>> Perform steps 1-5 in the docs:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>> Please note that there is a default DUAProfile with IPA that allows you
>> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
>> don't understand why the documentation says to do a manual configuration of ldapclient. The
>> example provided also does a lot of unnecessary attribute mapping.
> The documentation includes a manual configuration so one can do it if
> desired.

The documentation includes only the manual configuration. Using a DUAProfile is
easier both for installing, and maintaining the Solaris clients as they will
re-read configuration from the DUA profile periodically. Manual configuration
should be avoided if possible.

Do you want me to open a DOC BUG to have this changed?

AND include a more functional DUAProfile by default configuring the clients for
ethers and automount support as well.

Do you want me to open a ticket for this? The profile I sent in the previous
email can be used as a template.

>> However I cannot log on to the console. Enabling debugging on pam tells me:
>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed
>> There was an issue on Solaris 10 with incorrect configuration to allow
>> aes256 support, only aes128 and downwards were enabled by default. This does
>> not seem to be the case for Solaris 11.
>> Does anyone else get the same decrypt failed issue?
> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.

Yes, Solaris 10 works just fine for console login, both x86 and sparc. This
seems to be an issue in Solaris 11. It could be a configuration error, I just
haven't had time to look into it yet. We do not use Solaris 11 in production
as per today.


Freeipa-users mailing list
