>> Perform step 1-5 in the docs:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Conf
>> iguring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>
>> Please note that there is a default DUAProfile with IPA that allows you
>> to skip the manual configuration of ldapclient, and just do "ldapclient init 
>> ipa-server-fqdn". I
>> don't understand why the documentation says to do a manual configuration of 
>> ldapclient. The
>> example provided also does a lot of unnecessary attribute mapping.
>
> The documentation includes a manual configuration so one can do it if
> desired.
>

The documentation includes only the manual configuration. Using a DUAProfile is 
easier both for
installing, and maintaining the Solaris clients as they will re-read 
configuration from the DUA
profile periodically. Manual configuration should be avoided if possible.

Do you want me to open a DOC BUG to have this changed?

AND include a more functional DUAProfile by default configuring the clients for 
ethers and
automount support as well.

Do you want me to open a ticket for this? the profile I send in the previous 
email can be used as
a template.



>> However I cannot log on to the console. Enabling debugging on pam tells me:
>>
>>
>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
>> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
>> integrity check failed
>>
>> There was an issue on Solaris 10 with incorrect configuration to allow
>> aes256 support, only aes128 and downwars we're enabled by default. This does 
>> not seem to be the
>> case for Solaris 11.
>>
>> Does anyone else get the same decrypt failed issue?
>>
>
> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
>

Yes, Solaris 10 works just fine for console login, both x86 and sparc. This 
seem to be an issue in
Solaris 11. It could be a configuration error, I just haven't had time to look 
into it yet. We do
not use Solaris 11 in production as per today.



Regards,
Siggi


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to