Nathan Peters wrote:
> Yes, we are trying to figure out why IPA users are not being handled
> properly however
> given that :
> 1. the method you suggested to troubleshoot my Solaris 10 system, adding
> pam_permit.so to the stack, will never work because Solaris does not
> include pam_permit.so.
> so therefore
> 2. I had to come up with some different way to troubleshoot how or why
> FreeIPA authorization is failing.
> so therefore
> 3. Lacking the module you suggested, I chose an alternative approach :
> put the pam configuration to a default and prove that no logins were broken
> and once the basic pam configuration was proven then I had to :
> 4. I added the freeIPA components (kerberos) until something broke. In
> this case, the ipa users were never able to login, so stating that
> adding kerberos broke the whole pam stack so that not even a regular
> user could login should have been a useful troubleshooting step.
>
> So... perhaps you could answer one of 2 things
> 1. how do I troubleshoot a Solaris system without pam_permit.so?
> and
> 2. why would adding kerberos in the exact way that the manual stated
> break my whole pam stack so that both regular users and freeipa users
> could not login?

We don't have any in-house Solaris (or AIX or HP/ux for that matter) expertise which is why we no longer provide detailed documentation on how to configure non-Linux clients (what you found are really, really old). It's a no-win for us because we can't keep the docs updated, tested, etc. so they atrophy and generally just make people mad. On at least some of the pages there is a big fat warning (e.g. http://www.freeipa.org/page/FreeIPAv1:ConfiguringSolarisClients).

From the Solaris perspective this is just Kerberos authentication. The OS docs should provide the necessary details.

This looks like a good place to start: http://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#setup-341 (though it's Solaris 11, not 10).

This is a blog I found on configuring Solaris 10 against an AD server which is a reasonable parallel: http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/

Here is something contributed by another IPA user, again for Solaris 11: https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html

rob