[Freeipa-users] solaris 10 ad authentication happening with only one user

Ben .T.George Sun, 15 Mar 2015 03:06:31 -0700

Hi LIst,

i have successfully configured my solaris 10 with AD through IPA 4.1.2


the issue i am facing is,only one AD user can able to solaris

here is the getent passwd:

<skipped>
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
*b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben
<http://infra.com/ben>:*
auth:x:643400008:643400008:auth auth:/home/auth:/bin/sh
shyam:x:643400007:643400007:shyam A:/export/home/shyam:/bin/bash
jude:x:643400006:643400006:jude joseph:/export/home/jude:/bin/bash
admin:x:643400000:643400000:Administrator:/home/admin:/bin/bash

user ben is from AD and can able to su to that user.i have tried with other
users and it's not happening.

here is my configuration file:

pam.conf

# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
other   auth sufficient         pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
other   account sufficient      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

ldap_client_file:

#
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 172.16.107.244
NS_LDAP_SEARCH_BASEDN= dc=solaris,dc=local
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=solaris,dc=local
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=solaris,dc=local
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


nsswitch.conf:

# the following two lines obviate the "+" entry in /etc/passwd and
/etc/group.
passwd:     files ldap [NOTFOUND=return]
group:      files ldap [NOTFOUND=return]

# consult /etc "files" only if ldap is down.
hosts:      dns files

AD authentication is working some level and it restricted to only one user.

*b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben
<http://infra.com/ben>:*
auth:x:643400008:643400008:auth auth:/home/auth:/bin/sh
shyam:x:643400007:643400007:shyam A:/export/home/shyam:/bin/bash
jude:x:643400006:643400006:jude joseph:/export/home/jude:/bin/bash
admin:x:643400000:643400000:Administrator:/home/admin:/bin/bash

other than user "ben" all other users are local IPA users.

how can i troubleshot this issue

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] solaris 10 ad authentication happening with only one user

Reply via email to