OK, Lukas, I did as you say:
1) reset my pam.d -> login to its default state
2) added to my pam.d -> system: "account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail";
3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
Now I cannot locally log in as either root or IPA user. Seems like we built our SSSDs differently or from different ports.
Would you be so kind to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d -> login instead of pam.d -> system. This setup works fine for me; another setup, which you and FreeBSD forums suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?

There are indeed nuances that the post at FreeBSD forums didn't address:
1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;
3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);
5) how cron script file's executability, IPA user's shell and automatic creation of home directories should be considered - there are some caveats for newbies;
6) why a user can't initially SSH or locally log in to a FreeBSD client even with correct configuration files (password change problem);
7) how to set up SSSD so that it doesn't cache information too long (this is not what we always want, right?).

In short: a person who posted the info on FreeBSD - FreeIPA integration at FreeBSD forums shared a lot of info, but at the same time he didn't share other very important pieces of information, and this can cause great frustration to people trying to follow his post. And although you recommend that I not share my experience of setting up FreeBSD - FreeIPA integration, I just want people to get a REALLY WORKING HowTo. I've already tested HBAC, centralized sudo and other things in my setup, and everything is working fine. So in the near future I plan to make a REAL, DETAILED HowTo on this subject, and I think that at least some pieces of information in it will help people to avoid a great deal of frustration.


20-Oct-14 13:01, Lukas Slebodnik wrote:
On (19/10/14 08:45), Orkhan Gasimov wrote:
2. About my pam.d files - please read carefully my previous posts.
I commented out the line in pam.d -> system and added it explicitly to
You didn't have "account required /usr/local/lib/pam_sss.so ignore_unknown_user"
in pam.d/system. The line is commented out, but there *IS NOT* argument
  ignore_unknown_user

Howto on FreeBSD forum[1] has argument ignore_unknown_user on the lines
starting with account in both pam configuration files (system, sshd)

pam.d -> login because otherwise I get locked out from the machine. I sent
I didn't touch "pam.d/login". I put "account .. pam_sss.so ignore_unknown_user"
into "pam.d/system" (the same as in [1]) and I can login as sssd user and
local user. I know that pam configuration isn't the easiest thing for newbies,
but your post will be even more confusing for others. Please do not give
advice if you do not understand where the problem is and why it works with
that change.

you the WORKING configuration and not the one which was recommended at
FreeBSD posts (and also by you). And yes, in pam.d -> system there's no
"ignore bla bla bla part" because in that file the line
"account  required  /usr/local/lib/pam_sss.so" just doesn't work, with or
without that part.
I don't know what you did wrong, but it *works* with argument ignore_unknown_user
How did you test?

LS
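The disagreement above comes down to one detail: an `account required pam_sss.so` line without `ignore_unknown_user` makes the account stack fail for every user SSSD does not know (root, local users), which is the lockout described. The following audit script is an added example, not code from this thread or from SSSD; `check_pam_sss_account` and the sample policy files it creates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit the "account" stack of a FreeBSD
# PAM policy such as /etc/pam.d/system or /etc/pam.d/sshd for the pam_sss.so
# entry discussed above. "required"/"requisite" without ignore_unknown_user
# locks out users that SSSD does not know (root, local users).

# check_pam_sss_account FILE
# Prints one diagnostic line; returns 0 when the entry is safe, 1 otherwise.
check_pam_sss_account() {
    file="$1"
    # first uncommented "account" line that loads pam_sss.so; tabs become spaces
    line=$(grep -E '^[[:space:]]*account[[:space:]]' "$file" 2>/dev/null \
           | grep 'pam_sss\.so' | head -n 1 | tr '\t' ' ' || true)
    if [ -z "$line" ]; then
        printf '%s: no active account line for pam_sss.so\n' "$file"
        return 1
    fi
    control=$(printf '%s\n' "$line" | awk '{print $2}')
    missing=""
    for arg in ignore_unknown_user ignore_authinfo_unavail; do
        case " $line " in
            *" $arg "*) ;;
            *) missing="$missing $arg" ;;
        esac
    done
    # only a control flag that fails the stack turns a missing argument into a lockout
    if [ -n "$missing" ] && { [ "$control" = required ] || [ "$control" = requisite ]; }; then
        printf '%s: "%s" lacks:%s (local users can be locked out)\n' "$file" "$line" "$missing"
        return 1
    fi
    printf '%s: OK: %s\n' "$file" "$line"
    return 0
}

# Constructed sample policies (not real system files) for a stand-alone run.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'account\trequired\t/usr/local/lib/pam_sss.so\n' > "$dir/system.bad"
    printf '#account\trequired\t/usr/local/lib/pam_sss.so\n' > "$dir/system.good"
    printf 'account\trequired\t/usr/local/lib/pam_sss.so\tignore_unknown_user ignore_authinfo_unavail\n' >> "$dir/system.good"
    check_pam_sss_account "$dir/system.bad"
    check_pam_sss_account "$dir/system.good"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check_pam.sh demo` to see both verdicts, or call `check_pam_sss_account /etc/pam.d/system` directly on a host.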

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project