[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

mohammad sereshki mohammadsereshki at yahoo.com
Mon Sep 8 10:49:31 UTC 2014



Hi,
Please go ahead with the structure below. It works!



Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

  
          
  


________________________________
 From: Gerardo Padierna <asl.gerardo at gmail.com>
To: freeipa-users at redhat.com 
Sent: Monday, September 8, 2014 2:14 PM
Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for
    Linux/Unix clients ssh authentication (with kerberos). 
I've managed to successfully set up debian clients (via sssd and
    also on older debians, through libnss and pam_krb5). But for some
    reason I can't authenticate ssh on Solaris10 clients. 
On the Solaris box, I've followed the steps outlined here: 
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and
    id <user> work), but unfortunately, the ssh user
    authentication fails with an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No
    such file or directory

On the solaris clients, does there need to be a keytab in /etc/krb5/
    directory copied over from the IPA server? (I didn't have to set up
    a keytab file for the legacy debian clients, and in the
    solaris-clients doc previously mentioned, there's no mention of it).
    Well, since I read somewhere the keytab file needs to be there, I
    copied it over from the IPA server to the solaris clients. Then I
    get a different error: 
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not
    found

This error seems to indicate that there isn't a matching entry
    found in the keytab file, so I added an entry for the solaris
    client, but I'm still getting the same 'Key table entry not found'
    error (it could be the entry I added is wrong, of course). But, for
    now, just want to be sure: On the solaris clients, do I need an
    /etc/krb5/krb5.keytab file?  (if yes, why not in the non-sssd Debian
    hosts then?)

Thanks in advance,

-- 
  
Gerardo Padierna Nanclares 
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware] 
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana 
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A 
Tel: 961 208973 
Email: asl.gerardo at gmail.com 