[Freeipa-users] AD trust users cannot login to Solaris

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 17 04:25:11 UTC 2015


On Mon, 16 Mar 2015, nathan at nathanpeters.com wrote:
>>and put IPA's ca.crt (available on any IPA machine at /etc/ipa/ca.crt)
>>into /var/ldap's database with certutil:
>>    # certutil -A -a -i ca.crt -n CA -t CT -d /var/ldap
>
>Ok, following your advice I installed the SUNWtlsu package (prepares rant
>about how the top 3 pages of google results didn't tell me which darn
>package certutil was actually in) and now I have certutil on the system.
>I copied the ca.crt file from my FreeIPA controller to the /tmp directory
>on Solaris, and then ran
>#certutil -A -a -i /tmp/ca.crt -n CA -t CT -d /var/ldap
>
>It worked!  The difference was that running that certutil command creates
>/var/ldap/secmod.db.  secmod.db is required for tls to work.  Without
>secmod.db existing, you can use simple, but not tls:simple.
>
>So I can now login with both AD and FreeIPA users on this machine, get the
>correct shell, correct home directory, and the ability to sudo.
>
>However...
>
>I can only do this through SSH.  I have run into some really strange
>Solaris behavior when I try to login through console. I added the
>following entries to my /etc/pam.conf
>
>login   auth sufficient         pam_ldap.so.1
>login   auth sufficient         pam_krb5.so.1
>
>Apparently, Solaris has a total name limit of 31 characters, which only
>applies to the [login] section and not to the [other] section.
>
>So if I ssh I can login with a user named
>'someusernames at subdomain1.topleveldom.net' (AD user)
>
>However, if I console login, my pam logs indicate that it is being chopped
>down to 'someusernames at subdomain1.toplev' before being passed onto ldap.
>This causes ldap to throw the following error:
>
>/usr/lib/security/pam_ldap.so.1 returned System error
>
>I created a really short AD username called
>'abc at subdomain1.topleveldom.net' which just barely fit in 31 characters
>and it could login fine.
>
>So my next question is (and I know you guys are not Solaris experts, but
>any help is appreciated): Is there a way to set the default domain so
>that AD users do not have to type their domain suffix?  Currently, it is
>backward and ipa users can login as 'ipauser1' without a suffix, but AD
>users have to type their suffix.
>
>I know this can be done in Linux with sssd.conf and I have that working
>for Linux clients, but with no sssd on Solaris, I'm pulling my hair out
>trying to figure out how to do this.
>
>I have already tried setting the default_domain and default_realm flags in
>/etc/krb5/krb5.conf but that doesn't work at all because AD users are
>authenticated through LDAP.  I also tried the ldapclient init with ' -a
>domainName=addomain.net' but that did not work either.
>
>Is there even a way to do this in Solaris for LDAP users?  Without the
>ability to skip the domain name for AD users, I am stuck with either no
>console login for AD or having all AD users with only 3-character names
>due to the length of the FQDN.
The best collection of Solaris bug numbers in this area is this blog
post by Casper Dik, who is a member of the Solaris engineering team:
https://blogs.oracle.com/casper/entry/solaris_11_2_no_limits

We don't have much space in the compat tree here to handle name aliases
because in SSSD case there is SSSD at the client that can unwrap the
name to its fully qualified form before asking IPA master for the name
resolution. In the compat tree we get what we get from a client in the
form of an LDAP request.

Theoretically there is a possibility that short names would work with
FreeIPA 4.1, where we have support for ID views -- one could define an ID
override for the AD user in a Solaris-specific ID view, but this is only
possible in RHEL 7.1 and Fedora 21.

-- 
/ Alexander Bokovoy
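A preflight check for the two problems worked through in this thread (an NSS database under /var/ldap that lacks secmod.db or a CA entry with SSL trust, and AD user names too long for Solaris console login), added here as an example and not part of the original thread, FreeIPA or Solaris. It assumes the `certutil -L` output layout shown in the constructed sample and the 31-character console limit reported above; the user names in the test are constructed.

```python
import os
import re

# Trust-attribute column of `certutil -L -d DIR` output, e.g. "CT,," for a
# certificate imported with `-t CT` (columns: SSL, S/MIME, JAR/XPI).
_TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Solaris console login truncates the user name to this many characters
# (the limit observed in the thread; SSH logins are not affected).
CONSOLE_NAME_LIMIT = 31

# Files NSS expects in the client database directory; secmod.db is the one
# whose absence leaves plain "simple" working but breaks "tls:simple".
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

# Constructed sample of `certutil -L -d /var/ldap` after importing ca.crt as "CA".
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CT,,
"""


def parse_certutil_listing(text):
    """Map certificate nickname -> trust attributes from a `certutil -L` listing."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        # Header and blank lines have no "x,y,z" trust column; skip them.
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].strip()] = parts[1]
    return certs


def ca_trusted_for_ssl(listing, nickname="CA"):
    """True if nickname is present and carries the C (trusted CA) flag for SSL."""
    trust = listing.get(nickname)
    if trust is None:
        return False
    return "C" in trust.split(",")[0]


def missing_nss_files(db_dir):
    """Return the NSS database files absent from db_dir (empty list = ready for TLS)."""
    return [f for f in NSS_DB_FILES if not os.path.exists(os.path.join(db_dir, f))]


def console_login_safe(username, limit=CONSOLE_NAME_LIMIT):
    """True if the (fully qualified) name survives console login without truncation."""
    return len(username) <= limit
```

Run `certutil -L -d /var/ldap` on the Solaris client and feed its output to `parse_certutil_listing` to check the trust flags before switching the ldapclient profile to tls:simple.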
