LDAP sets domain in sssd.conf to servers hostname instead of domain.tld

Status
Not open for further replies.

khartahk

Cadet
Joined
Feb 13, 2015
Messages
9
I'm trying to set up FreeIPA auth for FreeNAS. I've managed to set it up so that I can ssh into the FreeNAS using FreeIPA credentials and also using the ssh key in FreeIPA - but this last part only if I manually fix the /usr/local/etc/sssd/sssd.conf file. I have to do the following:

services = ssh,nss,pam,sudo   # here I add "ssh" -> this I can do via Auxiliary Parameters
domains = domain.tld          # change IPA to domain.tld

[ssh]                         # add this also just in case -> this I can do via Auxiliary Parameters

[domain/IPA]                  # have to change "IPA" to "domain.tld", but after every save in GUI this changes back

Why is the GUI setting domain name to IPA? How or where do I need to make a change so that this stops or uses the correct domain.tld?

For now I've set up a post-init copy of the correct sssd.conf file and service sssd restart.
 

dlavigne

Guest
[domain/IPA] #have to change "IPA" to "domain.tld", but after every save in GUI this changes back

Where in the GUI are you setting that?
 

khartahk
As stated in my previous comment
if I manually fix the /usr/local/etc/sssd/sssd.conf file
I have to change this manually in /usr/local/etc/sssd/sssd.conf

I can provide the version that I get from when changing the settings in the GUI + the settings set in the GUI vs. the one where I manually change the sssd.conf file. I'll do this as soon as I get to the office.
 

khartahk
My GUI config:
[attachment: directory-service-ldap-advanced.png]

NOT working sssd.conf file created by the previous GUI settings:
Code:
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = ssh,nss,pam,sudo
domains = IPA


[nss]

[pam]

[sudo]

[ssh]

[domain/IPA]
description = IPA
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldaps://ipa.kupi.lan
ldap_search_base = dc=kupi,dc=lan
ldap_user_search_base = cn=users,cn=accounts,dc=kupi,dc=lan
ldap_group_search_base = cn=groups,cn=accounts,dc=kupi,dc=lan
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=kupi,dc=lan
ldap_tls_cacert = /etc/certificates/CA/ipa.kupi.lan CA.crt
ldap_default_bind_dn = uid=jenkins,cn=sysaccounts,cn=etc,dc=kupi,dc=lan
ldap_default_authtok_type = password
ldap_default_authtok =  __REMOVEDFORSECURITY__


Working sssd.conf file:
Code:
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = ssh,nss,pam,sudo
domains = kupi.lan

[nss]

[pam]

[sudo]

[ssh]

[domain/kupi.lan]
description = IPA
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldaps://ipa.kupi.lan
ldap_search_base = dc=kupi,dc=lan
ldap_user_search_base = cn=users,cn=accounts,dc=kupi,dc=lan
ldap_group_search_base = cn=groups,cn=accounts,dc=kupi,dc=lan
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=kupi,dc=lan
ldap_tls_cacert = /etc/certificates/CA/ipa.kupi.lan CA.crt
ldap_default_bind_dn = uid=jenkins,cn=sysaccounts,cn=etc,dc=kupi,dc=lan
ldap_default_authtok_type = password
ldap_default_authtok = __REMOVEDFORSECURITY__


The only things I really have to change are:
domains = IPA -> domains = kupi.lan
[domain/IPA] -> [domain/kupi.lan]
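The post-init workaround described in the first post (copy a corrected sssd.conf into place, then restart sssd) can be done without keeping a hand-edited copy around: derive the domain name from the ldap_search_base the GUI already writes and rename the section accordingly. The script below is an added example for this thread, not FreeNAS code; it assumes the GUI-generated file has the shape shown above (a `domains = IPA` line, a matching `[domain/IPA]` section, and a `dc=...` search base) and that the hypothetical placeholder name is exactly `IPA`. The embedded sample is the non-working config from the post with the bind password redacted.

```python
"""Rewrite a FreeNAS-generated sssd.conf so the SSSD domain is named after the
LDAP base DN (dc=kupi,dc=lan -> kupi.lan) instead of the GUI's "IPA" placeholder.

Added example for this thread, not FreeNAS project code. Assumptions: the GUI
writes `domains = IPA` and a `[domain/IPA]` section (PLACEHOLDER below), and
the DNS domain can be read off the dc= components of ldap_search_base.
"""
import configparser
import io
import os
import sys

PLACEHOLDER = "IPA"  # assumed: the name the FreeNAS GUI hard-codes

# Constructed sample: the "NOT working" file from the post, secret redacted.
SAMPLE_GUI_CONF = r"""[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam,sudo
domains = IPA

[nss]

[pam]

[sudo]

[domain/IPA]
description = IPA
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldaps://ipa.kupi.lan
ldap_search_base = dc=kupi,dc=lan
ldap_user_search_base = cn=users,cn=accounts,dc=kupi,dc=lan
ldap_group_search_base = cn=groups,cn=accounts,dc=kupi,dc=lan
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=kupi,dc=lan
ldap_tls_cacert = /etc/certificates/CA/ipa.kupi.lan CA.crt
ldap_default_bind_dn = uid=jenkins,cn=sysaccounts,cn=etc,dc=kupi,dc=lan
ldap_default_authtok_type = password
ldap_default_authtok = __REMOVEDFORSECURITY__
"""


def domain_from_search_base(base_dn: str) -> str:
    """Turn 'dc=kupi,dc=lan' into 'kupi.lan'; only dc= RDNs are used."""
    parts = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            parts.append(value.strip())
    if not parts:
        raise ValueError(f"no dc= components in search base: {base_dn!r}")
    return ".".join(parts)


def load(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf. interpolation=None because full_name_format contains
    '%' sequences that configparser would otherwise try to expand."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def fix_sssd_conf(text: str) -> str:
    """Return the config with [domain/IPA] renamed to [domain/<dns domain>],
    `domains =` updated, and the ssh responder enabled. Idempotent."""
    cp = load(text)
    old_section = f"domain/{PLACEHOLDER}"
    if not cp.has_section(old_section):
        return text  # already fixed, or not a GUI-generated file
    base = cp[old_section].get("ldap_search_base", "")
    if not base:
        raise ValueError("domain section has no ldap_search_base to derive a name from")
    new_domain = domain_from_search_base(base)
    new_section = f"domain/{new_domain}"

    # configparser has no rename, so copy the options across and drop the old section.
    cp.add_section(new_section)
    for key, value in cp.items(old_section):
        cp.set(new_section, key, value)
    cp.remove_section(old_section)

    # Point [sssd] domains= at the renamed section; keep any other domains listed.
    domains = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    domains = [new_domain if d == PLACEHOLDER else d for d in domains]
    if new_domain not in domains:
        domains.append(new_domain)
    cp["sssd"]["domains"] = ",".join(domains)

    # Enable the ssh responder so sshd can fetch authorized keys from IPA.
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",") if s.strip()]
    if "ssh" not in services:
        services.append("ssh")
    cp["sssd"]["services"] = ",".join(services)
    if not cp.has_section("ssh"):
        cp.add_section("ssh")

    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # With a path argument, rewrite that file in place (write temp, then rename,
    # so sssd never sees a half-written config); otherwise print the fixed sample.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            fixed = fix_sssd_conf(fh.read())
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(fixed)
        os.chmod(tmp, 0o600)  # the file carries ldap_default_authtok
        os.replace(tmp, path)
    else:
        print(fix_sssd_conf(SAMPLE_GUI_CONF))
```

Run it as a post-init script with the real path (`python fix_sssd.py /usr/local/etc/sssd/sssd.conf && service sssd restart`); because it only acts when a `[domain/IPA]` section is present, re-running after the GUI regenerates the file is safe, and a file that was already fixed passes through untouched.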
 
Joined
Mar 19, 2015
Messages
2
Holy crap khartahk, I think you identified the issue I was posting about here.

I'm going to make this adjustment.

To bring this over from the other thread: the result is that when the AD tries to bind it submits an auth request with no domain, so the domain auth request fails and is rejected, this causes the services to fail, and thus creates the problem of no AD integration.

I don't understand how nobody seems to be experiencing this.
 

dlavigne

Guest
Sounds like a bug. Please create a bug report at bugs.freenas.org and post the issue number here.
 

khartahk
I've created a bug report #17341
When something changes I'll report back here.
 