[Freeipa-devel] Solaris 10 x86 client

Rob Crittenden rcritten at redhat.com
Wed Jan 9 04:33:41 UTC 2008


Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
ever so clear why IPA is needed. It took me the better part of a day to 
get it sort of working.

The steps are still very rough around the edges so I'm not ready to 
provide any documentation yet but I did run into some problems that I 
need some guidance on.

1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
commenting this out in the IPA kdc.conf I was able to generate a usable 
keytab. If this was there I got all sorts of errors. What is the impact, 
if any, if we drop this? Or is there some other workaround? I tried 
pulling just one enctype into the keytab, perhaps more than 1 is needed.

2. We need to add shadowAccount to the default list of user objectclasses.

3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in 
place using the Linux-PAM-0.99.9.0 so it works but has problems like 
zero error reporting.

4. I'm not entirely certain that the pam.conf I have is doing the right 
thing. I'll see about cleaning it up and posting it for review.

I run Solaris in a VM so this may be part of the problem but I was 
getting an error about a non-matching network address. This was likely 
due to some NATing between my Solaris VM and my IPA VM. I worked around 
it for the short term by adding no_addresses=true to the Solaris krb5.conf.

I also haven't configured LDAP to use SSL. Right now it does anonymous 
searches for things. I also don't have all the mappings in place, just 
passwd and group.

Anyway, the things that do work:

1. getent passwd and getent group
2. id <user>
3. local user login using Kerberos credentials
4. non-local user login using Kerberos credentials
5. automatic home directory creation (hacky)
6. local user login using local credentials and no Kerberos password 
lets me in

rob
