[Freeipa-devel] Solaris 10 x86 client

David O'Brien daobrien at redhat.com
Thu Jan 10 06:34:59 UTC 2008


Simo Sorce wrote:
> On Tue, 2008-01-08 at 23:33 -0500, Rob Crittenden wrote:
>   
>> Trying to get a Solaris 10 x86 client talking to my IPA server makes it 
>> ever so clear why IPA is needed. It took me the better part of a day to 
>> get it sort of working.
>>
>> The steps are still very rough around the edges so I'm not ready to 
>> provide any documentation yet but I did run into some problems that I 
>> need some guidance on.
>>
>> 1. Solaris 10 x86 (at least) doesn't support the key type aes256-cts. By 
>> commenting this out in the IPA kdc.conf I was able to generate a usable 
>> keytab. If this was there I got all sorts of errors. What is the impact, 
>> if any, if we drop this. Or is there some other workaround? I tried 
>> pulling just one enctype into the keytab, perhaps more than 1 is needed.
>>     
>
> ipa-getkeytab should be run on the machine that will get the keytab, as
> it selects only the locally supported encryption types.
> Another way is to use it on a box where you customize the permitted
> encryption types in krb5.conf to match what Solaris supports
>
>   
>> 2. We need to add shadowAccount to the default list of user objectclasses
>>     
>
> No please, why would we ?
>
>   
>> 3. There is no pam_mkhomedir for Solaris. I have a super-ugly hack in 
>> place using the Linux-PAM-0.99.9.0 so it works but has problems like 
>> zero error reporting.
>>     
>
> Not our concern in 1.0
>
>   
>> 4. I'm not entirely certain that the pam.conf I have is doing the right 
>> thing. I'll see about cleaning it up and posting it for review.
>>     
>
> ok
>
>   
>> I run Solaris in a VM so this may be part of the problem but I was 
>> getting an error about a non-matching network address. This was likely 
>> due to some NATing between my Solaris VM and my IPA VM. I worked around 
>> it for the short term by adding no_addresses=true to the Solaris krb5.conf.
>>     
>
> we need to document these tweaks
>   
I'm assuming this is only a Solaris issue? I do all my testing in VMs 
and haven't had an error like that, but so far I've only used F7. I'm 
due to start on Solaris and Mac soon so anything you discover and find 
fixes for the better it'll be for me  :-)
>   
>> I also haven't configured LDAP to use SSL. Right now it does anonymous 
>> searches for things. I also don't have all the mappings in place, just 
>> passwd and group.
>>     
>
> This is ok for now, SSL adds a lot of load and I think we shouldn't
> force people to use it by default for now.
>
>   
>> Anyway, the things that do work:
>>
>> 1. getent passwd and getent group
>> 2. id <user>
>> 3. local user login using Kerberos credentials
>> 4. non-local user login using Kerberos credentials
>> 5. automatic home directory creation (hacky)
>> 6. local user login using local credentials and no Kerberos password 
>> lets me in
>>     
>
> Great, very good job, thanks!
>
> Simo.
>
>   
+1 !  The more you find & fix before I get to it the better I like it  
:) In fact, your first comment prompts me to wait until you smooth out 
the rough edges and have some initial doc for me to play with, since 
I'll be learning Solaris at the same time...

cheers
/dob

-- 

David O'Brien <mailto:daobrien at redhat.com>
RHCT

Red Hat is #1 in value. Again.
http://apac.redhat.com/promo/vendor/
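Added example for item 1 above (keytab enctypes the client cannot use); this is not code from the thread or from the FreeIPA project. Simo's point is that the keytab should only carry enctypes the client supports, so before touching kdc.conf it helps to compare what `klist -ke` reports for the keytab against the client's permitted list. The `klist -ke` lines below are constructed sample output for a hypothetical host principal, and the permitted list is an assumption standing in for whatever the Solaris box actually supports (check it on the client rather than copying this list):

```shell
#!/bin/sh
# Added example, not FreeIPA code: report keytab enctypes that the client
# does not support, so the keytab (or the enctypes ipa-getkeytab is allowed
# to request) can be trimmed instead of editing the KDC configuration.

# Constructed sample of `klist -ke` output; the principal and realm are
# hypothetical. On a real host use: klist -ke /etc/krb5.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/solaris10.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/solaris10.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 host/solaris10.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   2 host/solaris10.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Assumption: the enctypes the client supports. This list is illustrative
# only; take the real one from the client's krb5.conf / kinit behaviour.
CLIENT_ENCTYPES="aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac"

# unsupported_enctypes KLIST_OUTPUT PERMITTED_LIST
# Prints, one per line, every enctype found in the keytab listing that is
# not in the space-separated PERMITTED_LIST. Prints nothing if all match.
unsupported_enctypes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*(\([^)]*\)).*/\1/p' \
        | sort -u \
        | while read -r et; do
            case " $2 " in
                *" $et "*) ;;                 # supported by the client
                *) printf '%s\n' "$et" ;;     # would break the client
            esac
        done
}

# Stand-alone usage: list the enctypes the client would choke on.
unsupported_enctypes "$SAMPLE_KLIST" "$CLIENT_ENCTYPES"
```

With the sample above the only line printed is aes256-cts-hmac-sha1-96, which matches the symptom in the thread. Running the function on the real `klist -ke` output on the Solaris side, with the client's actual permitted enctypes, tells you whether the keytab was generated with the right restriction before any KDC-side change is considered.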