[Freeipa-devel] Solaris 10 x86 client

Rob Crittenden rcritten at redhat.com
Wed Jan 9 15:25:04 UTC 2008


Simo Sorce wrote:
> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
>> ever so clear why IPA is needed. It took me the better part of a day to 
>> get it sort of working.
>>
>> The steps are still very rough around the edges so I'm not ready to 
>> provide any documentation yet but I did run into some problems that I 
>> need some guidance on.
>>
>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
>> commenting this out in the IPA kdc.conf I was able to generate a usable 
>> keytab. If this was there I got all sorts of errors. What is the impact, 
>> if any, if we drop this. Or is there some other workaround? I tried 
>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
> 
> ipa-getkeytab should be run on the machine that will get the keytab, as
> it selects only the locally supported encryption types.
> Another way is to use it on a box where you customize the permitted
> encryption types in krb5.conf to match what Solaris supports

Ok, so practically does this mean we'll need to install ipa-admintools 
on all client machines? Or how will we provide an automated way to 
provide keytabs to new client machines?

> 
>> 2. We need to add shadowAccount to the default list of user objectclasses
> 
> No please, why would we ?

It is apparently required for non-local accounts on Solaris machines. 
Login fails without this objectclass and works when it exists in the 
entry for non-local accounts.

So I have a local 'rcrit' account and I can log in fine with ssh using my 
kerberos password. My 'test' account from IPA fails when shadowAccount 
isn't in the entry.

> 
>> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in 
>> place using the Linux-PAM-0.99.9.0 so it works but has problems like 
>> zero error reporting.
> 
> Not our concern in 1.0

Ok.

>> 4. I'm not entirely certain that the pam.conf I have is doing the right 
>> thing. I'll see about cleaning it up and posting it for review.
> 
> ok
> 
>> I run Solaris in a VM so this may be part of the problem but I was 
>> getting an error about a non-matching network address. This was likely 
>> due to some NATing between my Solaris VM and my IPA VM. I worked around 
>> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
> 
> we need to document these tweaks

Definitely!

> 
>> I also haven't configured LDAP to use SSL. Right now it does anonymous 
>> searches for things. I also don't have all the mappings in place, just 
>> passwd and group.
> 
> This is ok for now, SSL adds a lot of load and I think we shouldn't
> force people to use it by default for now.

Oh, ok. Simple is good then.

> 
>> Anyway, the things that do work:
>>
>> 1. getent passwd and getent group
>> 2. id <user>
>> 3. local user login using Kerberos credentials
>> 4. non-local user login using Kerberos credentials
>> 5. automatic home directory creation (hacky)
>> 6. local user login using local credentials and no Kerberos password 
>> lets me in
> 
> Great, very good job, thanks!

Hopefully this will easily translate into a working sparc Solaris 
configuration too :-) I'm a little nervous about that since I can't as 
easily revert the box.
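The enctype point Simo raises above (ipa-getkeytab only selects enctypes the local Kerberos library supports, which is why a keytab carrying aes256-cts broke the Solaris client) can be checked directly on the keytab file. The following is an added example, not FreeIPA code and not part of this thread: a small parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, and flags entries the client cannot use. The keytab bytes are constructed by build_keytab() with placeholder keys; ASSUMED_CLIENT_ENCTYPES is an assumption for illustration (it simply omits aes256-cts, as in the thread), and the enctype numbers follow RFC 3961/3962/4757.

```python
"""Parse an MIT-format keytab and flag entries whose enctype a client cannot use.

Added example, not FreeIPA code. Keytab bytes are constructed in build_keytab();
ASSUMED_CLIENT_ENCTYPES is an assumption for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2


@dataclass
class KeytabEntry:
    principal: str
    enctype: int
    kvno: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(raw: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length followed by bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data: bytes, pos: int) -> tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def build_keytab(entries: Iterable[tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, enctype, kvno, key) tuples as keytab v2 bytes.

    Constructed test data: the keys are placeholder bytes, not real keys.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type NT-PRINCIPAL (1), a constructed timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 1199890000, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        out += struct.pack(">i", len(body)) + body  # size field excludes itself
    return bytes(out)


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), enctype, kvno, key))
    return entries


def unusable_entries(entries, supported: set[int]) -> list[tuple[str, str]]:
    """Entries the client cannot use because its Kerberos library lacks the enctype."""
    return [(e.principal, e.enctype_name) for e in entries if e.enctype not in supported]


def usable_principals(entries, supported: set[int]) -> set[str]:
    """Principals that have at least one key the client can actually use."""
    return {e.principal for e in entries if e.enctype in supported}


# Constructed keytab: one host principal keyed with aes256-cts and arcfour.
SAMPLE_KEYTAB = build_keytab([
    ("host/solaris.example.com@EXAMPLE.COM", 18, 2, b"\x11" * 32),
    ("host/solaris.example.com@EXAMPLE.COM", 23, 2, b"\x22" * 16),
])
# Same keytab with a deleted slot in front, to exercise the negative-size path.
SAMPLE_WITH_DELETED_SLOT = KEYTAB_MAGIC + struct.pack(">i", -3) + b"\x00" * 3 + SAMPLE_KEYTAB[2:]
# Assumed client enctype set for illustration: no aes256-cts, as in the thread.
ASSUMED_CLIENT_ENCTYPES = {1, 3, 16, 23}

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(f"{entry.principal} kvno={entry.kvno} {entry.enctype_name}")
    for principal, name in unusable_entries(parsed, ASSUMED_CLIENT_ENCTYPES):
        print(f"WARNING: {principal}: client cannot use {name}")
```

Run against a real keytab with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and a supported set matching the client's krb5.conf; a principal that appears only in the unusable list is the situation described in the thread, and the fix is to regenerate the keytab on the client (or with matching permitted enctypes) rather than to drop the enctype server-wide.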