Hi,

Has anybody successfully setup up a Solaris 11 client (SunOS solaris 5.11 11.0 i86pc i386 i86pc Solaris) with FreeIPA?


I have FreeIPA 2.4.1 running on Fedora 16. I've successfully configured Fedora, Ubuntu, Mint and FreeBSD clients but for some reason Solaris 11 isn't working.

The Solaris 11 box correctly 'sees' user details for example:

---

root@solaris:~# id exampleuser
uid=2001(exampleuser) gid=2001(exampleuser) groups=2001(exampleuser),199000001(ipausers)

root@solaris:~# finger exampleuser
Login name: exampleuser                 In real life: Example User
Directory: /home/exampleuser            Shell: /bin/bash
Never logged in.
No unread mail
No Plan.

---

I can successfully obtain a Kerberos ticket for the user. Eg:

---

root@solaris:~# kinit exampleuser
Password for exampleu...@home.lan:
root@solaris:~#

---

And PAM is configured (in /etc/pam.conf) to use Kerberos for authentication.

The Keytab looks normal to me:

---

1 host/solaris.home....@home.lan (AES-256 CTS mode with 96-bit SHA-1 HMAC) 1 host/solaris.home....@home.lan (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/solaris.home....@home.lan (Triple DES cbc mode with HMAC/sha1)
   1 host/solaris.home....@home.lan (ArcFour with HMAC/md5)
1 nfs/solaris.home....@home.lan (AES-256 CTS mode with 96-bit SHA-1 HMAC) 1 nfs/solaris.home....@home.lan (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/solaris.home....@home.lan (Triple DES cbc mode with HMAC/sha1)
   1 nfs/solaris.home....@home.lan (ArcFour with HMAC/md5)

---

Looking at the server logs I see the following. This looks normal to me, when running kinit exampleuser

---

Jan 10 22:38:56 rex.home.lan krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: NEEDED_PREAUTH: exampleu...@home.lan for krbtgt/home....@home.lan, Additional pre-authentication required Jan 10 22:39:03 rex.home.lan krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleu...@home.lan for krbtgt/home....@home.lan

---

When attempting to authenticate (through the PAM stack) as exampleuser with the same password I see:

---

Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: PREAUTH_FAILED: exampleu...@home.lan for krbtgt/home....@home.lan, Decrypt integrity check failed

---

This seems to suggest that either the password is wrong, but I know I'm typing the right password or there is a decryption error. I'm confused by the fact that kinit works but PAM doesn't. Any ideas?


--
Ian Chapman.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to