On 01/07/2015 06:36 AM, Ben .T.George wrote:

If I check an IPA client machine enrolled with ipa-client, the krb5.conf file looks like below:

[root@kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = SOLIPA.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  SOLIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .solipa.local = SOLIPA.LOCAL
  solipa.local = SOLIPA.LOCAL

and the includedir /var/lib/sss/pubconf/krb5.include.d/ includes:

[root@kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM

Can anyone please help me prepare a proper krb5.conf file for the Solaris box?

IPA Server: kwtpocpbis01.solipa.local
Solaris (client): kwttestsolaris10.solipa.local
Active Directory: kwttestdc001.kwttestdc.com


On Wed, Jan 7, 2015 at 2:11 PM, Ben .T.George <bentech4...@gmail.com> wrote:

    Hi List

    Correct me if I am wrong.

    Currently my client krb5.conf is holding AD details, and my client is

    Here is my file.

    bash-3.2# more /etc/krb5/krb5.conf
    [libdefaults]
        default_realm = KWTTESTDC.COM

    [realms]
        KWTTESTDC.COM = {
            kdc = kwttestdc001.kwttestdc.com:88
            admin_server = kwttestdc001.kwttestdc.com:749
        }

    [domain_realm]
        .kwttestdc.com = KWTTESTDC.COM
        kwttestdc.com = KWTTESTDC.COM

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
            period = 1d
            versions = 10
        }

    [appdefaults]
        kinit = {
            renewable = true
            forwardable = true
        }

    Please can anyone verify whether this is right or wrong?


OK, there seems to be a confusion at least on my side.
I see several options in this situation.

Option 1: You use your Solaris box with AD directly.
I do not think this is what you are trying to do. AFAIR you are trying to connect it to IPA and use trusts. But direct connection should be possible.

Option 2: Connect Solaris to IPA while it is in trust with AD
In this case you need to use LDAP for authentication and identity lookup and point your client to compat tree. You can't use Kerberos. Kerberos on Solaris does not know anything about the trust. If you make it use Kerberos from IPA then you would be able to use only users from IPA. If you need to use kerberos then we return to option 1.

Option 3: Create a split brain configuration: authentication using kerberos will go to AD directly while identity will come from IPA's compat tree. This is potentially possible but this is an uncharted and not recommended territory.

Option 4: Try to build SSSD for Solaris.
If it were easy we would have done it ourselves but patches are always welcome. :-)

Option 5: Stop using Solaris.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
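Option 2 above (Solaris as a plain LDAP client of the IPA compat tree, Kerberos not involved) as an added example, not a script from the thread or from the FreeIPA project. The IPA server and domain are the ones named in the thread; the base DN is assumed to be the default suffix for solipa.local, the proxy bind DN is an assumed system account created by hand under cn=sysaccounts,cn=etc, and the password is read from the environment. Off a Solaris host the block only shows the ldapclient(1M) command it would run, so the attribute set can be reviewed anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): configure a Solaris 10 LDAP client to
# take identity and authentication from the IPA compat tree. Host and domain
# names are from the thread; items marked ASSUMPTION are placeholders.

IPA_SERVER="kwtpocpbis01.solipa.local"   # IPA server named in the thread
IPA_DOMAIN="solipa.local"                # IPA domain named in the thread
# ASSUMPTION: a dedicated bind account for this client, added with ldapmodify
# under cn=sysaccounts,cn=etc (no such account exists in the thread).
PROXY_RDN="uid=solaris,cn=sysaccounts,cn=etc"
PROXY_PW="${PROXY_PW:-}"                 # ASSUMPTION: exported by the operator, never hard-coded

# Derive the IPA suffix from the domain: solipa.local -> dc=solipa,dc=local
# ASSUMPTION: the server was installed with the default suffix for its domain.
domain_to_base_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# The compat tree (slapi-nis) is the only place a non-SSSD client sees users
# from the trusted AD forest, as name@kwttestdc.com. Native IPA users also
# live under cn=accounts, but AD users never appear there.
compat_search_descriptors() {
    base="$1"
    printf 'passwd:cn=users,cn=compat,%s\n' "$base"
    printf 'group:cn=groups,cn=compat,%s\n' "$base"
}

# One "attr=value" per line. proxyPassword is deliberately left out so this
# listing can be reviewed or logged without leaking the credential.
ldapclient_attrs() {
    base="$1" server="$2" domain="$3" proxy_dn="$4"
    printf 'credentialLevel=proxy\n'
    printf 'authenticationMethod=tls:simple\n'
    printf 'proxyDN=%s\n' "$proxy_dn"
    printf 'defaultSearchBase=%s\n' "$base"
    printf 'domainName=%s\n' "$domain"
    printf 'defaultServerList=%s\n' "$server"
    compat_search_descriptors "$base" | sed 's/^/serviceSearchDescriptor=/'
    printf 'serviceAuthenticationMethod=pam_ldap:tls:simple\n'
}

# Apply the attribute set with ldapclient(1M). On Solaris this rewrites
# /etc/nsswitch.conf from /etc/nsswitch.ldap and restarts ldap/client; the
# IPA CA (copied from /etc/ipa/ca.crt on the server) must already be in the
# client's NSS database, e.g.
#   certutil -N -d /var/ldap
#   certutil -A -n "IPA CA" -t "CT,," -d /var/ldap -i ca.crt
# Elsewhere the command is only displayed.
apply_ldapclient() {
    base=$(domain_to_base_dn "$IPA_DOMAIN")
    set --
    # Values contain no whitespace by construction, so word splitting is safe.
    for kv in $(ldapclient_attrs "$base" "$IPA_SERVER" "$IPA_DOMAIN" "$PROXY_RDN,$base"); do
        set -- "$@" -a "$kv"
    done
    if [ -x /usr/sbin/ldapclient ]; then
        [ -n "$PROXY_PW" ] || { echo "PROXY_PW is not set" >&2; return 1; }
        /usr/sbin/ldapclient manual "$@" -a "proxyPassword=$PROXY_PW"
    else
        echo "not a Solaris host; would run: ldapclient manual $* -a proxyPassword=..." >&2
        return 1
    fi
}

# Only enrol when explicitly asked: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ldapclient
fi
```

After enrolment, `getent passwd someuser@kwttestdc.com` on the Solaris box is the quick check that AD users resolve through the compat tree; the tree has to be enabled for trusted users on the IPA side first (`ipa-adtrust-install --enable-compat`, or `ipa-compat-manage enable`). Note that /etc/krb5/krb5.conf plays no part in this setup: the client does an LDAP simple bind over TLS, and it is the IPA server that checks the AD user's password, which is exactly the limitation Dmitri describes.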

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project