On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
> >OK, Lukas, I did as you say:
> >1) reset my pam.d -> login to its default state
> >2) added to my pam.d -> system: "account required /usr/local/lib/pam_sss.so
> >ignore_unknown_user ignore_authinfo_unavail";
> >3) commented out "enumerate = True" in my /usr/local/etc/sssd/sssd.conf.
> >Now I cannot locally login as either root or an IPA user. Seems like we built
> >our SSSDs differently or from different ports.
> >Would you be so kind to share info about your choices when building SSSD?
> >
> >You're right, I'm a newbie in FreeIPA setups. But I've worked with the pam stack
> >before, when configuring OpenLDAP on servers. That knowledge of pam let me
> >solve the problem of local logins with sssd by adding the appropriate line in
> >pam.d -> login instead of pam.d -> system. This setup works fine for me;
> >the other setup, which you and the FreeBSD forums propose, doesn't work. Did you
> >check everything on a blank FreeBSD 10 setup?
> >
> Basically, you should do all (ipa-client-install) steps manually.
> I would recommend you look into the log file from a Linux machine,
> /var/log/ipaclient-install.log. The main difference between Linux and FreeBSD
> will be the location of configuration files (/etc vs /usr/local/etc).
>
> >There are indeed nuances that the post at the FreeBSD forums didn't address:
> I would say that post was more focused on integrating sssd with sudo
> and expected a more experienced user with better knowledge of FreeIPA.
> It is the most difficult part.
>
> >1) what choices should be made when building SSSD and other ports - VERY
> >IMPORTANT, but missing information;
> I am used to installing packages with the pkg utility. Just some packages need
> to be built from source (they are listed at the beginning of the post).
>
I have prepared a custom pkg(8) repo with the packages built with the required
options/make.conf variables. Hang tight, I'll send all the info soon.

> >2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to
> >work;
> I don't have ldap.conf configured. On the other hand, it can be useful for
> troubleshooting with the ldapsearch utility.
>
> >3) how krb5.conf should be configured on a FreeBSD client;
> The same as on Linux. (sssd is linked with MIT Kerberos.)
>
> >4) how SSH files should be configured on a FreeBSD client for single sign-on
> >to behave properly (GSS-API part);
> Linux and FreeBSD use OpenSSH. You can take inspiration from the changes done by
> the ipa-client-install script.
>
> >5) how cron script file's executability, IPA user's shell and automatic
> >creation of home directories should be considered - there are some caveats
> Why do you need cron?
> The user shell can be changed on the FreeIPA server, or you can change the sssd
> configuration; see man sssd.conf (see *shell*).
>
> >for newbies;
> Do you mean "admin newbies" or "FreeIPA newbies"?
> An admin should know how to configure automatic creation of directories
> (another pam module); ipa-client-install just simplifies it on Linux.
>
> >6) why a user can't initially SSH or locally login to a FreeBSD client even
> >with correct configuration files (password change problem);
> FreeBSD admins should already have experience with LDAP configuration on
> FreeBSD (or at least have read the FreeBSD documentation). The official
> documentation is very good (LDAP client configuration with nss-pam-ldapd):
> https://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>
> >7) how to setup SSSD so that it doesn't cache information too long (this is
> >not what we always want, right?).
> >
> sssd uses a cache by design. If you don't want to cache LDAP users, you can use
> nss-pam-ldapd. BTW this point is not related to FreeBSD.
>
> Summary:
> Feel free to write a detailed howto for newbies. We will be very glad to help
> with reviewing and fixing problematic parts.
>
> LS
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
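The thread above turns on one pam.d line: the pam_sss "account" entry with ignore_unknown_user and ignore_authinfo_unavail. As an added example (editor's code, not from this thread, the FreeBSD forum post, or the sssd/FreeIPA projects), the POSIX sh script below audits a pam.d service file for exactly that line. The policy it enforces, the FreeBSD module path /usr/local/lib/pam_sss.so, and the two sample files are assumptions constructed for illustration; it does not claim to explain the poster's remaining login failure.

```shell
#!/bin/sh
# Added example, not from this thread or from the sssd/FreeIPA projects:
# audit a pam.d service file (FreeBSD /etc/pam.d/system or /etc/pam.d/login,
# or a Linux equivalent) for the pam_sss "account" line discussed above.
# The policy enforced is an assumption made for illustration: every pam_sss
# account line must carry ignore_unknown_user (pam_sss then returns PAM_IGNORE
# rather than PAM_USER_UNKNOWN for users sssd does not know, so root and other
# local accounts still pass the account phase) and ignore_authinfo_unavail
# (PAM_IGNORE rather than PAM_AUTHINFO_UNAVAIL when sssd is not running, so
# local logins survive an sssd outage). The sample files below are constructed.

# Print the non-comment lines of one management group (auth/account/session/
# password) that load pam_sss. pam.d syntax: "<type> <control> <module> [opts]".
# The module may be a bare name (Linux) or a full path (FreeBSD ports);
# fields may be separated by spaces or tabs.
pam_sss_lines() {  # $1 = pam.d file, $2 = management group
    grep -v '^[[:space:]]*#' "$1" | awk -v t="$2" '$1 == t && $3 ~ /pam_sss\.so$/'
}

# Return 0 when every pam_sss account line carries both options, 1 otherwise.
# Findings are printed so the admin sees exactly which line is incomplete.
audit_pam_sss_account() {  # $1 = pam.d file
    file=$1
    status=0
    lines=$(pam_sss_lines "$file" account)
    if [ -z "$lines" ]; then
        echo "$file: no pam_sss account line, IPA users will not pass the account phase"
        return 1
    fi
    # Heredoc instead of a pipe so the loop runs in this shell and $status persists.
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr '\t' ' ')   # normalise tab separators
        for opt in ignore_unknown_user ignore_authinfo_unavail; do
            case " $line " in
                *" $opt "*) ;;
                *) echo "$file: pam_sss account line lacks $opt: $line"; status=1 ;;
            esac
        done
    done <<EOF
$lines
EOF
    return $status
}

# Constructed sample: the account stanza in the form the thread recommends.
good_sample() {
    cat <<'EOF'
# account
account    required    pam_login_access.so
account    required    /usr/local/lib/pam_sss.so    ignore_unknown_user ignore_authinfo_unavail
account    required    pam_unix.so
EOF
}

# Constructed sample: the same stanza with the two options dropped.
bad_sample() {
    cat <<'EOF'
account    required    /usr/local/lib/pam_sss.so
account    required    pam_unix.so
EOF
}

# Write a sample to a temp file, audit it and propagate the audit's exit status.
run_audit_on() {  # $1 = name of a sample function
    tmp=$(mktemp) || return 2
    "$1" > "$tmp"
    audit_pam_sss_account "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo over both constructed samples.
for sample in good_sample bad_sample; do
    if run_audit_on "$sample"; then
        echo "$sample: OK"
    else
        echo "$sample: FAIL"
    fi
done
```

Run it against a real file with `audit_pam_sss_account /etc/pam.d/system` (or pam.d/login, where the poster placed the line). The check is deliberately limited to the account group: pam_sss lines in the auth group are normally `sufficient`, so an unknown user falls through to pam_unix there without these options.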