Hi,

Has anybody successfully set up a Solaris 11 client (SunOS solaris 5.11 11.0 i86pc i386 i86pc Solaris) with FreeIPA?

I have FreeIPA 2.4.1 running on Fedora 16. I've successfully configured Fedora, Ubuntu, Mint and FreeBSD clients but for some reason Solaris 11 isn't working.

The Solaris 11 box correctly 'sees' user details for example:

---

root@solaris:~# id exampleuser
uid=2001(exampleuser) gid=2001(exampleuser) groups=2001(exampleuser),199000001(ipausers)

root@solaris:~# finger exampleuser
Login name: exampleuser                 In real life: Example User
Directory: /home/exampleuser            Shell: /bin/bash
Never logged in.
No unread mail
No Plan.

---

I can successfully obtain a Kerberos ticket for the user. E.g.:

---

root@solaris:~# kinit exampleuser
Password for exampleu...@home.lan:
root@solaris:~#

---

And PAM is configured (in /etc/pam.conf) to use Kerberos for authentication.

The Keytab looks normal to me:

---

   1 host/solaris.home....@home.lan (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 host/solaris.home....@home.lan (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 host/solaris.home....@home.lan (Triple DES cbc mode with HMAC/sha1)
   1 host/solaris.home....@home.lan (ArcFour with HMAC/md5)
   1 nfs/solaris.home....@home.lan (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/solaris.home....@home.lan (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   1 nfs/solaris.home....@home.lan (Triple DES cbc mode with HMAC/sha1)
   1 nfs/solaris.home....@home.lan (ArcFour with HMAC/md5)

---

Looking at the server logs, I see the following when running kinit exampleuser. This looks normal to me:

---

Jan 10 22:38:56 rex.home.lan krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: NEEDED_PREAUTH: exampleu...@home.lan for krbtgt/home....@home.lan, Additional pre-authentication required
Jan 10 22:39:03 rex.home.lan krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleu...@home.lan for krbtgt/home....@home.lan

---

When attempting to authenticate (through the PAM stack) as exampleuser with the same password I see:

---

Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: PREAUTH_FAILED: exampleu...@home.lan for krbtgt/home....@home.lan, Decrypt integrity check failed

---

This seems to suggest that either the password is wrong (but I know I'm typing the right password) or there is a decryption error. I'm confused by the fact that kinit works but PAM doesn't. Any ideas?


--
Ian Chapman.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
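
A triage helper for the situation described in the post above (an added example, not part of the original message): it parses krb5kdc AS_REQ lines in the format quoted there and reports principal/client pairs that have both an ISSUE and a PREAUTH_FAILED outcome, with the etype lists offered in each case. The hostname, address and realm in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc log format quoted in the post
# (hostname, client address and realm are placeholders, not the poster's values).
SAMPLE_LOG = """\
Jan 10 22:38:56 kdc.example.test krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.56: NEEDED_PREAUTH: exampleuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 10 22:39:03 kdc.example.test krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 10 22:41:21 kdc.example.test krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 10 22:41:21 kdc.example.test krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.56: PREAUTH_FAILED: exampleuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" appears in every AS_REQ outcome.
PRINCIPALS = re.compile(r"(?P<cname>\S+) for (?P<sname>[^,\s]+)")

def parse_as_req(line):
    """Return a dict for an AS_REQ outcome line, or None for any other line."""
    m = AS_REQ.search(line)
    p = PRINCIPALS.search(m["rest"]) if m else None
    if not p:
        return None
    etypes = tuple(int(e) for e in m["etypes"].split())
    return {"client": m["client"], "status": m["status"],
            "etypes": etypes, "principal": p["cname"]}

def mixed_outcomes(log_text):
    """Map (principal, client) -> details where a TGT was issued AND pre-auth failed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_as_req(line)
        if ev:
            seen[(ev["principal"], ev["client"])].add((ev["status"], ev["etypes"]))
    report = {}
    for key, outcomes in seen.items():
        ok = {e for s, e in outcomes if s == "ISSUE"}
        bad = {e for s, e in outcomes if s == "PREAUTH_FAILED"}
        if ok and bad:
            report[key] = {"issued_etypes": sorted(ok), "failed_etypes": sorted(bad),
                           "same_offer": ok == bad}
    return report

if __name__ == "__main__":
    for (principal, client), info in mixed_outcomes(SAMPLE_LOG).items():
        print(principal, client, info)
```
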
