Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (23/10/14 11:27), Outback Dingo wrote:
> On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote:
>> On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote:
>>> On (22/10/14 17:10), Fraser Tweedale wrote:
>>>> Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package flavours topic.
>>>>
>>>> For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
>>>>
>>>> http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/
>>>
>>> The disadvantage of this approach is that users need to rely on updating of a non-standard repo.
>>> https://frase.id.au/pkg/${ABI}_FreeIPA
>>>
>>> In my opinion, it's better to write a howto (script) which will configure all necessary ports/files, and portmaster will take care of updating ports.
>>> https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
>>>
>>> LS
>>
>> Each has its advantages and disadvantages; people can choose what works for them. Hopefully - not too far in the future - people won't have to choose, when binary package flavours are implemented. When that happens, a small effort will be needed to define the FreeIPA flavour and ensure it gets included in the official package repos.

Fraser, you missed one main point of this thread. The most problematic was to *configure* all files and not install sssd. I don't want to say that installing is super easy, but configuration is much more complicated.

> Actually I would be inclined to assist with a ports build, so it could be done correctly from the ports tree and work towards having it adopted into mainline.

+1

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
+1. And even if talking about installation of the necessary software and not about the configuration, then why this?

> The commands to enable the custom repository and install the required packages on a FreeBSD host appear below. Note that these are Bourne shell commands; this script will not work in the FreeBSD default shell csh.

After having baked ONE SET OF DEFAULTS into a custom package (to make our lives easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e. to change FreeBSD's shells? Aren't there some discrepancies? It may be simple / useful / interesting to change shells, but why not make a self-sufficient article?

Please update your article to provide a full picture of what a user should do to install all necessary software, and also which parts should be installed from your repo, and which parts should be installed from ports (+ the correct order). You've already done a lot of work, but with this refinement your help will be even more valuable.

I'm not asking for myself personally (I've already accomplished all necessary tasks) - just IMHO everyone writing instructions, tutorials and HowTos for the *nix world should stick to the rule: articles should be self-sufficient. I.e. if they rely on techniques not detailed in them, they should at least include links to other WORKING articles to ensure that a reader will be able to COMPLETE a task.

Thanks for your contribution, Fraser.

Thu, 23 Oct 2014 09:58:33 +0200 from Lukas Slebodnik lsleb...@redhat.com:
> Fraser, you missed one main point of this thread. The most problematic was to *configure* all files and not install sssd. I don't want to say that installing is super easy, but configuration is much more complicated.
>
> +1
>
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 02:12:47PM +0400, Орхан Касумов wrote:
> +1. And even if talking about installation of the necessary software and not about the configuration, then why this?
>
>> The commands to enable the custom repository and install the required packages on a FreeBSD host appear below. Note that these are Bourne shell commands; this script will not work in the FreeBSD default shell csh.
>
> After having baked ONE SET OF DEFAULTS into a custom package (to make our lives easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e. to change FreeBSD's shells?

It is only for that one script (because csh heredocs are weird). There is no need whatsoever for a chsh; just that one script needs to be executed in /bin/sh. I will clarify this in the post.

> Aren't there some discrepancies? It may be simple / useful / interesting to change shells, but why not make a self-sufficient article?
>
> Please update your article to provide a full picture of what a user should do to install all necessary software, and also which parts should be installed from your repo, and which parts should be installed from ports (+ the correct order). You've already done a lot of work, but with this refinement your help will be even more valuable.
>
> I'm not asking for myself personally (I've already accomplished all necessary tasks) - just IMHO everyone writing instructions, tutorials and HowTos for the *nix world should stick to the rule: articles should be self-sufficient. I.e. if they rely on techniques not detailed in them, they should at least include links to other WORKING articles to ensure that a reader will be able to COMPLETE a task.
>
> Thanks for your contribution, Fraser.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 09:58:33AM +0200, Lukas Slebodnik wrote:
> On (23/10/14 11:27), Outback Dingo wrote:
>> On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote:
>>> Each has its advantages and disadvantages; people can choose what works for them. Hopefully - not too far in the future - people won't have to choose, when binary package flavours are implemented. When that happens, a small effort will be needed to define the FreeIPA flavour and ensure it gets included in the official package repos.
>
> Fraser, you missed one main point of this thread. The most problematic was to *configure* all files and not install sssd. I don't want to say that installing is super easy, but configuration is much more complicated.

I haven't missed that point at all. In the post I am up front about the difficulty and room for error in configuring all the services, and in the conclusion I talk about the scope for further work with a port of ipa-client-install. I will clarify the post to try and make it clearer that it focuses on the installation aspect of the setup and leaves other aspects for another day.

Thanks for your feedback,
Fraser

>> Actually I would be inclined to assist with a ports build, so it could be done correctly from the ports tree and work towards having it adopted into mainline.
>
> +1
>
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
You could ease everything by creating 2 files: FreeIPA.conf and FreeIPA.pem, uploading them to the Web and sharing links to them. FreeBSD users could then use the fetch command to download and use your files.

Sent from Blue Mail

On 24.10.2014 at 5:36, Fraser Tweedale ftwee...@redhat.com wrote:
> On Thu, Oct 23, 2014 at 02:12:47PM +0400, Орхан Касумов wrote:
>> +1. And even if talking about installation of the necessary software and not about the configuration, then why this?
>>
>>> The commands to enable the custom repository and install the required packages on a FreeBSD host appear below. Note that these are Bourne shell commands; this script will not work in the FreeBSD default shell csh.
>>
>> After having baked ONE SET OF DEFAULTS into a custom package (to make our lives easier), you leave readers to mess with ANOTHER SET OF DEFAULTS, i.e. to change FreeBSD's shells?
>
> It is only for that one script (because csh heredocs are weird). There is no need whatsoever for a chsh; just that one script needs to be executed in /bin/sh. I will clarify this in the post.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Fri, Oct 24, 2014 at 07:42:31AM +0500, Orkhan Gasimov wrote:
> You could ease everything by creating 2 files: FreeIPA.conf and FreeIPA.pem, uploading them to the Web and sharing links to them. FreeBSD users could then use the fetch command to download and use your files.

I turned it into a shell script instead, with the appropriate #!/bin/sh so it doesn't matter what shell they invoke it from.

Regards,
Fraser
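The shell-script approach Fraser describes above, as an added example that is neither his script nor code from the blog post: a POSIX sh script with a `#!/bin/sh` line, so it runs the same from a csh login, that writes a pkg(8) repository configuration for the FreeIPA repo URL given in the thread. Everything beyond that URL is an assumption: that the repository signs its packages and publishes the signing key as FreeIPA.pem (the file name Orkhan mentions), the fingerprint directory, and the config file name. It pins `signature_type: "fingerprints"` so pkg refuses packages not signed by that key, which is the check a third-party repo needs before anyone installs an authentication stack from it. With no arguments the script only defines its functions.

```sh
#!/bin/sh
# Added example, not the script from Fraser's post: enable a third-party pkg(8)
# repository with signature checking pinned to a trusted key fingerprint.
# Assumptions (not from the thread): the repo signs its packages and publishes
# the public key as FreeIPA.pem; fingerprint files use pkg's standard layout
# <fpdir>/trusted/<name>. The #!/bin/sh line means this also works from csh.

# pem_fingerprint FILE -> hex SHA-256 of the key file, the value pkg(8) compares
pem_fingerprint() {
    if command -v sha256 >/dev/null 2>&1; then          # FreeBSD base
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then     # GNU coreutils
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# write_fingerprint FPDIR NAME HEX -> writes FPDIR/trusted/NAME
write_fingerprint() {
    fpdir=$1
    name=$2
    hex=$3
    # refuse anything that is not a 64-char lowercase hex digest
    if [ "${#hex}" -ne 64 ] || [ -n "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]; then
        echo "write_fingerprint: bad digest '$hex'" >&2
        return 1
    fi
    mkdir -p "$fpdir/trusted" || return 1
    printf 'function: sha256\nfingerprint: %s\n' "$hex" > "$fpdir/trusted/$name"
}

# write_repo_conf REPODIR NAME URL FPDIR -> writes REPODIR/NAME.conf
write_repo_conf() {
    repodir=$1
    name=$2
    url=$3
    fpdir=$4
    mkdir -p "$repodir" || return 1
    # The caller passes the URL single-quoted so ${ABI} reaches pkg(8)
    # literally; pkg substitutes e.g. FreeBSD:10:amd64 itself. The heredoc
    # expands $url once and does not re-expand its contents.
    cat > "$repodir/$name.conf" <<EOF
$name: {
  url: "$url",
  enabled: yes,
  signature_type: "fingerprints",
  fingerprints: "$fpdir"
}
EOF
}

# setup_freeipa_repo PEM [REPODIR] [FPDIR]
setup_freeipa_repo() {
    pem=$1
    repodir=${2:-/usr/local/etc/pkg/repos}
    fpdir=${3:-/usr/local/etc/pkg/fingerprints/FreeIPA}
    [ -r "$pem" ] || { echo "setup_freeipa_repo: cannot read $pem" >&2; return 1; }
    write_fingerprint "$fpdir" FreeIPA "$(pem_fingerprint "$pem")" &&
    write_repo_conf "$repodir" FreeIPA 'https://frase.id.au/pkg/${ABI}_FreeIPA' "$fpdir"
}

# Invoked with a PEM path it installs the repo; with no arguments it only
# defines the functions above (so the file can be sourced or tested).
if [ $# -ge 1 ]; then
    setup_freeipa_repo "$@" && echo "repo configured; next: pkg update -r FreeIPA"
fi
```

Run it as `sh freeipa-repo.sh /path/to/FreeIPA.pem` from whatever shell you log in with, then `pkg update -r FreeIPA` and `pkg install -r FreeIPA sssd`. Fetch and verify the PEM out of band before trusting it; once the fingerprint is in place, pkg rejects a repository whose signing key does not match it, so a compromised mirror cannot hand you a different sssd.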
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package flavours topic.

For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.

http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/

Cheers,
Fraser

On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
> Great news! If I understand correctly, a package can be equivalent to several ports? If this is correct, then could a composite package be built to include all necessary ports?
>
> * security/sssd http://www.freshports.org/security/sssd
> * security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
> * net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
> * security/cyrus-sasl2
> * security/cyrus-sasl2-gssapi
>
> That package could be called something like ipa-client, and make FreeBSD - FreeIPA integration one step closer. If not possible, even a pkg equivalent to /security/sssd would eliminate existing possibilities for misconfiguration.
>
> 22-Oct-14 07:06, Fraser Tweedale wrote:
>> I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 22.10.2014 09:10, Fraser Tweedale wrote:
> Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package flavours topic.
>
> For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
>
> http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/

Hello Fraser and others,

it would be great if you could add links to your FreeIPA-related blog posts to http://www.freeipa.org/page/HowTos . We are trying to build a kind of 'documentation hub' with links to relevant posts stored elsewhere. It is even fine to add links to mailing list archives if the particular post is useful to a broad audience.

Have a nice day!

Petr^2 Spacek
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (22/10/14 17:10), Fraser Tweedale wrote:
> Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo. I will update it tomorrow with a bit more about the package flavours topic.
>
> For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
>
> http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/

The disadvantage of this approach is that users need to rely on updating of a non-standard repo.
https://frase.id.au/pkg/${ABI}_FreeIPA

In my opinion, it's better to write a howto (script) which will configure all necessary ports/files, and portmaster will take care of updating ports.
https://www.freebsd.org/doc/handbook/ports-using.html#portmaster

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 12:23 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
> The disadvantage of this approach is that users need to rely on updating of a non-standard repo.
> https://frase.id.au/pkg/${ABI}_FreeIPA
>
> In my opinion, it's better to write a howto (script) which will configure all necessary ports/files, and portmaster will take care of updating ports.
> https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
>
> LS

As an avid BSD user, with FreeIPA cloud deployed, I'll fire up some FreeBSD VMs and see if I can get a running system, using the thread here and the doc that's been written, to sanity check things and possibly help out with the packaging if I can. I only need to consider that I run launchd on my FreeBSD systems, so I'll need to go deeper, with modified start scripts. I'll do a few rc-based stock installs of 10.1. See how we go.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale ftwee...@redhat.com wrote:
> On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote:
>> The disadvantage of this approach is that users need to rely on updating of a non-standard repo.
>> https://frase.id.au/pkg/${ABI}_FreeIPA
>>
>> In my opinion, it's better to write a howto (script) which will configure all necessary ports/files, and portmaster will take care of updating ports.
>> https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
>>
>> LS
>
> Each has its advantages and disadvantages; people can choose what works for them. Hopefully - not too far in the future - people won't have to choose, when binary package flavours are implemented. When that happens, a small effort will be needed to define the FreeIPA flavour and ensure it gets included in the official package repos.

Actually I would be inclined to assist with a ports build, so it could be done correctly from the ports tree and work towards having it adopted into mainline.

> Fraser
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Wed, Oct 22, 2014 at 01:26:42PM +0200, Petr Spacek wrote:
> Hello Fraser and others,
>
> it would be great if you could add links to your FreeIPA-related blog posts to http://www.freeipa.org/page/HowTos .

I updated the HowTos page.

Cheers,
Fraser.

> We are trying to build a kind of 'documentation hub' with links to relevant posts stored elsewhere. It is even fine to add links to mailing list archives if the particular post is useful to a broad audience.
>
> Have a nice day!
>
> Petr^2 Spacek
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (17/10/14 16:46), Orkhan Gasimov wrote:
> 1. I use FreeBSD 10.0 64-bit. (For some files bits are also important - for example, on a 32-bit machine the same configuration of the /usr/local/etc/sssd/sssd.conf file introduces problems because of the line enumerate = True in the [domain] section; only after that line is commented out does sssd start.)
>
> 2. The files you requested are at https://cloud.mail.ru/public/afa7e1fad817/pam.d

Previously, I was editing my pam stack; I had to overwrite my files with yours to reproduce the problem. As I thought, it was your misconfiguration.

You have a typo in pam.d/system. Here is a word-diff:

    [-account-]{+acconut+}    required    /usr/local/lib/pam_sss.so    ignore_unknown_user ignore_authinfo_unavail

There is also a syslog message (/var/log/messages):

    login: in openpam_parse_chain(): /etc/pam.d/system(19): missing or invalid facility
    login: pam_start(): system error

Please update (remove) your post on the FreeBSD forum.

LS
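The `missing or invalid facility` message Lukas quotes is how OpenPAM reports a bad first field on a pam.d policy line, and a typo like `acconut` only shows up when the next login fails with `pam_start(): system error`. As an added example, not code from this thread, here is a small POSIX sh/awk linter that applies the same checks before the file goes live: the facility must be one of auth/account/session/password, the control flag must be one OpenPAM accepts, a module must be named, and an absolute module path must exist on the host. The diagnostic format deliberately mimics OpenPAM's `file(line): message`; the sample policy file in the usage note is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: lint a pam.d(5)-style policy file before
# it breaks login. It checks the fields openpam_parse_chain() parses:
#   facility  control-flag  module-path [module-arguments]
# and reports in OpenPAM's "file(line): message" shape so findings line up
# with what /var/log/messages would show after the fact.

# lint_pam_file FILE -> one line per problem on stdout; returns 0 if clean,
# 1 if problems were found, 2 if the file cannot be read
lint_pam_file() {
    [ -r "$1" ] || { echo "lint_pam_file: cannot read $1" >&2; return 2; }
    awk '
    function fail(msg) { printf "%s(%d): %s\n", FILENAME, FNR, msg; errs++ }
    BEGIN {
        n = split("auth account session password", a)
        for (i = 1; i <= n; i++) fac[a[i]] = 1
        n = split("required requisite sufficient optional binding include", b)
        for (i = 1; i <= n; i++) ctl[b[i]] = 1
    }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }          # backslash continuation
    {
        line = buf $0; buf = ""
        sub(/#.*/, "", line)                               # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)                  # trim whitespace
        if (line == "") next
        nf = split(line, f, /[ \t]+/)
        if (!(f[1] in fac)) { fail("missing or invalid facility: " f[1]); next }
        if (!(f[2] in ctl)) { fail("missing or invalid control flag: " f[2]); next }
        if (nf < 3)         { fail("missing module path"); next }
        # Only absolute paths can be checked for existence here; bare names
        # such as pam_unix.so are resolved by OpenPAM against its search path.
        if (f[3] ~ /^\//) {
            if ((getline junk < f[3]) < 0) fail("module not found: " f[3])
            close(f[3])
        }
    }
    END { exit errs > 0 }
    ' "$1"
}

# Run directly with file arguments (e.g. sh lint-pam.sh /etc/pam.d/system
# /etc/pam.d/login); with no arguments it only defines the function.
if [ $# -ge 1 ]; then
    rc=0
    for file in "$@"; do lint_pam_file "$file" || rc=1; done
    exit $rc
fi
```

Run it against every file you touched before logging out of the session you edited from: `sh lint-pam.sh /etc/pam.d/system /etc/pam.d/login`. On the typo from the thread it prints `/etc/pam.d/system(19): missing or invalid facility: acconut` and exits 1; a line pointing at a `/usr/local/lib/pam_sss.so` that is not installed yet is caught the same way, which is the other mistake that locks you out of a FreeBSD box when the module lives under /usr/local rather than /usr/lib.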
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (20/10/14 15:06), Orkhan Gasimov wrote:
> OK, Lukas, I did as you say:
> 1) reset my pam.d - login to its default state
> 2) added to my pam.d - system: account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail;
> 3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.
>
> Now I cannot locally login as either root or IPA user. Seems like we built our SSSDs differently or from different ports. Would you be so kind to share info about your choices when building SSSD?
>
> You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d - login instead of pam.d - system. This setup works fine for me; another setup, which you and FreeBSD forums suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?

Basically, you should do all (ipa-client-install) steps manually. I would recommend you to look into the log file from a linux machine, /var/log/ipaclient-install.log. The main difference between linux and FreeBSD will be the location of configuration files (/etc vs /usr/local/etc).

> There are indeed nuances that the post at FreeBSD forums didn't address:

I would say that post was more focused on integrating sssd with sudo and expected a more experienced user with better knowledge of FreeIPA. It is the most difficult part.

> 1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;

I am used to installing packages with the utility pkg. Just some packages need to be built from source. (They are listed in the beginning of the post.)

> 2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;

I don't have a configured ldap.conf. On the other hand, it can be useful for troubleshooting with the utility ldapsearch.

> 3) how krb5.conf should be configured on a FreeBSD client;

The same as on linux. (sssd is linked with MIT kerberos)

> 4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);

Linux and FreeBSD use openssh. You can take inspiration from the changes done by the script ipa-client-install.

> 5) how cron script file's executability, IPA user's shell and automatic creation of home directories should be considered - there are some caveats

Why do you need cron? User shell can be changed on the FreeIPA server, or you can change the sssd configuration, man sssd.conf (see *shell*).

> for newbies;

Do you mean admin newbies or FreeIPA newbies? An admin should know how to configure automatic creation of directories (another pam module). ipa-client-install just simplifies it on linux.

> 6) why a user can't initially SSH or locally login to a FreeBSD client even with correct configuration files (password change problem);

FreeBSD admins should already have experience with ldap configuration on FreeBSD (or at least have read the FreeBSD documentation). The official documentation is very good (ldap client configuration with nss-pam-ldapd): https://www.freebsd.org/doc/en/articles/ldap-auth/client.html

> 7) how to setup SSSD so that it doesn't cache information too long (this is not what we always want, right?).

sssd uses a cache by design. If you don't want to cache LDAP users, you can use nss-pam-ldapd. BTW this point is not related to FreeBSD.

Summary:
Feel free to write a detailed howto for newbies. We will be very glad to help with review and fixing problematic parts.

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
1. Yes, being able to find simple typos is what distinguishes a good troubleshooter from a bad one. The problem really was between the chair and the keyboard.

2. Not only were you right in this aspect, but also regarding the idea that comments in the sssd.conf file shouldn't be on the same line as directives. Putting a comment on a separate line allows sssd to start normally instead of giving error messages.

3. I already updated my post at FreeBSD forums and included your comments there. Thanks for taking time to find the cause of the problems.

4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
a) a DNS server;
b) the first IPA server;
c) the second IPA server for multi-master replication;
d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);
e) a FreeBSD client - detailed steps, including many things that the current post at FreeBSD forums misses.

I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it to another two languages: Russian and Azeri.

On Tue, 21 Oct 2014 20:31:17 +0200, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
>> OK, Lukas, I did as you say: [...]
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (21/10/14 23:20), Орхан Касумов wrote:
> 1. Yes, being able to find simple typos is what distinguishes a good troubleshooter from a bad one. The problem really was between the chair and the keyboard.
>
> 2. Not only were you right in this aspect, but also regarding the idea that comments in the sssd.conf file shouldn't be on the same line as directives. Putting a comment on a separate line allows sssd to start normally instead of giving error messages.
>
> 3. I already updated my post at FreeBSD forums and included your comments there. Thanks for taking time to find the cause of the problems.
>
> 4. I consider this thread closed, but still plan to write a detailed HowTo about FreeBSD - FreeIPA integration, i.e. about full setup of 5 VMs:
> a) a DNS server;

You do not need an extra server for dns. FreeIPA is an integrated solution and the DNS server can be installed as part of FreeIPA:

    ipa-server-install --setup-dns

> b) the first IPA server;
> c) the second IPA server for multi-master replication;
> d) a Linux IPA client (for changing LDAP users' passwords on behalf of FreeBSD);

A user can change password in the ipa web UI (tested with FreeIPA 4), but it is a good idea to have a linux client for testing purposes.

> e) a FreeBSD client - detailed steps, including many things that the current post at FreeBSD forums misses.
>
> I will then send my HowTo to both FreeBSD forums and FreeIPA team, and it's up to them to decide if the HowTo is worth publishing or not. If the HowTo is OK, I'll translate it to another two languages: Russian and Azeri.

Awesome.

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, Oct 21, 2014 at 08:31:17PM +0200, Lukas Slebodnik wrote:
> On (20/10/14 15:06), Orkhan Gasimov wrote:
>> OK, Lukas, I did as you say: [...]
>>
>> 1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
>
> I am used to installing packages with the utility pkg. Just some packages need to be built from source. (They are listed in the beginning of the post.)

I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Great news! If I understand correctly, a package can be equivalent to several ports? If this is correct, then could a composite package be built to include all necessary ports?

* security/sssd http://www.freshports.org/security/sssd
* security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
* net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
* security/cyrus-sasl2
* security/cyrus-sasl2-gssapi

That package could be called something like ipa-client, and make FreeBSD - FreeIPA integration one step closer. If not possible, even a pkg equivalent to /security/sssd would eliminate existing possibilities for misconfiguration.

22-Oct-14 07:06, Fraser Tweedale wrote:
> I have prepared a custom pkg(8) repo with the packages built with the required options/make.conf variables. Hang tight, I'll send all the info soon.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Wed, Oct 22, 2014 at 09:13:11AM +0500, Orkhan Gasimov wrote:
> Great news! If I understand correctly, a package can be equivalent to several ports? If this is correct, then could a composite package be built to include all necessary ports?

This is not correct. One package corresponds to one port, but like most package managers, any missing dependencies will be brought in when installing a package. There are some meta-ports (and corresponding packages), however, that don't contain anything themselves but exist just to bring in a bunch of related software. Meta-ports also have limited control over the options with which dependencies are built.

> * security/sssd http://www.freshports.org/security/sssd
> * security/sudo http://www.freshports.org/security/sudo (with SSSD backend)
> * net/openldap24-client-sasl http://www.freshports.org/net/openldap24-client-sasl
> * security/cyrus-sasl2
> * security/cyrus-sasl2-gssapi

Of these five packages, assuming correct options and make.conf settings, there are only two leaf packages: sudo and cyrus-sasl-gssapi. So even without a meta-port, it is not burdensome to install the required software from the custom repo.

> That package could be called something like ipa-client, and make FreeBSD - FreeIPA integration one step closer. If not possible, even a pkg equivalent to /security/sssd would eliminate existing possibilities for misconfiguration.

I don't think it is possible to do it at the moment, in a way that is useful to FreeBSD users at large, without using a custom pkg(8) repo. This is because there is no way of building packages with different flavours and having them coexist in the same repo. Support for flavours is a high priority, though; it is actively being worked on. Until that feature arrives, a custom pkg repo is the best alternative to setting options/variables and building ports oneself.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (19/10/14 08:45), Orkhan Gasimov wrote:
> 2. About my pam.d files - please read carefully my previous posts. I commented out the line in pam.d - system and added it explicitly to

You didn't have "account required /usr/local/lib/pam_sss.so ignore_unknown_user" in pam.d/system. The line is commented out, but there *IS NOT* the argument ignore_unknown_user.

The Howto on the FreeBSD forum[1] has the argument ignore_unknown_user on the lines starting with account in both pam configuration files (system, sshd).

> pam.d - login because otherwise I get locked out from the machine. I sent

I didn't touch pam.d/login. I put "account .. pam_sss.so ignore_unknown_user" into pam.d/system (the same as in [1]) and I can login as an sssd user and a local user.

I know that pam configuration isn't the easiest thing for newbies, but your post will be even more confusing for others. Please do not give advice if you do not understand where the problem is and why it works with that change.

> you the WORKING configuration and not the one which was recommended at FreeBSD posts (and also by you). And yes, in pam.d - system there's no ignore bla bla bla part because in that file the line account required /usr/local/lib/pam_sss.so just doesn't work, with or without that part.

I don't know what you did wrong, but it *works* with the argument ignore_unknown_user. How did you test?

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
OK, Lukas, I did as you say:
1) reset my pam.d - login to its default state
2) added to my pam.d - system: account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail;
3) commented out enumerate = True in my /usr/local/etc/sssd/sssd.conf.

Now I cannot locally login as either root or IPA user. Seems like we built our SSSDs differently or from different ports. Would you be so kind to share info about your choices when building SSSD?

You're right, I'm a newbie in FreeIPA setups. But I've worked with pam stack before, when configuring OpenLDAP on servers. That knowledge of pam let me solve the problem of local logins with sssd by adding the appropriate line in pam.d - login instead of pam.d - system. This setup works fine for me; another setup, which you and FreeBSD forums suppose, doesn't work. Did you check everything on a blank FreeBSD 10 setup?

There are indeed nuances that the post at FreeBSD forums didn't address:
1) what choices should be made when building SSSD and other ports - VERY IMPORTANT, but missing information;
2) how ldap.conf should be configured on a FreeBSD client for ldapsearch to work;
3) how krb5.conf should be configured on a FreeBSD client;
4) how SSH files should be configured on a FreeBSD client for single sign-on to behave properly (GSS-API part);
5) how cron script file's executability, IPA user's shell and automatic creation of home directories should be considered - there are some caveats for newbies;
6) why a user can't initially SSH or locally login to a FreeBSD client even with correct configuration files (password change problem);
7) how to setup SSSD so that it doesn't cache information too long (this is not what we always want, right?).

In short: a person who posted the info on FreeBSD - FreeIPA integration at FreeBSD forums shared a lot of info, but at the same time he didn't share other very important pieces of information, and this can cause great frustration to people trying to follow his post.

And although you recommend me not to share my experience of setting up FreeBSD - FreeIPA integration, I just want people to get a REALLY WORKING HowTo. I've already tested HBAC, centralized sudo and other things in my setup, and everything is working fine. So in near future I plan to make a REAL, DETAILED HowTo on this subject, and I think that at least some pieces of information in it will help people to avoid a great deal of frustration.

20-Oct-14 13:01, Lukas Slebodnik wrote:
> On (19/10/14 08:45), Orkhan Gasimov wrote:
>> 2. About my pam.d files - please read carefully my previous posts. [...]
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 10/18/2014 11:45 PM, Orkhan Gasimov wrote:
> 1. About enumerate with comments on the same line - it doesn't cause any problems on my FreeBSD 10 64-bit. Enumerate causes problems on my FreeBSD 10 32-bit - that could be because of a comment on the same line. I could check it, but if it's not recommended to have enumerate at all, then I'll leave it.

Just FYI, comments on the same line are treated as part of the value, i.e. not interpreted as comments. I do not know how the value is treated by SSSD in the case of a boolean. It might try to parse it and come to the conclusion that it is true or false, but I do not know which conclusion it actually comes to. BTW for those who are familiar with the internals and some other threads - using ding-libs interpretation functions would have caught that. One more argument to switch to ding-libs checking (when it is ready).

As for enumeration - it is not needed in 90% of cases, so we recommend not to configure it.

> 2. About my pam.d files - please read carefully my previous posts. I commented out the line in pam.d - system and added it explicitly to pam.d - login because otherwise I get locked out from the machine. I sent you the WORKING configuration and not the one which was recommended at FreeBSD posts (and also by you). And yes, in pam.d - system there's no ignore bla bla bla part because in that file the line account required /usr/local/lib/pam_sss.so just doesn't work, with or without that part. That's what I was talking about in my reply to the post at FreeBSD forums and that's why I considered it unimportant to re-add that ignore ... part in the commented account ... line when sending pam.d files to you.
>
> 3. I like your idea of checking everything on a blank FreeBSD 10 setup - that way you will really determine whether the problem is between the chair and the keyboard or not.

Yeah, we should develop tools in this area. +1.

> Sent from Blue Mail http://r.bluemailapp.com
>
> On 19.10.2014, at 2:36, Lukas Slebodnik lsleb...@redhat.com wrote:
>> On (17/10/14 16:46), Orkhan Gasimov wrote:
>>> 1. I use FreeBSD 10.0 64-bit. (For some files bits are also important - for example, on a 32-bit machine the same configuration of /usr/local/etc/sssd/sssd.conf file introduces problems because of the line enumerate = True in the [domain] section; only after that line is commented
>>
>> Firstly, we do not recommend to have enumeration enabled.
>> Secondly, you did not have enumerate = True in your domain section. You have
>>     enumerate = True #to enumerate users and groups
>>                      ^^^
>> I wrote you in another email that comments should be on a different line.
>>
>>> out, sssd starts.)
>>>
>>> 2. The files you requested are at https://cloud.mail.ru/public/afa7e1fad817/pam.d
>>>
>>> 17-Oct-14 16:30, Lukas Slebodnik wrote:
>>>> On (17/10/14 15:44), Orkhan Gasimov wrote:
>>>>> Unfortunately, putting that line in /etc/pam.d/system prevents me from being
>>>>
>>>> I checked your pam configuration and you had a wrong line in /etc/pam.d/system. Currently, it is commented out.
>>>>     #acconut  required  /usr/local/lib/pam_sss.so
>>>> and the correct one is in /etc/pam.d/login
>>>>     account  required  /usr/local/lib/pam_sss.so  ignore_unknown_user ignore_authinfo_unavail
>>>>
>>>> You were wrong in the comment https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
>>>> Please move the line from login - system.
>>>>
>>>>> able to locally login to the BSD client. At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login doesn't give unexpected behaviours. Bug, bug, bug...
>>>>
>>>> no, no, no, the problem was between chair and keyboard. Sorry, I could not resist :-)
>>>>
>>>> It works for me with FreeBSD 9.3. It is possible that your pam stack is misconfigured.
>>>>
>>>> BTW After fixing problems with my freeipa 4.0.3, I was able to connect with ssh to FreeBSD 10 as freeipa_user and local_user. If I have time in the next weeks I will try with a clean FreeBSD 10 and will write some notes.
>>>>
>>>> LS

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
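Both mistakes this thread turns on would have been caught by a small lint before anyone read the logs: the acconut facility typo in pam.d/system that makes openpam_parse_chain() fail with "missing or invalid facility" (Lukas's word-diff above), and the trailing comment on the enumerate line that sssd reads as part of the value (Dmitri's note). The checker below is an added example, not code from the thread or from SSSD, OpenPAM or FreeIPA; the facility and control keywords are the ones OpenPAM's pam.conf(5) accepts, and the sample files are constructed to match what the thread describes, not the poster's real files.

```python
"""Lint a FreeBSD client's pam.d policy and sssd.conf for the mistakes seen in this thread."""

# OpenPAM accepts exactly these facilities and control flags (pam.conf(5)).
# Any other facility makes openpam_parse_chain() fail with
# "missing or invalid facility", after which pam_start() returns a system error.
PAM_FACILITIES = {"auth", "account", "session", "password"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "binding"}


def check_pam_policy(text, name="pam.d/system"):
    """Return a list of findings for one pam.d policy file (empty list = clean)."""
    findings = []
    sss_account_args = None  # arguments of the 'account ... pam_sss.so' line, if present
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # pam.d files do allow '#' comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            findings.append(f"{name}({lineno}): expected 'facility control module [args]'")
            continue
        facility, control, module, *args = fields
        if facility not in PAM_FACILITIES:
            findings.append(f"{name}({lineno}): missing or invalid facility '{facility}'")
            continue
        if control not in PAM_CONTROLS:
            findings.append(f"{name}({lineno}): unknown control flag '{control}'")
        if facility == "account" and module.endswith("pam_sss.so"):
            sss_account_args = set(args)
    if sss_account_args is None:
        findings.append(f"{name}: no 'account ... pam_sss.so' line, so HBAC rules are not enforced")
    elif "ignore_unknown_user" not in sss_account_args:
        # Without it pam_sss reports local (non-IPA) accounts as unknown users,
        # and a 'required' module returning that fails the whole account chain.
        findings.append(f"{name}: pam_sss.so account line lacks ignore_unknown_user, "
                        "so local accounts fail the account chain")
    return findings


def check_sssd_conf(text):
    """Flag trailing '#' comments, which sssd keeps as part of the value, and enumerate = True."""
    findings = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # whole-line comments are fine
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            findings.append(f"sssd.conf({lineno}): not a 'key = value' line")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            findings.append(f"sssd.conf({lineno}): trailing comment is read as part of "
                            f"the value of '{key}' in [{section}]")
            value = value.split("#", 1)[0].strip()
        if key == "enumerate" and value.lower() == "true":
            findings.append(f"sssd.conf({lineno}): enumerate = True in [{section}] is not recommended")
    return findings


# Constructed samples modelled on the files discussed in the thread.
PAM_SYSTEM_TYPO = """\
auth        sufficient  /usr/local/lib/pam_sss.so   use_first_pass
auth        required    pam_unix.so                 no_warn try_first_pass nullok
acconut     required    /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so
password    sufficient  /usr/local/lib/pam_sss.so   use_authtok
password    required    pam_unix.so                 no_warn try_first_pass
"""
PAM_SYSTEM_FIXED = PAM_SYSTEM_TYPO.replace("acconut", "account")
PAM_SYSTEM_NO_IGNORE = PAM_SYSTEM_FIXED.replace(" ignore_unknown_user ignore_authinfo_unavail", "")

SSSD_CONF_BAD = """\
[domain/example.test]
id_provider = ipa
enumerate = True #to enumerate users and groups
"""
SSSD_CONF_FIXED = """\
[domain/example.test]
id_provider = ipa
# enumeration is not recommended, so the option is left out entirely
"""

if __name__ == "__main__":
    for label, result in [
        ("pam.d/system with typo", check_pam_policy(PAM_SYSTEM_TYPO)),
        ("pam.d/system fixed", check_pam_policy(PAM_SYSTEM_FIXED)),
        ("sssd.conf with inline comment", check_sssd_conf(SSSD_CONF_BAD)),
        ("sssd.conf fixed", check_sssd_conf(SSSD_CONF_FIXED)),
    ]:
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  " + finding)
```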
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Replying to myself is great... Anyway, maybe this info will be useful for people like me, trying to integrate FreeBSD with FreeIPA. Solved some problems:

1. SSH-ing as existing IPA user rsiwal to my FreeBSD client fails. The same user can SSH or locally login to my Linux client.
That happened because the shell specified for user rsiwal was /bin/bash. After changing it to /bin/sh that problem disappeared.

2. At the same time I cannot locally login to my FreeBSD host as either IPA user or local user.
I posted the cause and solution at FreeBSD forums: https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/

3. If I create a new user in IPA, he can't initially SSH into FreeBSD client. BSD says: password expired, but doesn't take new password. The same new user can SSH into my Linux client. Linux says: password expired and allows to set a new password with a message: All authentication tokens updated successfully. After I set a new password for my newly created user via Linux, I can SSH into my BSD client as that user. Using this hack I can create new users in IPA, SSH into Linux to change their passwords and then use those new users to SSH into FreeBSD.
Didn't find a solution yet. But I think this is caused by lack of proper configuration of Kerberos on my FreeBSD client. On my Linux client I found such a configuration in /etc/krb5.conf file. However, there's no such file on my FreeBSD client, as the post on FreeBSD forums didn't say anything about such a file. I'll do some more checks and share the results here.

16-Oct-14 18:23, Orkhan Gasimov wrote:
> Here's what I have at the end of the day after various checks.
>
> SSH-ing as existing IPA user rsiwal to my FreeBSD client fails. The same user can SSH or locally login to my Linux client.
>
> If I create a new user in IPA, he can't initially SSH into FreeBSD client. BSD says: password expired, but doesn't take new password. The same new user can SSH into my Linux client. Linux says: password expired and allows to set a new password with a message: All authentication tokens updated successfully. After I set a new password for my newly created user via Linux, I can SSH into my BSD client as that user. Using this hack I can create new users in IPA, SSH into Linux to change their passwords and then use those new users to SSH into FreeBSD.
>
> At the same time I cannot locally login to my FreeBSD host as either IPA user or local user.
>
> I think there's something wrong with Kerberos setup on my FreeBSD client. I suspect that because both /etc/pam.d/system and /etc/pam.d/sshd files on the BSD client have a string:
>     password sufficient /usr/local/lib/pam_sss.so use_authtok
> but BSD doesn't let update authentication tokens when trying to change expired password for a new user.
>
> There was minimal info about Kerberos setup on FreeBSD client in the post at FreeBSD forums. Just this: create a keytab on the IPA server and copy it to /etc/krb5.keytab on the FreeBSD client.
>
> Someone here wrote that he can contact the author of that post. If so, please tell the author to spend a couple of hours to:
> 1) check everything he advised on a blank setup with VMs;
> 2) provide more details about correct sequence of actions.
>
> Any help will be highly appreciated!
>
> 16-Oct-14 15:13, Orkhan Gasimov wrote:
>> Please excuse me for that silly typo in the letter. The typo doesn't exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I typed ignore_unknown_user. I'll try ignore_authinfo_unavail to see if it prevents me from being locked out of the machine.
>>
>> Here are the log files:
>> sssd_eurosel.az.log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
>> sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
>> sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
>> krb5_child.log: https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
>> ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
>> sssd.log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log
>>
>> 16-Oct-14 14:57, Lukas Slebodnik wrote:
>>> On (16/10/14 13:04), Orkhan Gasimov wrote:
>>>> OK, back to FreeIPA - FreeBSD setup. I changed my setup: instead of 2 VMs now I have 4 VMs:
>>>> 1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
>>>> 2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
>>>> 4: IPA BSD client - set up as described in the post at FreeBSD forums.
>>>>
>>>> Results:
>>>> 1) my IPA linux client interacts fine with the IPA server;
>>>> 2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing getent passwd or getent shadow. (Previously when I used just 2 VMs and no DNS server, that didn't happen.)
>>>>
>>>> Problems after I start sssd on the FreeBSD client:
>>>> 1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (17/10/14 12:01), Alexander Bokovoy wrote:
>> Didn't find a solution yet. But I think this is caused by lack of proper configuration of Kerberos on my FreeBSD client. On my Linux client I found such a configuration in the /etc/krb5.conf file. However, there's no such file on my FreeBSD client, as the post on FreeBSD forums didn't say anything about such a file. I'll do some more checks and share the results here.
> Well, follow your Kerberos library defaults. By default FreeBSD is built with Heimdal so if your system uses Heimdal and SSSD is build against

It is true that the default Kerberos library on FreeBSD is Heimdal. It is stored in the default paths (/usr/bin, /usr/lib).
SSSD does not work with Heimdal, therefore it is linked with MIT krb5 >= 1.10 on FreeBSD, which is stored in (/usr/local/bin, /usr/local/lib)

LS

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
This idea is great, it would be invaluable for many people trying to integrate FreeBSD with FreeIPA. Currently there's only one post about this at FreeBSD forums, but it's not detailed and tells nothing about many caveats of the process. You would have helped a lot of people to avoid frustration.

17-Oct-14 14:01, Alexander Bokovoy wrote:
> See ipa-advise tool on IPA server. Currently it only provides you with config-freebsd-nss-pam-ldapd advise to configure FreeBSD with nss-pam-ldapd, but we can extend that to have SSSD covered too.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Unfortunately, putting that line in /etc/pam.d/system prevents me from being able to locally login to the BSD client. At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login doesn't give unexpected behaviours. Bug, bug, bug...

17-Oct-14 14:15, Lukas Slebodnik wrote:
> I would recommend to have the next line in /etc/pam.d/system and /etc/pam.d/sshd. Without this line, access control will not work. (HBAC)
>
>     account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
> That format is not simple for me, as I'm not a programmer. But after I check, double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and assure that it works without unexpected behaviors, I'll probably write a HOW-TO on this process and post it at FreeBSD forums.

Thanks! Would you consider also adding the HOWTO to http://www.freeipa.org/page/HowTos so that other people can follow your steps?

> I'll then share the link to my post here, so that: 1) FreeIPA community could also check the post for any errors; 2) someone more prepared could translate the whole process into the format appropriate for the ipa-advise tool.
>
> 17-Oct-14 15:37, Alexander Bokovoy wrote:
>> FreeIPA is an open source project where anyone can contribute in their areas of interest. You are welcome to contribute recipes for FreeBSD. The code is around https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py As you can see, most recipes are structured in an easy way and adding a new one is as simple as adding a new class definition there.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Of course! But for now I'm in the process of checking my integration and there are some things I don't like. First and foremost, any change on the IPA server is not automatically reflected on the BSD client. Only after SSSD is manually restarted on the client, something like "its cache is cleared" happens and new rules apply. For now I'm not even checking something complex like sudo rule groups with host groups, it's just a simple sudo rule for a single user.

I hope for collaboration with other interested people to find a stable solution for FreeIPA - FreeBSD interaction via SSSD, so that as a result of all this effort a well-detailed tutorial could be written and shared with all *nix users.

17-Oct-14 16:17, Martin Kosek wrote:
> On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
>> That format is not simple for me, as I'm not a programmer. But after I check, double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and assure that it works without unexpected behaviors, I'll probably write a HOW-TO on this process and post it at FreeBSD forums.
>
> Thanks! Would you consider also adding the HOWTO to http://www.freeipa.org/page/HowTos so that other people can follow your steps?
>
>> I'll then share the link to my post here, so that: 1) FreeIPA community could also check the post for any errors; 2) someone more prepared could translate the whole process into the format appropriate for the ipa-advise tool.
>>
>> 17-Oct-14 15:37, Alexander Bokovoy wrote:
>>> FreeIPA is an open source project where anyone can contribute in their areas of interest. You are welcome to contribute recipes for FreeBSD. The code is around https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py As you can see, most recipes are structured in an easy way and adding a new one is as simple as adding a new class definition there.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (17/10/14 15:44), Orkhan Gasimov wrote:
> Unfortunately, putting that line in /etc/pam.d/system prevents me from being able to locally login to the BSD client. At the same time, the same line in /etc/pam.d/sshd or /etc/pam.d/login doesn't give unexpected behaviours. Bug, bug, bug...

It works for me with FreeBSD 9.3. It is possible that your pam stack is misconfigured.
Which version of FreeBSD do you use? Could you send me all files from /etc/pam.d/?

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 10/17/2014 01:28 PM, Orkhan Gasimov wrote:
> Of course! But for now I'm in the process of checking my integration and there are some things I don't like. First and foremost, any change on the IPA server is not automatically reflected on the BSD client. Only after SSSD is manually restarted on the client, something like "its cache is cleared" happens and new rules apply. For now I'm not even checking something complex like sudo rule groups with host groups, it's just a simple sudo rule for a single user.
>
> I hope for collaboration with other interested people to find a stable solution for FreeIPA - FreeBSD interaction via SSSD, so that as a result of all this effort a well-detailed tutorial could be written and shared with all *nix users.

+1. Or, an even better approach would be if the ipa-client-install script gets ported some nice day to FreeBSD so that sssd & assorted services do not need to be configured automatically and can use the autodiscover features of ipa-client-install. But this is even farther future :-)

> 17-Oct-14 16:17, Martin Kosek wrote:
>> On 10/17/2014 01:01 PM, Orkhan Gasimov wrote:
>>> That format is not simple for me, as I'm not a programmer. But after I check, double-check and triple-check my FreeBSD - FreeIPA integration via SSSD and assure that it works without unexpected behaviors, I'll probably write a HOW-TO on this process and post it at FreeBSD forums.
>>
>> Thanks! Would you consider also adding the HOWTO to http://www.freeipa.org/page/HowTos so that other people can follow your steps?
>>
>>> I'll then share the link to my post here, so that: 1) FreeIPA community could also check the post for any errors; 2) someone more prepared could translate the whole process into the format appropriate for the ipa-advise tool.
>>>
>>> 17-Oct-14 15:37, Alexander Bokovoy wrote:
>>>> FreeIPA is an open source project where anyone can contribute in their areas of interest. You are welcome to contribute recipes for FreeBSD. The code is around https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/advise/plugins/legacy_clients.py As you can see, most recipes are structured in an easy way and adding a new one is as simple as adding a new class definition there.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (17/10/14 16:28), Orkhan Gasimov wrote:
> Of course! But for now I'm in the process of checking my integration and there are some things I don't like. First and foremost, any change on the IPA server is not automatically reflected on the BSD client.

sssd uses a few levels of caches. If you want to have up-to-date data you need to invalidate the sssd cache (sss_cache -UG). Details are in man sss_cache. It is not related to FreeBSD. The same behaviour is on Linux. If a user authenticates to a machine with sssd then fresh data is downloaded from the server. That's the only exception.

> Only after SSSD is manually restarted on the client, something like "its cache is cleared" happens and new rules apply. For now I'm not even checking something complex like sudo rule groups with host groups, it's just a simple sudo rule for a single user.

sudo is much more tricky about up-to-date data. sssd uses periodic tasks for refreshing rules. It is not possible to invalidate sudo rules with the tool sss_cache. A detailed description of the sudo rules caching mechanism is in the manual page man sssd-sudo - THE SUDO RULE CACHING MECHANISM

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
I found another solution (currently checked it only for adding/deleting a sudo rule for a user, and also enabling/disabling a user) - add to the [domain] section of the sssd.conf file:

    entry_cache_timeout = 5

17-Oct-14 16:39, Lukas Slebodnik wrote:
> sssd uses a few levels of caches. If you want to have up-to-date data you need to invalidate the sssd cache (sss_cache -UG).
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
OK, back to FreeIPA - FreeBSD setup. I changed my setup: instead of 2 VMs now I have 4 VMs:
1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
2 and 3: IPA server & IPA Linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
4: IPA BSD client - set up as described in the post at FreeBSD forums.

Results:
1) my IPA Linux client interacts fine with the IPA server;
2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing getent passwd or getent shadow. (Previously when I used just 2 VMs and no DNS server, that didn't happen.)

Problems after I start sssd on the FreeBSD client:
1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local user (root);
2) if I restart my IPA BSD client, I also can't login to it locally as either root or rsiwal. I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:
1) SSH: https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG
2) local login: https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:

    account required /usr/local/lib/pam_sss.so ignore unknown user

The file pam_sss.so exists on my FreeBSD machine in the specified location. Deleting "ignore unknown user" from that line doesn't help. Changing the position of that line so that it precedes "account required pam_unix.so" also gives no result.

Please help me to understand, what can I do in such a situation? Is it a bug in pam_sss.so?

15-Oct-14 06:14, Fraser Tweedale wrote:
> On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
> On (14/10/14 17:48), Fraser Tweedale wrote:
> On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
> With help from Alexander Bokovoy I found correct log destinations:
> sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
> sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
> These files are from my second Fedora - FreeBSD setup, they have a different domain name, but everything else is identical. Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.
>
> Hi Orkhan,
> Thanks for the logs. What were their actual locations? I'm going to try and reproduce your setup and see whether I get the same outcome. I have been building and installing the ports as indicated in the forum post, and one thing I have noticed is that there are a lot of configuration options on some of the important ports - perhaps there was an important option that the author forgot to mention.
>
> You needn't build sssd from ports. You can install sssd with the pkg utility. The only necessary step is to build the openldap client with SASL support, because the default version of the openldap client is built without SASL support. sssd cannot initialize ipa_provider with openldap libraries without SASL support. On the other hand, {ldap,krb5,ad} providers can be used without any problem. The steps, how to build the openldap client with SASL support, are described in the freebsd forum.
>
> It is the end of the day for me, but sssd is now installed so I should let you know tomorrow whether I am running into the same issues as you, or whether I find success. (As a side note: once I get to a working setup I will create and publish a pkg(8) repo with the needed ports built with the correct options and make.conf variables. This should make it easier and certainly quicker to use FreeBSD as a FreeIPA client.)
>
> I am not sure what you are trying to do. Everything is described on the forum. If there isn't something clear feel free to send a rephrased (updated) version of the howto. I can contact the author of that post.
>
> Since there are non-default options and make variables to be set, is it not desirable that there be a pkg(8) repository people can use to install the packages needed for ipa integration?
>
> I think it is desirable. It is easy thanks to ports-mgmt/poudriere.
>
> Fraser
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (16/10/14 13:04), Orkhan Gasimov wrote:
> OK, back to FreeIPA - FreeBSD setup. I changed my setup: instead of 2 VMs now I have 4 VMs:
> 1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
> 2 and 3: IPA server & IPA Linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
> 4: IPA BSD client - set up as described in the post at FreeBSD forums.
> Results:
> 1) my IPA Linux client interacts fine with the IPA server;
> 2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing getent passwd or getent shadow. (Previously when I used just 2 VMs and no DNS server, that didn't happen.)
> Problems after I start sssd on the FreeBSD client:
> 1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local user (root);
> 2) if I restart my IPA BSD client, I also can't login to it locally as either root or rsiwal. I get totally locked out of the machine.
> FreeBSD displays some errors on the screen when using:
> 1) SSH: https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG
> 2) local login: https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG
> FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
>
>     account required /usr/local/lib/pam_sss.so ignore unknown user

                                                 ^^^ it should be one word connected with underscores _
See details in: man pam_sss - OPTIONS

It would be good to also use the argument ignore_authinfo_unavail in the pam system config, otherwise you will not be able to connect as a local user if sssd is down.

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Please excuse me for that silly typo in the letter. The typo doesn't exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I typed ignore_unknown_user. I'll try ignore_authinfo_unavail to see if it prevents me from being locked out of the machine.

Here are the log files:
sssd_eurosel.az.log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
krb5_child.log: https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log

16-Oct-14 14:57, Lukas Slebodnik wrote:
> On (16/10/14 13:04), Orkhan Gasimov wrote:
>> OK, back to FreeIPA - FreeBSD setup. I changed my setup: instead of 2 VMs now I have 4 VMs:
>> 1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
>> 2 and 3: IPA server & IPA Linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
>> 4: IPA BSD client - set up as described in the post at FreeBSD forums.
>> Results:
>> 1) my IPA Linux client interacts fine with the IPA server;
>> 2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing getent passwd or getent shadow. (Previously when I used just 2 VMs and no DNS server, that didn't happen.)
>> Problems after I start sssd on the FreeBSD client:
>> 1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local user (root);
>> 2) if I restart my IPA BSD client, I also can't login to it locally as either root or rsiwal. I get totally locked out of the machine.
>> FreeBSD displays some errors on the screen when using:
>> 1) SSH: https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG
>> 2) local login: https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG
>> FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
>>
>>     account required /usr/local/lib/pam_sss.so ignore unknown user
>
>                                                  ^^^ it should be one word connected with underscores _
> See details in: man pam_sss - OPTIONS
>
> It would be good to also use the argument ignore_authinfo_unavail in the pam system config, otherwise you will not be able to connect as a local user if sssd is down.
>
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Here's what I have at the end of the day after various checks.

SSH-ing as the existing IPA user rsiwal to my FreeBSD client fails. The same user can SSH or locally login to my Linux client.

If I create a new user in IPA, he can't initially SSH into the FreeBSD client. BSD says: password expired, but doesn't take a new password. The same new user can SSH into my Linux client. Linux says: password expired, and allows me to set a new password with the message "All authentication tokens updated successfully." After I set a new password for my newly created user via Linux, I can SSH into my BSD client as that user.

Using this hack I can create new users in IPA, SSH into Linux to change their passwords and then use those new users to SSH into FreeBSD. At the same time I cannot locally login to my FreeBSD host as either an IPA user or a local user.

I think there's something wrong with the Kerberos setup on my FreeBSD client. I suspect that because both /etc/pam.d/system and /etc/pam.d/sshd files on the BSD client have the line:

    password sufficient /usr/local/lib/pam_sss.so use_authtok

but BSD doesn't let me update authentication tokens when trying to change the expired password for a new user.

There was minimal info about the Kerberos setup on the FreeBSD client in the post at FreeBSD forums. Just this: create a keytab on the IPA server and copy it to /etc/krb5.keytab on the FreeBSD client.

Someone here wrote that he can contact the author of that post. If so, please tell the author to spend a couple of hours to: 1) check everything he advised on a blank setup with VMs; 2) provide more details about the correct sequence of actions.

Any help will be highly appreciated!

16-Oct-14 15:13, Orkhan Gasimov wrote:
> Please excuse me for that silly typo in the letter. The typo doesn't exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I typed ignore_unknown_user. I'll try ignore_authinfo_unavail to see if it prevents me from being locked out of the machine.
>
> Here are the log files:
> sssd_eurosel.az.log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
> sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
> sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
> krb5_child.log: https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log
> ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
> sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log
>
> 16-Oct-14 14:57, Lukas Slebodnik wrote:
>> On (16/10/14 13:04), Orkhan Gasimov wrote:
>>> OK, back to FreeIPA - FreeBSD setup. I changed my setup: instead of 2 VMs now I have 4 VMs:
>>> 1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc
>>> 2 and 3: IPA server & IPA Linux client - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk
>>> 4: IPA BSD client - set up as described in the post at FreeBSD forums.
>>> Results:
>>> 1) my IPA Linux client interacts fine with the IPA server;
>>> 2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing getent passwd or getent shadow. (Previously when I used just 2 VMs and no DNS server, that didn't happen.)
>>> Problems after I start sssd on the FreeBSD client:
>>> 1) I can't ssh into my IPA BSD client either as an IPA user (rsiwal) or local user (root);
>>> 2) if I restart my IPA BSD client, I also can't login to it locally as either root or rsiwal. I get totally locked out of the machine.
>>> FreeBSD displays some errors on the screen when using:
>>> 1) SSH: https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG
>>> 2) local login: https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG
>>> FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
>>>
>>>     account required /usr/local/lib/pam_sss.so ignore unknown user
>>
>>                                                  ^^^ it should be one word connected with underscores _
>> See details in: man pam_sss - OPTIONS
>>
>> It would be good to also use the argument ignore_authinfo_unavail in the pam system config, otherwise you will not be able to connect as a local user if sssd is down.
>>
>> LS
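The two PAM mistakes that come up in this exchange (the option typed as separate words, and an account line for pam_sss.so that lacks ignore_unknown_user or ignore_authinfo_unavail, which is what locks local users out when sssd is down) can be caught before rebooting. The check below is an added example, not code from the thread or from SSSD; it assumes the module path /usr/local/lib/pam_sss.so used on the list, and the two PAM files it runs on are constructed samples rather than anyone's real /etc/pam.d/system.

```shell
#!/bin/sh
# Added example (not from the thread): lint the pam_sss.so lines of a FreeBSD
# PAM service file for the two mistakes discussed on the list. The module is
# assumed to live at /usr/local/lib/pam_sss.so; any path ending in pam_sss.so
# is accepted.

# check_pam_sss FILE
# Prints one finding per line; exit status 0 when no problem was found.
check_pam_sss() {
    file="$1"
    problems=0
    have_account=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        set -- $line                                  # type control module [options...]
        [ $# -ge 3 ] || continue
        type=$1
        module=$3
        shift 3
        case "$module" in */pam_sss.so|pam_sss.so) ;; *) continue ;; esac
        # pam_sss options are single tokens; a bare fragment means one was split
        for opt in "$@"; do
            case "$opt" in
                ignore|unknown|user|authinfo|unavail)
                    echo "$file:$lineno: '$opt' is a fragment of an option; join the words with underscores"
                    problems=$((problems + 1)) ;;
            esac
        done
        if [ "$type" = account ]; then
            have_account=1
            for need in ignore_unknown_user ignore_authinfo_unavail; do
                case " $* " in
                    *" $need "*) ;;
                    *) echo "$file:$lineno: account pam_sss line lacks $need"
                       problems=$((problems + 1)) ;;
                esac
            done
        fi
    done < "$file"
    if [ "$have_account" -eq 0 ]; then
        echo "$file: no account line for pam_sss.so, so HBAC rules are not enforced"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample files standing in for /etc/pam.d/system: the first has the
# split option from the thread, the second the recommended line.
bad=$(mktemp)
good=$(mktemp)
cat > "$bad" <<'EOF'
# account
account   required   pam_login_access.so
account   required   /usr/local/lib/pam_sss.so   ignore unknown user
account   required   pam_unix.so
EOF
cat > "$good" <<'EOF'
account   required   pam_login_access.so
account   required   /usr/local/lib/pam_sss.so   ignore_unknown_user ignore_authinfo_unavail
account   required   pam_unix.so
password  sufficient /usr/local/lib/pam_sss.so   use_authtok
password  required   pam_unix.so                 no_warn try_first_pass
EOF
for f in "$bad" "$good"; do
    if check_pam_sss "$f"; then echo "$f: OK"; fi
done
rm -f "$bad" "$good"
```

Run it against each service file that carries a pam_sss.so line (system, sshd, login) before the next reboot; because the loop reads the file line by line, the reported line number is the same one FreeBSD prints in its PAM error.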
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
> Thanks to both of you for the interest. Here's the info you asked:
> 1. Putting debug_level = 7 either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some errors in sssd.conf & the sssd process fails to start. But that's the case only if I deliberately introduce some errors; with the current configuration sssd starts successfully.

SSSD writes separate log files per each section, so you need to look at /var/log/sssd/sssd_mydomain.com.log for [domain/mydomain.com] and /var/log/sssd/sssd_nss.log for the nss section.

> 3. The users created at the IPA server can't locally log in to the server, but it's possible to ssh to the server as an IPA user from the FreeBSD host. However, there are some interesting behaviors (again, this is what happens when just following the IPA Quick Start Guide for the server side & the post from FreeBSD forums for the client side):
> - home directories are not automatically created on the IPA server;
> - id command output shows the correct uid, but the group of any IPA user doesn't show as ipausers - instead, the group name is the same as the username, + something like context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

In FreeIPA in Fedora we switched off ipausers being a POSIX group. FreeIPA supports POSIX and non-POSIX groups; the latter is for grouping purposes as groups can be nested in FreeIPA. 'ipausers' is the group every user is a member of but it is not a POSIX group anymore so it has less effect on performance in large deployments (tens of thousands of users in the same group). So it is expected.

The group named as a username is a user-private group which is maintained automatically per each user. It has the same GID as the user's UID.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
With help from Alexander Bokovoy I found the correct log destinations:
sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have a different domain name, but everything else is identical. Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.

14-Oct-14 00:32, Lukas Slebodnik wrote:
> On (13/10/14 20:33), Jakub Hrozek wrote:
>> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
>>> Good day to everybody.
>>> There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
>>> For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf & started sssd) and didn't get errors anywhere, all steps completed successfully.
>>> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide, it has no integrated DNS server.
>>> Both VMs have an identical /etc/hosts file:
>>>
>>>     ::1            localhost
>>>     127.0.0.1      localhost
>>>     192.168.1.10   ipa1.mydomain.com ipa1
>>>     192.168.1.30   bsd1.mydomain.com bsd1
>>>
>>> Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.
>>> Has anybody tried this setup, what could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!
>>
>> Hi,
>> I think SSSD logs would be the best start.. Put debug_level=7 into the [domain] section, restart SSSD and then check out /var/log/sssd/*.log
>
> debug_level = 7 can be put into the nss section as well.
> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
>
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
With help from Alexander Bokovoy I found the correct log destinations:
sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have a different domain name, but everything else is identical. Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.

14-Oct-14 10:23, Orkhan Gasimov wrote:
> Thanks to both of you for the interest. Here's the info you asked:
>
> 1. Putting debug_level = 7 either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some errors in sssd.conf & the sssd process fails to start. But that's the case only if I deliberately introduce some errors; with the current configuration sssd starts successfully.
>
> 2. My original sssd.conf (without debugs) is as follows (exact copy of what was shown in the post at FreeBSD forums):
>
>     [domain/mydomain.com]
>     cache_credentials = True
>     krb5_store_password_if_offline = True
>     ipa_domain = mydomain.com
>     id_provider = ipa
>     auth_provider = ipa
>     access_provider = ipa
>     ipa_hostname = ipa1.mydomain.com
>     chpass_provider = ipa
>     ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>     ldap_tls_cacert = /etc/ssl/ca.crt
>     enumerate = True #to enumerate users and groups
>
>     [sssd]
>     enumerate = True
>     services = nss, pam, sudo
>     config_file_version = 2
>     domains = mydomain.com
>
>     [nss]
>
>     [pam]
>
>     [sudo]
>
> Interestingly enough the [nss] section is empty, just as shown in the post at FreeBSD forums.
>
> 3. The users created at the IPA server can't locally log in to the server, but it's possible to ssh to the server as an IPA user from the FreeBSD host. However, there are some interesting behaviors (again, this is what happens when just following the IPA Quick Start Guide for the server side & the post from FreeBSD forums for the client side):
> - home directories are not automatically created on the IPA server;
> - id command output shows the correct uid, but the group of any IPA user doesn't show as ipausers - instead, the group name is the same as the username, + something like context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
>
> 4. Here is the list of snapshots taken from my FreeBSD VM when I installed the necessary ports, maybe these snapshots will provide some additional info on sssd behavior:
> clean_install
> starting_sssd_install
> krb5_choice_added_LDAP
> openldap24-sasl-client_choice_added_FETCH_GSSAPI
> cyrus-sasl2_choice_defaults
> bind_choice_added_GSSAPI_MIT
> sssd_installation_finished
> sudo_installed_with_INSULTS_LDAP_SSSD
> cyrus-sasl2-gssapi_choice_added_MIT
> all_ports_installed_directories_created
> all_configs_applied_sssd_started
>
> 14-Oct-14 00:32, Lukas Slebodnik wrote:
>> On (13/10/14 20:33), Jakub Hrozek wrote:
>>> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
>>>> Good day to everybody.
>>>> There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
>>>> For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf & started sssd) and didn't get errors anywhere, all steps completed successfully.
>>>> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide, it has no integrated DNS server.
>>>> Both VMs have an identical /etc/hosts file:
>>>>
>>>>     ::1            localhost
>>>>     127.0.0.1      localhost
>>>>     192.168.1.10   ipa1.mydomain.com ipa1
>>>>     192.168.1.30   bsd1.mydomain.com bsd1
>>>>
>>>> Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.
>>>> Has anybody tried this setup, what could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!
>>>
>>> Hi,
>>> I think SSSD logs would be the best start.. Put debug_level=7 into the [domain] section, restart SSSD and then check out /var/log/sssd/*.log
>>
>> debug_level = 7 can be put into the nss section as well.
>> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
>>
>> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
> With help from Alexander Bokovoy I found the correct log destinations:
> sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
> sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
> These files are from my second Fedora - FreeBSD setup; they have a different domain name, but everything else is identical. Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.

Hi Orkhan,

Thanks for the logs. What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the same outcome. I have been building and installing the ports as indicated in the forum post, and one thing I have noticed is that there are a lot of configuration options on some of the important ports - perhaps there was an important option that the author forgot to mention.

It is the end of the day for me, but sssd is now installed, so I should let you know tomorrow whether I am running into the same issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and publish a pkg(8) repo with the needed ports built with the correct options and make.conf variables. This should make it easier and certainly quicker to use FreeBSD as a FreeIPA client.)

Cheers,
Fraser
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
> With help from Alexander Bokovoy I found the correct log destinations:
> sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
> sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
> These files are from my second Fedora - FreeBSD setup; they have a different domain name, but everything else is identical. Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.

You have a basic problem of DNS resolution at the FreeBSD client side:

(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
...
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.

Make sure your DNS infrastructure is actually working. Run the following on the FreeBSD side:

dig SRV _ldap._tcp.eurosel.az
dig SRV _kerberos._tcp.eurosel.az

and fix either your resolver or DNS server to properly resolve SRV records for the IPA domain (assuming eurosel.az is your IPA domain).

--
/ Alexander Bokovoy
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Thanks for taking time to find a solution.

1. The location of the log files is /var/log/sssd; I just didn't know that each section of the sssd.conf file produced its own log file:
/var/log/sssd/sssd_your.domain.log
/var/log/sssd/sssd_nss.log

2. For the client side, here again is the list of snapshots taken from my FreeBSD VM when I installed the necessary ports; maybe these snapshots will provide some additional info on sssd behavior:
clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started

3. For the server side, one thing that I had to do differently when adding the client to the server is that I used the --force option, as the server complained about the host not having a DNS A record (I don't run a DNS server on the IPA server).

14-Oct-14 12:48, Fraser Tweedale wrote:
> Hi Orkhan,
>
> Thanks for the logs. What were their actual locations?
>
> I'm going to try and reproduce your setup and see whether I get the same outcome. I have been building and installing the ports as indicated in the forum post, and one thing I have noticed is that there are a lot of configuration options on some of the important ports - perhaps there was an important option that the author forgot to mention.
>
> It is the end of the day for me, but sssd is now installed, so I should let you know tomorrow whether I am running into the same issues as you, or whether I find success.
>
> (As a side note: once I get to a working setup I will create and publish a pkg(8) repo with the needed ports built with the correct options and make.conf variables. This should make it easier and certainly quicker to use FreeBSD as a FreeIPA client.)
>
> Cheers,
> Fraser
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (14/10/14 10:23), Orkhan Gasimov wrote:
> Thanks to both of you for the interest. Here's the info you asked for:
>
> 1. Putting debug_level = 7 either in the [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some errors in sssd.conf & the sssd process fails to start. But that's the case only if I deliberately introduce some errors; with the current configuration sssd starts successfully.
>
> 2. My original sssd.conf (without debugs) is as follows (exact copy of what was shown in the post at FreeBSD forums):
>
> [domain/mydomain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa1.mydomain.com
> chpass_provider = ipa
> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries

[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)

DNS discovery of the IPA server failed, because you just configured a few hostnames in /etc/hosts.

You can add an IP address or hostname to the option ipa_server, e.g.
ipa_server = _srv_, vm-120.eurosel.az

BTW, in my opinion it is better to have the comment before the option and not on the same line :-)

LS
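As an added example that is not part of this thread and not SSSD's own code, the following Python checks an sssd.conf for the two points Lukas raises (an ipa_server that relies on _srv_ alone, and a comment on the same line as the option) and triages the domain-log lines that show SRV discovery failing and the backend going offline. The config and log excerpt are constructed from what the thread quotes; the fallback FQDN in the fixed config is a placeholder.

```python
"""Added example (not SSSD's own code): check the sssd.conf quoted in this thread
for an ipa_server that relies on _srv_ discovery alone, and triage the domain-log
lines that show SRV discovery failing and the backend going offline."""
import configparser
import re

# Constructed copy of the sssd.conf posted in the thread, inline comment included.
SAMPLE_SSSD_CONF = """\
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]
[pam]
[sudo]
"""

# The same file with Lukas's two suggestions applied: comment on its own line and an
# explicit server after _srv_ (the server FQDN here is a constructed placeholder).
FIXED_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "ipa_server = _srv_ #our FreeIPA server has DNS SRV entries",
    "# our FreeIPA server has DNS SRV entries\nipa_server = _srv_, ipa1.mydomain.com",
)

# Constructed excerpt modelled on the sssd_eurosel.az.log lines quoted in the thread.
SAMPLE_DOMAIN_LOG = """\
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.eurosel.az'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
"""

# "[function] (0xlevel): message" is the tail of every sssd debug line.
LOG_LINE = re.compile(r"\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")


def check_ipa_server(conf_text):
    """Return (servers, findings) for the first [domain/...] section.

    configparser keeps an inline '#...' as part of the value, which is exactly
    why the comment belongs on its own line; the check flags it and strips it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        return [], ["no [domain/...] section found"]
    raw = cp.get(domains[0], "ipa_server", fallback="")
    findings = []
    if "#" in raw:
        findings.append("ipa_server has an inline '#' comment; put it on its own line")
        raw = raw.split("#", 1)[0]
    servers = [s.strip() for s in raw.split(",") if s.strip()]
    if not servers:
        findings.append("ipa_server is unset, so only DNS service discovery remains")
    elif servers == ["_srv_"]:
        findings.append("ipa_server relies on _srv_ alone; add a fallback, "
                        "e.g. ipa_server = _srv_, <ipa-server-fqdn>")
    return servers, findings


def triage_domain_log(log_text):
    """Summarise SRV discovery failures from sssd domain-log lines."""
    summary = {"srv_tried": [], "srv_failures": 0,
               "unresolved_services": [], "went_offline": False}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "resolv_getsrv_send":
            name = re.search(r"SRV record of '([^']+)'", msg)
            if name:
                summary["srv_tried"].append(name.group(1))
        elif func == "resolve_srv_done" and "SRV query failed" in msg:
            summary["srv_failures"] += 1
        elif func == "set_srv_data_status" and "'not resolved'" in msg:
            svc = re.search(r"service '([^']+)'", msg)
            if svc and svc.group(1) not in summary["unresolved_services"]:
                summary["unresolved_services"].append(svc.group(1))
        elif "going offline" in msg.lower():
            summary["went_offline"] = True
    # The thread's signature: SRV lookups fail and the backend then goes offline,
    # so fix SRV resolution for the IPA domain or add an explicit ipa_server.
    summary["dns_discovery_broken"] = (summary["srv_failures"] > 0
                                       and summary["went_offline"])
    return summary


if __name__ == "__main__":
    print(check_ipa_server(SAMPLE_SSSD_CONF))
    print(check_ipa_server(FIXED_SSSD_CONF))
    print(triage_domain_log(SAMPLE_DOMAIN_LOG))
```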
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
I suspected that problems could arise with DNS, and here they are...

In fact, this entire string:
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
was taken as-is from the how-to on FreeBSD forums. First I commented it out, because I was unsure if it was appropriate for my simple setup with just 2 VMs and a bunch of records in the /etc/hosts file. After starting sssd, I could get no IPA data with getent passwd or getent group commands. Then I uncommented it and restarted sssd, but things remained the same.

Now your advice is: "...add IP address or hostname to the option ipa_server", but you use an arbitrary name like vm-120.eurosel.az. Could you please explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then sssd won't start (complains about "...Looping detected inside krb5_get_in_tkt..."). If it MUST be a DNS server, then everything changes. And the question then becomes: is it possible to set up a test FreeIPA client-server interaction using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or must one add a third VM and make it a DNS server to facilitate client-server interaction?

14-Oct-14 12:58, Lukas Slebodnik wrote:
> On (14/10/14 10:23), Orkhan Gasimov wrote:
>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>
> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.eurosel.az'
> ...
> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
>
> DNS discovery of the IPA server failed, because you just configured a few hostnames in /etc/hosts.
>
> You can add an IP address or hostname to the option ipa_server, e.g.
> ipa_server = _srv_, vm-120.eurosel.az
>
> BTW, in my opinion it is better to have the comment before the option and not on the same line :-)
>
> LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
I tried to avoid setting up a third VM to serve as a DNS server for my test scenario. I thought it would be possible to set up working FreeIPA client-server interaction with just 2 VMs & correct hostnames & /etc/hosts files in them. Do I correctly understand your idea that it's a MUST to set up a DNS server to facilitate FreeIPA client-server interaction? Or is there a way to do it with just 2 VMs and no DNS server?

14-Oct-14 12:50, Alexander Bokovoy wrote:
> You have a basic problem of DNS resolution at the FreeBSD client side:
>
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> ...
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x1000): Trying with the next one!
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>
> Make sure your DNS infrastructure is actually working. Run the following on the FreeBSD side:
>
> dig SRV _ldap._tcp.eurosel.az
> dig SRV _kerberos._tcp.eurosel.az
>
> and fix either your resolver or DNS server to properly resolve SRV records for the IPA domain (assuming eurosel.az is your IPA domain).
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 14.10.2014 11:49, Orkhan Gasimov wrote:
> I suspected that problems could arise with DNS, and here they are...
>
> In fact, this entire string:
> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
> was taken as-is from the how-to on FreeBSD forums. First I commented it out, because I was unsure if it was appropriate for my simple setup with just 2 VMs and a bunch of records in the /etc/hosts file. After starting sssd, I could get no IPA data with getent passwd or getent group commands. Then I uncommented it and restarted sssd, but things remained the same.
>
> Now your advice is: "...add IP address or hostname to the option ipa_server", but you use an arbitrary name like vm-120.eurosel.az. Could you please explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then sssd won't start (complains about "...Looping detected inside krb5_get_in_tkt..."). If it MUST be a DNS server, then everything changes. And the question then becomes: is it possible to set up a test FreeIPA client-server interaction using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or must one add a third VM and make it a DNS server to facilitate client-server interaction?

IPA theoretically can work without DNS records, but it requires very careful configuration on clients and is strongly discouraged.

If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>
+ specify an IPA domain name which is a sub-domain of your existing domain (e.g. ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to the IPA server

*This is a dirty trick* and it will not work unless all your clients have the IPA server in resolv.conf. It will most likely break when you try to use AD trust with AD clients etc.

*In a production environment* you should add NS records for the ipa.eurosel.az domain to the parent DNS zone to create proper delegation. In that case you don't need to fiddle with resolv.conf on all clients.

Let me know if you need further assistance.

Petr^2 Spacek
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
> I tried to avoid setting up a third VM to serve as a DNS server for my test scenario. I thought it would be possible to set up working FreeIPA client-server interaction with just 2 VMs & correct hostnames & /etc/hosts files in them.

Many applications rely on service discovery based on DNS. In particular, SSSD uses this approach if you don't explicitly set servers for LDAP, Kerberos, IPA, etc. See sssd-ldap(5), sssd-krb5(5), sssd-ipa(5), section 'SERVICE DISCOVERY'. The mechanism is described in RFC 2782.

It becomes even more important for cases like integration with Active Directory, where the AD side relies on DNS service discovery unconditionally.

IPA has an integrated DNS server; all you needed to do was to run 'ipa-server-install --setup-dns' or 'ipa-dns-install' afterwards. If you don't want to use the IPA-provided DNS server, at the end of ipa-server-install a sample DNS zone was generated to show what records need to be added to your DNS zone.

> Do I correctly understand your idea that it's a MUST to set up a DNS server to facilitate FreeIPA client-server interaction? Or is there a way to do it with just 2 VMs and no DNS server?

Use the integrated DNS server in the FreeIPA server; this is the supported way of doing it. FreeIPA will then make it manageable through its tools -- be it the command line interface or the web UI.

--
/ Alexander Bokovoy
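As an added example that is not part of this thread and not FreeIPA or SSSD code, the following Python models the RFC 2782 service discovery that ipa_server = _srv_ stands for, looking up the two names Alexander's dig commands check against a constructed in-memory zone and ordering the targets the way the RFC prescribes. The second server, the third lower-priority server and the weights are assumptions made for the example; an empty zone reproduces the /etc/hosts-only situation from the thread.

```python
"""Added example (not FreeIPA/SSSD code): RFC 2782 SRV-based discovery of the
LDAP and Kerberos servers of an IPA domain, run against a constructed zone."""
import random

# Constructed zone, shaped like the SRV records an IPA-served eurosel.az publishes.
# Only ipa1.eurosel.az comes from the thread; ipa2, ipa-dr and the weights are
# assumptions made to show priority and weight handling.
IPA_ZONE = {
    "_ldap._tcp.eurosel.az": [(0, 100, 389, "ipa1.eurosel.az"),
                              (0, 50, 389, "ipa2.eurosel.az"),
                              (10, 100, 389, "ipa-dr.eurosel.az")],
    "_kerberos._tcp.eurosel.az": [(0, 100, 88, "ipa1.eurosel.az"),
                                  (0, 50, 88, "ipa2.eurosel.az")],
}
# The thread's situation: names exist only in /etc/hosts, so there are no SRV records.
HOSTS_ONLY_ZONE = {}


def order_srv_targets(records, rng=random.randint):
    """Order (priority, weight, port, target) records per RFC 2782 'Usage rules':
    lowest priority first; within one priority, weighted random selection with
    zero-weight entries placed first. rng(lo, hi) is injectable for testing."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            pick = rng(0, sum(r[1] for r in group))
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def discover_ipa_servers(domain, zone, rng=random.randint):
    """Mimic what ipa_server = _srv_ does: query the LDAP and Kerberos SRV names
    for the domain and return ordered 'host:port' lists per service. A missing
    name yields an empty list, which is the 'not resolved' case in the thread."""
    result = {}
    for service, name in (("ldap", f"_ldap._tcp.{domain}"),
                          ("kerberos", f"_kerberos._tcp.{domain}")):
        records = zone.get(name)
        if not records:
            result[service] = []
            continue
        result[service] = [f"{t}:{p}" for _, _, p, t in order_srv_targets(records, rng)]
    return result


if __name__ == "__main__":
    print(discover_ipa_servers("eurosel.az", HOSTS_ONLY_ZONE))
    print(discover_ipa_servers("eurosel.az", IPA_ZONE))
```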
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
I'll try such a test setup, then share information about the results.

14-Oct-14 15:04, Petr Spacek wrote:
> IPA theoretically can work without DNS records, but it requires very careful configuration on clients and is strongly discouraged.
>
> If you want to do a quick & dirty test, do this:
> $ ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>
> + specify an IPA domain name which is a sub-domain of your existing domain (e.g. ipa.eurosel.az)
> + change /etc/resolv.conf on *all* clients to point to the IPA server
>
> *This is a dirty trick* and it will not work unless all your clients have the IPA server in resolv.conf. It will most likely break when you try to use AD trust with AD clients etc.
>
> *In a production environment* you should add NS records for the ipa.eurosel.az domain to the parent DNS zone to create proper delegation. In that case you don't need to fiddle with resolv.conf on all clients.
>
> Let me know if you need further assistance.
>
> Petr^2 Spacek
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
I need further assistance with this moment: "specify IPA domain name which is sub-domain of your existing domain (e.g. ipa.eurosel.az)".

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and the client's hostname is bsd1.eurosel.az. So when running this command:

  ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>

the installation program detects the hostname of the VM (ipa1.eurosel.az) and offers it as the IPA server FQDN; then it offers eurosel.az as the domain name. I can make changes right during the installation process (FQDN = ipa1.ipa.eurosel.az, domain = ipa.eurosel.az), but then there will be a conflict with the real hostname and records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to ipa1.ipa.eurosel.az prior to running the IPA installation program, then the installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and a domain name of ipa.eurosel.az. But doesn't it mean that my client's hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid this, because in production I won't be able to change the domain part of the FQDN for hundreds of clients.

Please don't hesitate to explain a little clearer.

14-Oct-14 16:29, Petr Spacek wrote:
> If you want to do a quick dirty test, do this:
>
>   $ ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>
>
> + specify an IPA domain name which is a sub-domain of your existing domain (e.g. ipa.eurosel.az)
> + change /etc/resolv.conf on *all* clients to point to the IPA server
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 14.10.2014 13:48, Orkhan Gasimov wrote:
> I need further assistance with this moment: "specify IPA domain name which is sub-domain of your existing domain (e.g. ipa.eurosel.az)". Currently my FreeIPA server's hostname is ipa1.eurosel.az, and the client's hostname is bsd1.eurosel.az. So when running this command: ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>, the installation program detects the hostname of the VM (ipa1.eurosel.az) and offers it as the IPA server FQDN; then it offers eurosel.az as the domain name. I can make changes right during the installation process (FQDN = ipa1.ipa.eurosel.az, domain = ipa.eurosel.az), but then there will be a conflict with the real hostname and records in the /etc/hosts file.
>
> On the other hand, if I change the hostname of the server VM to ipa1.ipa.eurosel.az prior to running the IPA installation program, then the installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and a domain name of ipa.eurosel.az. But doesn't it mean that my client's hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid this, because in production I won't be able to change the domain part of the FQDN for hundreds of clients.

Clients don't need to be in the same domain as IPA. The IPA domain in DNS is necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain, but I'm not sure how much it was tested. Alexander can add more details about records required for AD integration and how it should work with clients which are not in the IPA domain.

Petr^2 Spacek
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
So which way do I go?

1) Change the server VM's hostname from ipa1.eurosel.az to ipa1.ipa.eurosel.az prior to issuing the IPA installation command,
2) or leave my hostname and the contents of the /etc/hosts file intact and specify a different FQDN and domain part of the IPA server after issuing the IPA installation command?

Yes, I know - this is a question Homer Simpson would ask.

14-Oct-14 17:43, Petr Spacek wrote:
> Clients don't need to be in the same domain as IPA. The IPA domain in DNS is necessary to store 'metadata' like SRV and TXT records etc. You can even experiment with IPA servers which are not in the IPA domain, but I'm not sure how much it was tested.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
> So which way do I go?
> 1) Change the server VM's hostname from ipa1.eurosel.az to ipa1.ipa.eurosel.az prior to issuing the IPA installation command,
> 2) or leave my hostname and the contents of the /etc/hosts file intact and specify a different FQDN and domain part of the IPA server after issuing the IPA installation command?
> Yes, I know - this is a question Homer Simpson would ask.

Allocate the ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm IPA.EUROSEL.AZ.

If you want later to see how this setup scales, all you would need to do is to make sure the other clients would use ipa1.ipa.eurosel.az as a resolver.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On 14.10.2014 15:06, Alexander Bokovoy wrote:
> On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
>> So which way do I go?
>> 1) Change the server VM's hostname from ipa1.eurosel.az to ipa1.ipa.eurosel.az prior to issuing the IPA installation command,
>> 2) or leave my hostname and the contents of the /etc/hosts file intact and specify a different FQDN and domain part of the IPA server after issuing the IPA installation command?
>> Yes, I know - this is a question Homer Simpson would ask.
>
> Allocate the ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm IPA.EUROSEL.AZ.
>
> If you want later to see how this setup scales, all you would need to do is to make sure the other clients would use ipa1.ipa.eurosel.az as a resolver.

Again - in production it is unnecessary to change resolv.conf if you have proper NS records in place.

Petr^2 Spacek
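An added example (not SSSD, FreeIPA or any poster's code) that models the two points made in this thread: Lukas's explanation that `ipa_server = _srv_` relies on SRV discovery and can take an explicit fallback host, and Petr's and Alexander's distinction between pointing every client's resolv.conf at the IPA server and delegating the IPA sub-domain with NS records in the parent zone. The resolver, all DNS records, the site resolver address 192.168.1.1 and the driver `run_scenarios()` are constructed for the example; only the sssd.conf excerpt and 192.168.1.10 come from the thread.

```python
import configparser
import re
from typing import Dict, List, Optional, Tuple


class StubResolver:
    """Stand-in DNS server over constructed records keyed (owner, rtype);
    an SRV record is (prio, weight, port, target) and [] means no data."""

    def __init__(self, records: Dict[Tuple[str, str], list]) -> None:
        self.records = {(n.lower().rstrip("."), t): v for (n, t), v in records.items()}

    def lookup(self, name: str, rtype: str) -> list:
        return list(self.records.get((name.lower().rstrip("."), rtype), []))


def parse_ipa_server(conf_text: str, section: str) -> Tuple[List[str], Optional[str]]:
    """Return (server list, inline comment).  configparser keeps an inline '#...'
    in the value, so a comment on the option line (as in the how-to) is split off here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    value, _, comment = cp.get(section, "ipa_server", fallback="_srv_").partition("#")
    servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
    return servers, (comment.strip() or None)


def expand_ipa_servers(servers: List[str], ipa_domain: str,
                       resolver: StubResolver) -> Tuple[List[str], List[str]]:
    """'_srv_' expands to the _ldap._tcp.<ipa_domain> SRV targets (lowest priority
    first); anything else is used literally, which is the fallback Lukas suggests."""
    candidates, notes = [], []
    for entry in servers:
        if entry.lower() != "_srv_":
            candidates.append(entry)
            continue
        srv = resolver.lookup(f"_ldap._tcp.{ipa_domain}", "SRV")
        if not srv:
            notes.append(f"SRV lookup of _ldap._tcp.{ipa_domain} failed; "
                         "service 'IPA' marked 'not resolved'")
            continue
        candidates.extend(t.rstrip(".") for _p, _w, _port, t in sorted(srv))
    if not candidates:
        notes.append("no usable IPA server: SRV discovery failed and no "
                     "explicit fallback is listed in ipa_server")
    return candidates, notes


def classify_dns_layout(ipa_domain: str, existing_dns: StubResolver,
                        client_nameservers: List[str], ipa_server_ips: List[str]) -> str:
    """'delegated': the parent DNS has NS records for ipa_domain, so every client
    finds the IPA records; 'dirty-trick': no delegation, but resolv.conf points
    straight at an IPA server; 'unresolved': neither (the /etc/hosts-only setup)."""
    if existing_dns.lookup(ipa_domain, "NS"):
        return "delegated"
    if any(ns in ipa_server_ips for ns in client_nameservers):
        return "dirty-trick"
    return "unresolved"


# Constructed scenarios mirroring the thread.  The sssd.conf is an excerpt of the
# posted one (comment deliberately left on the option line); the DNS data is made up.
THREAD_SSSD_CONF = """\
[domain/mydomain.com]
ipa_domain = mydomain.com
id_provider = ipa
ipa_hostname = ipa1.mydomain.com
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
"""
IPA_SERVER_IP = "192.168.1.10"   # from the /etc/hosts in the original post
SITE_DNS_IP = "192.168.1.1"      # constructed address of the existing site resolver
NO_DNS = StubResolver({})        # /etc/hosts only: every DNS query fails
# What ipa1 answers after ipa-server-install --setup-dns with domain ipa.eurosel.az.
IPA_DNS = StubResolver({
    ("ipa.eurosel.az", "NS"): ["ipa1.ipa.eurosel.az."],
    ("_ldap._tcp.ipa.eurosel.az", "SRV"): [(0, 100, 389, "ipa1.ipa.eurosel.az.")],
})
# The existing eurosel.az DNS once the parent zone delegates the sub-domain.
PARENT_DELEGATING = StubResolver({("ipa.eurosel.az", "NS"): ["ipa1.ipa.eurosel.az."]})


def run_scenarios() -> Dict[str, object]:
    """Outcomes for the setups discussed: as posted, with an explicit fallback,
    with IPA DNS in place, and the three answers to the resolv.conf question."""
    servers, comment = parse_ipa_server(THREAD_SSSD_CONF, "domain/mydomain.com")
    return {
        "servers": servers,
        "comment": comment,
        "posted": expand_ipa_servers(servers, "mydomain.com", NO_DNS),
        "fallback": expand_ipa_servers(["_srv_", "vm-120.eurosel.az"], "mydomain.com", NO_DNS),
        "with_ipa_dns": expand_ipa_servers(["_srv_"], "ipa.eurosel.az", IPA_DNS),
        "hosts_only": classify_dns_layout("ipa.eurosel.az", NO_DNS, [SITE_DNS_IP], [IPA_SERVER_IP]),
        "dirty_trick": classify_dns_layout("ipa.eurosel.az", NO_DNS, [IPA_SERVER_IP], [IPA_SERVER_IP]),
        "delegated": classify_dns_layout("ipa.eurosel.az", PARENT_DELEGATING, [SITE_DNS_IP], [IPA_SERVER_IP]),
    }


if __name__ == "__main__":
    for key, val in run_scenarios().items():
        print(f"{key}: {val}")
```

The "posted" scenario reproduces the failure in the logs (SRV lookup fails, no server left), "fallback" shows why an explicit host after `_srv_` rescues the /etc/hosts-only setup, and the three classifications make the difference between the resolv.conf shortcut and proper NS delegation explicit.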
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Ok, friends, you helped me to understand one thing. My test scenario with 2 VMs and no DNS server introduces problems with DNS resolution, which seems to be almost necessary. So now I have 2 tasks:

1) properly configure the IPA server to work with DNS;
2) make a FreeBSD host (which is a non-native client for FreeIPA) join an IPA domain.

As problems of the first task can be errantly considered to be problems of the second task, I'll change my approach. First I'll try to set up a Fedora FreeIPA server with DNS and add a native Fedora FreeIPA client to it. (I guess a Fedora client: 1) should be easier to set up; 2) is guaranteed to work if configured properly.) Then I'll try to add a FreeBSD client to my working setup and see if the post at FreeBSD forums leads to a working solution.

I'll share the results with you, however it may take some time before I set up a working Fedora IPA server - Fedora IPA client setup. If you have any links to proved-to-work tutorials (either in text or video format), please share.

Sent from Blue Mail

On 14.10.2014 at 23:47, Petr Spacek pspa...@redhat.com wrote:
> On 14.10.2014 15:06, Alexander Bokovoy wrote:
>> Allocate the ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm IPA.EUROSEL.AZ. If you want later to see how this setup scales, all you would need to do is to make sure the other clients would use ipa1.ipa.eurosel.az as a resolver.
>
> Again - in production it is unnecessary to change resolv.conf if you have proper NS records in place.
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
> On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
> > On (14/10/14 17:48), Fraser Tweedale wrote:
> > > On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
> > > > With help from Alexander Bokovoy I found the correct log destinations:
> > > > sssd-domain-log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
> > > > sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
> > > > These files are from my second Fedora - FreeBSD setup; they have a different domain name, but everything else is identical.
> > > > Interestingly enough, there are lines in sssd_nss.log telling that there are no users or groups in the domain. But as I said, I can ssh to the IPA server as an IPA user.
> > >
> > > Hi Orkhan,
> > >
> > > Thanks for the logs. What were their actual locations?
> > >
> > > I'm going to try and reproduce your setup and see whether I get the same outcome. I have been building and installing the ports as indicated in the forum post, and one thing I have noticed is that there are a lot of configuration options on some of the important ports - perhaps there was an important option that the author forgot to mention.
> >
> > You needn't build sssd from ports. You can install sssd with the pkg utility. The only necessary step is to build the openldap client with SASL support, because the default version of the openldap client is built without SASL support. sssd cannot initialize ipa_provider with openldap libraries without SASL support. On the other hand, the {ldap,krb5,ad} providers can be used without any problem. The steps for building the openldap client with SASL support are described in the FreeBSD forum.
> >
> > > It is the end of the day for me, but sssd is now installed, so I should let you know tomorrow whether I am running into the same issues as you, or whether I find success.
> > >
> > > (As a side note: once I get to a working setup I will create and publish a pkg(8) repo with the needed ports built with the correct options and make.conf variables. This should make it easier and certainly quicker to use FreeBSD as a FreeIPA client.)
> >
> > I am not sure what you are trying to do. Everything is described on the forum. If something isn't clear, feel free to send a rephrased (updated) version of the howto. I can contact the author of that post.
>
> Since there are non-default options and make variables to be set, is it not desirable that there be a pkg(8) repository people can use to install the packages needed for IPA integration?

I think it is desirable. It is easy thanks to ports-mgmt/poudriere.

> Fraser

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
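The message above pins the failure on an OpenLDAP client library built without SASL support, which the ipa provider needs (the thread's snapshot names also show the cyrus-sasl2-gssapi port being added). The script below is an added example, not code from the thread or from the SSSD or FreeBSD projects: it checks whether libldap links against libsasl2 and whether the Cyrus SASL GSSAPI mechanism plugin is installed. The library path /usr/local/lib/libldap.so, the plugin directory /usr/local/lib/sasl2 and the plugin file name libgssapiv2.so are assumptions based on the FreeBSD ports layout and upstream Cyrus SASL naming; the ldd listings embedded for offline use are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): verify SASL support in the OpenLDAP
# client library and the presence of the GSSAPI SASL plugin on a FreeBSD
# FreeIPA client. Paths are assumptions matching the ports layout.

# Decide from ldd(1) output on stdin whether a library links against libsasl2.
# Reading stdin lets the same check run on a captured listing.
ldd_shows_sasl() {
    grep -q 'libsasl2\.so'
}

# Inspect the live library. Returns 0 = SASL present, 1 = absent, 2 = no lib.
check_libldap_sasl() {
    lib="${1:-/usr/local/lib/libldap.so}"          # assumed ports path
    if [ ! -e "$lib" ]; then
        echo "MISSING: $lib not found (is openldap24-sasl-client installed?)"
        return 2
    fi
    if ldd "$lib" | ldd_shows_sasl; then
        echo "OK: $lib links against libsasl2 (SASL support present)"
        return 0
    fi
    echo "FAIL: $lib has no SASL support; install the openldap24-sasl-client port"
    return 1
}

# libsasl2 loads mechanisms as plugins; GSSAPI ships in its own port
# (cyrus-sasl2-gssapi). Plugin directory and file name are assumptions.
check_gssapi_plugin() {
    dir="${1:-/usr/local/lib/sasl2}"
    if [ -e "$dir/libgssapiv2.so" ]; then
        echo "OK: GSSAPI SASL plugin present in $dir"
        return 0
    fi
    echo "FAIL: no libgssapiv2.so in $dir; install security/cyrus-sasl2-gssapi"
    return 1
}

# Constructed ldd listings for offline demonstration (not real output).
LDD_WITH_SASL='/usr/local/lib/libldap.so:
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800a00000)
        libsasl2.so.3 => /usr/local/lib/libsasl2.so.3 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'
LDD_WITHOUT_SASL='/usr/local/lib/libldap.so:
        liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2 (0x800a00000)
        libc.so.7 => /lib/libc.so.7 (0x800e00000)'

# Demonstration on the samples; on a real client call check_libldap_sasl and
# check_gssapi_plugin with no arguments.
printf '%s\n' "$LDD_WITH_SASL"    | ldd_shows_sasl && echo "sample 1: SASL linked"
printf '%s\n' "$LDD_WITHOUT_SASL" | ldd_shows_sasl || echo "sample 2: no SASL"
```

Once both checks pass, a live round trip such as `ldapwhoami -Y GSSAPI -H ldap://ipa1.mydomain.com` (after `kinit`) confirms that the client can actually negotiate GSSAPI against the IPA directory.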
[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Good day to everybody.

There's a post on how to make a FreeBSD client work with a FreeIPA server:
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146

For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf and started sssd) and didn't get errors anywhere; all steps completed successfully.

My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide; it has no integrated DNS server.

Both VMs have an identical /etc/hosts file:

::1           localhost
127.0.0.1     localhost
192.168.1.10  ipa1.mydomain.com ipa1
192.168.1.30  bsd1.mydomain.com bsd1

Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.

Has anybody tried this setup? What could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
> Good day to everybody.
>
> There's a post on how to make a FreeBSD client work with a FreeIPA server:
> https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
>
> For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf and started sssd) and didn't get errors anywhere; all steps completed successfully.
>
> My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide; it has no integrated DNS server.
>
> Both VMs have an identical /etc/hosts file:
>
> ::1           localhost
> 127.0.0.1     localhost
> 192.168.1.10  ipa1.mydomain.com ipa1
> 192.168.1.30  bsd1.mydomain.com bsd1
>
> Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.
>
> Has anybody tried this setup? What could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start. Put debug_level=7 into the [domain] section, restart SSSD and then check out /var/log/sssd/*.log
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On (13/10/14 20:33), Jakub Hrozek wrote:
> On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
> > Good day to everybody.
> >
> > There's a post on how to make a FreeBSD client work with a FreeIPA server:
> > https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
> >
> > For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf and started sssd) and didn't get errors anywhere; all steps completed successfully.
> >
> > My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide; it has no integrated DNS server.
> >
> > Both VMs have an identical /etc/hosts file:
> >
> > ::1           localhost
> > 127.0.0.1     localhost
> > 192.168.1.10  ipa1.mydomain.com ipa1
> > 192.168.1.30  bsd1.mydomain.com bsd1
> >
> > Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.
> >
> > Has anybody tried this setup? What could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!
>
> Hi,
>
> I think SSSD logs would be the best start. Put debug_level=7 into the [domain] section, restart SSSD and then check out /var/log/sssd/*.log

debug_level = 7 can be put into the nss section as well.

Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
Thanks to both of you for the interest. Here's the info you asked for:

1. Putting debug_level = 7 either in the [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some errors in sssd.conf and the sssd process fails to start. But that's the case only if I deliberately introduce some errors; with the current configuration sssd starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what was shown in the post at FreeBSD forums):

---
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
---

Interestingly enough, the [nss] section is empty, just as shown in the post at FreeBSD forums.

3. The users created at the IPA server can't locally log in to the server, but it's possible to ssh to the server as an IPA user from the FreeBSD host. However, there are some interesting behaviors (again, this is what happens when just following the IPA Quick Start Guide for the server side and the post from FreeBSD forums for the client side):
- home directories are not automatically created on the IPA server;
- the id command output shows the correct uid, but the group of any IPA user doesn't show as ipausers - instead, the group name is the same as the username, + something like context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

4. Here is the list of snapshots taken from my FreeBSD VM when I installed the necessary ports; maybe these snapshots will provide some additional info on sssd behavior:
clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started

14-Oct-14 00:32, Lukas Slebodnik wrote:
> On (13/10/14 20:33), Jakub Hrozek wrote:
> > On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
> > > Good day to everybody.
> > >
> > > There's a post on how to make a FreeBSD client work with a FreeIPA server:
> > > https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
> > >
> > > For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the IPA server, although ldapsearch works fine. I followed the instructions exactly (+ configured ldap.conf and started sssd) and didn't get errors anywhere; all steps completed successfully.
> > >
> > > My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a FreeBSD client (on FreeBSD 10.0). The IPA server is configured as written in the IPA Quick Start Guide; it has no integrated DNS server.
> > >
> > > Both VMs have an identical /etc/hosts file:
> > >
> > > ::1           localhost
> > > 127.0.0.1     localhost
> > > 192.168.1.10  ipa1.mydomain.com ipa1
> > > 192.168.1.30  bsd1.mydomain.com bsd1
> > >
> > > Seems like some instructions in the /etc/nsswitch.conf file, like "group: files sss" and "passwd: files sss", have no effect.
> > >
> > > Has anybody tried this setup? What could be wrong with it? I can provide outputs of any commands if necessary. If I shouldn't have asked this question here, please advise me where to ask. Any hint on what to do will be highly appreciated!
> >
> > Hi,
> >
> > I think SSSD logs would be the best start. Put debug_level=7 into the [domain] section, restart SSSD and then check out /var/log/sssd/*.log
>
> debug_level = 7 can be put into the nss section as well.
>
> Could you share your sssd configuration file /usr/local/etc/sssd.conf?
>
> LS
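The two replies above ask for debug_level in the [domain] and [nss] sections, and the configuration posted in this message is what the forum howto produces. The script below is an added example, not code from the thread or from the SSSD project: a small sssd.conf audit that reports the things a reviewer of this thread would check first, plus a check that nsswitch.conf really routes passwd and group through sss. The rules it applies come from the sssd.conf(5) and sssd-ipa(5) semantics rather than from the thread: ipa_hostname names the client itself, not the server; ipa_server = _srv_ relies on DNS SRV records, which a deployment without IPA DNS may lack; and without enumerate = True a bare getent passwd lists no IPA users even when lookups of single names work. The sample configuration written by write_sample_conf is the one posted in this message; the nsswitch lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sssd.conf for the points
# raised in this discussion and check nsswitch.conf for the sss source.

# Print the value of KEY in [SECTION] of an INI-style file; empty when unset.
# A trailing "# comment" on the value line is dropped before comparison.
ini_get() {  # file section key
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want && index($0, "=") > 0 {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/#.*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Report findings for FILE, taking CLIENT_FQDN as this host's own name
# (defaults to hostname(1)). The last output line is "findings: N".
audit_sssd_conf() {  # file [client_fqdn]
    f="$1"; me="${2:-$(hostname)}"; n=0
    dom=$(sed -n 's/^[[:space:]]*\[domain\/\([^]]*\)].*/\1/p' "$f" | head -n 1)
    if [ -z "$dom" ]; then echo "FAIL: no [domain/...] section"; echo "findings: 1"; return 0; fi
    sec="domain/$dom"
    for s in "$sec" nss; do                       # debug_level belongs in both
        [ -n "$(ini_get "$f" "$s" debug_level)" ] ||
            { echo "NOTE: no debug_level in [$s]; set debug_level = 7 there to get /var/log/sssd output"; n=$((n + 1)); }
    done
    [ "$(ini_get "$f" "$sec" id_provider)" = ipa ] ||
        { echo "FAIL: id_provider in [$sec] is not ipa"; n=$((n + 1)); }
    case "$(ini_get "$f" "$sec" ipa_server)" in
        "")     echo "FAIL: ipa_server is unset"; n=$((n + 1)) ;;
        _srv_)  echo "NOTE: ipa_server = _srv_ needs DNS SRV records; without IPA DNS, name the server explicitly"; n=$((n + 1)) ;;
    esac
    h=$(ini_get "$f" "$sec" ipa_hostname)          # must be the client's FQDN
    if [ -n "$h" ] && [ "$h" != "$me" ]; then
        echo "WARN: ipa_hostname = $h is not this client ($me); it must be the client's own FQDN, not the server's"
        n=$((n + 1))
    fi
    if [ "$(ini_get "$f" "$sec" enumerate | tr 'A-Z' 'a-z')" != true ]; then
        echo "INFO: enumerate is off, so a bare 'getent passwd' lists no IPA users; look up a single name instead"
    fi
    echo "findings: $n"
}

# Return 0 when both passwd and group list the sss source, 1 otherwise.
nsswitch_uses_sss() {  # file
    awk '$1 == "passwd:" || $1 == "group:" {
             ok = 0; for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1
             if (!ok) { print "missing sss for " $1; bad = 1 }
         } END { exit bad }' "$1"
}

# Sample input: the configuration posted in this thread, verbatim.
write_sample_conf() {  # path
    cat > "$1" <<'EOF'
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups
[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com
[nss]
[pam]
[sudo]
EOF
}

# Demonstration on the sample, pretending to be the client bsd1.mydomain.com.
tmp=$(mktemp)
write_sample_conf "$tmp"
audit_sssd_conf "$tmp" bsd1.mydomain.com
rm -f "$tmp"
```

Run against the posted configuration as bsd1.mydomain.com the audit reports four findings: no debug_level in either section, server discovery via _srv_ on a setup that the original post says has no IPA DNS, and an ipa_hostname that names the server rather than the client. On a real host, `nsswitch_uses_sss /etc/nsswitch.conf` completes the picture.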