<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 01/07/2015 06:36 AM, Ben .T.George
      wrote:<br>
    </div>
    <blockquote
cite="mid:CA+C_GOXZW2KyG7dZBgahg6NuWM-BrGut2zB-yko=Zp8ae7y6Dw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi
        <div><br>
        </div>
        <div>If I check an IPA client machine enrolled with ipa-client, the
          krb5.conf file looks like below:</div>
        <div><br>
        </div>
        <div>
          <pre>[root@kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = SOLIPA.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  SOLIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .solipa.local = SOLIPA.LOCAL
  solipa.local = SOLIPA.LOCAL
</pre>
          <div><br>
          </div>
          <div>and the includedir /var/lib/sss/pubconf/krb5.include.d/
            is including :</div>
          <div><br>
          </div>
          <pre>[root@kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
</pre>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Could anyone please help me prepare a proper krb5.conf file
            for the Solaris box?</div>
          <div><br>
          </div>
          <div>IPA Server is : kwtpocpbis01.solipa.local</div>
          <div>Solaris (client) : kwttestsolaris10.solipa.local</div>
          <div>Active Directory: <a moz-do-not-send="true"
              href="http://kwttestdc001.kwttestdc.com">kwttestdc001.kwttestdc.com</a></div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Regards,</div>
          <div>Ben</div>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Wed, Jan 7, 2015 at 2:11 PM, Ben
              .T.George <span dir="ltr"><<a moz-do-not-send="true"
                  href="mailto:bentech4you@gmail.com" target="_blank">bentech4you@gmail.com</a>></span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div dir="ltr">Hi List
                  <div><br>
                  </div>
                  <div>Correct me if I am wrong.</div>
                  <div><br>
                  </div>
                  <div>Currently my client krb5.conf holds AD details,
                    and my client is Solaris.</div>
                  <div><br>
                  </div>
                  <div>Here is my file.</div>
                  <div><br>
                  </div>
                  <pre>bash-3.2# more /etc/krb5/krb5.conf
[libdefaults]
default_realm = KWTTESTDC.COM

[realms]
KWTTESTDC.COM = {
kdc = kwttestdc001.kwttestdc.com:88
admin_server = kwttestdc001.kwttestdc.com:749
}

[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
        period = 1d
        versions = 10
        }

[appdefaults]
kinit = {
renewable = true
forwardable = true
}
</pre>
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                  <div>Could anyone please verify whether this is right or wrong?</div>
                  <div><br>
                  </div>
                  <div>Regards,</div>
                  <div>Ben</div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    OK, there seems to be a confusion at least on my side.<br>
    I see several options in this situation.<br>
    <br>
    Option 1: You use your Solaris box with AD directly.<br>
    I do not think this is what you are trying to do. AFAIR you are
    trying to connect it to IPA and use trusts. But direct connection
    should be possible.<br>
    <br>
    Option 2: Connect Solaris to IPA while it is in trust with AD<br>
    In this case you need to use LDAP for authentication and identity
    lookup and point your client to compat tree. You can't use Kerberos.
    Kerberos on Solaris does not know anything about the trust. If you
    make it use Kerberos from IPA then you would be able to use only
    users from IPA. If you need to use Kerberos then we return to option
    1.<br>
    <br>
    Option 3: Create a split brain configuration: authentication using
    Kerberos will go to AD directly while identity will come from IPA's
    compat tree.<br>
    This is potentially possible but this is an uncharted and not
    recommended territory.<br>
    <br>
    Option 4: Try to build SSSD for Solaris.<br>
    If it were easy we would have done it ourselves, but patches are
    always welcome. :-)<br>
    <br>
    Option 5: Stop using Solaris.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
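    <br>
    As an added example (not part of this thread, and not FreeIPA's or
    Solaris' own code): a small Python parser for the krb5.conf syntax used
    in both files quoted above, plus a check that reports every
    [domain_realm] mapping whose realm has no kdc line in [realms]. That is
    exactly the state the IPA-side file ends up in once the includedir
    fragment adds the AD realm: the mapping exists, but the KDC can only be
    found through DNS, which is the kind of gap a Solaris client that does
    not understand the trust will trip over. The two sample configs are
    constructed from the thread (the includedir fragment is pasted in at the
    end instead of read from disk, and the Solaris [logging] and
    [appdefaults] sections are dropped for brevity); treating an unset
    dns_lookup_kdc as off is this checker's own conservative choice, not the
    library's default.<br>

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Solaris /etc/krb5/krb5.conf from the thread,
# trimmed to the sections the check looks at.
SOLARIS_KRB5_CONF = """\
[libdefaults]
default_realm = KWTTESTDC.COM

[realms]
KWTTESTDC.COM = {
kdc = kwttestdc001.kwttestdc.com:88
admin_server = kwttestdc001.kwttestdc.com:749
}

[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
"""

# Constructed sample: the ipa-client-install config with the includedir
# fragment (domain_realm_solipa_local) appended, which is how the library
# sees it after reading the directory (assumption: inlined instead of read).
IPA_KRB5_CONF = """\
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = SOLIPA.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  SOLIPA.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .solipa.local = SOLIPA.LOCAL
  solipa.local = SOLIPA.LOCAL

[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
"""

TRUE_WORDS = {'true', 'yes', 'on', '1', 't', 'y'}


def parse_krb5_conf(text: str) -> Tuple[Dict[str, dict], List[str]]:
    """Parse krb5.conf syntax: [section] headers, key = value lines and
    key = { ... } groups nested to any depth.  Returns (config, includes).
    A section that appears twice is merged and repeated keys are kept as
    lists, so a second [domain_realm] block from an includedir fragment
    lands where the library would put it."""
    config: Dict[str, dict] = {}
    includes: List[str] = []
    stack: List[dict] = []            # innermost open group is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith(('include ', 'includedir ')):
            includes.append(line.split(None, 1)[1])
            continue
        header = re.fullmatch(r'\[([^\]]+)\]', line)
        if header:
            stack = [config.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError(f'directive before any [section]: {raw!r}')
        if line == '}':
            if len(stack) < 2:
                raise ValueError('closing brace with no open group')
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f'cannot parse line: {raw!r}')
        key, value = key.strip(), value.strip()
        if value == '{':
            group: dict = {}
            stack[-1].setdefault(key, []).append(group)
            stack.append(group)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError('group opened with { but never closed')
    return config, includes


def check_realm_mappings(config: Dict[str, dict]) -> List[str]:
    """Report each [domain_realm] mapping whose realm has no kdc line in
    [realms].  Such a mapping only works if the library may locate KDCs via
    DNS SRV records, so each finding says which case applies.  An unset
    dns_lookup_kdc counts as off here (this checker's conservative choice)."""
    libdefaults = config.get('libdefaults', {})
    dns_kdc = libdefaults.get('dns_lookup_kdc', ['false'])[-1].lower() in TRUE_WORDS
    realms = config.get('realms', {})
    findings = []
    for domain, targets in config.get('domain_realm', {}).items():
        for realm in targets:
            groups = realms.get(realm, [])
            if any(isinstance(g, dict) and 'kdc' in g for g in groups):
                continue
            how = 'relies on DNS SRV lookup' if dns_kdc else 'dns_lookup_kdc is off'
            findings.append(f'{domain} -> {realm}: no kdc in [realms]; {how}')
    return findings


if __name__ == '__main__':
    for name, text in (('solaris', SOLARIS_KRB5_CONF), ('ipa-client', IPA_KRB5_CONF)):
        config, includes = parse_krb5_conf(text)
        print(name, 'includes:', includes)
        print('\n'.join(check_realm_mappings(config) or ['  every mapped realm has a kdc']))
```

    Running it reports nothing for the Solaris file (its only realm carries a
    kdc line) and four findings for the IPA-side file, all of the "relies on
    DNS SRV lookup" kind; with dns_lookup_kdc unset the same mappings would be
    reported as unreachable, which is the configuration to look for first when
    a client cannot find a KDC for a trusted realm.<br>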
  </body>
</html>