[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

Gerardo Padierna asl.gerardo at gmail.com
Mon Sep 8 09:44:10 UTC 2014


Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for 
Linux/Unix clients ssh authentication (with kerberos).
I've managed to successfully set up debian clients (via sssd and also on 
older debians, through libnss and pam_krb5). But for some reason I can't 
authenticate ssh on Solaris10 clients.
On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and id 
<user> work), but unfortunately, the ssh user authentication fails with
an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such 
file or directory

On the solaris clients, does there need to be a keytab in /etc/krb5/ 
directory copied over from the IPA server? (I didn't have to set up a 
keytab file for the legacy debian clients, and in the solaris-clients doc
previously mentioned, there's no mention of it). Well, since I read
somewhere the keytab file needs to be there, I copied it over from the
IPA server to the solaris clients. Then I get a different error:
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

This error seems to indicate that there isn't a matching entry found in
the keytab file, so I added an entry for the solaris client, but I'm 
still getting the same 'Key table entry not found' error (it could be 
the entry I added is wrong, of course). But, for now, just want to be 
sure: On the solaris clients, do I need an /etc/krb5/krb5.keytab file?  
(if yes, why not in the non-sssd Debian hosts then?)

Thanks in advance,
-- 

*Gerardo Padierna Nanclares*
Systems Technician (ASL group) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gerardo at gmail.com
