On 04/23/2012 03:00 PM, Simo Sorce wrote:
On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
Perform steps 1-5 in the docs:

Please note that there is a default DUAProfile with IPA that allows you to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I don't understand why the documentation says to do a manual configuration of ldapclient. The example provided also does a lot of unnecessary attribute mapping.
The documentation includes a manual configuration so one can do it if

The documentation includes only the manual configuration. Using a DUAProfile is easier both for installing and for maintaining the Solaris clients, as they will re-read configuration from the DUA profile periodically. Manual configuration should be avoided if possible.

Do you want me to open a DOC BUG to have this changed?
Please do.

Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815533

AND include a more functional DUAProfile by default configuring the clients for ethers and automount support as well.

Do you want me to open a ticket for this? The profile I sent in the previous email can be used as a template.
Yes please.

Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815515

However I cannot log on to the console. Enabling debugging on pam tells me:

Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt integrity check failed

There was an issue on Solaris 10 with incorrect configuration to allow aes256 support, only aes128 and downwards were enabled by default. This does not seem to be the case for Solaris 11.

Does anyone else get the same decrypt failed issue?

I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.

Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do not use Solaris 11 in production as of today.
Do you see anything special on the KDC side when you get that error in the console?

Do you play with enctypes when you obtain the system keytab?

I did not look at the KDC logs. And yes, I did try to limit the enc types to 3des and below, it still did not work.

I will have to visit this again later.


Freeipa-users mailing list