Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for Linux/Unix clients ssh authentication (with Kerberos). I've managed to successfully set up Debian clients (via sssd and also on older Debians, through libnss and pam_krb5). But for some reason I can't authenticate ssh on Solaris 10 clients.
On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and id <user> work), but unfortunately, the ssh user authentication fails with an error: sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory


On the Solaris clients, does there need to be a keytab in /etc/krb5/ directory copied over from the IPA server? (I didn't have to set up a keytab file for the legacy Debian clients, and in the solaris-clients doc previously mentioned, there's no mention of it). Well, since I read somewhere the keytab file needs to be there, I copied it over from the IPA server to the Solaris clients. Then I get a different error:
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

This error seems to indicate that there isn't a matching entry found in the keytab file, so I added an entry for the Solaris client, but I'm still getting the same 'Key table entry not found' error (it could be the entry I added is wrong, of course). But, for now, just want to be sure: On the Solaris clients, do I need an /etc/krb5/krb5.keytab file? (if yes, why not in the non-sssd Debian hosts then?)

Thanks in advance,
--

*Gerardo Padierna Nanclares*
Systems Technician (ASL group) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gera...@gmail.com
