[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] AD trust users cannot login to Solaris



On Mon, 16 Mar 2015, nathan@nathanpeters.com wrote:
>> and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>> into /var/ldap's database with certutil:
>>    # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
>
> Ok, following your advice I installed the SUNWtlsu package (prepares rant
> about how the top 3 pages of google results didn't tell me which darn
> package certutil was actually in) and now I have certutil on the system.
> I copied the ca.crt file from my FreeIPA controller to the /tmp directory
> on Solaris, and then ran
>    # certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
>
> It worked!  The difference was that running that certutil command creates
> /var/ldap/secmod.db.  secmod.db is required for TLS to work.  Without
> secmod.db existing, you can use simple, but not tls:simple.
>
> So I can now login with both AD and FreeIPA users on this machine, get the
> correct shell, correct home directory, and the ability to sudo.
>
> However...
>
> I can only do this through SSH.  I have run into some really strange
> Solaris behavior when I try to login through the console. I added the
> following entries to my /etc/pam.conf
>
> login   auth sufficient         pam_ldap.so.1
> login   auth sufficient         pam_krb5.so.1
>
> Apparently, Solaris has a total name limit of 31 characters, that only
> applies to the [login] section and not to the [other] section.
>
> So if I ssh I can login with a user named
> 'someusernames@subdomain1.topleveldom.net' (AD user)
>
> However, if I console login, my pam logs indicate that it is being chopped
> down to 'someusernames@subdomain1.toplev' before being passed on to ldap.
> This causes ldap to throw the following error:
>
> /usr/lib/security/pam_ldap.so.1 returned System error
>
> I created a really short AD username called
> 'abc@subdomain1.topleveldom.net' which just barely fit in 31 characters
> and it could login fine.
>
> So my next question is (and I know you guys are not Solaris experts, but
> any help is appreciated): Is there a way to set the default domain so
> that AD users do not have to type their domain suffix?  Currently, it is
> backward and IPA users can login as 'ipauser1' without a suffix, but AD
> users have to type their suffix.
>
> I know this can be done in Linux with sssd.conf and I have that working
> for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
> trying to figure out how to do this.
>
> I have already tried setting the default_domain and default_realm flags in
> /etc/krb5/krb5.conf but that doesn't work at all because AD users are
> authenticated through LDAP.  I also tried the ldapclient init with
> '-a domainName=addomain.net' but that did not work either.
>
> Is there even a way to do this in Solaris for LDAP users?  Without the
> ability to skip the domain name for AD users, I am stuck with either no
> console login for AD or having all AD users with only 3 character names
> due to the length of the fqdn.

The best collection of Solaris bug numbers in this area is this blog
post by Casper Dik, who is a member of the Solaris engineering team:
https://blogs.oracle.com/casper/entry/solaris_11_2_no_limits

We don't have much space in the compat tree here to handle name aliases
because in SSSD case there is SSSD at the client that can unwrap the
name to its fully qualified form before asking IPA master for the name
resolution. In the compat tree we get what we get from a client in the
form of an LDAP request.

Theoretically there is a possibility that short names would work with
FreeIPA 4.1 where we have support for ID views -- one could define an ID
override for the AD user in a Solaris-specific ID view, but this is only
possible in RHEL 7.1 and Fedora 21.

--
/ Alexander Bokovoy

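A preflight script for the two failure modes the thread runs into, added here as an example and not part of the original exchange or of FreeIPA/Solaris tooling. It assumes the legacy NSS database layout under /var/ldap (cert8.db, key3.db, secmod.db) that certutil creates, the 31-character console login name limit observed above, and the nickname "CA" used in the certutil command; the sample user and domain names are constructed from the thread's examples, with the "@" and "." separators assumed (the archive strips them).

```shell
#!/bin/sh
# Preflight checks for a Solaris ldapclient authenticating AD trust users
# against the FreeIPA compat tree over tls:simple. Added example; assumed
# paths and limits are noted inline.

NSS_DIR="${NSS_DIR:-/var/ldap}"   # assumed: ldapclient's NSS database directory
LOGIN_NAME_MAX=31                 # limit seen for the [login] PAM service in the thread

# check_nss_db DIR: succeed only if all three legacy NSS database files exist.
# The thread's observation: without secmod.db, 'simple' works but 'tls:simple' fails.
check_nss_db() {
    dir="$1"
    rc=0
    for f in cert8.db key3.db secmod.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f (tls:simple will not work without it)" >&2
            rc=1
        fi
    done
    return $rc
}

# show_ca_trust DIR NICK: print the imported CA with its trust flags (expect "CT,,").
# Returns 2 when certutil (SUNWtlsu on Solaris) is not installed.
show_ca_trust() {
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found; install the SUNWtlsu package" >&2
        return 2
    fi
    certutil -L -d "$1" -n "$2"
}

# console_login_name USER DOMAIN: print the fully qualified name the console
# login path will hand to pam_ldap, cut to LOGIN_NAME_MAX characters the way
# the thread observed. Returns 1 when the name was truncated (login will fail).
console_login_name() {
    full="$1@$2"
    if [ "${#full}" -gt "$LOGIN_NAME_MAX" ]; then
        printf '%s' "$full" | cut -c1-"$LOGIN_NAME_MAX"
        echo
        return 1
    fi
    printf '%s\n' "$full"
    return 0
}

main() {
    check_nss_db "$NSS_DIR" && show_ca_trust "$NSS_DIR" CA
    # constructed sample names, modelled on the thread's examples
    for u in someusernames abc; do
        if n=$(console_login_name "$u" subdomain1.topleveldom.net); then
            echo "$u: ok as '$n'"
        else
            echo "$u: console login would see '$n' (truncated)"
        fi
    done
}

# Run the checks only when explicitly asked, so the functions can be sourced.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_PREFLIGHT=1 sh preflight.sh` on the Solaris client; a missing secmod.db or a truncated login name is reported before you touch pam.conf or ldapclient.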
