On 09/14/2012 01:34 AM, Mullen, Jonathan W. wrote:
> Hello All,
>
> I'm in the process of setting up a ZFS file server that authenticates against
> our freeipa infrastructure. I'm running into a few issues, and a lot of
> confusion between discrepancies in the documentation. Specifically between
> (http://freeipa.com/page/ConfiguringSolarisClients) and
> (http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html)
Hope those comments help
https://bugzilla.redhat.com/show_bug.cgi?id=815533
https://bugzilla.redhat.com/show_bug.cgi?id=815515

> userA is a freeipa user
>
> SSH with kerberos ticket already acquired:
>
> CLIENT:~ userA$ ssh server.domain -l userA
> Last login: Thu Sep 13 22:43:42 2012 from IP
> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
> -bash-4.0$ passwd
> passwd: Changing password for userA
> Enter existing login password:
> Unexpected failure. Password file/table unchanged.
> -bash-4.0$ su
> Password:
> # passwd userA
> Enter userA's password:
> passwd: userA does not exist.
> Permission denied
> # exit
> exit
>
> SSH with password login (notice the LACK of 'passwd: userA does not exist.'
> as opposed to with kerberos):
>
> CLIENT:~ userA$ ssh server.domain -l userA
> Password:
> Last login: Thu Sep 13 22:59:02 2012 from IP
> OpenIndiana (powered by illumos) SunOS 5.11 oi_151a5 June 2012
> -bash-4.0$ passwd
> passwd: Changing password for userA
> Enter existing login password:
> Unexpected failure. Password file/table unchanged.
> -bash-4.0$
>
>
> Here is my pam.conf, you can see the comments showing the various
> configurations. The current one works the "best" in that BOTH "getent passwd"
> and "getent passwd userA" work. Some configurations only "getent passwd userA"
> would work, and not "getent passwd". No
>
> My aim here is to get password changes working so I can capture smb passwords
> for SMB/CIFS.
>
> Does anyone have a working OpenIndiana and freeIPA setup for SMB shares? If
> so would you be so kind as to help me with some sample configs?
>
> <PAM CONFIG>
> # Authentication management
> #
> # login service (explicit because of pam_dial_auth)
> #
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> #login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1 use_first_pass
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth required pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> #
> # GDM Autologin (explicit because of pam_allow). These need to be
> # here as there is no mechanism for packages to amend pam.conf as
> # they are installed.
> #
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> #passwd auth required pam_passwd_auth.so.1
> passwd auth binding pam_passwd_auth.so.1 server_policy
> passwd auth required pam_ldap.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # cups service (explicit because of non-usage of pam_roles.so.1)
> #
> cups account required pam_unix_account.so.1
> #
> # GDM Autologin (explicit because of pam_allow) This needs to be here
> # as there is no mechanism for packages to amend pam.conf as they are
> # installed.
> #
> gdm-autologin account sufficient pam_allow.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> #other account requisite pam_roles.so.1
> #other account optional pam_unix_account.so.1
> #other account optional pam_krb5.so.1 debug
> other account requisite pam_roles.so.1
> other account binding pam_unix_account.so.1 server_policy
> other account required pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1 server_policy
> #other password sufficient pam_krb5.so.1
> #other password required pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
> #
>
> other password required pam_smb_passwd.so.1 nowarn
> </PAM CONFIG>
>
> Jonathan Mullen
> jonat...@ou.edu
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
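As an added example (not code from the thread or from FreeIPA), a small Python parser for the Solaris pam.conf format quoted above that resolves the stack PAM actually runs for a service/type pair, applying the pam.conf(4) rule that the `other` entries are used only when the service has no entry of that module type. The embedded excerpt is constructed from the quoted config, and running it shows which modules are in play for the `passwd` command's auth and password phases.

```python
"""Resolve the effective Solaris pam.conf stack for a service/type pair.
Added example, not from the thread. Assumed pam.conf(4) rules: '#' starts a
comment; a service falls back to 'other' only when it has no entry of that type."""
from collections import defaultdict

# Constructed excerpt of the pam.conf quoted in the thread (passwd auth and
# default password stacks); commented-out entries are kept to show they are skipped.
SAMPLE_PAM_CONF = """\
#passwd auth required pam_passwd_auth.so.1
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
#other password sufficient pam_krb5.so.1
other password required pam_smb_passwd.so.1 nowarn
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out entries
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf entry: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return dict(stacks)

def effective_stack(stacks, service, mtype):
    """Stack PAM runs: the service's own entries if any, else the 'other' entries."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def modules_for(stacks, service, mtype):
    """Module names in the effective stack, e.g. what handles a passwd password change."""
    return [module for _, module, _ in effective_stack(stacks, service, mtype)]

if __name__ == "__main__":
    conf = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype in ("auth", "password"):
        print("passwd/%s -> %s" % (mtype, " ".join(modules_for(conf, "passwd", mtype))))
```

Pointing `parse_pam_conf` at the real `/etc/pam.conf` makes it easy to confirm, before testing interactively, whether the password stack a service falls back to contains any module able to reach the directory or the KDC.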