I realize this thread is a few weeks old now but hopefully by posting this someone, maybe OP, will see this and find it useful...
I'm running FreeIPA on a Redhat server and authenticating a mix of clients: Redhat, Fedora and Ubuntu. I've gotten this to work on Ubuntu using the following configuration files (sensitive information redacted).
/etc/sssd/sssd.conf:
The majority of this file was generated using the "ipa-client-install" command. I then modified the "ipa_server" line to remove "_srv_," and added the "ipa_hostname =" line.
Code:
[domain/example.domain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.domain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = hostname.example.domain.com
chpass_provider = ipa
ipa_server = ipaserver.example.domain.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.domain.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
/etc/nsswitch.conf:
The below file is incomplete and probably still contains a lot of unecessary information since I'm still working on migrating from our old LDAP server to IPA but the above file is currently in production and working.
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# pre_auth-client-config # passwd: compat
passwd: files sss
#passwd: files ldap [NOTFOUND=return] db
# pre_auth-client-config # group: compat
group: files sss
#group: files ldap [NOTFOUND=return] db
# pre_auth-client-config # shadow: compat
shadow: files ldap [NOTFOUND=return] db
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
# pre_auth-client-config # netgroup: nis
netgroup: nis sss
If there are any other file examples that might be useful to anyone trying to solve this issue, I'm happy to post them. I believe these are the only really relevant ones. I've also got the following ldap/ipa/auth packages installed, not all of them may be necessary as I'm currently migrating from using openLDAP to IPA:
- freeipa-client
- nscd
- nslcd
- libnss-ldapd
- libpam-ldapd
- nss-updatedb
- libnss-db
- libpam-ccreds
EDIT:
OH! I also forgot to mention that we have the following line in /etc/pam.d/common-account:
Code:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
and the a file in /usr/share/pam-configs/my_mkhomedir containing the following:
Code:
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
EDIT2:
Some additional notes...
After further testing, it looks like the ipa-client-install does not properly modify the pam.d/common-* files. You need to make sure that each file is calling "pam_sss.so". I've included the pam_sss.so lines from my files below for reference:
/etc/pam.d/common-auth:
Code:
auth [success=4 default=ignore] pam_sss.so use_first_pass
/etc/pam.d/common-account (NOTE, this file also had a "pam_localuser.so" line which I've included for completeness):
Code:
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/common-password:
Code:
password sufficient pam_sss.so
/etc/pam.d/common-session:
Code:
session optional pam_sss.so