[Freeipa-devel] Solaris 10 x86 client
Simo Sorce
ssorce at redhat.com
Wed Jan 9 13:06:51 UTC 2008
On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
> Trying to get a Solaris 10 x86 client talking to my IPA server makes it
> ever so clear why IPA is needed. It took me the better part of a day to
> get it sort of working.
>
> The steps are still very rough around the edges so I'm not ready to
> provide any documentation yet but I did run into some problems that I
> need some guidance on.
>
> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By
> commenting this out in the IPA kdc.conf I was able to generate a usable
> keytab. If this was there I got all sorts of errors. What is the impact,
> if any, if we drop this. Or is there some other workaround? I tried
> pulling just one enctype into the keytab, perhaps more than 1 is needed.
ipa-getkeytab should be run on the machine that will get the keytab, as
it selects only the locally supported encryption types.
Another way is to use it on a box where you customize the permitted
encryption types in krb5.conf to match what Solaris supports.
> 2. We need to add shadowAccount to the default list of user objectclasses
No please, why would we?
> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in
> place using the Linux-PAM-0.99.9.0 so it works but has problems like
> zero error reporting.
Not our concern in 1.0
> 4. I'm not entirely certain that the pam.conf I have is doing the right
> thing. I'll see about cleaning it up and posting it for review.
ok
> I run Solaris in a VM so this may be part of the problem but I was
> getting an error about a non-matching network address. This was likely
> due to some NATing between my Solaris VM and my IPA VM. I worked around
> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
we need to document these tweaks
> I also haven't configured LDAP to use SSL. Right now it does anonymous
> searches for things. I also don't have all the mappings in place, just
> passwd and group.
This is ok for now, SSL adds a lot of load and I think we shouldn't
force people to use it by default for now.
> Anyway, the things that do work:
>
> 1. getent passwd and getent group
> 2. id <user>
> 3. local user login using Kerberos credentials
> 4. non-local user login using Kerberos credentials
> 5. automatic home directory creation (hacky)
> 6. local user login using local credentials and no Kerberos password
> lets me in
Great, very good job, thanks!
Simo.
--
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
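As an added example (not from this thread and not a FreeIPA tool), a small Python check for the keytab problem in point 1: it parses a version 2 keytab and lists the entries whose enctype the Solaris 10 client cannot use, so the file can be inspected before it is copied over. The Solaris 10 enctype set and the sample keytab are constructed assumptions, not taken from the thread.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / MIT krb5), used only to name what the keytab holds.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
# Assumption: Solaris 10 without the add-on crypto kit, everything above except aes256-cts.
SOLARIS10_ENCTYPES = {1, 3, 16, 17, 23}

def _counted(data, off):
    """Read a 16-bit length-prefixed octet string (keytab format, big-endian)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # negative size marks a deleted slot
        off += 4
        if size <= 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        (enctype,) = struct.unpack_from(">H", data, off); off += 2
        _key, off = _counted(data, off)
        # A 32-bit kvno trailer is optional; fall back to the 8-bit field when absent.
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def unsupported_entries(data, supported):
    """Entries whose enctype the target client cannot use, as (principal, enctype name)."""
    return [(p, ENCTYPE_NAMES.get(e, str(e))) for p, _k, e in parse_keytab(data) if e not in supported]

def _entry(realm, comps, enctype, key, kvno=1):
    """Build one keytab entry (constructed test data; keys are all-zero placeholders)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 1199880000, kvno)  # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a host keytab holding an aes256-cts key and a des3-cbc-sha1 key.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(b"EXAMPLE.COM", [b"host", b"sol10.example.com"], 18, b"\x00" * 32)
                 + _entry(b"EXAMPLE.COM", [b"host", b"sol10.example.com"], 16, b"\x00" * 24))
```

Running `unsupported_entries(SAMPLE_KEYTAB, SOLARIS10_ENCTYPES)` on the sample reports only the aes256-cts entry, which is the key type the thread says Solaris 10 rejects.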