[Freeipa-users] AD trust users cannot login to Solaris

Dmitri Pal dpal at redhat.com
Mon Mar 16 22:14:51 UTC 2015


On 03/16/2015 04:21 PM, nathan at nathanpeters.com wrote:
>> and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>> into /var/ldap's database with certutil:
>>     # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
> Ok, following your advice I installed the SUNWtlsu package (prepares rant
> about how the top 3 pages of google results didn't tell me which darn
> package certutil was actually in) and now I have certutil on the system.
> I copied the ca.crt file from my FreeIPA controller to the /tmp directory
> on Solaris, and then ran
> #certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
>
> It worked!  The difference was that running that certutil command creates
> /var/ldap/secmod.db.  secmod.db is required for tls to work.  Without
> secmod.db existing, you can use simple, but not tls:simple.
>
> So I can now login with both AD and FreeIPA users on this machine, get the
> correct shell, correct home directory, and the ability to sudo.
>
> However...
>
> I can only do this through SSH.  I have run into some really strange
> Solaris behavior when I try to login through console. I added the
> following entries to my /etc/pam.conf
>
> login   auth sufficient         pam_ldap.so.1
> login   auth sufficient         pam_krb5.so.1
>
> Apparently, Solaris has a total name limit of 31 characters, which only
> applies to the [login] section and not to the [other] section.
>
> So if I ssh I can login with a user named
> 'someusernames@subdomain1.topleveldom.net' (AD user)
>
> However, if I console login, my pam logs indicate that it is being chopped
> down to 'someusernames@subdomain1.toplev' before being passed on to ldap.
> This causes ldap to throw the following error:
>
> /usr/lib/security/pam_ldap.so.1 returned System error
>
> I created a really short AD username called
> 'abc@subdomain1.topleveldom.net' which just barely fits in 31 characters
> and it could login fine.
>
> So my next question is (and I know you guys are not Solaris experts, but
> any help is appreciated) : Is there a way to set the default domain so
> that AD users do not have to type their domain suffix?  Currently, it is
> backward and ipa users can login as 'ipauser1' without a suffix, but AD
> users have to type their suffix.
>
> I know this can be done in Linux with sssd.conf and I have that working
> for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
> trying to figure out how to do this.
>
> I have already tried setting the default_domain and default_realm flags in
> /etc/krb5/krb5.conf but that doesn't work at all because AD users are
> authenticated through LDAP.  I also tried the ldapclient init with ' -a
> domainName=addomain.net' but that did not work either.
>
> Is there even a way to do this in Solaris for LDAP users?  Without the
> ability to skip the domain name for AD users, I am stuck with either no
> console login for AD or having all AD users with only 3 character names
> due to the length of the fqdn.
>
>
The only hack that comes to mind is to add a new attribute in the 
compatibility tree (cn=compat) via the slapi-nis plugin that will expose 
short names and then point your Solaris box to that attribute as uid. 
This is a hack because:
- you will have duplicates and it is up to you how to deal with them
- you would have to figure out how to do this transformation with 
slapi-nis using its stock capabilities (I think it is possible but would 
require some research)
- you would have to change the configuration on all replicas you have in 
a similar way

Maybe others have better ideas.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
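Before pointing a Solaris client at a short-name attribute as suggested above, it helps to audit the directory for the two problems this thread raises: uids the console 'login' service would truncate at 31 characters, and short names that collide once the realm suffix is stripped. The following script is an added example written for this thread (not code from either poster or from FreeIPA); the uid values are constructed sample data and the 31-character limit is taken from the report above.

```python
"""Audit uid values before exposing short names to Solaris clients.

Added example: models the 31-character name limit Solaris applies to the
pam.conf 'login' service and the duplicate short names a compat-tree
transformation would create. SAMPLE_UIDS is constructed data.
"""
from collections import defaultdict

SOLARIS_LOGIN_NAME_MAX = 31  # limit observed for console login in the thread

# Constructed sample: IPA users have bare uids, AD trust users carry a realm suffix.
SAMPLE_UIDS = [
    "ipauser1",
    "someusernames@subdomain1.topleveldom.net",
    "someusernames@subdomain2.topleveldom.net",
    "abc@subdomain1.topleveldom.net",
    "ipauser1@addomain.net",
]


def short_name(uid):
    """Return the part before '@', i.e. what a compat-tree short-name attribute would expose."""
    return uid.split("@", 1)[0]


def too_long_for_console(uid, limit=SOLARIS_LOGIN_NAME_MAX):
    """True if console login would chop this name before handing it to pam_ldap."""
    return len(uid) > limit


def audit(uids, limit=SOLARIS_LOGIN_NAME_MAX):
    """Return (truncated, collisions).

    truncated:  uids longer than the console limit, in input order
    collisions: short name -> list of uids that would map onto it (only when >1)
    """
    truncated = [u for u in uids if too_long_for_console(u, limit)]
    by_short = defaultdict(list)
    for u in uids:
        by_short[short_name(u)].append(u)
    collisions = {s: us for s, us in by_short.items() if len(us) > 1}
    return truncated, collisions


if __name__ == "__main__":
    truncated, collisions = audit(SAMPLE_UIDS)
    for u in truncated:
        print(f"console would truncate {u} to {u[:SOLARIS_LOGIN_NAME_MAX]!r}")
    for s, us in collisions.items():
        print(f"short name {s!r} is ambiguous between {us}")
```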



