[Freeipa-users] AD trust users cannot login to Solaris

nathan at nathanpeters.com
Mon Mar 16 20:21:35 UTC 2015


>and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>into /var/ldap's database with certutil:
>    # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap

Ok, following your advice I installed the SUNWtlsu package (prepares rant
about how the top 3 pages of google results didn't tell me which darn
package certutil was actually in) and now I have certutil on the system. 
I copied the ca.crt file from my FreeIPA controller to the /tmp directory
on Solaris, and then ran
#certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap

It worked!  The difference was that running that certutil command creates
/var/ldap/secmod.db.  secmod.db is required for tls to work.  Without
secmod.db existing, you can use simple, but not tls:simple.

So I can now login with both AD and FreeIPA users on this machine, get the
correct shell, correct home directory, and the ability to sudo.

However...

I can only do this through SSH.  I have run into some really strange
Solaris behavior when I try to login through console. I added the
following entries to my /etc/pam.conf

login   auth sufficient         pam_ldap.so.1
login   auth sufficient         pam_krb5.so.1

Apparently, Solaris has a total name limit of 31 characters, which only
applies to the [login] section and not to the [other] section.

So if I ssh I can login with a user named
'someusernames at subdomain1.topleveldom.net' (AD user)

However, if I console login, my pam logs indicate that it is being chopped
down to 'someusernames at subdomain1.toplev' before being passed onto ldap. 
This causes ldap to throw the following error:

/usr/lib/security/pam_ldap.so.1 returned System error

I created a really short AD username called
'abc at subdomain1.topleveldom.net' which just barely fit in 31 characters
and it could login fine.

So my next question is (and I know you guys are not Solaris experts, but
any help is appreciated) : Is there a way to set the default domain so
that AD users do not have to type their domain suffix?  Currently, it is
backward and ipa users can login as 'ipauser1' without a suffix, but AD
users have to type their suffix.

I know this can be done in Linux with sssd.conf and I have that working
for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
trying to figure out how to do this.

I have already tried setting the default_domain and default_realm flags in
/etc/krb5/krb5.conf but that doesn't work at all because AD users are
authenticated through LDAP.  I also tried the ldapclient init with ' -a
domainName=addomain.net' but that did not work either.

Is there even a way to do this in Solaris for LDAP users?  Without the
ability to skip the domain name for AD users, I am stuck with either no
console login for AD or having all AD users with only 3 character names
due to the length of the fqdn.
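Two pre-flight checks for the problems described in this message, written here as an added example (not part of the original thread): one for the /var/ldap NSS database that tls:simple needs, one for the 31-character console login limit. It assumes the /var/ldap path and the 31-character limit exactly as observed above, and takes the directory and name list as arguments so it can be pointed at a test copy.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the LDAP client's NSS
# database lives in /var/ldap (as in the message) and console logins are
# truncated to 31 characters before reaching pam_ldap (as observed above).

# Return 0 if the database that tls:simple depends on exists in $1.
# The message reports that without secmod.db only plain "simple" works.
ldap_tls_db_ok() {
    dir=${1:-/var/ldap}
    if [ ! -f "$dir/secmod.db" ]; then
        echo "missing $dir/secmod.db: tls:simple will fail, run certutil -A ... -d $dir" >&2
        return 1
    fi
    return 0
}

# Return 0 if a login name fits in the 31-character console limit,
# 1 if it would be chopped before being passed to LDAP (SSH is unaffected).
console_name_ok() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$len" -le 31 ]
}

# Print every name in file $1 (one per line, e.g. a list of AD users with
# their realm suffix) that would be truncated at the console.
console_truncated_names() {
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        console_name_ok "$name" || printf '%s\n' "$name"
    done < "$1"
}
```

Run `ldap_tls_db_ok` before switching the client to tls:simple, and feed `console_truncated_names` the user list to see which AD users can only log in over SSH.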
