> root is not an ipa managed user so it is purely your pam configuration.
> I thought we were trying to figure out why your ipa users are not
> handled properly.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
I would like to thank you guys for your help in troubleshooting this. I managed to fix the issue. We had a custom jumpstart file creating our Solaris images and it made some configuration changes that broke the pam/kerberos interaction. I still don't know what exactly was the cause, but I re-installed on a fresh Solaris 10 8/11 image and was able to get an ipa user to log in.

For reference, here are the complete steps I had to take from installation of the machine to get it working. Hopefully someone else finds this useful or you can add it to your docs.

These instructions assume a minimal console-only Solaris install, so we have to add some packages first.

#pkgadd -d . SUNWbash
#pkgadd -d . SUNWuiu8
#pkgadd -d . SUNWwgetr
#pkgadd -d . SUNWwgetu
#pkgadd -d . SUNWbind
#pkgadd -d . SUNWntpr
#pkgadd -d . SUNWntpu
#pkgadd -d . SUNWman
#pkgadd -d . SUNWdoc
#pkgadd -d . SUNWtexi
#pkgadd -d . SUNWsfdoc
#pkgadd -d . SUNWsfman
#pkgadd -d . SUNWsfinf
#pkgadd -d . SUNWgcmn
#pkgadd -d . SUNWsshcu
#pkgadd -d . SUNWsshdr
#pkgadd -d . SUNWsshdu
#pkgadd -d . SUNWsshr
#pkgadd -d . SUNWsshu

Fix IP Setup

#rm /etc/dhcp.e1000g0
#chmod u+w /etc/hosts
#echo "10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net ipaclient6-sandbox-atdev-van loghost" >> /etc/hosts
#echo "10.21.19.17 netmask 255.255.0.0" > /etc/hostname.e1000g0
#echo "ipaclient6-sandbox-atdev-van.ipadomain.net" > /etc/nodename
#echo "ipadomain.net" > /etc/defaultdomain
#echo "10.21.0.1" > /etc/defaultrouter

DNS Configuration

This DNS configuration needs to be done no matter whether you used jumpstart or not.

#vi /etc/resolv.conf

Remove all existing lines and set the following values:

domain ipadomain.net
nameserver 10.21.19.20

Reboot to get the updated hostname, domainname and ip settings:

#reboot

Enable SSH daemon

#/lib/svc/method/sshd -c
#svcadm enable ssh

NSSwitch Configuration

Edit /etc/nsswitch.conf and make sure the following lines are set:

passwd: files ldap
group: files ldap
hosts: dns files

Edit /etc/nsswitch.ldap and make sure the same lines are set:

passwd: files ldap
group: files ldap
hosts: dns files

Configure Client

Edit /etc/krb5/krb5.conf and set the following values:

--- snip ---
[libdefaults]
        default_realm = IPADOMAIN.NET
        dns_lookup_kdc = true

[realms]
        IPADOMAIN.NET = {
                kdc = ipadc1.ipadomain.net
                admin_server = ipadc1.ipadomain.net
        }

[domain_realm]
        .ipadomain.net = IPADOMAIN.NET
        ipadomain.net = IPADOMAIN.NET

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                # How often to rotate kdc.log. Logs will get rotated no more
                # often than the period, and less often if the KDC is not used
                # frequently.
                period = 1d
                # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
                version = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
--- snip ---

First, synchronize the date on the Solaris client:

bash-3.00# ntpdate ipadc1.ipadomain.net

On the Solaris machine set up the ldap configuration:

# ldapclient -v init -a domainName=ipadomain.net ipadc1.ipadomain.net

On the freeIPA domain controller, enroll the host:

[root@ipadc1 ~]# ipa host-add --force --ip-address=10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net

On the IPA server, get the keytab and copy it to the Solaris machine:

#rm /tmp/solaris.keytab
[root@ipadc1 tmp]# ipa-getkeytab -s ipadc1 -p host/ipaclient6-sandbox-atdev-van.ipadomain.net -k /tmp/solaris.keytab
[root@ipadc1 tmp]# scp solaris.keytab root@10.21.19.17:/etc/krb5/krb5.keytab

After all this, I was able to log in to my Solaris machine using one of my ipa user accounts.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
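The client-side file edits from the procedure above (krb5.conf, the two nsswitch files, and the copied keytab), as an added example that is not code from the original post or from the FreeIPA project. It wraps each step in a function so it can be run against a staging directory first and only touches the live system when APPLY=1 is set; the variable names DOMAIN, REALM, KDC and APPLY and the function names are my own. It also adds the check a practitioner wants after the scp step: the host keytab is the machine's credential, so it must be mode 0600, and a `kinit -k` proves it works before PAM is involved. The [logging] block from the posted krb5.conf is left out because it only configures the KDC-side daemons.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeIPA project): the
# client-side file edits from the procedure above, as idempotent functions.
# Written for Solaris 10's /bin/sh: no `sed -i` and no `grep -q`, since the
# stock Solaris 10 /usr/bin tools lack both.
set -eu

# Site values taken from the post; override them in the environment for another site.
DOMAIN="${DOMAIN:-ipadomain.net}"
REALM="${REALM:-IPADOMAIN.NET}"
KDC="${KDC:-ipadc1.ipadomain.net}"

# Write a krb5.conf equivalent to the one in the post. The [logging] block is
# omitted: it configures the KDC-side daemons and has no effect on a client.
write_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
        default_realm = $REALM
        dns_lookup_kdc = true

[realms]
        $REALM = {
                kdc = $KDC
                admin_server = $KDC
        }

[domain_realm]
        .$DOMAIN = $REALM
        $DOMAIN = $REALM

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
EOF
}

# Set one database line in an nsswitch file, e.g. set_nss_source FILE passwd "files ldap".
# Replaces an existing "passwd:" line in place, otherwise appends one, so a
# second run changes nothing.
set_nss_source() {
    file="$1"; db="$2"; sources="$3"
    if grep "^$db:" "$file" >/dev/null; then
        sed "s/^$db:.*/$db: $sources/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$db: $sources" >> "$file"
    fi
}

# Return 0 when the three lines the post requires are present exactly, else 1.
check_nss() {
    grep "^passwd: *files ldap *$" "$1" >/dev/null || return 1
    grep "^group: *files ldap *$"  "$1" >/dev/null || return 1
    grep "^hosts: *dns files *$"   "$1" >/dev/null || return 1
    return 0
}

# The host keytab is a credential for the machine principal; anyone who can
# read it can impersonate the host. Return 0 only when it is mode 0600.
check_keytab_perms() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Tighten the mode of a keytab that arrived via scp and verify the result.
secure_keytab() {
    chmod 600 "$1"
    check_keytab_perms "$1"
}

# Touch the live system only when asked; run as root on the Solaris client.
if [ "${APPLY:-0}" = 1 ]; then
    write_krb5_conf /etc/krb5/krb5.conf
    for f in /etc/nsswitch.conf /etc/nsswitch.ldap; do
        set_nss_source "$f" passwd "files ldap"
        set_nss_source "$f" group  "files ldap"
        set_nss_source "$f" hosts  "dns files"
        check_nss "$f"
    done
    secure_keytab /etc/krb5/krb5.keytab
    # Prove the keytab works before involving PAM: get a TGT for the host principal.
    # uname -n is the nodename set in the procedure above (the FQDN).
    kinit -k "host/$(uname -n)" && klist
fi
```

Run it once without APPLY to load the functions and try them against copies of the files; with APPLY=1 it rewrites the live files. The nsswitch edit replaces rather than appends so the file never ends up with two passwd: lines, which is the kind of leftover a custom jumpstart profile can introduce.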