On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
> >> Perform step 1-5 in the docs:
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> >>
> >> Please note that there is a default DUAProfile with IPA that allows you
> >> to skip the manual configuration of ldapclient, and just do "ldapclient
> >> init ipa-server-fqdn". I don't understand why the documentation says to
> >> do a manual configuration of ldapclient. The example provided also does
> >> a lot of unnecessary attribute mapping.
> >
> > The documentation includes a manual configuration so one can do it if
> > desired.
> >
>
> The documentation includes only the manual configuration. Using a DUAProfile
> is easier both for installing, and maintaining the Solaris clients as they
> will re-read configuration from the DUA profile periodically. Manual
> configuration should be avoided if possible.
>
> Do you want me to open a DOC BUG to have this changed?

Please do.

> AND include a more functional DUAProfile by default configuring the clients
> for ethers and automount support as well.
>
> Do you want me to open a ticket for this? The profile I sent in the previous
> email can be used as a template.

Yes please.

> >> However I cannot log on to the console. Enabling debugging on pam tells me:
> >>
> >>
> >> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
> >> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
> >> integrity check failed
> >>
> >> There was an issue on Solaris 10 with incorrect configuration to allow
> >> aes256 support, only aes128 and downwards were enabled by default. This
> >> does not seem to be the case for Solaris 11.
> >>
> >> Does anyone else get the same decrypt failed issue?
> >>
> >
> > I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
> >
>
> Yes, Solaris 10 works just fine for console login, both x86 and sparc. This
> seems to be an issue in Solaris 11. It could be a configuration error, I just
> haven't had time to look into it yet. We do not use Solaris 11 in production
> as per today.

Do you see anything special on the KDC side when you get that error in
the console?
Do you play with enctypes when you obtain the system keytab?

Simo.

--
Simo Sorce * Red Hat, Inc * New York