On Mon, Jun 04, 2012 at 11:51:47PM -0400, Rob Crittenden wrote:
> free...@noboost.org wrote:
> >Hi All,
> >
> >I'm sooo close to getting my Solaris 10 (SPARC) client to work with IPA
> >
> >Server:
> >- Red Hat Enterprise Linux Server release 6.2
> >ipa-admintools-2.1.3-9.el6.x86_64
> >ipa-client-2.1.3-9.el6.x86_64
> >ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >ipa-pki-common-theme-9.0.3-7.el6.noarch
> >ipa-python-2.1.3-9.el6.x86_64
> >ipa-server-2.1.3-9.el6.x86_64
> >ipa-server-selinux-2.1.3-9.el6.x86_64
> >
> >
> >Client:
> >Solaris 10 - Sparc
> >SunOS lyra 5.10 Generic_141414-02 sun4u sparc SUNW,Sun-Fire-V210
> >
> >
> >Issue:
> >On ssh login, /var/log/authlog reports "user not found"
> >
> >
> >FILE: /var/log/authlog
> >Jun 5 12:07:11 lyra sshd[1250]: [ID 525286 auth.debug] PAM-KRB5 (auth):
> >end: Success
> >Jun 5 12:07:11 lyra sshd[1250]: [ID 896952 auth.debug] pam_unix_auth:
> >entering pam_sm_authenticate()
> >Jun 5 12:07:11 lyra sshd[1250]: [ID 219349 auth.debug] pam_unix_auth:
> >user craig not found
> >Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.info]
> >Keyboard-interactive (PAM) userauth failed[13] while authenticating: No
> >account present for user
> >Jun 5 12:07:11 lyra sshd[1250]: [ID 800047 auth.notice] Failed
> >keyboard-interactive for craig from 192.168.0.103 port 48658 ssh2
> >
> >
> >- Additionally, I can log in via "su - craig" from a root account, but not
> >when auth is required.
> >
> >-bash-3.00$ su - craig
> >Password:
> >su: Unknown id: craig
> >
> >getent even works;
> ># getent passwd craig
> >craig:*:343:135:Craig:/home/craig:/bin/bash
> >
> >Plus kerberos works, when simply running `kinit craig`.
> >
> >
> >
> >Any tips??
>
> What have you done so far to configure the machine?
>
> rob
I've just done my best to follow the IPA manual;
=
# cat /var/ldap/ldap_client_file
#
# Do not edit this file manually; your changes will be lost.Please use
# ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.0.214
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= anonymous
NS_LDAP_SERVICE_SEARCH_DESC=
passwd:cn=users,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC=
group:cn=groups,cn=accounts,dc=example,dc=com
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=homeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
--
# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = sysvm-ipa.example.com
admin_server = sysvm-ipa.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
--
bash-3.00# grep krb /etc/pam.conf
login auth sufficient pam_krb5.so.1 try_first_pass debug
other auth sufficient pam_krb5.so.1 debug
other account requiredpam_krb5.so.1 debug
other password sufficient pam_krb5.so.1 debug
--
=
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users