[Freeipa-devel] Solaris 10 x86 client

Rob Crittenden rcritten at redhat.com
Wed Jan 9 20:42:30 UTC 2008


Simo Sorce wrote:
> On Wed, 2008-01-09 at 10:25 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>>>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
>>>> ever so clear why IPA is needed. It took me the better part of a day to 
>>>> get it sort of working.
>>>>
>>>> The steps are still very rough around the edges so I'm not ready to 
>>>> provide any documentation yet but I did run into some problems that I 
>>>> need some guidance on.
>>>>
>>>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
>>>> commenting this out in the IPA kdc.conf I was able to generate a usable 
>>>> keytab. If this was there I got all sorts of errors. What is the impact, 
>>>> if any, if we drop this? Or is there some other workaround? I tried 
>>>> pulling just one enctype into the keytab; perhaps more than 1 is needed.
>>> ipa-getkeytab should be run on the machine that will get the keytab, as
>>> it selects only the locally supported encryption types.
>>> Another way is to use it on a box where you customize the permitted
>>> encryption types in krb5.conf to match what Solaris supports.
>> Ok, so practically does this mean we'll need to install ipa-admintools 
>> on all client machines? Or how will we provide an automated way to 
>> provide keytabs to new client machines?
> 
> I think the keytab util is in the client tools, I put it there on
> purpose.

OK, I see it now. Unfortunately it doesn't build on a stock Solaris 10 
machine. It seems to require some MIT Kerberos headers that aren't 
available.

rob