Configuring a Solaris 11.3 system as a FreeIPA client.

I've read various articles, mail list archives, and pages found on Google trying to figure out how to properly make this work. So far, I've only gotten the ability to do su - u...@domain.tld and check getent passwd/group. This successfully works. The things that do not work are ssh and console logins.

This is what I've tried so far:

- Setting authenticationMethod to 'simple:tls': My service account never seems to work and the log says:

      libsldap: Status: 53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform
      libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials

  This isn't the case, as I've tried the credentials multiple times using ldapsearch commands with success. My credentials for my users are correct since I can log in to a CentOS 6 and CentOS 7 client perfectly fine.

These are the steps I took:

- Create host in IPA
- ipa-getkeytab and transferred it to the client
- Created nss database with CA certificate and placed it in /var/ldap with proper permissions
- Configured /etc/krb5/krb5.conf
- Configured nsswitch.conf to be files ldap
- Configured /etc/pam.d/* files accordingly
- Used ldapclient init on the client

Here are my kinit and ldap tests.

    # kinit admin
    Password for ad...@ipa.example.com:
    kinit: no ktkt_warnd warning possible
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ad...@ipa.example.com

    Valid starting                Expires                Service principal
    09/13/17 16:22:29  09/14/17 16:22:29  krbtgt/ipa.example....@ipa.example.com
            renew until 09/20/17 16:22:29

    # ldaplist -l passwd louis.abel
    dn: uid=louis.abel,cn=users,cn=compat,dc=ipa,dc=example,dc=com
            cn: Louis Abel
            objectClass: posixAccount
            objectClass: top
            gidNumber: 1006800013
            gecos: Louis Abel
            uidNumber: 25439
            loginShell: /bin/bash
            homeDirectory: /home/louis.abel
            uid: louis.a...@ad.example.com
            uid: louis.abel

    # ldaplist -l passwd louis.abel2
    dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
            cn: Louis Abel
            objectClass: posixAccount
            objectClass: top
            gidNumber: 1006800001
            gecos: Louis Abel
            uidNumber: 1006800001
            loginShell: /bin/bash
            homeDirectory: /home/louis.abel2
            uid: louis.ab...@ipa.example.com
            uid: louis.abel2

    dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
            cn: Louis Abel
            objectClass: posixAccount
            objectClass: ipaOverrideTarget
            objectClass: top
            gidNumber: 1006800001
            gecos: Louis Abel
            uidNumber: 1006800001
            ipaAnchorUUID: :IPA:ipa.example.com:8babb9a8-5aaf-11e7-9769-00505690319e
            loginShell: /bin/bash
            homeDirectory: /home/louis.abel2
            uid: louis.abel2

My pam configuration files:

/etc/pam.d/other

    auth definitive pam_user_policy.so.1
    auth sufficient pam_krb5.so.1
    auth requisite pam_authtok_get.so.1
    auth required pam_dhkeys.so.1
    auth binding pam_unix_auth.so.1 server_policy
    auth required pam_unix_cred.so.1
    auth sufficient pam_krb5.so.1
    account requisite pam_roles.so.1
    account definitive pam_user_policy.so.1
    account binding pam_unix_account.so.1 server_policy
    account required pam_unix_account.so.1
    account required pam_krb5.so.1
    account required pam_tsol_account.so.1
    session definitive pam_user_policy.so.1
    session required pam_unix_session.so.1
    password definitive pam_user_policy.so.1
    password include pam_authtok_common
    password sufficient pam_krb5.so.1
    password required pam_authtok_store.so.1 server_policy

/etc/pam.d/login

    auth requisite pam_authtok_get.so.1
    auth required pam_dhkeys.so.1
    auth required pam_unix_cred.so.1
    auth sufficient pam_krb5.so.1 try_first_pass
    auth required pam_unix_auth.so.1 use_first_pass
    auth required pam_dial_auth.so.1

    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
    NS_LDAP_BINDPASSWD= removed
    NS_LDAP_SERVERS= pentl01.ipa.example.com, pentl02.ipa.example.com, pentl03.ipa.example.com, sentl01.ipa.example.com, sentl02.ipa.example.com, sentl03.ipa.example.com
    NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= TRUE
    NS_LDAP_SEARCH_TIME= 15
    NS_LDAP_CACHETTL= 6000
    NS_LDAP_PROFILE= default solaris_authssl
    NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=example,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
    NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=ipa,dc=example,dc=com
    NS_LDAP_BIND_TIME= 5
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup

nsswitch changes:

    passwd: files ldap [NOTFOUND=return]
    group: files ldap [NOTFOUND=return]

This is what I looked at:

https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html
https://www.redhat.com/archives/freeipa-users/2015-January/msg00017.html
http://etcfstab.com/oraclelinux/solaris_n_freeipa.html
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.3/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

Anyone have better experience or any documentation that could help?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
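When a login stack like the /etc/pam.d/other and /etc/pam.d/login files quoted in the post is being debugged, it helps to see the stack the way the PAM framework sees it: which entries repeat, which entries can end the stack early, and which auth modules run before the password is collected by pam_authtok_get.so.1. The following is an added example, not code from the post or from the FreeIPA project. It is a small linter for the Solaris 11 pam.d line format ("service-type control-flag module [options]"); the sample stacks embedded in it are constructed copies of the lines quoted above, and the function names are the example's own.

```python
"""Added example: a linter for Solaris-style PAM stack files.

Parses "type control-flag module [options]" lines, then reports duplicate
module entries per service type, modules that can terminate the stack early,
and auth modules placed before the password-collecting pam_authtok_get.so.1.
The sample stacks below are constructed from the lines quoted in the post.
"""
from collections import defaultdict

# Constructed sample: the /etc/pam.d/other stack quoted in the post.
SAMPLE_PAM_OTHER = """\
auth definitive pam_user_policy.so.1
auth sufficient pam_krb5.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account binding pam_unix_account.so.1 server_policy
account required pam_unix_account.so.1
account required pam_krb5.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
password definitive pam_user_policy.so.1
password include pam_authtok_common
password sufficient pam_krb5.so.1
password required pam_authtok_store.so.1 server_policy
"""

# Constructed sample: the /etc/pam.d/login stack quoted in the post.
SAMPLE_PAM_LOGIN = """\
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1 try_first_pass
auth required pam_unix_auth.so.1 use_first_pass
auth required pam_dial_auth.so.1
"""

SERVICE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"binding", "definitive", "include", "optional",
                 "required", "requisite", "sufficient"}
# Flags whose success can end the stack before later entries run.
EARLY_EXIT_FLAGS = {"binding", "definitive", "sufficient"}
PASSWORD_PROMPT_MODULE = "pam_authtok_get.so.1"


def parse_pam_stack(text):
    """Return a list of (type, flag, module, options) tuples; '#' comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected 'type flag module [options]'")
        stype, flag, module, *options = parts
        if stype not in SERVICE_TYPES:
            raise ValueError(f"line {lineno}: unknown service type {stype!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control flag {flag!r}")
        entries.append((stype, flag, module, tuple(options)))
    return entries


def find_duplicate_modules(entries):
    """Map (type, module) -> list of control flags for modules listed more than once in a type."""
    seen = defaultdict(list)
    for stype, flag, module, _ in entries:
        seen[(stype, module)].append(flag)
    return {key: flags for key, flags in seen.items() if len(flags) > 1}


def early_exit_modules(entries, stype="auth"):
    """Modules in the given type whose success can stop the stack before the remaining entries."""
    return [m for t, f, m, _ in entries if t == stype and f in EARLY_EXIT_FLAGS]


def modules_before_password_prompt(entries):
    """Auth modules that run before pam_authtok_get.so.1 collects the password (they must prompt themselves)."""
    before = []
    for stype, _, module, _ in entries:
        if stype != "auth":
            continue
        if module == PASSWORD_PROMPT_MODULE:
            return before
        before.append(module)
    return before  # no pam_authtok_get.so.1 in the auth stack at all


def lint_report(name, text):
    """Print a human-readable summary for one stack file."""
    entries = parse_pam_stack(text)
    print(f"== {name}: {len(entries)} entries")
    for (stype, module), flags in find_duplicate_modules(entries).items():
        print(f"  duplicate in {stype}: {module} listed as {', '.join(flags)}")
    print(f"  auth early-exit modules: {early_exit_modules(entries)}")
    print(f"  auth modules before password prompt: {modules_before_password_prompt(entries)}")


if __name__ == "__main__":
    lint_report("/etc/pam.d/other", SAMPLE_PAM_OTHER)
    lint_report("/etc/pam.d/login", SAMPLE_PAM_LOGIN)
```

Run it as-is to see the two sample stacks summarized, or pass the contents of a real /etc/pam.d/* file to lint_report. On the "other" sample it reports pam_krb5.so.1 listed twice in auth and pam_unix_account.so.1 listed twice in account, and shows that pam_user_policy.so.1 and the first pam_krb5.so.1 run before pam_authtok_get.so.1; on the "login" sample, where pam_krb5.so.1 sits after the prompt with try_first_pass, nothing runs before the password is collected.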