I'm not sure if this will help (not being a Solaris shop), but when we rolled out IPA in our environment, I had some trouble with ssh and kerberos auth working correctly. As it turned out, the fix was adding reverse lookup records (PTR) in the DNS for all the servers.

-Mike

-----Original Message-----
>From: Luke Kearney <l...@kearney.jp>
>Sent: Mar 13, 2013 4:39 PM
>To: Freeipafirstname.lastname@example.org
>Subject: [Freeipa-users] Solaris Clients
>
>Hello,
>
>I have recently been working on integrating our Solaris 10 fleet with FreeIPA.
>The first 'test' host went relatively smoothly and we recently created a new
>test host. Only this time it was more challenging to get the system working.
>
>On our original test installation every step went almost exactly as per the
>documentation
>[ http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html ]
>
>On the second install we found that whilst we were able to retrieve user
>account information via LDAP we could not login via ssh and kerberos for any
>amount of trying. This was overcome by inserting the following line into
>pam.conf
>
>other account sufficient pam_ldap.so.1
>
>Where it had not been needed on test host1.
>
>To the extent it works and doesn't break something else this is all fine. I
>understand why it works as the information in ldap is needed to open the
>terminal session, why would one need this stanza but not the other?
>
>If anyone can shed any light on this I would be most appreciative.
>
>Thanks
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipaemail@example.com
>https://www.redhat.com/mailman/listinfo/freeipa-users