[Freeipa-users] Solaris 11 client

Sigbjorn Lie sigbjorn at nixtra.com
Mon Apr 23 19:25:17 UTC 2012


On 04/23/2012 03:00 PM, Simo Sorce wrote:
> On Mon, 2012-04-23 at 10:44 +0200, Sigbjorn Lie wrote:
>>>> Perform step 1-5 in the docs:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
>>>>
>>>> Please note that there is a default DUAProfile with IPA that allows you
>>>> to skip the manual configuration of ldapclient, and just do "ldapclient init ipa-server-fqdn". I
>>>> don't understand why the documentation says to do a manual configuration of ldapclient. The
>>>> example provided also does a lot of unnecessary attribute mapping.
>>> The documentation includes a manual configuration so one can do it if
>>> desired.
>>>
>> The documentation includes only the manual configuration. Using a DUAProfile is easier both for
>> installing, and maintaining the Solaris clients as they will re-read configuration from the DUA
>> profile periodically. Manual configuration should be avoided if possible.
>>
>> Do you want me to open a DOC BUG to have this changed?
> Please do.
>
Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815533

>> AND include a more functional DUAProfile by default configuring the clients for ethers and
>> automount support as well.
>>
>> Do you want me to open a ticket for this? The profile I sent in the previous email can be used as
>> a template.
> Yes please.

Please see: https://bugzilla.redhat.com/show_bug.cgi?id=815515


>
>>>> However I cannot log on to the console. Enabling debugging on pam tells me:
>>>>
>>>>
>>>> Apr 22 22:54:03 solaris11 login: [ID 179272 auth.debug] PAM-KRB5 (auth):
>>>> attempt_krb5_auth: krb5_get_init_creds_password returns: Decrypt
>>>> integrity check failed
>>>>
>>>> There was an issue on Solaris 10 with incorrect configuration to allow
>>>> aes256 support, only aes128 and downwards were enabled by default. This does not seem to be the
>>>> case for Solaris 11.
>>>>
>>>> Does anyone else get the same decrypt failed issue?
>>>>
>>> I tested Solaris 10 x86 many moons ago and IIRC console login worked for me.
>>>
>> Yes, Solaris 10 works just fine for console login, both x86 and sparc. This seems to be an issue in
>> Solaris 11. It could be a configuration error, I just haven't had time to look into it yet. We do
>> not use Solaris 11 in production as per today.
> Do you see anything special on the KDC side when you get that error in
> the console ?
>
> Do you play with enctypes when you obtain the system keytab ?

I did not look at the KDC logs. And yes, I did try to limit the enc 
types to 3des and below, it still did not work.

I will have to visit this again later.



Rgds,
Siggi




