[Freeipa-users] AD trust users cannot login to Solaris
nathan at nathanpeters.com
Mon Mar 16 20:21:35 UTC 2015
>and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>into /var/ldap's database with certutil:
> # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
Ok, following your advice I installed the SUNWtlsu package (prepares rant
about how the top 3 pages of google results didn't tell me which darn
package certutil was actually in) and now I have certutil on the system.
I copied the ca.crt file from my FreeIPA controller to the /tmp directory
on Solaris, and then ran
# certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
It worked! The difference was that running that certutil command creates
/var/ldap/secmod.db. secmod.db is required for tls to work. Without
secmod.db existing, you can use simple, but not tls:simple.
So I can now login with both AD and FreeIPA users on this machine, get the
correct shell, correct home directory, and the ability to sudo.
However...
I can only do this through SSH. I have run into some really strange
Solaris behavior when I try to login through console. I added the
following entries to my /etc/pam.conf
login auth sufficient pam_ldap.so.1
login auth sufficient pam_krb5.so.1
Apparently, Solaris has a total name limit of 31 characters, which only
applies to the [login] section and not to the [other] section.
So if I ssh I can login with a user named
'someusernames@subdomain1.topleveldom.net' (AD user)
However, if I console login, my pam logs indicate that it is being chopped
down to 'someusernames@subdomain1.toplev' before being passed on to ldap.
This causes ldap to throw the following error:
/usr/lib/security/pam_ldap.so.1 returned System error
I created a really short AD username called
'abc@subdomain1.topleveldom.net' which just barely fit in 31 characters
and it could login fine.
So my next question is (and I know you guys are not Solaris experts, but
any help is appreciated): Is there a way to set the default domain so
that AD users do not have to type their domain suffix? Currently, it is
backward and ipa users can login as 'ipauser1' without a suffix, but AD
users have to type their suffix.
I know this can be done in Linux with sssd.conf and I have that working
for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
trying to figure out how to do this.
I have already tried setting the default_domain and default_realm flags in
/etc/krb5/krb5.conf but that doesn't work at all because AD users are
authenticated through LDAP. I also tried the ldapclient init with ' -a
domainName=addomain.net' but that did not work either.
Is there even a way to do this in Solaris for LDAP users? Without the
ability to skip the domain name for AD users, I am stuck with either no
console login for AD or having all AD users with only 3 character names
due to the length of the fqdn.
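The two findings in this post (tls:simple needs a complete NSS database in /var/ldap, and console logins truncate names longer than 31 characters) can be turned into a pre-flight check. This is an added example, not code from the thread; it assumes the `ldapclient list` output is saved to a file and that the authentication method appears on a line containing `_AUTH` (both are assumptions to adjust for your Solaris release).

```sh
#!/bin/sh
# Added example: pre-flight check for a Solaris ldapclient before switching
# authenticationMethod from simple to tls:simple, plus a check for the 31-char
# console login name limit described in the post.

# Return 0 if the NSS database in $1 (normally /var/ldap) is complete enough
# for TLS, 1 otherwise. cert8.db/key3.db/secmod.db are the legacy NSS file
# names that `certutil -d /var/ldap` creates; secmod.db was the missing one.
check_nss_db() {
  dir=$1
  missing=""
  for f in cert8.db key3.db secmod.db; do
    [ -f "$dir/$f" ] || missing="$missing $f"
  done
  if [ -n "$missing" ]; then
    echo "NSS database in $dir is incomplete, missing:$missing" >&2
    echo "initialise it with: certutil -A -a -i /tmp/ca.crt -n CA -t CT -d $dir" >&2
    return 1
  fi
  return 0
}

# Return 0 if the client profile saved in file $1 asks for any tls: method.
# Assumption: the file holds `ldapclient list` output with a line such as
# "NS_LDAP_AUTH= tls:simple"; only the "_AUTH" and "tls:" parts are matched.
tls_requested() {
  grep -q '_AUTH.*tls:' "$1"
}

# Only complain when TLS is requested and the database cannot back it.
preflight() {
  if tls_requested "$2" && ! check_nss_db "$1"; then
    echo "tls:simple will fail until the NSS database is initialised" >&2
    return 1
  fi
  return 0
}

# Return 0 if login name $1 fits the 31-character limit the [login] PAM
# service enforces at the console (ssh via [other] is not affected).
console_name_ok() {
  [ ${#1} -le 31 ]
}

# Usage on a real Solaris host:
#   ldapclient list > /tmp/lc.txt && preflight /var/ldap /tmp/lc.txt
#   console_name_ok 'someuser@addomain.example' || echo "too long for console"
```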