[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server



Here`s what I have at the end of the day after various checks.

SSH-ing as existing IPA user "rsiwal" to my FreeBSD client fails.
The same user can SSH or locally login to my Linux client.
If I create a new user in IPA, he can`t initially SSH into FreeBSD client.
BSD says: "password expired", but doesn`t take new password.
The same new user can SSH into my Linux client.
Linux says: "password expired" and allows to set a new password with a message: "All authentication tokens updated successfully." After I set a new password for my newly created user via Linux, I can SSH into my BSD client as that user. Using this hack I can create new users in IPA, SSH into Linux to change their passwords and then use those new users to SSH into FreeBSD. At the same time I cannot locally login to my FreeBSD host as either IPA user or local user.

I think there`s something wrong with Kerberos setup on my FreeBSD client. I suspect that because both /etc/pam.d/system and /etc/pam.d/sshd files on the BSD client have a string:
password  sufficient  /usr/local/lib/pam_sss.so use_authtok
but BSD doesn`t let update authentication tokens when trying to change expired password for a new user.

There was minimal info about Kerberos setup on FreeBSD client in the post at FreeBSD forums. Just this: "create a keytab on the IPA server and copy it to /etc/krb5.keytab" on the FreeBSD client.

Someone here wrote that he can contact the author of that post. If so, please tell the author to spend a couple of hours to:
1) check everything he advised on a blank setup with VMs;
2) provide more details about correct sequence of actions.

Any help will be highly appreciated!

16-Oct-14 15:13, Orkhan Gasimov пишет:
Please excuse me for that silly typo in the letter. The typo doesn`t exist either in /etc/pam.d/system or /etc/pam.d/sshd - in those files I typed "ignore_unknown_user".

I'll try "ignore_authinfo_unavail" to see if it prevents me from being locked out of the machine.

Here are the log files:

sssd_eurosel.az.log: https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd_nss.log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
sssd_pam.log: https://cloud.mail.ru/public/85d311ec1d4e%2Fsssd_pam.log
krb5_child.log: https://cloud.mail.ru/public/c0e6712b7f1b%2Fkrb5_child.log ldap_child.log: https://cloud.mail.ru/public/d9b0b1eb0da6%2Fldap_child.log
sssd_log: https://cloud.mail.ru/public/d4032b8e6645%2Fsssd.log


16-Oct-14 14:57, Lukas Slebodnik пишет:
On (16/10/14 13:04), Orkhan Gasimov wrote:
OK, back to FreeIPA - FreeBSD setup.
I changed my setup: instead of 2 VMs now I have 4 VMs:

1: DNS server - set up as shown by Rajnesh Kumar Siwal in http://www.youtube.com/watch?v=0SmiwFoHVeI&index=4&list=PLdKXnZQzEG-KmtKq-LelPn5RTKfJig0Wc

2 and 3: IPA server & IPA linux client - set up as shown by Rajnesh Kumar
Siwal in http://www.youtube.com/watch?v=_zlcxjkbayk

4: IPA BSD client - set up as described in the post at FreeBSD forums.


Results:

1) my IPA linux client interacts fine with the IPA server;

2) my IPA BSD client also interacts with the IPA server: it sees IPA users when issuing "getent passwd" or "getent shadow". (Previously when I used just
2 VMs and no DNS server, that didn`t happen.)

Problems after I start sssd on the FreeBSD client:

1) I can`t ssh into my IPA BSD client either as an IPA user (rsiwal) or local
user (root);

2) if I restart my IPA BSD client, I also can`t login to it locally as either
"root" or "rsiwal". I get totally locked out of the machine.

FreeBSD displays some errors on the screen when using:

1) SSH:
https://cloud.mail.ru/public/888b415dac43%2Fssh_error_IPA_user_and_root.JPG

2) local login:
https://cloud.mail.ru/public/3399c5b67c33%2Flogin_error_root_and_IPA_user.JPG

FreeBSD complains about line 19 in /etc/pam.d/system. That line reads:
account  required  /usr/local/lib/pam_sss.so ignore unknown user
^^^^^^^^^^^^^^^^^^^
it should we one word connected with underscores "_"

See details in:
     man pam_sss -> OPTIONS

It would be good to use also argument ignore_authinfo_unavail
in pam system config otherwise you will not be able to connect as local user
if sssd will be down.

LS




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]