[Freeipa-devel] Solaris 10 x86 client

Simo Sorce ssorce at redhat.com
Wed Jan 9 15:41:15 UTC 2008


On Wed, 2008-01-09 at 10:25 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
> >> Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
> >> ever so clear why IPA is needed. It took me the better part of a day to 
> >> get it sort of working.
> >>
> >> The steps are still very rough around the edges so I'm not ready to 
> >> provide any documentation yet but I did run into some problems that I 
> >> need some guidance on.
> >>
> >> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
> >> commenting this out in the IPA kdc.conf I was able to generate a usable 
> >> keytab. If this was there I got all sorts of errors. What is the impact, 
> >> if any, if we drop this. Or is there some other workaround? I tried 
> >> pulling just one enctype into the keytab, perhaps more than 1 is needed.
> > 
> > ipa-getkeytab should be run on the machine that will get the keytab, as
> > it selects only the locally supported encryption types.
> > Another way is to use it on a box where you customize the permitted
> > encryption types in krb5.conf to match what Solaris supports
> 
> Ok, so practically does this mean we'll need to install ipa-admintools 
> on all client machines? Or how will we provide an automated way to 
> provide keytabs to new client machines?

I think the keytab util is in the client tools, I put it there on
purpose.

> > 
> >> 2. We need to add shadowAccount to the default list of user objectclasses
> > 
> > No please, why would we ?
> 
> It is apparently required for non-local accounts on Solaris machines. 
> Login fails without this objectclass and works when it exists in the 
> entry for non-local accounts.

Bah, is there any chance there is a toggle to switch this requirement
off ?
Do they have the shadow target in nsswitch ? Maybe remove ldap from it ?

> So I have a local 'rcrit' account and I can login fine with ssh using my 
> kerberos password. My 'test' account from IPA fails when shadowAccount 
> isn't in the entry.

I hope it can be toggled, shadowAccount is not nice, and would add a lot
of parameters we simply ignore that control user accounts (in theory),
like expiration and other things. Adding support to synchronize those
fields would require a new module which I am not willing to build just for
Solaris unless we have no other option.
Plus that objectclass sucks :)

> Hopefully this will easily translate into a working sparc Solaris 
> configuration too :-) I'm a little nervous about that since I can't as 
> easily revert the box.

I think testing on Solaris 10 x86 gets us reasonably close to assume
that once it works, the sparc version will work too.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
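Added example, not part of the thread and not FreeIPA project code: the helper-box workaround Simo describes above, written out as a POSIX shell script. It writes a private krb5.conf that permits only the enctypes the Solaris 10 client is assumed to support, shows where the ipa-getkeytab call goes, and checks a `klist -ke` listing of the fetched keytab for enctypes the client cannot use before the file is copied over. The enctype list, the ipa-getkeytab -s/-p/-k options, the example realm and host names, the Solaris keytab path, and the listing format of the constructed sample are all assumptions, not things the thread states.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or the thread's authors.
# It follows the workaround Simo describes: fetch the keytab from a helper
# box whose krb5.conf only permits enctypes the Solaris 10 client supports,
# then check the keytab before copying it to the client.
#
# Assumptions (not stated in the thread): the enctype list below, the
# ipa-getkeytab -s/-p/-k options, the example realm and host names, and the
# `klist -ke` listing format of the constructed sample at the bottom.

# Enctypes assumed usable by the Solaris 10 client; aes256-cts is left out,
# since the thread reports it breaks the Solaris 10 x86 client.
SOLARIS_ENCTYPES="des-cbc-crc des-cbc-md5 des3-cbc-sha1 arcfour-hmac"

# Write a throwaway krb5.conf for the helper box. Selecting it through
# KRB5_CONFIG confines the restriction to the shell that fetches the keytab
# instead of weakening the helper box's own /etc/krb5.conf.
write_helper_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
  default_realm = EXAMPLE.COM
  permitted_enctypes = $SOLARIS_ENCTYPES
  default_tkt_enctypes = $SOLARIS_ENCTYPES
  default_tgs_enctypes = $SOLARIS_ENCTYPES
EOF
}

# Given a `klist -ke` listing (argument 1) and a space-separated allow list
# (argument 2), print every enctype present in the keytab that the client
# cannot use. Returns 0 when the keytab is clean, 1 when it is not.
unsupported_enctypes() {
    listing="$1"
    allowed="$2"
    rc=0
    # Each key line ends in "(enctype-name)"; pull the name out of the parens.
    for etype in $(printf '%s\n' "$listing" | sed -n 's/.*(\([^)]*\)).*/\1/p' | sort -u); do
        case " $allowed " in
            *" $etype "*) ;;
            *) echo "$etype"; rc=1 ;;
        esac
    done
    return $rc
}

# The procedure itself, run on a box that has the IPA client tools
# (assumed ipa-getkeytab options; check the man page for your version):
#
#   write_helper_krb5_conf /tmp/solaris-krb5.conf
#   KRB5_CONFIG=/tmp/solaris-krb5.conf ipa-getkeytab -s ipa.example.com \
#       -p host/sol10.example.com@EXAMPLE.COM -k /tmp/solaris.keytab
#   unsupported_enctypes "$(klist -ke /tmp/solaris.keytab)" "$SOLARIS_ENCTYPES" \
#       && scp /tmp/solaris.keytab sol10.example.com:/etc/krb5/krb5.keytab

# Constructed `klist -ke` listing standing in for a keytab fetched without the
# restriction; the aes256 key is what the check should flag.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/tmp/solaris.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sol10.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/sol10.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/sol10.example.com@EXAMPLE.COM (arcfour-hmac)'

if unsupported_enctypes "$SAMPLE_KEYTAB_LISTING" "$SOLARIS_ENCTYPES"; then
    echo "keytab is usable by the Solaris client"
else
    echo "keytab contains enctypes the Solaris client cannot use (listed above)"
fi
```

The check is the useful part: a keytab that still carries an aes256-cts key reproduces the errors Rob ran into, and `klist -ke` on the helper box shows that before the file is shipped. Keeping the restriction in a private krb5.conf selected through KRB5_CONFIG means the helper box's own configuration keeps the stronger types for everything else it does.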
