Sigbjorn Lie wrote:
On 04/20/2012 05:53 PM, Rob Crittenden wrote:
johan petersson wrote:

I need to add several Solaris 11 servers as clients to a Freeipa server
and wonder if there is anyone who has done so successfully?
The guide in freeipa documentation mentions Solaris 9 and 10 but nothing
on Solaris 11.
I have tried with the guide for Solaris 11 but do not get it to work
except for the Kerberos configuration.

id testuser or su - testuser do not work but kinit testuser does.

What did you use to configure the Solaris 11 client, ldapinit?

Can you see any connections in the IPA LDAP server from this client?
(on server in /var/log/dirsrv/slapd-YOUR-REALM/access, note this is
buffered so it may take 30s to be seen).

I've tested with Solaris 11, using the same setup I used for Solaris 10,
almost successfully.

Before starting, edit /etc/nsswitch.ldap and replace "ldap" with "dns"
from the hosts and ipnodes databases. Also remove "ldap" from the
networks, protocols, rpc, netmasks, bootparams, publickey, services

Perform steps 1-5 in the docs:

Please note that there is a default DUAProfile with IPA that allows you
to skip the manual configuration of ldapclient, and just do "ldapclient
init ipa-server-fqdn". I don't understand why the documentation says to
do a manual configuration of ldapclient. The example provided also does
a lot of unnecessary attribute mapping.

The documentation includes a manual configuration so one can do it if desired.

I'm also using cn=groups,cn=compat for Solaris, and NOT
cn=groups,cn=accounts like the documentation states.

Step 6 in the documentation does not work and apparently is not
supported. All keytabs must be retrieved using the ipa-getkeytab command.

Go to an IPA server and retrieve a keytab with the ipa-getkeytab command:
$ ipa-getkeytab -s ipa01 -p host/ -k

Copy the solaris11.keytab file from the IPA server to
/etc/krb5/krb5.conf on the Solaris machine.

Yes, we noticed this as well. This will be fixed when the updated 2.2 documentation gets released.

Login now works for me using SSH. The automounter works, looking up
aliases for sendmail works, looking up netgroups works. Additional
"serviceSearchDescriptor" entries must be added for the
automounter, aliases, and sendmail aliases to work. Please see the
attached profile.ldif file for details of the DUA config profile I'm
using with Solaris clients using SSL.

SSL connection for the client also works, but you need to convert the
certificate into PEM format and create a cert database using certutil
that's placed in the /var/ldap directory. I'm using SSL connections on
both Solaris 10 and 11 with success.

However I cannot log on to the console. Enabling debugging on pam tells me:

Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
integrity check failed

There was an issue on Solaris 10 with incorrect configuration to allow
aes256 support; only aes128 and downwards were enabled by default. This
does not seem to be the case for Solaris 11.

Does anyone else get the same decrypt failed issue?

I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
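The nsswitch.ldap edit Sigbjorn describes above (dns for hosts and ipnodes, ldap dropped from the listed databases), as an added example that is not part of the thread: the script applies the edit to a constructed copy of the file and then checks the result, so the same check can be run against a real client before ldapclient init. The sample file contents, the function names and the mktemp path are assumptions.

```shell
# Constructed sample of /etc/nsswitch.ldap (real files list more databases).
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
services:   ldap [NOTFOUND=return] files
netgroup:   ldap
EOF
}
# hosts/ipnodes: look up via dns instead of ldap. networks, protocols, rpc,
# netmasks, bootparams, publickey, services: drop the ldap source and the
# [status=action] criterion that followed it; other databases are untouched.
fix_nsswitch() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    $1 == "hosts:" || $1 == "ipnodes:" {
        for (i = 2; i <= NF; i++) if ($i == "ldap") $i = "dns"
        print; next
    }
    $1 ~ /^(networks|protocols|rpc|netmasks|bootparams|publickey|services):$/ {
        out = $1
        for (i = 2; i <= NF; i++)
            if ($i != "ldap" && $i !~ /^\[/) out = out "\t" $i
        print out; next
    }
    { print }' "$1"
}
# Exit 0 when hosts/ipnodes use dns and none of the databases above still
# lists ldap; otherwise print each offending line and exit 1.
check_nsswitch() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 ~ /^(hosts|ipnodes|networks|protocols|rpc|netmasks|bootparams|publickey|services):$/ {
        for (i = 2; i <= NF; i++)
            if ($i == "ldap") { print "still uses ldap: " $0; bad = 1 }
    }
    $1 == "hosts:" || $1 == "ipnodes:" {
        ok = 0; for (i = 2; i <= NF; i++) if ($i == "dns") ok = 1
        if (!ok) { print "no dns source: " $0; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }' "$1"
}
# Demo on the constructed copy (assumed temp path); on a client, run
# fix_nsswitch on /etc/nsswitch.ldap, review the diff, then install it.
sample=$(mktemp); make_sample_nsswitch "$sample"
fix_nsswitch "$sample" > "$sample.fixed" && check_nsswitch "$sample.fixed"
```

The check leaves passwd, group, netgroup, automount and aliases alone, since those are the databases the thread still resolves through LDAP.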