[Freeipa-users] Solaris 11 client

Sigbjorn Lie sigbjorn at nixtra.com
Sun Apr 22 22:17:05 UTC 2012


On 04/20/2012 05:53 PM, Rob Crittenden wrote:
> johan petersson wrote:
>> Hi,
>>
>> I need to add several Solaris 11 servers as clients to a Freeipa server
>> and wonder if there is anyone that have done so successfully?
>> The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
>> on Solaris 11.
>> I have tried with the guide for Solaris 11 but do not get it to work
>> except for the kerberos configuration.
>>
>> id testuser or su - testuser do not work but kinit testuser does.
>
> What did you use to configure the Solaris 11 client, ldapinit?
>
> Can you see any connections in the IPA LDAP server from this client? 
> (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is 
> buffered so it may take 30s to be seen).
>

I've tested with Solaris 11, using the same setup I used for Solaris 10 
with almost success.

Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns" 
from the hosts and ipnodes databases. Also remove "ldap" from the 
networks, protocols, rpc, netmasks, bootparams, publickey, services 
databases.

Perform steps 1-5 in the docs: 
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

Please note that there is a default DUAProfile with IPA that allows you 
to skip the manual configuration of ldapclient, and just do "ldapclient 
init ipa-server-fqdn". I don't understand why the documentation says to 
do a manual configuration of ldapclient. The example provided also does 
a lot of unnecessary attribute mapping.

I'm also using cn=groups,cn=compat for Solaris, and NOT 
cn=groups,cn=accounts like the documentation states.

Step 6 in the documentation does not work and apparently is not 
supported. All keytabs must be retrieved using the ipa-getkeytab command.

Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
$ ipa-getkeytab -s ipa01 -p host/solaris11.ix.test.com -k /tmp/solaris11.keytab

Copy the solaris11.keytab file from the IPA server to 
/etc/krb5/krb5.conf on the Solaris machine.

Login now works for me using SSH. The automounter works, looking up 
aliases for sendmail works, looking up netgroups works. Additional 
"serviceSearchDescriptor" entries must be added for the 
automounter, aliases, and sendmail aliases to work. Please see the 
attached profile.ldif file for details of the DUA config profile I'm 
using with Solaris clients using SSL.

SSL connection for the client also works, but you need to convert the 
certificate into PEM format and create a cert database using certutil 
that's placed in the /var/ldap directory. I'm using SSL connections on 
both Solaris 10 and 11 with success.



However I cannot log on to the console. Enabling debugging on pam tells me:

Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): 
attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt 
integrity check failed

There was an issue on Solaris 10 with incorrect configuration to allow 
aes256 support, only aes128 and downwards were enabled by default. This 
does not seem to be the case for Solaris 11.

Does anyone else get the same decrypt failed issue?


Regards,
Siggi
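The nsswitch.ldap edit described at the top of the post (hosts and ipnodes switched from "ldap" to "dns", "ldap" dropped from networks, protocols, rpc, netmasks, bootparams, publickey and services) as a small added script, not something from the post or from the FreeIPA project. The sample nsswitch.ldap content is constructed here; the choice to also drop a "[STATUS=action]" clause that directly followed a removed "ldap" source, and to fall back to "files" if a database would otherwise be left with no source, are assumptions of this example, not instructions from the post.

```python
# Added example: apply the nsswitch.ldap edits from the post to file text.
# Run it on a copy of /etc/nsswitch.ldap and diff before installing.
import sys

REPLACE_WITH_DNS = {"hosts", "ipnodes"}
DROP_LDAP = {"networks", "protocols", "rpc", "netmasks",
             "bootparams", "publickey", "services"}

# Constructed sample in the Solaris nsswitch.ldap style (not a real file).
SAMPLE_NSSWITCH = """\
# constructed sample nsswitch.ldap
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
netmasks:   ldap [NOTFOUND=return] files
bootparams: ldap
publickey:  ldap [NOTFOUND=return] files
services:   ldap [NOTFOUND=return] files
automount:  files ldap
aliases:    files ldap
"""


def rewrite_nsswitch(text):
    """Return the nsswitch text with the post's edits applied, keeping
    comments, blank lines and the original column alignment."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in line:
            out.append(line)
            continue
        db, _, sources = line.partition(":")
        name = db.strip()
        pad = sources[:len(sources) - len(sources.lstrip())]
        tokens = sources.split()
        if name in REPLACE_WITH_DNS:
            # ldap -> dns, then drop a duplicate dns if one was already listed
            tokens = ["dns" if t == "ldap" else t for t in tokens]
            seen, deduped = set(), []
            for t in tokens:
                if t == "dns" and t in seen:
                    continue
                seen.add(t)
                deduped.append(t)
            tokens = deduped
        elif name in DROP_LDAP:
            kept, drop_status = [], False
            for t in tokens:
                if t == "ldap":
                    drop_status = True      # also drop its trailing [STATUS=..]
                    continue
                if drop_status and t.startswith("["):
                    drop_status = False
                    continue
                drop_status = False
                kept.append(t)
            tokens = kept or ["files"]      # assumption: never leave a db empty
        out.append(f"{db}:{pad}{' '.join(tokens)}")
    return "\n".join(out) + "\n"


def sources(text, name):
    """Source tokens configured for database `name` in nsswitch text."""
    for line in text.splitlines():
        db, sep, rest = line.partition(":")
        if sep and db.strip() == name:
            return rest.split()
    return None


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NSSWITCH
    sys.stdout.write(rewrite_nsswitch(data))
```

Running the script with no argument prints the rewritten constructed sample; with a path it rewrites that file to stdout so the result can be reviewed before it replaces anything.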

-------------- next part --------------
A non-text attachment was scrubbed...
Name: profile.ldif
Type: text/x-ldif
Size: 1196 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120423/9ca93591/attachment.bin>
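The post ends with a "Decrypt integrity check failed" from pam_krb5 and a note that, on Solaris 10, the client only had aes128 and lower enabled by default. One thing worth checking when chasing that kind of error is which encryption types the host keytab actually holds versus which ones the client is configured to use. The following added example (mine, not from the post or from FreeIPA) parses an MIT-format keytab, such as the one ipa-getkeytab writes, and reports the enctype and kvno of each entry together with the overlap against a set of client enctypes. The sample keytab bytes, the realm IX.TEST.COM and the "Solaris 10 default" enctype set are constructed for the example; the real client set comes from krb5.conf.

```python
# Added example: inspect an MIT keytab (format 0x0502) for enctype overlap.
import struct
import sys

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Assumed client set: "aes128 and downwards", as the post describes for Solaris 10.
SOLARIS10_DEFAULT = {17, 23, 16, 3, 1}


def build_keytab(entries):
    """Build keytab bytes from (principal, kvno, enctype, key) tuples.
    Only used to construct the sample input; ipa-getkeytab writes the real one."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4 + 4                 # name type, timestamp
        kvno = data[pos]; pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                  # key material is not needed for the report
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries


def usable_keys(entries, client_enctypes):
    """Keytab entries whose enctype the client is configured to use."""
    return [e for e in entries if e[2] in client_enctypes]


def report(data, client_enctypes):
    lines = []
    entries = parse_keytab(data)
    for principal, kvno, etype in entries:
        ok = "usable" if etype in client_enctypes else "NOT in client enctypes"
        lines.append(f"{principal} kvno={kvno} etype={etype} "
                     f"({ENCTYPE_NAMES.get(etype, 'unknown')}) {ok}")
    if not usable_keys(entries, client_enctypes):
        lines.append("no keytab entry matches the client enctypes")
    return "\n".join(lines)


# Constructed sample: an aes256-only key plus an arcfour key for the same host.
SAMPLE_KEYTAB = build_keytab([
    ("host/solaris11.ix.test.com@IX.TEST.COM", 2, 18, bytes(32)),
    ("host/solaris11.ix.test.com@IX.TEST.COM", 2, 23, bytes(16)),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print(report(data, SOLARIS10_DEFAULT))
```

Point it at the copied keytab on the client and compare the listed enctypes with the permitted_enctypes / default_tkt_enctypes values in the client's krb5.conf; an entry reported as "NOT in client enctypes" cannot be used by that client no matter what the KDC issued.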