On Mar 14, 2013, at 6:38 AM, KodaK wrote:

> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <l...@kearney.jp> wrote:
>> Hello,
>> I have recently been working on integrating our solaris 10 fleet with 
>> FreeIPA. The first 'test' host went relatively smoothly and we recently 
>> created a new test host. Only this time it was more challenging to get the 
>> system working.
>> On our original test installation every step went almost exactly as per the 
>> documentation [ 
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>  ]
>> On the second install we found that whilst we were able to retrieve user 
>> account information via LDAP we could not login via ssh and kerberos for any 
>> amount of trying. This was overcome by inserting the following line into 
>> pam.conf
>> other         account            sufficient              pam_ldap.so.1
>> Where is had not been needed on test host1.
>> To the extent it works and doesn't break something else this is all fine. I 
>> understand why it works as the information in ldap is needed to open the 
>> terminal session, why would one need this stanza but not the other?
> IIRC, the instructions have you pulling information from Kerberos.
> This explicitly allows ldap -- I would suspect that Kerberos isn't
> working correctly on the second host.  Check time first.

Thanks for that - NTP reports that both the kerberos master and the solaris 
client are indeed in sync. In all other respects kerberos seems to be working 
properly, a user can obtain a ticket and can use that same ticket to ssh to 
another host. 

> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6

Freeipa-users mailing list

Reply via email to