[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

mohammad sereshki mohammadsereshki at yahoo.com
Tue Sep 9 19:15:00 UTC 2014




Dear

The lines below must be configured in pam.conf; also, each host needs a separate keytab. Solaris 11 is the same as Solaris 10.





login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1   try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      pam_krb5.so.1
other   account required        pam_tsol_account.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1




________________________________
 From: Gerardo Padierna <asl.gerardo at gmail.com>
To: mohammad sereshki <mohammadsereshki at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
Sent: Tuesday, September 9, 2014 2:49 PM
Subject: Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hi Mohammad,

This is for Solaris 11; it seems that some of the options for the pam.conf file are not available in Solaris 10 (I think it was the following options:
auth definitive         pam_user_policy.so.1
account required        pam_tsol_account.so.1
password required       pam_authtok_store.so.1
... had to remove them from the pam.conf file..)

Still didn't get the ssh auth to work...

This may be a stupid question, but do you know if the keytab file must be _exactly_ the same as in the IPA server, or does it only need to contain the entries relevant for the (solaris) client? According to the link you're pointing me to, it seems to just take from the server keytab file those entries relevant for the client, create a new keytab file with that content, and copy it over to the client. Is such a 'stripped down' keytab file supposed to work for the client's auth?

Regards,
Gerardo




On 08/09/14 at #4, mohammad sereshki wrote:


>
>hi
>Please go ahead with below structure, It works!
>
>Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>________________________________
> From: Gerardo Padierna <asl.gerardo at gmail.com>
>To: freeipa-users at redhat.com 
>Sent: Monday, September 8, 2014 2:14 PM
>Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
> 
>
>
>Hello folks,
>
>I'm setting up an IPA-server instance aimed to be used primarily for Linux/Unix clients ssh authentication (with kerberos).
>I've managed to successfully set up debian clients (via sssd and also on older debians, through libnss and pam_krb5). But for some reason I can't authenticate ssh on Solaris10 clients.
>On the Solaris box, I've followed the steps outlined here:
>http://www.freeipa.org/page/ConfiguringUnixClients
>and the nss part works fine (things like getent [group | passwd] and id <user> work), but unfortunately, the ssh user authentication fails with an error:
>sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory
>
>On the solaris clients, does there need to be a keytab in /etc/krb5/ directory copied over from the IPA server? (I didn't have to set up a keytab file for the legacy debian clients, and in the solaris-clients doc previously mentioned, there's no mention of it). Well, since I read somewhere the keytab file needs to be there, I copied it over from the IPA server to the solaris clients. Then I get a different error:
>PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
>
>This error seems to indicate that there isn't a matching entry found in the keytab file, so I added an entry for the solaris client, but I'm still getting the same 'Key table entry not found' error (it could be the entry I added is wrong, of course). But, for now, just want to be sure: On the solaris clients, do I need an /etc/krb5/krb5.keytab file?  (if yes, why not in the non-sssd Debian hosts then?)
>
>Thanks in advance,
>
>-- 
>
>Gerardo Padierna Nanclares
>Systems Technician (ASL group) - [Fujitsu / Logware]
>Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
>C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
>Tel: 961 208973
>Email: asl.gerardo at gmail.com
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project
>
>

-- 

Gerardo Padierna Nanclares
Systems Technician (ASL group) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gerardo at gmail.com
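Two offline checks that follow from this thread, written here as an added example (not code from any of the posters or from the FreeIPA project). The first walks a Solaris pam.conf stack with the control-flag semantics from pam.conf(4), so you can see which module decides an sshd login when pam_krb5 fails and whether the stack falls back to the local password. The second parses a `klist -k` listing and reports why pam_krb5's krb5_verify_init_creds() call, which checks the freshly obtained TGT against the host key in the client's keytab, would fail with "Key table entry not found": the keytab copied from the IPA server holds the server's principals, not host/<client>@REALM. The hostnames sol10.example.com / ipa.example.com and the realm EXAMPLE.COM are assumptions, and both `klist -k` listings are constructed.

```python
"""Added example: Solaris PAM stack evaluation and client keytab sanity check."""
import re

# Constructed excerpt of the pam.conf posted in this thread. sshd has no
# entries of its own, so Solaris applies the 'other' stack to it.
SAMPLE_PAM_CONF = """
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      pam_krb5.so.1
"""

# Constructed `klist -k` output: first the IPA server's own keytab copied to
# the client, then a per-host keytab issued for the client (assumed names).
KLIST_COPIED_FROM_SERVER = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 host/ipa.example.com@EXAMPLE.COM
   2 host/ipa.example.com@EXAMPLE.COM
   1 ldap/ipa.example.com@EXAMPLE.COM
   1 HTTP/ipa.example.com@EXAMPLE.COM
"""
KLIST_PER_HOST = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host/sol10.example.com@EXAMPLE.COM
   1 host/sol10.example.com@EXAMPLE.COM
"""


def parse_pam_conf(text):
    """Return (service, type, control_flag, module, options) per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = parts[:4]
        entries.append((service, mtype, control.lower(), module, parts[4:]))
    return entries


def stack_for(entries, service, mtype):
    """Solaris uses the 'other' entries when the service has none of this type."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]


def evaluate_stack(stack, results):
    """Walk a stack with pam.conf(4) control-flag semantics (success/failure only).

    results maps module name -> True/False; unlisted modules are assumed to
    succeed. Returns (outcome, trace); trace lists the modules consulted, so
    the point where the stack short-circuited is visible."""
    required_failed = False
    trace = []
    for _, _, control, module, _ in stack:
        ok = results.get(module, True)
        trace.append((module, control, ok))
        if control == "requisite" and not ok:
            return "fail", trace                  # stop at once
        if control == "definitive":               # Solaris 11 only
            return ("success" if ok else "fail"), trace
        if control in ("required", "binding") and not ok:
            required_failed = True                # remember, keep walking
        if control in ("sufficient", "binding") and ok and not required_failed:
            return "success", trace               # short-circuit success
        # 'optional' results and a failed 'sufficient' are ignored
    return ("fail" if required_failed else "success"), trace


def keytab_principals(klist_output):
    """Parse the KVNO/principal rows of `klist -k` output into (kvno, principal)."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+@\S+)\s*$", klist_output, re.M)
    return [(int(kvno), princ) for kvno, princ in rows]


def _host_part(principal):
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else None


def host_keytab_problems(klist_output, fqdn, realm):
    """Findings that explain a 'Key table entry not found' from pam_krb5."""
    wanted = "host/%s@%s" % (fqdn, realm)
    names = {p for _, p in keytab_principals(klist_output)}
    if not names:
        return ["keytab is empty or unreadable"]
    problems = []
    if wanted not in names:
        problems.append("no entry for %s (present: %s)" % (wanted, ", ".join(sorted(names))))
    others = sorted(n for n in names if _host_part(n) not in (None, fqdn))
    if others:
        problems.append("keys for other hosts present: %s (a client keytab should only carry its own)" % ", ".join(others))
    return problems


if __name__ == "__main__":
    auth = stack_for(parse_pam_conf(SAMPLE_PAM_CONF), "sshd", "auth")
    for krb_ok in (True, False):
        outcome, trace = evaluate_stack(auth, {"pam_krb5.so.1": krb_ok})
        print("sshd auth with pam_krb5=%s -> %s, stopped after %s" % (krb_ok, outcome, trace[-1][0]))
    for label, listing in (("server copy", KLIST_COPIED_FROM_SERVER), ("per-host", KLIST_PER_HOST)):
        print(label, host_keytab_problems(listing, "sol10.example.com", "EXAMPLE.COM") or ["ok"])
```

With the posted stack, a Kerberos failure on the `sufficient` pam_krb5 line is ignored and the `required` pam_unix_auth line decides the login, which is why a broken keytab shows up only as a PAM-KRB5 error in the log while local-password users still get in; the keytab check shows that the copied server keytab fails both on the missing host principal and on carrying other hosts' keys.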