[Freeipa-users] AD trust users cannot login to Solaris
Dmitri Pal
dpal at redhat.com
Mon Mar 16 22:14:51 UTC 2015
On 03/16/2015 04:21 PM, nathan at nathanpeters.com wrote:
>> and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>> into /var/ldap's database with certutil:
>> # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
> Ok, following your advice I installed the SUNWtlsu package (prepares rant
> about how the top 3 pages of google results didn't tell me which darn
> package certutil was actually in) and now I have certutil on the system.
> I copied the ca.crt file from my FreeIPA controller to the /tmp directory
> on Solaris, and then ran
> # certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
>
> It worked! The difference was that running that certutil command creates
> /var/ldap/secmod.db. secmod.db is required for tls to work. Without
> secmod.db existing, you can use simple, but not tls:simple.
>
> So I can now login with both AD and FreeIPA users on this machine, get the
> correct shell, correct home directory, and the ability to sudo.
>
> However...
>
> I can only do this through SSH. I have run into some really strange
> Solaris behavior when I try to login through console. I added the
> following entries to my /etc/pam.conf
>
> login auth sufficient pam_ldap.so.1
> login auth sufficient pam_krb5.so.1
>
> Apparently, Solaris has a total name limit of 31 characters, that only
> applies to the [login] section and not to the [other] section.
>
> So if I ssh I can login with a user named
> 'someusernames at subdomain1.topleveldom.net' (AD user)
>
> However, if I console login, my pam logs indicate that it is being chopped
> down to 'someusernames at subdomain1.toplev' before being passed onto ldap.
> This causes ldap to throw the following error:
>
> /usr/lib/security/pam_ldap.so.1 returned System error
>
> I created a really short AD username called
> 'abc at subdomain1.topleveldom.net' which just barely fit in 31 characters
> and it could login fine.
>
> So my next question is (and I know you guys are not Solaris experts, but
> any help is appreciated) : Is there a way to set the default domain so
> that AD users do not have to type their domain suffix? Currently, it is
> backward and ipa users can login as 'ipauser1' without a suffix, but AD
> users have to type their suffix.
>
> I know this can be done in Linux with sssd.conf and I have that working
> for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
> trying to figure out how to do this.
>
> I have already tried setting the default_domain and default_realm flags in
> /etc/krb5/krb5.conf but that doesn't work at all because AD users are
> authenticated through LDAP. I also tried the ldapclient init with ' -a
> domainName=addomain.net' but that did not work either.
>
> Is there even a way to do this in Solaris for LDAP users? Without the
> ability to skip the domain name for AD users, I am stuck with either no
> console login for AD or having all AD users with only 3 character names
> due to the length of the fqdn.
>
>
The only hack that comes to mind is to add a new attribute in the
compatibility tree (cn=compat) via slapi-nis plugin that will expose
short names and then point your Solaris box to that attribute as uid.
This is a hack because:
- you will have duplicates and this is up to you how to deal with them
- you would have to figure out how to do this transformation with
slapi-nis using its stock capabilities (I think it is possible but would
require some research)
- you would have to change the configuration on all replicas you have in
a similar way
Maybe others have better ideas.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
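An added preflight check (example code, not from the thread, written in POSIX sh): it reports which user names the 31-character console login limit described above would truncate, and whether the NSS database directory ldapclient uses holds the secmod.db that tls:simple needs. The directory argument, the companion cert8.db/key3.db file names and the sample names are assumptions and constructed values.

```shell
#!/bin/sh
# Added example: preflight checks for the two failure modes from the thread.

# Solaris console login passes at most this many characters of the user
# name to PAM (as observed in the thread); SSH does not truncate.
LOGIN_NAME_MAX=31

# Print the name as console login would hand it to pam_ldap.
# Returns 0 if it fits, 1 if it would be truncated.
console_name() {
    name=$1
    if [ "${#name}" -le "$LOGIN_NAME_MAX" ]; then
        printf '%s\n' "$name"
        return 0
    fi
    printf '%s\n' "$name" | cut -c1-"$LOGIN_NAME_MAX"
    return 1
}

# Check that the NSS database directory (default /var/ldap) is complete.
# The thread found that without secmod.db only plain 'simple' works, not
# tls:simple; cert8.db and key3.db are the legacy-format companions
# certutil creates alongside it (assumption).
nss_db_ready() {
    dir=${1:-/var/ldap}
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    return 0
}

# Audit user names read from stdin (one per line) and report which ones
# console login would mangle. Returns the number of names that do not fit.
audit_names() {
    bad=0
    while IFS= read -r u; do
        [ -n "$u" ] || continue
        if t=$(console_name "$u"); then
            printf 'OK   %-42s (%d chars)\n' "$u" "${#u}"
        else
            printf 'FAIL %-42s -> %s\n' "$u" "$t"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample names modelled on the ones in the thread.
printf '%s\n' 'someusernames@subdomain1.topleveldom.net' \
    'abc@subdomain1.topleveldom.net' 'ipauser1' | audit_names || true
```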