[Freeipa-devel] Solaris 10 x86 client
Rob Crittenden
rcritten at redhat.com
Wed Jan 9 04:33:41 UTC 2008
Trying to get a Solaris 10 x86 client talking to my IPA server makes it
ever so clear why IPA is needed. It took me the better part of a day to
get it sort of working.

The steps are still very rough around the edges so I'm not ready to
provide any documentation yet but I did run into some problems that I
need some guidance on.

1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
commenting this out in the IPA kdc.conf I was able to generate a usable
keytab. If this was there I got all sorts of errors. What is the impact,
if any, if we drop this? Or is there some other workaround? I tried
pulling just one enctype into the keytab, perhaps more than 1 is needed.
2. We need to add shadowAccount to the default list of user objectclasses.
3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
place using the Linux-PAM-0.99.9.0 so it works but has problems like
zero error reporting.
4. I'm not entirely certain that the pam.conf I have is doing the right
thing. I'll see about cleaning it up and posting it for review.

I run Solaris in a VM so this may be part of the problem but I was
getting an error about a non-matching network address. This was likely
due to some NATing between my Solaris VM and my IPA VM. I worked around
it for the short term by adding no_addresses=true to the Solaris krb5.conf.

I also haven't configured LDAP to use SSL. Right now it does anonymous
searches for things. I also don't have all the mappings in place, just
passwd and group.

Anyway, the things that do work:

1. getent passwd and getent group
2. id <user>
3. local user login using Kerberos credentials
4. non-local user login using Kerberos credentials
5. automatic home directory creation (hacky)
6. local user login using local credentials and no Kerberos password
lets me in

rob