On Mar 14, 2013, at 6:38 AM, KodaK wrote:

> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <l...@kearney.jp> wrote:
>> Hello,
>> 
>> I have recently been working on integrating our solaris 10 fleet with 
>> FreeIPA. The first 'test' host went relatively smoothly and we recently 
>> created a new test host. Only this time it was more challenging to get the 
>> system working.
>> 
>> On our original test installation every step went almost exactly as per the 
>> documentation [ http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html ]
>> 
>> On the second install we found that whilst we were able to retrieve user 
>> account information via LDAP we could not login via ssh and kerberos for any 
>> amount of trying. This was overcome by inserting the following line into 
>> pam.conf
>> 
>> other         account            sufficient              pam_ldap.so.1
>> 
>> Where it had not been needed on test host1.
>> 
>> To the extent it works and doesn't break something else this is all fine. I 
>> understand why it works as the information in ldap is needed to open the 
>> terminal session. Why would one need this stanza but not the other?
>> 
> 
> IIRC, the instructions have you pulling information from Kerberos.
> This explicitly allows ldap -- I would suspect that Kerberos isn't
> working correctly on the second host.  Check time first.
> 

Thanks for that - NTP reports that both the kerberos master and the solaris 
client are indeed in sync. In all other respects kerberos seems to be working 
properly: a user can obtain a ticket and can use that same ticket to ssh to 
another host.


> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
