Nathan Peters wrote:
> Yes, we are trying to figure out why IPA users are not being handled
> properly however
> given that :
> 1. the method you suggested to troubleshoot my Solaris 10 system, adding
> to the stack, will never work because Solaris does not
> include
> so therefore
> 2. I had to come up with some different way to troubleshoot how or why
> FreeIPA authorization is failing.
> so therefore
> 3. Lacking the module you suggested, I chose an alternative approach :
> put the pam configuration to a default and prove that no logins were broken
> and once the basic pam configuration was proven then I had to :
> 4. I added the freeIPA components (kerberos) until something broke.  In
> this case, the ipa users were never able to login, so stating that
> adding kerberos broke the whole pam stack so that not even a regular
> user could login should have been a useful troubleshooting step.
> So... perhaps you could answer one of 2 things
> 1. how do I troubleshoot a Solaris system without
> and
> 2. why would adding kerberos in the exact way that the manual stated
> break my whole pam stack so that both regular users and freeipa users
> could not login?

We don't have any in-house Solaris (or AIX or HP/ux for that matter)
expertise which is why we no longer provide detailed documentation on
how to configure non-Linux clients (what you found are really, really
old). It's a no-win for us because we can't keep the docs updated,
tested, etc. so they atrophy and generally just make people mad. On at
least some of the pages there is a big fat warning (e.g.

>From the Solaris perspective this is just Kerberos authentication. The
OS docs should provide the necessary details. This looks like a good
place to start:
(though it's Solaris 11, not 10).

This is a blog I found on configuring Solaris 10 against an AD server
which is a reasonable parallel:

Here is something contributed by another IPA user, again for Solaris 11:


Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to