[Freeipa-users] Solaris 11 client

Sigbjorn Lie sigbjorn at nixtra.com
Mon Apr 23 08:44:36 UTC 2012


>> Perform steps 1-5 in the docs:
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>
>> Please note that there is a default DUAProfile with IPA that allows you
>> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
>> don't understand why the documentation says to do a manual configuration of ldapclient. The
>> example provided also does a lot of unnecessary attribute mapping.
>
> The documentation includes a manual configuration so one can do it if
> desired.
>

The documentation includes only the manual configuration. Using a DUAProfile is easier both for
installing, and maintaining the Solaris clients as they will re-read configuration from the DUA
profile periodically. Manual configuration should be avoided if possible.

Do you want me to open a DOC BUG to have this changed?

AND include a more functional DUAProfile by default configuring the clients for ethers and
automount support as well.

Do you want me to open a ticket for this? The profile I sent in the previous email can be used as
a template.



>> However I cannot log on to the console. Enabling debugging on pam tells me:
>>
>>
>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
>> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
>> integrity check failed
>>
>> There was an issue on Solaris 10 with incorrect configuration to allow
>> aes256 support, only aes128 and downwards were enabled by default. This does not seem to be the
>> case for Solaris 11.
>>
>> Does anyone else get the same decrypt failed issue?
>>
>
> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
>

Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in
Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do
not use Solaris 11 in production as of today.



Regards,
Siggi




