On 10/18/2014 11:45 PM, Orkhan Gasimov wrote:
1. About enumerate with comments on the same line - it doesn't cause
any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my
FreeBSD 10 32-bit - that could be because of a comment on the same
line & I could check it, but if it's not recommended to have enumerate
at all, then I'll leave it.
Just FYI, comments on the same line are treated as part of value i.e.
not interpreted as comments.
I do not know how the value is treated by SSSD in the case of boolean.
It might try to parse it and come to conclusion that it is true or false
but I do not know which conclusion it actually comes to.
BTW for those who are familiar with the internals and some other threads
- using ding-libs interpretation functions would have caught that. One
more argument to switch to ding-libs checking (when it is ready).
As for enumeration - it is not needed in 90% of cases so we recommend
not to configure it.
2. About my pam.d files - please read carefully my previous posts. I
commented out the line in pam.d -> system and added it explicitly to
pam.d -> login because otherwise I get locked out from the machine. I
sent you the WORKING configuration and not the one which was
recommended at FreeBSD posts (and also by you). And yes, in pam.d ->
system there's no "ignore bla bla bla part" because in that file the
line "account required /usr/local/lib/pam_sss.so <http://sss.so>"
just doesn't work, with or without that part. That's what I was
talking about in my reply to the post at FreeBSD forums and that's why
I considered unimportant readding that "ignore ..." part in the
commented "account ..." line when sending pam.d files to you.
3. I like your idea of checking everything on a blank FreeaBSD 10
setup - that way you will really determine whether the problem is
between the chair and the keyboard or not.
Yeah we should develop tools in this area. +1.
?????????? ?? Blue Mail <http://r.bluemailapp.com>
?? 19.10.2014, ? 2:36, Lukas Slebodnik <lsleb...@redhat.com
<mailto:lsleb...@redhat.com>> ???????:?
On (17/10/14 16:46), Orkhan Gasimov wrote:
1. I use FreeBSD 10.0 64-bit. (For some files bits are also
important - for example, on a 32-bit machine the same
configuration of /usr/local/etc/sssd/sssd.conf file introduces
problems because of the line "enumerate = True" in the
[domain] section; only after that line is commented
Firstly, We do not recommend to have enabled enumeration.
Secondly, You did not have "enumerate = True" in your domain section.
You have "enumerate = True #to enumerate users and groups"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I wrote you in another email that comments should be on different line
out, sssd starts.) 2. The files you requested are at
https://cloud.mail.ru/public/afa7e1fad817/pam.d 17-Oct-14
16:30, Lukas Slebodnik ?????:
On (17/10/14 15:44), Orkhan Gasimov wrote:
Unfortunately, putting that line in /etc/pam.d/system
prevents me from being
I checked your apm configuration and you had wrong line in /etc/pam.d/system
Currently, it is is commented out.
"#acconut required /usr/local/lib/pam_sss.so
<http://sss.so>"
and the correct one is in /etc/pam.d/login
"account required /usr/local/lib/pam_sss.so <http://sss.so>
ignore_unknown_user ignore_authinfo_unavail"
Yo!
u were
wrong in
commenthttps://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
Plese move line from login -> system
able to locally login to the BSD client. At the same
time, the same line in /etc/pam.d/sshd or
/etc/pam.d/login doesn't give unexpected behaviours.
Bug, bug, bug...
no, no, no,
The problem was between chair and keybord.
Sorry, I could not resist :-)
It works for me with FreeBSD 9.3. It is possible that your
pam stack is misconfigured.
BTW
After fixing problems with my freeipa 4.0.3, I was able to connect with ssh
to FreeBSD 10 as freeipa_user and local_user.
If I have time in next weeks I will try with clean FreeBSD 10 and will write
some notes.
LS
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
