[Freeipa-users] Solaris 11 client

Rob Crittenden rcritten at redhat.com
Sun Apr 22 23:31:48 UTC 2012


Sigbjorn Lie wrote:
> On 04/20/2012 05:53 PM, Rob Crittenden wrote:
>> johan petersson wrote:
>>> Hi,
>>>
>>> I need to add several Solaris 11 servers as clients to a Freeipa server
>>> and wonder if there is anyone who has done so successfully?
>>> The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
>>> on Solaris 11.
>>> I have tried with the guide for Solaris 11 but do not get it to work
>>> except for the kerberos configuration.
>>>
>>> id testuser or su - testuser do not work but kinit testuser does.
>>
>> What did you use to configure the Solaris 11 client, ldapinit?
>>
>> Can you see any connections in the IPA LDAP server from this client?
>> (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is
>> buffered so it may take 30s to be seen).
>>
>
> I've tested with Solaris 11, using the same setup I used for Solaris 10
> with almost success.
>
> Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns"
> from the hosts and ipnodes databases. Also remove "ldap" from the
> networks, protocols, rpc, netmasks, bootparams, publickey, services
> databases.
>
> Perform steps 1-5 in the docs:
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>
> Please note that there is a default DUAProfile with IPA that allows you
> to skip the manual configuration of ldapclient, and just do "ldapclient
> init ipa-server-fqdn". I don't understand why the documentation says to
> do a manual configuration of ldapclient. The example provided also does
> a lot of unnecessary attribute mapping.

The documentation includes a manual configuration so one can do it if
desired.

> I'm also using cn=groups,cn=compat for Solaris, and NOT
> cn=groups,cn=accounts like the documentation states.
>
> Step 6 in the documentation does not work and apparently is not
> supported. All keytabs must be retrieved using the ipa-getkeytab command.
>
> Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
> $ ipa-getkeytab -s ipa01 -p host/solaris11.ix.test.com -k
> /tmp/solaris11.keytab
>
> Copy the solaris11.keytab file from the IPA server to
> /etc/krb5/krb5.conf on the Solaris machine.

Yes, we noticed this as well. This will be fixed when the updated 2.2
documentation gets released.

>
> Login now works for me using SSH. The automounter works, looking up
> aliases for sendmail works, looking up netgroups works. Additional
> "serviceSearchDescriptor" entries must be added for the
> automounter, aliases, and sendmail aliases to work. Please see the
> attached profile.ldif file for details of the DUA config profile I'm
> using with Solaris clients using SSL.
>
> SSL connection for the client also works, but you need to convert the
> certificate into PEM format and create a cert database using certutil
> that's placed in the /var/ldap directory. I'm using SSL connections on
> both Solaris 10 and 11 with success.
>
> However I cannot log on to the console. Enabling debugging on pam tells me:
>
> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
> integrity check failed
>
> There was an issue on Solaris 10 with incorrect configuration to allow
> aes256 support; only aes128 and downwards were enabled by default. This
> does not seem to be the case for Solaris 11.
>
> Does anyone else get the same decrypt failed issue?

I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.

rob
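The /etc/nsswitch.ldap edits Sigbjorn describes (hosts/ipnodes: "ldap" becomes "dns"; "ldap" dropped from networks, protocols, rpc, netmasks, bootparams, publickey and services), as an added example that is not code from the thread or from FreeIPA. The function name fix_nsswitch_ldap is made up here, and the script assumes the Solaris nsswitch syntax in which a bracketed "[status=action]" token qualifies the source listed just before it:

```shell
#!/bin/sh
# Added example, not code from the thread: apply the nsswitch.ldap edits the
# post describes (hosts/ipnodes: ldap -> dns; drop ldap from the other listed
# databases). Reads a Solaris nsswitch file on stdin, writes the result on
# stdout. Assumption: a bracketed "[status=action]" token qualifies the source
# just before it, so it is dropped together with a removed "ldap".

fix_nsswitch_ldap() {
    awk '
    BEGIN {
        split("hosts ipnodes", a, " ")
        for (i in a) to_dns[a[i]] = 1
        split("networks protocols rpc netmasks bootparams publickey services", b, " ")
        for (i in b) to_strip[b[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }      # comments and blank lines as-is
    {
        db = $1; sub(/:$/, "", db)                # "hosts:" -> "hosts"
        if (!(db in to_dns) && !(db in to_strip)) { print; next }
        out = $1; drop = 0; split("", seen)
        for (i = 2; i <= NF; i++) {
            src = $i
            if (src == "ldap") {
                if (db in to_strip) { drop = 1; continue }
                src = "dns"
            }
            if (src ~ /^\[/) {                    # status criterion token
                if (drop) { drop = 0; continue }  # belonged to the removed ldap
            } else {
                drop = 0
                if (src in seen) continue         # avoid "dns dns" when both listed
                seen[src] = 1
            }
            out = out " " src
        }
        print out
    }'
}

# Constructed sample of a stock nsswitch.ldap (abridged) to run it against.
SAMPLE='# /etc/nsswitch.ldap (constructed sample)
passwd:     files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap dns files
networks:   ldap [NOTFOUND=return] files
services:   files ldap
netgroup:   ldap'

# On a real host: fix_nsswitch_ldap < /etc/nsswitch.ldap > /tmp/nsswitch.ldap.new
printf '%s\n' "$SAMPLE" | fix_nsswitch_ldap
```

Review the rewritten file before copying it over /etc/nsswitch.ldap; lines for databases the post does not mention are passed through untouched.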
