[Freeipa-users] FreeIPA 3.3 and Solaris 10 Client Integration:

Traiano Welcome traiano at gmail.com
Wed Sep 24 11:06:33 UTC 2014


Hi List

I'm currently running IPA 3.3 on Centos 7, and successfully authenticating
Linux clients (Centos 6.5).

I'd like to set up Solaris 10 as an IPA client, but this seems
problematic. I am following this guide:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

I have the following setup:

Solaris client:

- Solaris 10u11 (SunOS 5.10 Generic_147148-26 i86pc i386 i86pc)

IdM Server:

- Linux kwtpocipa001.orion.local 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30
12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux



Going through the steps in the guide: at step 3 ("Create the cn=proxyagent
account"), ldapadd fails with the following error:



"ldapadd: invalid format (line 6) entry:
"cn=proxyagent,ou=profile,dc=orion,dc=local""

---

[root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
manager" -w Cr4ckM0nk3y
dn: cn=proxyagent,ou=profile,dc=orion,dc=local
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
userPassword::
e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=

ldapadd: invalid format (line 6) entry:
"cn=proxyagent,ou=profile,dc=orion,dc=local"
---

I've made the assumption that the extra ":" is a typo in the documentation
and removed it, so the command runs successfully as follows:


---
[root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory
manager" -w Cr4ckM0nk3y

dn: cn=proxyagent,ou=profile,dc=orion,dc=local
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
userPassword:
e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
adding new entry "cn=proxyagent,ou=profile,dc=orion,dc=local"
---


At step 9 (Configure NFS), I get an error that seems to indicate the
"des-cbc-crc" encryption type is unsupported:

---
[root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab -e
des-cbc-crc
Operation failed! All enctypes provided are unsupported
[root@kwtpocipa001 ~]#
---

(Question: How would I add support for des-cbc-crc encryption in
FreeIPA?) I've now worked around this by not specifying any encryption
type:

---
[root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p
nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab
Keytab successfully retrieved and stored in: /tmp/kwtpocipasol10u11.keytab
[root@kwtpocipa001 ~]#
---

Testing that I can see NFS mounts on the CentOS IPA server from the Solaris
machine:

---
bash-3.2# showmount -e kwtpocipa001.orion.local
export list for kwtpocipa001.orion.local:
/data/centos-repo 172.16.0.0/24
bash-3.2#
---


Checking we can kinit:

---
bash-3.2# kinit admin
Password for admin@ORION.LOCAL:
bash-3.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@ORION.LOCAL
Valid starting                Expires                Service principal
09/24/14 11:20:36  09/24/14 12:20:36  krbtgt/ORION.LOCAL@ORION.LOCAL
        renew until 10/01/14 11:20:36
bash-3.2# uname -a
SunOS kwtpocipasol10u11 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2#
---

Testing that I can mount the remote FS (without Kerberos auth). This is
successful (when not using kerberos5 authentication):

---
bash-3.2# mount -F nfs 172.16.107.102:/data/centos-repo /remote/
bash-3.2# mount |grep remote
/remote on 172.16.107.102:/data/centos-repo
remote/read/write/setuid/devices/rstchown/xattr/dev=4f0000a on Wed Sep 24
13:45:32 2014
bash-3.2#
---

Testing with KRB5:

---
bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo /remote/
nfs mount: mount: /remote: Permission denied
bash-3.2#
---

Looking at the krb5kdc logs on the IPA master server, I get the following
error:

---
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2371](info): AS_REQ (6
etypes {18 17 16 23 3 1}) 172.16.107.107: NEEDED_PREAUTH:
host/kwtpocipasol10u11.orion.local@ORION.LOCAL for
krbtgt/ORION.LOCAL@ORION.LOCAL, Additional pre-authentication required
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2373](info): DISPATCH:
repeated (retransmitted?) request from 172.16.107.107, resending previous
response
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2374](info): DISPATCH:
repeated (retransmitted?) request from 172.16.107.107, resending previous
response
.
.
.
Sep 24 13:48:18 kwtpocipa001.orion.local krb5kdc[2373](info): AS_REQ (6
etypes {18 17 16 23 3 1}) 172.16.107.107: CLIENT_NOT_FOUND:
root/kwtpocipasol10u11.orion.local@ORION.LOCAL for
krbtgt/ORION.LOCAL@ORION.LOCAL, Client not found in Kerberos database

---

So it seems the host is not correctly registered.

NOTE: Via the interface, I can see the Solaris client is
not properly enrolled ("Kerberos Key Not Present"), however the
documentation doesn't seem to indicate clearly how this should be done for
a Solaris client. I have regenerated the certificate though, so it shows
"valid certificate present".

My question is: Is the process described in this guide still
correct/functional for integrating Solaris 10 clients?
If so, is there some way I could debug further to pinpoint why the Solaris
client is not being registered in the Kerberos DB?

Many thanks in advance!
Traiano
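Added example, not part of the original post or of FreeIPA: a small RFC 2849 LDIF parser run over the proxyagent entry quoted above. LDIF treats `attr::` as a base64-encoded value and `attr:` as a literal one, so the two spellings of the userPassword line hand the directory different passwords; the parser also reports which physical line fails to decode, the same number ldapadd prints in "invalid format (line N)". Function and variable names are my own.

```python
import base64
import binascii

# Constructed from the LDIF quoted in the post (dn through userPassword),
# each attribute on one physical line as the guide's ldapadd input has it.
B64_VALUE = "e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ="
PROXYAGENT_LDIF = (
    "dn: cn=proxyagent,ou=profile,dc=orion,dc=local\n"
    "objectClass: top\nobjectClass: person\n"
    "sn: proxyagent\ncn: proxyagent\n"
    "userPassword:: " + B64_VALUE + "\n"
)

def parse_ldif_entry(text):
    """Parse one LDIF entry (RFC 2849): 'attr::' values are base64-decoded,
    'attr:' values taken literally. Returns (attrs, bad_lines); bad_lines are
    the 1-based physical line numbers ldapadd would report as 'line N'."""
    attrs, bad_lines, logical = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith(" ") and logical:        # folded continuation line
            logical[-1] = (logical[-1][0], logical[-1][1] + line[1:])
        elif line:
            logical.append((lineno, line))
    for lineno, line in logical:
        name, sep, value = line.partition(":")
        if not sep or not name:                      # no 'attr:' at all
            bad_lines.append(lineno)
            continue
        if value.startswith(":"):                    # 'attr:: base64'
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode()
            except (binascii.Error, UnicodeDecodeError):
                bad_lines.append(lineno)             # malformed base64 (or non-text)
                continue
        else:                                        # 'attr: literal text'
            value = value.strip()
        attrs.append((name, value))
    return attrs, bad_lines

def stored_password(ldif):
    """userPassword as the directory would receive it, or None if ldapadd
    would reject the entry."""
    attrs, bad = parse_ldif_entry(ldif)
    return None if bad else dict(attrs).get("userPassword")

if __name__ == "__main__":
    print("'::' as quoted, bad lines:", parse_ldif_entry(PROXYAGENT_LDIF)[1])
    print("':' instead:", stored_password(PROXYAGENT_LDIF.replace("userPassword::", "userPassword:")))
    print("'=' restored:", stored_password(PROXYAGENT_LDIF.replace("PQ=", "PQ==")))
```

Run without arguments it prints what each spelling of the userPassword line yields: the entry as quoted is rejected at line 6 because its base64 value is one padding "=" short of a valid encoding (with that character restored it decodes to an {SSHA} hash string), and with a single colon the literal text of the base64 string becomes the password.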