacek




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to
ipa1.ipa.eurosel.az prior to issuing the IPA installation command
2) or leave my hostname and the contents of the /etc/hosts file intact and
specify a different FQDN and domain part of the IPA server after
issuing the IPA installation command?

Yes, I know - this is a question Homer Simpson would ask.

Allocate the ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.

If you later want to see how this setup scales, all you would need to do
is to make sure the other clients use ipa1.ipa.eurosel.az as a
resolver.




14-Oct-14 17:43, Petr Spacek wrote:


Clients don't need to be in the same domain as IPA. The IPA domain in DNS
is necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain
but I'm not sure how much it was tested.

Alexander can add more details about records required for AD integration
and how it should work with clients which are not in the IPA domain.


Petr^2 Spacek



14-Oct-14 16:29, Petr Spacek wrote:

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in /etc/hosts file. After
starting sssd, I could get no IPA data with getent passwd or getent group
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is: ...add IP address or hostname to the option ipa_server,
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won't start (complains about ...Looping detected inside
krb5_get_in_tkt...).

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful
configuration on clients and is strongly discouraged.

If you want to do quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server
+ specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to IPA server

*This is a dirty trick* and it will not work unless all your clients have the
IPA server in resolv.conf. It will most likely break when you try to use AD
trust with AD clients etc.

*In production environment* you should add NS records for ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In that case you
don't need to fiddle with resolv.conf on all clients.

Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here's the info you asked:

1. Putting debug_level = 7 either in [domain] and/or [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But
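
The setting the whole exchange above turns on is ipa_server = _srv_. With that value SSSD's IPA provider does not read /etc/hosts at all: it sends a DNS SRV query for _ldap._tcp.<domain> to whatever resolver /etc/resolv.conf names (and Kerberos finds the KDC the same way through the _kerberos names). A hosts file cannot answer an SRV query, which is why the two-VM setup returns nothing from getent, and why the quick test above points every client's resolv.conf at the IPA server while the production answer is NS delegation of the IPA sub-domain. The following is an added example, not code from this thread, FreeIPA or SSSD: it builds that SRV query and parses the answer using only the Python standard library, so you can see exactly what must resolve. The names ipa.eurosel.az, ipa1/ipa2.ipa.eurosel.az and the reply packet are constructed here for an offline run; query_srv() sends the same query to a real resolver.

```python
import socket
import struct

TYPE_SRV, CLASS_IN = 33, 1


def ipa_srv_names(domain):
    """Names a client resolves for an IPA domain: _ldap._tcp for `ipa_server = _srv_`,
    _kerberos/_kpasswd for the KDC. /etc/hosts can never answer any of them."""
    return ["_ldap._tcp." + domain, "_kerberos._udp." + domain,
            "_kerberos._tcp." + domain, "_kpasswd._udp." + domain]


def encode_name(name):
    """Dotted name -> DNS wire labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(packet, offset):
    """Wire labels -> dotted name, following RFC 1035 compression pointers;
    returns (name, offset just past the name as written at `offset`)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                     # two-byte pointer
            target = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end  # caller resumes after the pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_srv_query(name, txid=0x1234):
    """Standard query, RD=1, one question of type SRV, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def parse_srv_response(packet, txid=0x1234):
    """Return [(priority, weight, port, target)] in the order a client should try
    them: lowest priority first, higher weight first within a priority."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d (3 = NXDOMAIN)" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                               # skip the echoed question
        _, offset = decode_name(packet, offset)
        offset += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, offset = decode_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            prio, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = decode_name(packet, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return sorted(records, key=lambda r: (r[0], -r[1]))


def query_srv(name, resolver, timeout=3.0):
    """Send the query to UDP/53 on `resolver` (the address in /etc/resolv.conf,
    i.e. the IPA server itself in the quick test above) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name, 0x1234), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data, 0x1234)


def build_srv_response(name, records, txid=0x1234, rcode=0):
    """Constructed reply for the offline run: echoes the question and points each
    answer's owner name at it with a compression pointer (0xC00C = offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 86400, len(rdata)) + rdata
    return header + question + answers
```

Offline, parse_srv_response(build_srv_response("_ldap._tcp.ipa.eurosel.az", [...])) shows the ordering a client applies; against a live setup, query_srv(ipa_srv_names("ipa.eurosel.az")[0], "192.168.1.10") must return at least one record from the IPA server's own resolver, and the same query sent to the parent zone's resolver must also succeed once the NS delegation Petr describes is in place. An rcode 3 (NXDOMAIN) from either is the two-VM failure in the thread.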

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 15:06, Alexander Bokovoy wrote:

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to
ipa1.ipa.eurosel.az prior to issuing IPA installation command
2) or leave my hostname and contents of /etc/hosts file intact and specify a
different FQDN and domain part of the IPA server after issuing IPA
installation command?
Yes, I know - this is a question Homer Simpson would ask.

Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.

If you want later to see how this setup scales, all you would need to do
is to make sure the other clients would use ipa1.ipa.eurosel.az as a
resolver.


Again - in production it is unnecessary to change resolv.conf if you have 
proper NS records in place.


Petr^2 Spacek


14-Oct-14 17:43, Petr Spacek wrote:

On 14.10.2014 13:48, Orkhan Gasimov wrote:

I need further assistance with this moment:
specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az) .

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:

ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server,

the installation program detects the hostname of the VM (ipa1.eurosel.az) and
offers it as IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real hostname and
records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation program, then the
installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and
a domain name of ipa.eurosel.az. But doesn't it mean that my client's
hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid
this, because in production I won't be able to change the domain part of FQDN
for hundreds of clients.


Clients don't need to be in the same domain as IPA. The IPA domain in DNS
is necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain
but I'm not sure how much it was tested.

Alexander can add more details about records required for AD integration
and how it should work with clients which are not in the IPA domain.

Petr^2 Spacek



14-Oct-14 16:29, Petr Spacek wrote:

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has
DNS SRV entries was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in /etc/hosts file. After
starting sssd, I could get no IPA data with getent passwd or getent group
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is: ...add IP address or hostname to the option ipa_server,
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won't start (complains about ...Looping detected inside
krb5_get_in_tkt...).

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful
configuration on clients and is strongly discouraged.

If you want to do quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server
+ specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to IPA server

*This is a dirty trick* and it will not work unless all your clients have the
IPA server in resolv.conf. It will most likely break when you try to use AD
trust with AD clients etc.

*In production environment* you should add NS records for ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In that case you
don't need to fiddle with resolv.conf on all clients.

Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here's the info you asked:

1. Putting debug_level = 7 either in [domain] and/or [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov
Ok, friends, you helped me to understand one thing. My test scenario with 2 VMs 
and no DNS server introduces problems with DNS resolution, which seems to be 
almost necessary. So now I have 2 tasks:
1) properly configure IPA server to work with DNS;
2) make a FreeBSD host (which is a non-native client for FreeIPA) join an IPA 
domain.
As problems of the first task can be errantly considered to be problems of the 
second task, I'll change my approach. First I'll try to set up a Fedora FreeIPA 
server with DNS and add a native Fedora FreeIPA client to it. (I guess a 
Fedora client:
1) should be easier to set up;
2) is guaranteed to work if configured properly.)
Then I'll try to add a FreeBSD client to my working setup and see if the post 
at FreeBSD forums leads to a working solution. I'll share the results with you, 
however it may take some time before I set up a working Fedora IPA server - 
Fedora IPA client setup. If you have any links to proved-to-work tutorials 
(either in text or video format), please share.

Sent from Blue Mail



On 14.10.2014, at 23:47, Petr Spacek pspa...@redhat.com wrote:
On 14.10.2014 15:06, Alexander Bokovoy wrote:
 On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
 So which way do I go?
 1) Change the server VM's hostname from ipa1.eurosel.az to
 ipa1.ipa.eurosel.az prior to issuing IPA installation command
 2) or leave my hostname and contents of /etc/hosts file intact and
specify a
 different FQDN and domain part of the IPA server after issuing IPA
 installation command?
 Yes, I know - this is a question Homer Simpson would ask.
 Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA
with
 integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
 IPA.EUROSEL.AZ.

 If you want later to see how this setup scales, all you would need to
do
 is to make sure the other clients would use ipa1.ipa.eurosel.az as a
 resolver.

Again - in production it is unnecessary to change resolv.conf if you have
proper NS records in place.

Petr^2 Spacek

 14-Oct-14 17:43, Petr Spacek wrote:
 On 14.10.2014 13:48, Orkhan Gasimov wrote:
 I need further assistance with this moment:
 specify IPA domain name which is sub-domain of your existing domain (e.g.
 ipa.eurosel.az).

 Currently my FreeIPA server's hostname is ipa1.eurosel.az, and
client's
 hostname is bsd1.eurosel.az.
 So when running this command:

 ipa-server-install --setup-dns --forwarder ip address of your
*existing*
 DNS
 server,

 the installation program detects the hostname of the VM
(ipa1.eurosel.az) and
 offers it as IPA server FQDN;
 then it offers eurosel.az as the domain name. I can make changes
right
 during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
 ipa.eurosel.az), but then there will be a conflict with the real
hostname and
 records in the /etc/hosts file.

 On the other hand, if I change the hostname of the server VM to
 ipa1.ipa.eurosel.az prior to running the IPA installation
program, then the
 installation program will offer my server an FQDN of
ipa1.ipa.eurosel.az
 and
 a domain name of ipa.eurosel.az. But doesn't it mean that my client's
 hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid
 this, because in production I won't be able to change the domain part of FQDN
 for hundreds of clients.

 Clients don't need to be in the same domain as IPA. The IPA domain
in DNS
 is necessary to store 'metadata' like SRV and TXT records etc.

 You can even experiment with IPA servers which are not in the IPA
domain
 but I'm not sure how much it was tested.

 Alexander can add more details about records required for AD
integration
 and how it should work with clients which are not in the IPA
domain.

 Petr^2 Spacek


 14-Oct-14 16:29, Petr Spacek wrote:
 On 14.10.2014 11:49, Orkhan Gasimov wrote:
 I suspected that problems could arise with DNS, and here they are...

 In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has
 DNS SRV entries was taken as-is from the how-to on FreeBSD forums. First I
 commented it out, because I was unsure if it was appropriate for my simple
 setup with just 2 VMs and a bunch of records in /etc/hosts file. After
 starting sssd, I could get no IPA data with getent passwd or getent group
 commands. Then I uncommented it and restarted sssd, but things remained the
 same.

 Now your advice is: ...add IP address or hostname to the option ipa_server,
 but you use an arbitrary name like vm-120.eurosel.az. Could you please
 explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then
 sssd won't start (complains about ...Looping detected inside
 krb5_get_in_tkt...).

 If it MUST be a DNS server, then everything changes. And the question then
 becomes: is it possible to set up a test FreeIPA client-server interaction
 using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
 one MUST add a third VM and make it a DNS server to facilitate client-server
 interaction?

 IPA 

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Fraser Tweedale
On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
 On (14/10/14 17:48), Fraser Tweedale wrote:
 On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
  With help from Alexander Bokovoy I found correct log destinations:
  
  sssd-domain-log:
  https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
  sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
  
  These files are from my second Fedora - FreeBSD setup, they have different
  domain name, but everything else is identical.
  
  Interestingly enough, there are lines in sssd_nss.log telling that there 
  are
  no users or groups in the domain. But as I said, I can ssh to the IPA 
  server
  as an IPA user.
  
 Hi Orkhan,
 
 Thanks for the logs.  What were their actual locations?
 
 I'm going to try and reproduce your setup and see whether I get the
 same outcome.  I have been building and installing the ports as
 indicated in the forum post, and one thing I have noticed is that
 there are a lot of configuration options on some of the important
 ports - perhaps there was an important option that the author forgot
 to mention.
 
 You needn't build sssd from ports. You can install sssd with pkg utility.
 The only necessary step is to build openldap client with SASL support,
 because default version of openldap client is build without SASL support.
 sssd cannot initialize ipa_provider with openldap libraries without SASL
 support. On the other hand, {ldap,krb5,ad} providers can be used without any
 problem.
 
 The steps, how to build openldap client with SASL support, are described
 in freebsd forum.
 
 It is the end of the day for me, but sssd is now installed so I
 should let you know tomorrow whether I am running into the same
 issues as you, or whether I find success.
 
 (As a side note: once I get to a working setup I will create and
 publish a pkg(8) repo with the needed ports built with the correct
 options and make.conf variables.  This should make it easier and
 certainly quicker to use FreeBSD as a FreeIPA client.)
 I am not sure what you are trying to do. Everything is described on forum.
 If there isn't something clear feel free to send rephrased(updated) version of
 howto. I can contact an author of that post.
 
Since there are non-default options and make variables to be set, is
it not desirable that there be a pkg(8) repository people can use to
install the packages needed for ipa integration?

I think it is desirable.  It is easy to, thanks to
ports-mgmt/poudriere.

Fraser

 LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Jakub Hrozek
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
 Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server:
 https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working
 solution.
 Getent passwd/group return no data from the IPA server, although ldapsearch
 works fine.
 I followed the instructions exactly (+ configured ldap.conf & started sssd)
 and didn't get errors anywhere, all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a
 FreeBSD client (on FreeBSD 10.0).
 IPA server is configured as written in the IPA Quick Start Guide, it has no
 integrated DNS server.
 Both VMs have identical /etc/hosts file:

 ::1            localhost
 127.0.0.1      localhost
 192.168.1.10   ipa1.mydomain.com ipa1
 192.168.1.30   bsd1.mydomain.com bsd1

 Seems like some instructions in etc/nsswitch.conf file, like group: files
 sss and passwd: files sss have no effect.
 Has anybody tried this setup, what could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to ask.
 Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 20:33), Jakub Hrozek wrote:
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
 Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server:
 https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working
 solution.
 Getent passwd/group return no data from the IPA server, although ldapsearch
 works fine.
 I followed the instructions exactly (+ configured ldap.conf & started sssd)
 and didn't get errors anywhere, all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a
 FreeBSD client (on FreeBSD 10.0).
 IPA server is configured as written in the IPA Quick Start Guide, it has no
 integrated DNS server.
 Both VMs have identical /etc/hosts file:

 ::1            localhost
 127.0.0.1      localhost
 192.168.1.10   ipa1.mydomain.com ipa1
 192.168.1.30   bsd1.mydomain.com bsd1

 Seems like some instructions in etc/nsswitch.conf file, like group: files
 sss and passwd: files sss have no effect.
 Has anybody tried this setup, what could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to ask.
 Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Orkhan Gasimov

Thanks to both of you for the interest.
Here's the info you asked:

1. Putting debug_level = 7 either in [domain] and/or [nss] section of
the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log
file located at /var/log/sssd/sssd.log is only populated with data when
I make some errors in sssd.conf & sssd process fails to start. But
that's the case only if I deliberately introduce some errors; with
current configuration sssd starts successfully.


2. My original sssd.conf (without debugs) is as follows (exact copy of 
what was shown in the post at FreeBSD forums):


-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
-

Interestingly enough the [nss] section is empty, just as shown in the 
post at FreeBSD forums.


3. The users created at the IPA server can't locally log in to the
server, but it's possible to ssh to the server as an IPA user from the
FreeBSD host. However, there are some interesting behaviors (again, this
is what happens when just following the IPA Quick Start Guide for the
server side & the post from FreeBSD forums for the client side):

 - home directories are not automatically created on the IPA server;
 - id command output shows correct uid, but the group of any IPA user
doesn't show as ipausers - instead, the group name is the same as
username, + something like
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.


4. Here is the list of snapshots taken from my FreeBSD VM when I 
installed necessary ports, maybe these snapshots will provide some 
additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a
FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, it has no
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1            localhost
127.0.0.1      localhost
192.168.1.10   ipa1.mydomain.com ipa1
192.168.1.30   bsd1.mydomain.com bsd1

Seems like some instructions in etc/nsswitch.conf file, like group: files sss and
passwd: files sss have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS



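
Read against sssd-ipa(5) and against the rest of the thread, the sssd.conf posted above carries the points the replies keep circling around, so here is an added example, a small linter, that is not code from this thread, SSSD or FreeIPA. Its checks: ipa_hostname is the option for this host's own FQDN (the client, bsd1.mydomain.com per the /etc/hosts above), not the server's; ipa_server = _srv_ is a DNS SRV lookup, so without SRV records the server's FQDN has to be named; sssd.conf(5) describes comments as whole lines starting with # (or ;), so a trailing #... on a value line is not something to rely on being stripped and is treated here as part of the value; and without debug_level in the domain and nss sections the per-process logs (sssd_<domain>.log, sssd_nss.log, the files Fraser asked about, not sssd.log) stay empty. The config text is a copy of the one posted; the corrected version, the client name and the have_dns_srv flag are assumptions for the run.

```python
import configparser

# Copy of the sssd.conf posted above, used here as constructed linter input.
POSTED_CONF = """\
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
"""

# Assumed fix for the two-VM setup, written as the edits to the posted file:
# ipa_hostname becomes the client's own name (bsd1 from /etc/hosts), the server
# is named because there are no SRV records, comments move to their own line
# and debug_level is set in the sections whose logs are wanted.
CORRECTED_CONF = (POSTED_CONF
    .replace("ipa_hostname = ipa1.mydomain.com", "ipa_hostname = bsd1.mydomain.com")
    .replace("ipa_server = _srv_ #our FreeIPA server has DNS SRV entries",
             "ipa_server = ipa1.mydomain.com")
    .replace("enumerate = True #to enumerate users and groups",
             "# enumerate users and groups\nenumerate = True")
    .replace("[domain/mydomain.com]\n", "[domain/mydomain.com]\ndebug_level = 7\n")
    .replace("[nss]\n", "[nss]\ndebug_level = 7\n"))


def lint_sssd_conf(text, client_fqdn, server_fqdn, have_dns_srv):
    """Return [(section, option, problem)] for the mistakes discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#", ";"), inline_comment_prefixes=None)
    cp.read_string(text)
    out = []
    # 1. sssd.conf(5) has whole-line comments; a trailing '#...' stays in the value.
    for section in cp.sections():
        for option, value in cp.items(section):
            if "#" in value:
                out.append((section, option, "trailing '#' text is part of the value; "
                                             "put the comment on its own line"))
    # 2. every name in [sssd] domains= needs a matching [domain/<name>] section
    for name in (d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")):
        if name and not cp.has_section("domain/" + name):
            out.append(("sssd", "domains", "no [domain/%s] section" % name))
    for section in cp.sections():
        if not section.startswith("domain/") or cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        # 3. ipa_hostname is THIS host's FQDN (the client), never the server's
        hn = cp.get(section, "ipa_hostname", fallback=client_fqdn)
        if hn.lower() != client_fqdn.lower():
            out.append((section, "ipa_hostname", "must be this client's FQDN %s, not %s"
                        % (client_fqdn, hn)))
        # 4. _srv_ means a DNS SRV lookup; with no DNS, name the server explicitly
        servers = [s.strip().lower() for s in cp.get(section, "ipa_server", fallback="_srv_").split(",")]
        if any(s.startswith("_srv_") for s in servers) and not have_dns_srv:
            out.append((section, "ipa_server", "_srv_ needs DNS SRV records; use ipa_server = %s"
                        % server_fqdn))
        # 5. without debug_level the backend log sssd_<domain>.log stays empty
        if not cp.has_option(section, "debug_level"):
            out.append((section, "debug_level", "set debug_level = 7; output goes to sssd_%s.log"
                        % section.split("/", 1)[1]))
    if cp.has_section("nss") and not cp.has_option("nss", "debug_level"):
        out.append(("nss", "debug_level", "set debug_level = 7; output goes to sssd_nss.log"))
    return out
```

Run lint_sssd_conf(open("/usr/local/etc/sssd/sssd.conf").read(), "bsd1.mydomain.com", "ipa1.mydomain.com", False) on the client: the posted file yields six findings (two inline comments, the server name in ipa_hostname, _srv_ without DNS, and the two missing debug_level lines), the corrected one yields none. Pass have_dns_srv=True once the IPA sub-domain is delegated and the _srv_ finding disappears, which is the point at which the forum's original line can be restored as-is.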