Configuring a Solaris 11.3 system as a FreeIPA client. I've read various 
articles, mailing list archives, and pages found on Google trying to figure out 
how to properly make this work. So far, I've only gotten the ability to do su - 
u...@domain.tld and check getent passwd/group. This successfully works. The 
things that do not work are ssh and console logins. This is what I've tried so 
far:

Setting authenticationMethod to 'simple:tls'
  -> My service account never seems to work and the log says: "libsldap: 
Status: 53  Mesg: openConnection: simple bind failed - DSA is unwilling to 
perform"
  -> "libsldap: Status: 49  Mesg: openConnection: simple bind failed - Invalid 
credentials" - This isn't the case, as I've tried the credentials multiple times 
using ldapsearch commands with success. My credentials for my users are correct, 
since I can log in to a CentOS 6 and CentOS 7 client perfectly fine.

These are the steps I took:

 -> Create host in IPA
 -> ipa-getkeytab and transferred it to the client
 -> Created nss database with CA certificate and placed it in /var/ldap with 
proper permissions
 -> Configured /etc/krb5/krb5.conf
 -> Configured nsswitch.conf to be files ldap
 -> Configured /etc/pam.d/* files accordingly
 -> Used ldapclient init on the client

Here are my kinit and LDAP tests.

# kinit admin
Password for ad...@ipa.example.com: 
kinit:  no ktkt_warnd warning possible
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@ipa.example.com

Valid starting     Expires            Service principal
09/13/17 16:22:29  09/14/17 16:22:29  krbtgt/ipa.example....@ipa.example.com
        renew until 09/20/17 16:22:29

# ldaplist -l passwd louis.abel
dn: uid=louis.abel,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: top
        gidNumber: 1006800013
        gecos: Louis Abel
        uidNumber: 25439
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel
        uid: louis.a...@ad.example.com
        uid: louis.abel

# ldaplist -l passwd louis.abel2
dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: top
        gidNumber: 1006800001
        gecos: Louis Abel
        uidNumber: 1006800001
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel2
        uid: louis.ab...@ipa.example.com
        uid: louis.abel2

dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
        cn: Louis Abel
        objectClass: posixAccount
        objectClass: ipaOverrideTarget
        objectClass: top
        gidNumber: 1006800001
        gecos: Louis Abel
        uidNumber: 1006800001
        ipaAnchorUUID: :IPA:ipa.example.com:8babb9a8-5aaf-11e7-9769-00505690319e
        loginShell: /bin/bash
        homeDirectory: /home/louis.abel2
        uid: louis.abel2

My PAM configuration files:

/etc/pam.d/other

auth definitive         pam_user_policy.so.1
auth sufficient         pam_krb5.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth binding            pam_unix_auth.so.1 server_policy
auth required           pam_unix_cred.so.1
auth sufficient         pam_krb5.so.1
account requisite       pam_roles.so.1
account definitive      pam_user_policy.so.1
account binding         pam_unix_account.so.1 server_policy
account required        pam_unix_account.so.1
account required        pam_krb5.so.1
account required        pam_tsol_account.so.1
session definitive      pam_user_policy.so.1
session required        pam_unix_session.so.1
password definitive     pam_user_policy.so.1
password include        pam_authtok_common
password sufficient     pam_krb5.so.1
password required       pam_authtok_store.so.1 server_policy

/etc/pam.d/login

auth    requisite       pam_authtok_get.so.1
auth    required        pam_dhkeys.so.1
auth    required        pam_unix_cred.so.1
auth    sufficient      pam_krb5.so.1 try_first_pass
auth    required        pam_unix_auth.so.1 use_first_pass
auth    required        pam_dial_auth.so.1

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
NS_LDAP_BINDPASSWD= removed
NS_LDAP_SERVERS= pentl01.ipa.example.com, pentl02.ipa.example.com, pentl03.ipa.example.com, sentl01.ipa.example.com, sentl02.ipa.example.com, sentl03.ipa.example.com
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= default solaris_authssl
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=ipa,dc=example,dc=com
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup

nsswitch changes:

passwd: files ldap [NOTFOUND=return]
group:  files ldap [NOTFOUND=return]

This is what I looked at:

https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html
https://www.redhat.com/archives/freeipa-users/2015-January/msg00017.html
http://etcfstab.com/oraclelinux/solaris_n_freeipa.html
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.3/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Anyone have better experience or any documentation that could help?
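Added example, not part of the original post: a small POSIX sh lint that reads an `ldapclient list` dump like the one above and flags the settings a FreeIPA compat-tree client depends on (a TLS-protected or GSSAPI bind rather than a cleartext `simple` bind, a bind DN when a proxy bind is used, and passwd/group search descriptors under cn=compat), plus a helper that decodes the numeric `Status:` in libsldap log lines into its RFC 4511 result-code name. The valid NS_LDAP_AUTH values and the cn=compat requirement are taken from the Solaris ldapclient documentation and the FreeIPA Solaris client guide linked above; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Lint a Solaris `ldapclient list`
# dump for FreeIPA client pitfalls and decode libsldap "Status: NN" codes.

# libsldap logs the raw LDAP result code; names per RFC 4511.
ldap_status_name() {
    case "$1" in
        0)  echo success ;;
        13) echo confidentialityRequired ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        53) echo unwillingToPerform ;;
        81) echo serverDown ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Extract "Status: NN" from a libsldap syslog line and print "NN name".
libsldap_status() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*Status: *\([0-9][0-9]*\).*/\1/p')
    [ -n "$code" ] || { echo "no status"; return 1; }
    echo "$code $(ldap_status_name "$code")"
}

# Print the value(s) of key $1 from the ldapclient dump held in $2.
cfg_val() { printf '%s\n' "$2" | sed -n "s/^$1= *//p"; }

# Read an `ldapclient list` dump on stdin; print one FAIL line per finding.
# Returns 0 when every check passes, 1 otherwise.
check_ldapclient() {
    rc=0
    cfg=$(cat)
    auth=$(cfg_val NS_LDAP_AUTH "$cfg")
    # Valid ldapclient values include simple, tls:simple, sasl/GSSAPI, tls:sasl/*.
    case "$auth" in
        tls:simple|sasl/GSSAPI|tls:sasl/*) ;;
        simple) echo "FAIL: NS_LDAP_AUTH=simple sends the bind password in cleartext"; rc=1 ;;
        *) echo "FAIL: NS_LDAP_AUTH='$auth' is not a valid value (e.g. tls:simple)"; rc=1 ;;
    esac
    # A proxy (simple) bind needs a bind DN; GSSAPI uses the host keytab instead.
    case "$auth" in
        *simple) [ -n "$(cfg_val NS_LDAP_BINDDN "$cfg")" ] \
            || { echo "FAIL: no NS_LDAP_BINDDN for simple bind"; rc=1; } ;;
    esac
    # Solaris has no SSSD, so passwd/group must come from FreeIPA's compat tree,
    # which presents plain RFC 2307 posixAccount/posixGroup entries.
    for svc in passwd group; do
        cfg_val NS_LDAP_SERVICE_SEARCH_DESC "$cfg" | grep -q "^$svc:.*cn=compat," \
            || { echo "FAIL: $svc search descriptor does not point at cn=compat"; rc=1; }
    done
    return $rc
}
```

Run it as `ldapclient list | sh -c '. ./lint.sh; check_ldapclient'` on the client, and feed the `libsldap:` lines from /var/adm/messages to `libsldap_status` to name the result code.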