[Freeipa-users] Solaris Clients

Luke Kearney luke at kearney.jp
Wed Mar 13 22:08:06 UTC 2013


On Mar 14, 2013, at 6:38 AM, KodaK wrote:

> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <luke at kearney.jp> wrote:
>> Hello,
>> 
>> I have recently been working on integrating our Solaris 10 fleet with FreeIPA. The first 'test' host went relatively smoothly and we recently created a new test host. Only this time it was more challenging to get the system working.
>> 
>> On our original test installation every step went almost exactly as per the documentation [ http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html ]
>> 
>> On the second install we found that whilst we were able to retrieve user account information via LDAP we could not log in via ssh and Kerberos for any amount of trying. This was overcome by inserting the following line into pam.conf
>> 
>> other         account            sufficient              pam_ldap.so.1
>> 
>> Where it had not been needed on test host1.
>> 
>> To the extent it works and doesn't break something else this is all fine. I understand why it works, as the information in LDAP is needed to open the terminal session; why would one need this stanza but not the other?
>> 
> 
> IIRC, the instructions have you pulling information from Kerberos.
> This explicitly allows ldap -- I would suspect that Kerberos isn't
> working correctly on the second host.  Check time first.
> 

Thanks for that - NTP reports that both the Kerberos master and the Solaris client are indeed in sync. In all other respects Kerberos seems to be working properly; a user can obtain a ticket and can use that same ticket to ssh to another host.


> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
