[Freeipa-users] Solaris 11 client

Simo Sorce simo at redhat.com
Mon Apr 23 13:00:28 UTC 2012


On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
> >> Perform step 1-5 in the docs:
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>
> >> Please note that there is a default DUAProfile with IPA that allows you
> >> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
> >> don't understand why the documentation says to do a manual configuration of ldapclient. The
> >> example provided also does a lot of unnecessary attribute mapping.
> >
> > The documentation includes a manual configuration so one can do it if
> > desired.
> >
> 
> The documentation includes only the manual configuration. Using a DUAProfile is easier both for
> installing, and maintaining the Solaris clients as they will re-read configuration from the DUA
> profile periodically. Manual configuration should be avoided if possible.
> 
> Do you want me to open a DOC BUG to have this changed?

Please do.

> AND include a more functional DUAProfile by default configuring the clients for ethers and
> automount support as well.
> 
> Do you want me to open a ticket for this? The profile I sent in the previous email can be used as
> a template.

Yes please.


> >> However I cannot log on to the console. Enabling debugging on pam tells me:
> >>
> >>
> >> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
> >> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
> >> integrity check failed
> >>
> >> There was an issue on Solaris 10 with incorrect configuration to allow
> >> aes256 support, only aes128 and downwards were enabled by default. This does not seem to be the
> >> case for Solaris 11.
> >>
> >> Does anyone else get the same decrypt failed issue?
> >>
> >
> > I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
> >
> 
> Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in
> Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do
> not use Solaris 11 in production as per today.

Do you see anything special on the KDC side when you get that error in
the console?

Do you play with enctypes when you obtain the system keytab?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



