[Freeipa-users] Solaris 11 client
Ian Chapman
packages at amiga-hardware.com
Tue Jan 10 14:46:31 UTC 2012
Hi,
Has anybody successfully set up a Solaris 11 client (SunOS solaris
5.11 11.0 i86pc i386 i86pc Solaris) with FreeIPA?
I have FreeIPA 2.4.1 running on Fedora 16. I've successfully configured
Fedora, Ubuntu, Mint and FreeBSD clients but for some reason Solaris 11
isn't working.
The Solaris 11 box correctly 'sees' user details for example:
---
root@solaris:~# id exampleuser
uid=2001(exampleuser) gid=2001(exampleuser) groups=2001(exampleuser),199000001(ipausers)
root@solaris:~# finger exampleuser
Login name: exampleuser In real life: Example User
Directory: /home/exampleuser Shell: /bin/bash
Never logged in.
No unread mail
No Plan.
---
I can successfully obtain a Kerberos ticket for the user, e.g.:
---
root@solaris:~# kinit exampleuser
Password for exampleuser@HOME.LAN:
root@solaris:~#
---
And PAM is configured (in /etc/pam.conf) to use Kerberos for authentication.
The Keytab looks normal to me:
---
1 host/solaris.home.lan@HOME.LAN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
1 host/solaris.home.lan@HOME.LAN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
1 host/solaris.home.lan@HOME.LAN (Triple DES cbc mode with HMAC/sha1)
1 host/solaris.home.lan@HOME.LAN (ArcFour with HMAC/md5)
1 nfs/solaris.home.lan@HOME.LAN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
1 nfs/solaris.home.lan@HOME.LAN (AES-128 CTS mode with 96-bit SHA-1 HMAC)
1 nfs/solaris.home.lan@HOME.LAN (Triple DES cbc mode with HMAC/sha1)
1 nfs/solaris.home.lan@HOME.LAN (ArcFour with HMAC/md5)
---
Looking at the server logs I see the following. This looks normal to me,
when running kinit exampleuser
---
Jan 10 22:38:56 rex.home.lan krb5kdc[12595](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: NEEDED_PREAUTH: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Additional pre-authentication required
Jan 10 22:39:03 rex.home.lan krb5kdc[12591](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN
---
When attempting to authenticate (through the PAM stack) as exampleuser
with the same password I see:
---
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jan 10 22:41:21 rex.home.lan krb5kdc[12592](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: PREAUTH_FAILED: exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN, Decrypt integrity check failed
---
This seems to suggest that either the password is wrong (but I know I'm
typing the right password) or there is a decryption error. I'm confused
by the fact that kinit works but PAM doesn't. Any ideas?
--
Ian Chapman.
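
Added example (not part of the original post, and not FreeIPA or MIT krb5 code): a small Python triage helper for krb5kdc AS_REQ log lines like the ones quoted above. It decodes the requested enctype numbers and groups requests by client address and principal, so a pair that both obtained a TGT and failed pre-authentication stands out. The function names are hypothetical, and the sample lines are constructed from the post's log excerpt (unwrapped, "@" restored, PIDs normalised).

```python
import re
from collections import defaultdict

# Kerberos enctype numbers seen in the post's AS_REQ lines (MIT krb5 names).
ETYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Matches the AS_REQ line shape shown in the post; ISSUE lines carry an
# extra "authtime ..., etypes {...}, " segment before the principal.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<princ>\S+) for (?P<service>[^\s,]+)")

def parse_as_req(line):
    """Return a dict for one krb5kdc AS_REQ log line, or None if it is not one."""
    m = AS_REQ.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [ETYPES.get(int(n), "etype-" + n) for n in rec["etypes"].split()]
    return rec

def mixed_outcomes(lines):
    """(client, principal) pairs that both got a TGT and failed preauth."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_as_req, lines)):
        seen[(rec["client"], rec["princ"])].add(rec["status"])
    return sorted(k for k, s in seen.items() if {"ISSUE", "PREAUTH_FAILED"} <= s)

# Constructed sample input, modelled on the log excerpt in the post.
_KDC = "rex.home.lan krb5kdc[12592](info): "
_REQ = _KDC + "AS_REQ (4 etypes {18 17 16 23}) 192.168.1.56: "
_WHO = "exampleuser@HOME.LAN for krbtgt/HOME.LAN@HOME.LAN"
SAMPLE = [
    "Jan 10 22:38:56 " + _REQ + "NEEDED_PREAUTH: " + _WHO
    + ", Additional pre-authentication required",
    "Jan 10 22:39:03 " + _REQ
    + "ISSUE: authtime 1326206343, etypes {rep=18 tkt=18 ses=18}, " + _WHO,
    "Jan 10 22:41:21 " + _KDC
    + "preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Jan 10 22:41:21 " + _REQ + "PREAUTH_FAILED: " + _WHO
    + ", Decrypt integrity check failed",
]

if __name__ == "__main__":
    for pair in mixed_outcomes(SAMPLE):
        print("issued and failed preauth:", pair)
```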