[Freeipa-devel] Solaris 10 x86 client

Simo Sorce ssorce at redhat.com
Wed Jan 9 13:06:51 UTC 2008


On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
> Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
> ever so clear why IPA is needed. It took me the better part of a day to 
> get it sort of working.
> 
> The steps are still very rough around the edges so I'm not ready to 
> provide any documentation yet but I did run into some problems that I 
> need some guidance on.
> 
> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
> commenting this out in the IPA kdc.conf I was able to generate a usable 
> keytab. If this was there I got all sorts of errors. What is the impact, 
> if any, if we drop this. Or is there some other workaround? I tried 
> pulling just one enctype into the keytab, perhaps more than 1 is needed.

ipa-getkeytab should be run on the machine that will get the keytab, as
it selects only the locally supported encryption types.
Another way is to use it on a box where you customize the permitted
encryption types in krb5.conf to match what Solaris supports.

> 2. We need to add shadowAccount to the default list of user objectclasses

No please, why would we?

> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in 
> place using the Linux-PAM-0.99.9.0 so it works but has problems like 
> zero error reporting.

Not our concern in 1.0

> 4. I'm not entirely certain that the pam.conf I have is doing the right 
> thing. I'll see about cleaning it up and posting it for review.

ok

> I run Solaris in a VM so this may be part of the problem but I was 
> getting an error about a non-matching network address. This was likely 
> due to some NATing between my Solaris VM and my IPA VM. I worked around 
> it for the short term by adding no_addresses=true to the Solaris krb5.conf.

we need to document these tweaks

> I also haven't configured LDAP to use SSL. Right now it does anonymous 
> searches for things. I also don't have all the mappings in place, just 
> passwd and group.

This is ok for now, SSL adds a lot of load and I think we shouldn't
force people to use it by default for now.

> Anyway, the things that do work:
> 
> 1. getent passwd and getent group
> 2. id <user>
> 3. local user login using Kerberos credentials
> 4. non-local user login using Kerberos credentials
> 5. automatic home directory creation (hacky)
> 6. local user login using local credentials and no Kerberos password 
> lets me in

Great, very good job, thanks!

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
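A quick check for the keytab problem discussed above (added example, not code from the thread or from FreeIPA): it lists the enctypes present in a keytab, as printed by MIT-style `klist -kte`, that are missing from the client's supported list. The sample listing and the supported-enctype list are constructed assumptions; take the real list from the client's krb5.conf permitted_enctypes.

```shell
#!/bin/sh
# Added example: report keytab enctypes the client cannot use.
# Assumes MIT-style `klist -kte` output with the enctype in trailing parentheses.

# Constructed sample of `klist -kte` output (not a real keytab listing).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/09/08 13:06:51 host/sol10.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/09/08 13:06:51 host/sol10.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/09/08 13:06:51 host/sol10.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 01/09/08 13:06:51 host/sol10.example.com@EXAMPLE.COM (arcfour-hmac)'

# Enctypes the client supports (assumption for this example; use the list from
# the client's krb5.conf permitted_enctypes or its vendor documentation).
CLIENT_ENCTYPES='aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac'

# keytab_enctypes: read klist output on stdin, print each distinct enctype.
keytab_enctypes() {
    sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p' | sort -u
}

# unsupported_enctypes <klist-output> <space-separated supported list>
# Prints enctypes found in the keytab but absent from the supported list.
unsupported_enctypes() {
    printf '%s\n' "$1" | keytab_enctypes | while IFS= read -r etype; do
        case " $2 " in
            *" $etype "*) ;;              # supported, nothing to report
            *) printf '%s\n' "$etype" ;;  # client cannot use this key
        esac
    done
}

# Anything printed means: regenerate the keytab on the client itself
# (ipa-getkeytab keeps only locally supported enctypes there), or restrict
# permitted_enctypes in krb5.conf on the box running ipa-getkeytab.
unsupported_enctypes "$SAMPLE_KLIST" "$CLIENT_ENCTYPES"
```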
