On 04/20/2012 05:53 PM, Rob Crittenden wrote:
johan petersson wrote:

I need to add several Solaris 11 servers as clients to a Freeipa server
and wonder if there is anyone that has done so successfully?
The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
on Solaris 11.
I have tried with the guide for Solaris 11 but do not get it to work
except for the kerberos configuration.

id testuser or su - testuser do not work but kinit testuser does.

What did you use to configure the Solaris 11 client, ldapinit?

Can you see any connections in the IPA LDAP server from this client? (on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is buffered so it may take 30s to be seen).

I've tested with Solaris 11, using the same setup I used for Solaris 10, almost successfully.

Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns" from the hosts and ipnodes databases. Also remove "ldap" from the networks, protocols, rpc, netmasks, bootparams, publickey, services databases.

Perform step 1-5 in the docs: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

Please note that there is a default DUAProfile with IPA that allows you to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I don't understand why the documentation says to do a manual configuration of ldapclient. The example provided also does a lot of unnecessary attribute mapping.

I'm also using cn=groups,cn=compat for Solaris, and NOT cn=groups,cn=accounts like the documentation states.

Step 6 in the documentation does not work and apparently is not supported. All keytabs must be retrieved using the ipa-getkeytab command.

Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
$ ipa-getkeytab -s ipa01 -p host/solaris11.ix.test.com -k /tmp/solaris11.keytab

Copy the solaris11.keytab file from the IPA server to /etc/krb5/krb5.conf on the Solaris machine.

Login now works for me using SSH. The automounter works, looking up aliases for sendmail works, looking up netgroups works. Additional "serviceSearchDescriptor" entries must be added for the automounter, aliases, and sendmail aliases to work. Please see the attached profile.ldif file for details of the DUA config profile I'm using with Solaris clients using SSL.

SSL connection for the client also works, but you need to convert the certificate into PEM format and create a cert database using certutil that's placed in the /var/ldap directory. I'm using SSL connections on both Solaris 10 and 11 with success.

However I cannot log on to the console. Enabling debugging on pam tells me:

Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed

There was an issue on Solaris 10 with incorrect configuration to allow aes256 support, only aes128 and downwards were enabled by default. This does not seem to be the case for Solaris 11.

Does anyone else get the same decrypt failed issue?


dn: cn=solaris_authssl_test,ou=profile,dc=ix,dc=test,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=ix,dc=test,dc=com
defaultSearchScope: one
defaultServerList: ipa01.ix.test.com ipa02.ix.test.com ipa03.ix.test.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
preferredServerList: ipa01.ix.test.com ipa02.ix.test.com
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ix,dc=test,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ix,dc=test,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=ix,dc=test,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=ix,dc=test,dc=
serviceSearchDescriptor: automount:cn=svg1,cn=automount,dc=ix,dc=test,dc=c
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=svg1,cn
serviceSearchDescriptor: aliases:ou=aliases,ou=test,dc=ix,dc=test,dc=com
serviceSearchDescriptor: printers:ou=printers,ou=test,dc=ix,dc=test,dc=c
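To catch profile mistakes before running "ldapclient init", here is an added Python check (not code from this thread or from FreeIPA) that parses a DUAConfigProfile LDIF like the attached profile.ldif and flags what the thread discusses: a bind not wrapped in TLS, group lookups outside cn=compat, and serviceSearchDescriptor bases that do not sit under defaultSearchBase. The sample entry is constructed from the attached profile and deliberately keeps one cut-off descriptor.

```python
"""Sanity-check a Solaris DUAConfigProfile LDIF before ldapclient init.

Added example (not from the thread or FreeIPA): single-entry LDIF parser
plus checks for non-TLS binds, non-compat group lookups and descriptor
bases that are not under defaultSearchBase (e.g. a cut-off DN).
"""

# Constructed sample based on the attached profile; the ethers line is
# deliberately cut off to show what the checker reports.
SAMPLE_LDIF = """\
dn: cn=solaris_authssl_test,ou=profile,dc=ix,dc=test,dc=com
objectClass: DUAConfigProfile
cn: solaris_authssl_test
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=ix,dc=test,dc=com
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=ix,dc=test,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=ix,dc=test,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=ix,dc=test,dc=
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, folding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folds long values onto " ..." lines
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def check_profile(attrs):
    """Return a list of findings; an empty list means the profile looks sane."""
    findings = []
    base = (attrs.get("defaultSearchBase") or [""])[0].lower()
    auth = (attrs.get("authenticationMethod") or [""])[0].lower()
    if not auth.startswith("tls:"):
        findings.append(f"authenticationMethod {auth!r}: bind credentials not protected by TLS")
    for ssd in attrs.get("serviceSearchDescriptor", []):
        service, _, rest = ssd.partition(":")
        dn = rest.split("?")[0].strip().lower()  # descriptor is base?scope?filter
        if service == "group" and "cn=compat" not in dn:
            findings.append("group: use cn=groups,cn=compat rather than cn=accounts")
        if not dn.endswith(base):
            findings.append(f"{service}: base {dn!r} is not under {base!r} (cut off?)")
    return findings
```

Run check_profile(parse_ldif_entry(open("profile.ldif").read())) against your own profile; the sample above reports only the cut-off ethers descriptor.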