Hoping that someone had some insight that might get me unstuck here. FreeBSD 15 working with openldap and sssd2. When I am using pam_ldap I can authenticate ldap users, however when I swap in pam_sss, I'm getting this error. login[3327]: Request to sssd failed. Unexpected format of the server credential message.

heston76: is that it for logs?

is there a way to get the fn+up arrow/fn+down arrow brightness controls to work on commandline?

bz, For the text vt console? For X Windows? (I build this feature myself on my Devuan laptop. For both.)

vt console

i have a dell latitude 3180 laptop

i just installed freebsd 15 on it the other day most stuff is working so far, just had to set hint.sdhci_pci.0.disabled="1" in /boot/device.hints to get around a boot loop problem caused by the microsd card reader

and theres a bunch of weird acpi warnings that ive just been ignoring

i think ive always had issues getting volume and brightness keys to work on regular vt console in the past i just forget what i did to fix it in the past

I run FreeBSD headless on most machines but I have not personally run it on laptops. But...

on both linux and bsd

My understanding is that there is a backlight driver. man.freebsd.org/cgi/man.cgi?query=backlight&apropos=0&sektion=8

its gotten a lot better with laptop support over the years

definitely improved since the last time i tried running it on a laptop

I don't have /dev/backlight/* so I assume a kernel module needs to be loaded for it.

yeah i can set the backlight with the backlight command so the driver works fine, its just the fn key combinations on the keyboard dont work

maybe i have to manually bind them somehow

i think the fn key in general is not working

when i run show key and press fn or any fn key combinations nothing appears

might need to enable usbhid

rtprio: I turned up the debug logs and this is what I can gather from the pam logs. pastebin.com/wmk4KVBy

bz, My network dropped out entirely between then and now. Usually those are ACPI events. I don't know how that works on FreeBSD but I wrote this article for use on Devuan/Debian. proulx.com/~bob/doc/thinkpad-x220-l…keys/thinkpad-x220-laptop-keys.html

I am not saying that will help directly. But maybe some ideas from there can be applied and then doing it on FreeBSD.

heres my dmesg output

i think im missing some firmware but im not sure what to install

heston76: that is not that helpful eh

i would turn to wireshark, if it were my system

probably a lot quicker than the logs

So I added “scrub in all” to my pf rules, I added it below “set skip on lo0” and above all my pass and block rules. But its giving me a syntax error that “Rules must be in order”. But it seems like they are in order?

hi. i have a question about the "tabs" utility. i _think_ it doesn't comply with posix, specifically for the form "tabs n1,n2...", for instance with this command line: tabs 8; printf '\tx\tx\tx\n'; tabs 8,16,24,32; printf '\tx\tx\tx\n'

"tabs 8" resets it to normal every 8 chars, then it prints <tab>"x" 3 times, then sets the tabs with these values, then tries it again. as far as i can tell, according to posix the two lines should print the "x"s at the same columns, but they're not.

ncurses seems to behave the same, and as far as i can tell freebsd's tabs and ncurses ones are independent of eachother.

tabs was added to freebsd in 2002, to conform with SUSv3 from 2001. the spec then looks identical to today (i do have the susv3 pdf's). today it's: pubs.opengroup.org/onlinepubs/9799919799/utilities/tabs.html

note specifically the note "The phrase "tab-stop position N" shall be taken to mean that, from the start of a line of output, tabbing to position N shall cause the next character output to be in the (N+1)th column position on that line."

and the spec for the argument n1,n2,... is: "A single command line argument that consists of one or more tab-stop values (n) separated by a separator character (sep) which is either a <comma> or a <blank> character."

which uses they same language of "tab stops"

correction, the first command at my example above should have been "tabs -8" or just "tabs" (both reset it to every 8 columns, but "tabs 8" sets a single tab stop)

"ncurses seems to behave the same" <-- ie "tabs" which ships with ncurses, which was tested on ubuntu.

rtprio: Yeha, not much, and the tcpdump will just show me what we know. It's not happy with the credintial format that pam_ldap has no issues with. Same format that is documented sssd.io/docs/ldap/ldap-introduction.html & docs.freebsd.org/en/books/handbook/network-servers/#network-ldap . I may end up looking at going kerberos for pam. I've got nss configured to use sss and lookups with id user are bringing back valid results from the d

avih: tabs(1) "This uses the terminfo clear_all_tabs and set_tab capabilities." so I guess it depends on your terminal emulator and the ncurses version can only use the same interface

nimaje: thanks. mind checking it with your terminal? also, mind reading the spec and tell me what you think that command should do? it's possible i'm misinterpreting the spec...

it is a valid point though that the freebsd tabs does end up using ncurses, so they're not completely separate. another hypothesis i had is that today's terminal emulators don't interpret "st" correctly.

but first thing first: someone to reproduce my results, and second opinion on whether these result do or don't comply with posix

nimaje: do you know whether frebsd uses up to date ncurses from invisible-island? or does it maintain its own version?

+e

ok, tabs -d shows that it doesn't behave like posix specifies 'The phrase "tab-stop position N" shall be taken to mean that, from the start of a line of output, tabbing to position N shall cause the next character output to be in the (N+1)th column position on that line.' for the explicite tablist case, it puts the markers on the Nth position, instead of on the (N+1)th position

huh, your tabs supports -d? i tried with freebsd 12 which doesn't support it (on ubuntu it is supported)

and yeah, assuming by "tabd -d" you mean "tabs -d 8,16,..." then yeah, that's what i mean, and on ubuntu which has -d it does show too

tabs*

nimaje: fwiw, another hypothesis i had is that the language in susv2 is less clear, and it doesn't doesn't have that (N+1)th comment, but it does say that column count starts at 1. so i'm thinking maybe someone implemented it according to susv2 rather than susv3, and no one tested it for conformance or noticed it since then?

well, the language in susv2 IS less clear. I do have the pdf. the hypothesis is that they implemented it without looking at susv3

the earliest susv3 copy i have is from december 2001, and it already has the N+1 comment.

rtprio: Well, I found machting symptoms here, last issue on the list. sssd.io/troubleshooting/ldap_provider.html Added ldap_id_use_start_tls = true and restarted, but no change. The tcpdump was also interesting, in that it demonstrated that there was no attempt to connect to ldap when trying to authenticate.

GoSox: before scrub only X=... and then set ... ? is the error pointing to the scrub-line? does the config work without the scrub-line?

GoSox, Typical pfctl error message emit this message: Rules must be in order: options, ethernet, normalization, queueing, translation, filtering

Interesting that it does not mention Macros nor Tables there.

perhaps those are just shell expansions that need to come anytime before they are referred to

at the top of my /etc/pf.conf, i put: ## macros -> tables -> options -> traffic normalization -> queueing -> translation (NAT) -> packet filtering

scrub is in the traffic normalization section, after set skip on lo, and before nat and rdr rules

heston76: the ldap server is freebsd?

rtprio: Yeah, openldap FreeBSD 15 as well

I know it's got to be something simple that I am just overlooking.

what happened to the intel-backlight package?

im still trying to get the brightness keys to work in console mode on this dell laptop

also the screen doesn't blank or go to sleep when i close the laptop lid

i figure it has something to do with the acpi errors i saw in dmesg, probably missing firmware of some kind but im not sure what to look for

ridcully: yes the error does point to the scrub line and it does work fine with the scrub line commented out. Maybe its the tables, the tables are defined after the scrub, ill try rearranging that

GoSox, Post your pf.conf file to a pastebin for us to review?

It would appear I somehow botched my 15.0 upgrade of this machine such that I get `ld-elf.so.1: Shared object "libssl.so.35" not found, required by "openssl"` Is there a simple way to just untar a new userland set of binaries and libraries onto the volume

i.e. fetching `download.freebsd.org/releases/amd64/15.0-RELEASE/base.txz`

rtyler, you were updating your 15 install or you were upgrading to *15*?

upgrading to 15

what does freebsd-update do?

hm

it complains xD because it needs libssl, surprisingly fetch was able to fetch base.txz from HTTPs so that must be statically linked

hmm, i don't know what would be the best to do, sorry

I just did a zfs snapshot, I think I'm gonna give unpacking base.txz a try :)

_what could possibly go wrong_

good luck, hehe

i wonder if snapshot would be as good as a boot environment

that seems to have put the missing files into the right place for at least `freebsd-update fetch` to run correctly now

i see

basically `tar -k -C / -zxvf base.txz`

is there a preferred pastebin fo rthis sub?

hmmm, pkg0.syd.freebsd.org/FreeBSD:15:amd64/latest = 403

rwp and anyone else who is interested, these are my firewall rules:

line 3, the ‘scrub in all’ is commented out because it complains about order

also line 13 is commented out but thats unrelated

i’m not on the servers right now but based on what ive seen, it might just be a matter of putting the tables above the scrub line

nope putting the tables above the scrub still gives the order error. What does the “set skip on lo0” line actually do?

the google says its needed for network function, guess ill try putting scrub above that

nope still complaining about the order. I have no idea where this thing wants the scrub rule to go