Hi,

Now that I have my FreeIPA server working in my setup, I'd like to configure my Proxmox server as an IPA client; both for UNIX users and its web/API.

As you might be aware, ipa-client-install is only in sid, and it seems to be problematic. I'm posting everything I'm doing to keep this documented.

$ apt install sudo
$ apt install bind9utils certmonger curl krb5-user libcurl3 libnss3-tools libnss-sss libpam-sss libsasl2-modules-gssapi-mit libsss-sudo libxmlrpc-core-c3 oddjob-mkhomedir python-dnspython python-gssapi python-ldap sssd libbasicobjects0 libcollection4 libcurl3-nss libini-config5 libref-array1 gnupg2 python-cffi python-cryptography python-custodia python-dbus python-jwcrypto python-libipa-hbac python-lxml python-memcache python-netaddr python-netifaces python-nss python-pyasn1 python-qrcode python-setuptools python-usb python-yubico dnsutils keyutils python-requests

$ wget http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-client_4.4.4-4_amd64.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/freeipa-common_4.4.4-4_all.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipaclient_4.4.4-4_all.deb http://ftp.de.debian.org/debian/pool/main/f/freeipa/python-ipalib_4.4.4-4_all.deb
$ dpkg -i *.deb

$ ipa-client-install -N --mkhomedir

This all seems to work successfully, the server appears on the FreeIPA web console and even:

$ sss_ssh_authorizedkeys $MY_IPA_USER

works! But ssh, sudo don't work. However if I patch /etc/sssd/sssd.conf and add nss and pam to [sssd] services, ssh, console login and sudo work!

Questions:

1) Is there anything problematic in my procedure?

2) Whom should I report a bug so /etc/sssd/sssd.conf is generated correctly? I'm guessing Debian...

3) Proxmox supposedly uses PAM for its web/API auth, but it ignores my user. It supports LDAP for authentication, though... Would you recommend using LDAP or trying to coerce PAM into working for IPA?

Cheers,

Álex

___

{~._.~}

( Y )

()~*~() mail: alex at corcoles dot net

(_)-(_) http://alex.corcoles.net/