[Freeipa-users] Solaris 11 client

Ian Chapman packages at amiga-hardware.com
Tue Jan 10 14:46:31 UTC 2012


Hi,

Has anybody successfully set up a Solaris 11 client (SunOS solaris 
5.11 11.0 i86pc i386 i86pc Solaris) with FreeIPA?

I have FreeIPA 2.4.1 running on Fedora 16. I've successfully configured 
Fedora, Ubuntu, Mint and FreeBSD clients but for some reason Solaris 11 
isn't working.

The Solaris 11 box correctly 'sees' user details for example:

---

root@solaris:~# id exampleuser
uid=2001(exampleuser) gid=2001(exampleuser) groups=2001(exampleuser),199000001(ipausers)

root@solaris:~# finger exampleuser
Login name: exampleuser                 In real life: Example User
Directory: /home/exampleuser            Shell: /bin/bash
Never logged in.
No unread mail
No Plan.

---

I can successfully obtain a Kerberos ticket for the user. E.g.:

---

root@solaris:~# kinit exampleuser
Password for exampleuser@HOME.LAN:
root@solaris:~#

---

And PAM is configured (in /etc/pam.conf) to use Kerberos for authentication.

The Keytab looks normal to me:

---

    1 host/solaris.home.lan@HOME.LAN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    1 host/solaris.home.lan@HOME.LAN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    1 host/solaris.home.lan@HOME.LAN (Triple DES cbc mode with HMAC/sha1)
    1 host/solaris.home.lan@HOME.LAN (ArcFour with HMAC/md5)
    1 nfs/solaris.home.lan@HOME.LAN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
    1 nfs/solaris.home.lan@HOME.LAN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
    1 nfs/solaris.home.lan@HOME.LAN (Triple DES cbc mode with HMAC/sha1)
    1 nfs/solaris.home.lan@HOME.LAN (ArcFour with HMAC/md5)

---

Looking at the server logs I see the following. This looks normal to me, 
when running kinit exampleuser:

---

Jan 10 22:38:56 rex.home.lan krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: NEEDED_PREAUTH: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Additional pre-authentication required
Jan 10 22:39:03 rex.home.lan krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN

---

When attempting to authenticate (through the PAM stack) as exampleuser 
with the same password I see:

---

Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: PREAUTH_FAILED: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Decrypt integrity check failed

---

This seems to suggest that either the password is wrong (but I know I'm 
typing the right password) or there is a decryption error. I'm confused 
by the fact that kinit works but PAM doesn't. Any ideas?


-- 
Ian Chapman.
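
An added example, not part of the original post: a small Python parser for the krb5kdc AS_REQ lines quoted above (re-joined onto single lines, with the list archive's " at " restored to "@") that pairs issued and failed requests per client and principal so the etype offers of the two attempts can be compared. The function names and the report layout are assumptions made for this illustration.

```python
import re

# Enctype numbers seen in the log, with their standard Kerberos names.
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          16: "des3-cbc-sha1", 23: "arcfour-hmac"}

# One krb5kdc AS_REQ line: offered etypes, client address, status, principal.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<principal>\S+) for (?P<service>[^\s,]+)")

# Log lines from the post, re-joined onto single lines.
SAMPLE = """\
Jan 10 22:38:56 rex.home.lan krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: NEEDED_PREAUTH: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Additional pre-authentication required
Jan 10 22:39:03 rex.home.lan krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: PREAUTH_FAILED: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Decrypt integrity check failed
"""

def parse_as_reqs(text):
    """Return one dict per AS_REQ line; other KDC lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ.search(line)
        if m:
            ev = m.groupdict()
            ev["etypes"] = [int(n) for n in ev["etypes"].split()]
            ev["etype_names"] = [ETYPES.get(n, str(n)) for n in ev["etypes"]]
            events.append(ev)
    return events

def mixed_outcomes(events):
    """Report (client, principal) pairs that were both issued a TGT and failed preauth."""
    by_pair = {}
    for ev in events:
        by_pair.setdefault((ev["client"], ev["principal"]), []).append(ev)
    report = {}
    for pair, evs in by_pair.items():
        ok = [e["etypes"] for e in evs if e["status"] == "ISSUE"]
        bad = [e["etypes"] for e in evs if e["status"] == "PREAUTH_FAILED"]
        if ok and bad:
            report[pair] = {"issued": len(ok), "failed": len(bad),
                            "same_etype_offer": all(b in ok for b in bad)}
    return report

if __name__ == "__main__":
    for pair, result in mixed_outcomes(parse_as_reqs(SAMPLE)).items():
        print(pair, result)
```
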
