[Freeipa-devel] Solaris 10 x86 client
Rob Crittenden
rcritten at redhat.com
Wed Jan 9 15:25:04 UTC 2008
Simo Sorce wrote:
> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
>> ever so clear why IPA is needed. It took me the better part of a day to
>> get it sort of working.
>>
>> The steps are still very rough around the edges so I'm not ready to
>> provide any documentation yet but I did run into some problems that I
>> need some guidance on.
>>
>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
>> commenting this out in the IPA kdc.conf I was able to generate a usable
>> keytab. If this was there I got all sorts of errors. What is the impact,
>> if any, if we drop this. Or is there some other workaround? I tried
>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
>
> ipa-getkeytab should be run on the machine that will get the keytab, as
> it selects only the locally supported encryption types.
> Another way is to use it on a box where you customize the permitted
> encryption types in krb5.conf to match what Solaris supports
Ok, so practically does this mean we'll need to install ipa-admintools
on all client machines? Or how will we provide an automated way to
provide keytabs to new client machines?
>
>> 2. We need to add shadowAccount to the default list of user objectclasses
>
> No please, why would we ?
It is apparently required for non-local accounts on Solaris machines.
Login fails without this objectclass and works when it exists in the
entry for non-local accounts.
So I have a local 'rcrit' account and I can login fine with ssh using my
kerberos password. My 'test' account from IPA fails when shadowAccount
isn't in the entry.
>
>> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
>> place using the Linux-PAM-0.99.9.0 so it works but has problems like
>> zero error reporting.
>
> Not our concern in 1.0
Ok.
>> 4. I'm not entirely certain that the pam.conf I have is doing the right
>> thing. I'll see about cleaning it up and posting it for review.
>
> ok
>
>> I run Solaris in a VM so this may be part of the problem but I was
>> getting an error about a non-matching network address. This was likely
>> due to some NATing between my Solaris VM and my IPA VM. I worked around
>> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
>
> we need to document these tweaks
Definitely!
>
>> I also haven't configured LDAP to use SSL. Right now it does anonymous
>> searches for things. I also don't have all the mappings in place, just
>> passwd and group.
>
> This is ok for now, SSL adds a lot of load and I think we shouldn't
> force people to use it by default for now.
Oh, ok. Simple is good then.
>
>> Anyway, the things that do work:
>>
>> 1. getent passwd and getent group
>> 2. id <user>
>> 3. local user login using Kerberos credentials
>> 4. non-local user login using Kerberos credentials
>> 5. automatic home directory creation (hacky)
>> 6. local user login using local credentials and no Kerberos password
>> lets me in
>
> Great, very good job, thanks!
Hopefully this will easily translate into a working sparc Solaris
configuration too :-) I'm a little nervous about that since I can't as
easily revert the box.
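An added example, not code from this thread or from FreeIPA itself: a small Python audit that reads user entries exported as LDIF and reports any posixAccount entry that lacks shadowAccount, the objectClass point 2 above found Solaris needs for non-local logins. The LDIF sample below is constructed for the example.

```python
"""Audit LDIF user entries for the objectClasses Solaris 10 expects.

Constructed example: flags posixAccount entries that are missing
shadowAccount, which the thread found breaks non-local Solaris logins.
"""
from typing import Dict, List

# objectClasses a Solaris 10 client was observed to require (assumption:
# posixAccount for passwd/group lookups, shadowAccount for login).
REQUIRED_CLASSES = {"posixaccount", "shadowaccount"}

# Constructed sample: one entry carries shadowAccount, one does not.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
uid: alice

dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: test
description: constructed entry that
  lacks shadowAccount
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    splits entries on blank lines, folds attribute names to lower case."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]       # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_solaris_classes(ldif_text: str) -> Dict[str, List[str]]:
    """Return {uid: [missing objectClasses]} for posixAccount entries
    that would fail Solaris login; compliant entries are omitted."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        missing = sorted(REQUIRED_CLASSES - classes)
        if missing:
            report[entry["uid"][0]] = missing
    return report


if __name__ == "__main__":
    for uid, missing in missing_solaris_classes(SAMPLE_LDIF).items():
        print(f"{uid}: missing {', '.join(missing)}")
```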