[Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users
nathan at nathanpeters.com
Fri Feb 27 20:08:22 UTC 2015
> root is not an ipa managed user so it is purely your pam configuration.
> I thought we were trying to figure out why your ipa users are not
> handled properly.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
I would like to thank you guys for your help in troubleshooting this. I
managed to fix the issue. We had a custom jumpstart file creating our
Solaris images and it made some configuration changes that broke the
pam/kerberos interaction. I still don't know what exactly was the cause,
but I re-installed on a fresh Solaris 10 8/11 image and was able to get an
ipa user to log in.
For reference, here are the complete steps I had to take from installation
of the machine to get it working. Hopefully someone else finds this
useful, or you can add it to your docs.
These instructions assume a minimal console-only Solaris install, so we have
to add some packages first.
#pkgadd -d . SUNWbash
#pkgadd -d . SUNWuiu8
#pkgadd -d . SUNWwgetr
#pkgadd -d . SUNWwgetu
#pkgadd -d . SUNWbind
#pkgadd -d . SUNWntpr
#pkgadd -d . SUNWntpu
#pkgadd -d . SUNWman
#pkgadd -d . SUNWdoc
#pkgadd -d . SUNWtexi
#pkgadd -d . SUNWsfdoc
#pkgadd -d . SUNWsfman
#pkgadd -d . SUNWsfinf
#pkgadd -d . SUNWgcmn
#pkgadd -d . SUNWsshcu
#pkgadd -d . SUNWsshdr
#pkgadd -d . SUNWsshdu
#pkgadd -d . SUNWsshr
#pkgadd -d . SUNWsshu
Fix IP Setup
#rm /etc/dhcp.e1000g0
#chmod u+w /etc/hosts
#echo "10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net ipaclient6-sandbox-atdev-van loghost" >> /etc/hosts
#echo "10.21.19.17 netmask 255.255.0.0" > /etc/hostname.e1000g0
#echo "ipaclient6-sandbox-atdev-van.ipadomain.net" > /etc/nodename
#echo "ipadomain.net" > /etc/defaultdomain
#echo "10.21.0.1" > /etc/defaultrouter
DNS Configuration
This DNS configuration needs to be done no matter whether you used
jumpstart or not.
#vi /etc/resolv.conf
Remove all existing lines and set the following values:
domain ipadomain.net
nameserver 10.21.19.20
Reboot to pick up the updated hostname, domain name and IP settings
#reboot
Enable SSH daemon
#/lib/svc/method/sshd -c
#svcadm enable ssh
NSSwitch Configuration
Edit /etc/nsswitch.conf and make sure the following lines are set
passwd: files ldap
group: files ldap
hosts: dns files
Edit /etc/nsswitch.ldap and make sure the same lines are set
passwd: files ldap
group: files ldap
hosts: dns files
Configure Client
Edit /etc/krb5/krb5.conf and set the following values
--- snip ---
[libdefaults]
default_realm = IPADOMAIN.NET
dns_lookup_kdc = true
[realms]
IPADOMAIN.NET = {
kdc = ipadc1.ipadomain.net
admin_server = ipadc1.ipadomain.net
}
[domain_realm]
.ipadomain.net = IPADOMAIN.NET
ipadomain.net = IPADOMAIN.NET
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
--- snip ---
First, synchronize the date on the Solaris client
bash-3.00# ntpdate ipadc1.ipadomain.net
On the Solaris machine, set up the ldap configuration
# ldapclient -v init -a domainName=ipadomain.net ipadc1.ipadomain.net
On the freeIPA domain controller, enroll the host
[root@ipadc1 ~]# ipa host-add --force --ip-address=10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net
On the IPA server, get the keytab and copy it to the Solaris machine
#rm /tmp/solaris.keytab
[root@ipadc1 tmp]# ipa-getkeytab -s ipadc1 -p host/ipaclient6-sandbox-atdev-van.ipadomain.net -k /tmp/solaris.keytab
[root@ipadc1 tmp]# scp solaris.keytab root@10.21.19.17:/etc/krb5/krb5.keytab
After all this, I was able to log in to my Solaris machine using one of my
ipa user accounts.
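Added example, not part of Nathan's post or of the FreeIPA project: a small POSIX sh checker for the client-side settings the walkthrough above puts in place (host identity files, resolv.conf, nsswitch.conf/nsswitch.ldap, krb5.conf realm mappings, keytab presence and permissions). It reads a staged copy of the files under a root prefix so it runs offline; the hostname, addresses and realm are the walkthrough's values and are assumed for the demo, and the staged keytab is a placeholder byte string rather than a real Kerberos keytab. The function names and the ROOT prefix convention are the example's own.

```shell
#!/bin/sh
# Hypothetical checker (added example) for the Solaris 10 FreeIPA client files
# from the walkthrough. It inspects a staged copy under ROOT/etc/... so it runs
# offline; use ROOT=/ on a real client. Values below are assumed demo data.

# Report a problem on stderr; the caller returns 1 right after.
fail() { echo "FAIL: $*" >&2; }

# Print the value of KEY in [SECTION] of a krb5.conf-style file. Lines inside
# a nested realm block count as part of the enclosing section; comments skip.
krb5_get() {  # file section key
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[[^]]*\]/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*/, "", s); cur = s; next }
        cur == sec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# nsswitch.conf / nsswitch.ldap: passwd and group go to ldap after files,
# hosts goes to dns first (the three lines the walkthrough sets).
check_nsswitch() {  # file
    for db in passwd group; do
        grep "^$db:[[:space:]]*files[[:space:]][[:space:]]*ldap[[:space:]]*$" "$1" >/dev/null \
            || { fail "$1: '$db' must be 'files ldap'"; return 1; }
    done
    grep "^hosts:[[:space:]]*dns[[:space:]][[:space:]]*files[[:space:]]*$" "$1" >/dev/null \
        || { fail "$1: 'hosts' must be 'dns files'"; return 1; }
}

# krb5.conf: the realm is the upper-cased DNS domain, both domain_realm
# spellings map to it, and a KDC is named under [realms].
check_krb5() {  # file domain
    realm=$(echo "$2" | tr '[:lower:]' '[:upper:]')
    [ "$(krb5_get "$1" libdefaults default_realm)" = "$realm" ] \
        || { fail "$1: default_realm is not $realm"; return 1; }
    for k in ".$2" "$2"; do
        [ "$(krb5_get "$1" domain_realm "$k")" = "$realm" ] \
            || { fail "$1: [domain_realm] lacks '$k = $realm'"; return 1; }
    done
    [ -n "$(krb5_get "$1" realms kdc)" ] || { fail "$1: no kdc in [realms]"; return 1; }
}

# The host keytab must exist, be non-empty and be readable by root only.
check_keytab() {  # file
    [ -s "$1" ] || { fail "$1: keytab missing or empty"; return 1; }
    case $(ls -ld "$1" | cut -c5-10) in
        ------) ;;
        *) fail "$1: keytab is group/world accessible"; return 1 ;;
    esac
}

# Host identity: nodename is the FQDN, /etc/hosts maps the client IP to FQDN
# and short name, resolv.conf has domain + resolver, defaultrouter is not empty.
check_identity() {  # root fqdn ip domain
    [ "$(cat "$1/etc/nodename")" = "$2" ] || { fail "nodename is not $2"; return 1; }
    awk -v ip="$3" -v fqdn="$2" -v short="${2%%.*}" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 } }
        END { exit !(f && s) }' "$1/etc/hosts" \
        || { fail "/etc/hosts lacks '$3 $2 ${2%%.*}'"; return 1; }
    grep "^domain[[:space:]][[:space:]]*$4[[:space:]]*$" "$1/etc/resolv.conf" >/dev/null \
        || { fail "resolv.conf: domain must be $4"; return 1; }
    grep "^nameserver[[:space:]]" "$1/etc/resolv.conf" >/dev/null \
        || { fail "resolv.conf: no nameserver"; return 1; }
    [ -s "$1/etc/defaultrouter" ] || { fail "/etc/defaultrouter is empty"; return 1; }
}

# Run every check against ROOT; returns 0 only when all of them pass.
check_client_config() {  # root fqdn ip domain
    rc=0
    check_identity "$1" "$2" "$3" "$4" || rc=1
    check_nsswitch "$1/etc/nsswitch.conf" || rc=1
    check_nsswitch "$1/etc/nsswitch.ldap" || rc=1
    check_krb5 "$1/etc/krb5/krb5.conf" "$4" || rc=1
    check_keytab "$1/etc/krb5/krb5.keytab" || rc=1
    return $rc
}

# Stage a constructed copy of the walkthrough's files under ROOT (demo data;
# the keytab is a placeholder byte string, not a real Kerberos keytab).
stage_example() {  # root
    mkdir -p "$1/etc/krb5"
    echo "ipaclient6-sandbox-atdev-van.ipadomain.net" > "$1/etc/nodename"
    echo "10.21.19.17 ipaclient6-sandbox-atdev-van.ipadomain.net ipaclient6-sandbox-atdev-van loghost" > "$1/etc/hosts"
    echo "10.21.0.1" > "$1/etc/defaultrouter"
    printf 'domain ipadomain.net\nnameserver 10.21.19.20\n' > "$1/etc/resolv.conf"
    for f in nsswitch.conf nsswitch.ldap; do
        printf 'passwd: files ldap\ngroup: files ldap\nhosts: dns files\n' > "$1/etc/$f"
    done
    printf '[libdefaults]\ndefault_realm = IPADOMAIN.NET\ndns_lookup_kdc = true\n[realms]\nIPADOMAIN.NET = {\n kdc = ipadc1.ipadomain.net\n admin_server = ipadc1.ipadomain.net\n}\n[domain_realm]\n.ipadomain.net = IPADOMAIN.NET\nipadomain.net = IPADOMAIN.NET\n' > "$1/etc/krb5/krb5.conf"
    printf 'placeholder' > "$1/etc/krb5/krb5.keytab"
    chmod 600 "$1/etc/krb5/krb5.keytab"
}

# Demo: stage the constructed files and check them.
root=$(mktemp -d)
stage_example "$root" && check_client_config "$root" \
    ipaclient6-sandbox-atdev-van.ipadomain.net 10.21.19.17 ipadomain.net \
    && echo "client configuration looks consistent"
rm -rf "$root"
```

On a real client run `check_client_config / <fqdn> <ip> <domain>` as root after the steps above and before rebooting; each failing check names the file and the line it expected, which is quicker than reading PAM/Kerberos debug output when the login simply fails. The defaultrouter check exists because a dropped `>` in the `echo` line leaves the file absent, and the keytab mode check exists because a keytab readable by other users lets them impersonate the host principal.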