[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
mohammad sereshki
mohammadsereshki at yahoo.com
Tue Sep 9 19:15:00 UTC 2014
Dear
below must be configured in the pam.conf also each host needs seperate keytab, solaris 11 is same as solaris 10
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account sufficient pam_krb5.so.1
other account required pam_tsol_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
________________________________
From: Gerardo Padierna <asl.gerardo at gmail.com>
To: mohammad sereshki <mohammadsereshki at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Tuesday, September 9, 2014 2:49 PM
Subject: Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
Hi Mohammad,
This is for Solaris 11; it seems that some of the options for the
pam.conf file are not available in Solaris 10 (I think it was the
following options:
auth definitive pam_user_policy.so.1
account required pam_tsol_account.so.1
password required pam_authtok_store.so.1
... had to remove them from the pam.conf file..)
Still didn't get the ssh auth to work...
This may be a stupid question, but do you know if the keytab file
must be _exactly_ the same as in the IPA server, or does it only
need to contain the entries relevant for the (solaris) client?
According to the link you're pointing me to, it seems to just take
from the server keytab file those entries relevant for the client,
create a new keytab file with that content, and copy it over to the
client. Is such a 'stipped down' keytab file supposed to work for
the client's auth?
Regards,
Gerardo
El 08/09/14 a las #4, mohammad sereshki escribió:
>
>hi
>Please go ahead with below structure, It works!
>
>
>
>
>
>Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>
>
>Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index] Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>
>View on www.redhat.com Preview by Yahoo
>
>
>
>
>
>
>________________________________
> From: Gerardo Padierna <asl.gerardo at gmail.com>
>To: freeipa-users at redhat.com
>Sent: Monday, September 8, 2014 2:14 PM
>Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
>
>
>
>Hello folks,
>
>I'm setting up an IPA-server instance aimed to be used
primarily for Linux/Unix clients ssh authentication
(with kerberos).
>I've managed to successfully set up debian clients
(via sssd and also on older debians, through libnss
and pam_krb5). But for some reason I can't
authenticate ssh on Solaris10 clients.
>On the Solaris box, I've followed the steps outiined
here:
>http://www.freeipa.org/page/ConfiguringUnixClients
>and the nss part works fine (things like getent [group
| passwd] and id <user> work), but
unfortunaltely, the ssh user authentication fails with
an error:
>sshd auth.error PAM-KRB5 (auth):
krb5_verify_init_creds failed: No such file or
directory
>
>On the solaris clients, does there need to be a keytab
in /etc/krb5/ directory copied over from the IPA
server? (I didn't have to set up a keytab file fo the
legacy debian clients, and in the solaris-clients doc
previously mentioned, there's no mention of it). Well,
since I read somewhere the keytab file need to be
there, I copied it over from the IPA server to the
solaris clients, Then I get a different error:
>PAM-KRB5 (auth): krb5_verify_init_creds failed: Key
table entry not found
>
>This error seems to indicate that there isn't an
matching entry found in the keytab file, so I added an
entry for the solaris client, but I'm still getting
the same 'Key table entry not found' error (it could
be the entry I added is wrong, of course). But, for
now, just want to be sure: On the solaris clients, do
I need an /etc/krb5/krb5.keytab file? (if yes, why
not in the non-sssd Debian hosts then?)
>
>Thanks in advance,
>
>--
>
>Gerardo Padierna Nanclares
>Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware]
>Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
>C/.Castan Tobeñas 77 – 46018 Valencia –
Edificio A
>Tel: 961 208973
>Email: asl.gerardo at gmail.com
>--
>Manage your subscription for the Freeipa-users mailing
list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project
>
>
--
Gerardo Padierna Nanclares
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel:
961 208973
Email: asl.gerardo at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140909/95c01c23/attachment.htm>
More information about the Freeipa-users
mailing list