<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi Mohammad,<br>
    <br>
    This is for Solaris 11; it seems that some of the options for the
    pam.conf file are not available in Solaris 10 (I think it was the
    following options:<br>
    auth definitive         pam_user_policy.so.1<br>
    account required        pam_tsol_account.so.1<br>
    password required       pam_authtok_store.so.1<br>
    ... had to remove them from the pam.conf file..)<br>
    <br>
    Still didn't get the ssh auth to work... <br>
    <br>
    This may be a stupid question, but do you know if the keytab file
    must be _exactly_ the same as in the IPA server, or does it only
    need to contain the entries relevant for the (solaris) client?
    According to the link you're pointing me to, it seems to just take
    from the server keytab file those entries relevant for the client,
    create a new keytab file with that content, and copy it over to the
    client. Is such a 'stripped down' keytab file supposed to work for
    the client's auth?<br>
    <br>
    Regards,<br>
    Gerardo<br>
    <br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 08/09/14 at #4, mohammad sereshki
      wrote:<br>
    </div>
    <blockquote
      cite="mid:1410173371.15200.YahooMailNeo@web161501.mail.bf1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff;
        font-family:verdana, helvetica, sans-serif;font-size:10pt">
        <div style="" class=""><br style="">
          <span style="" class=""></span></div>
        <div class="" style="color: rgb(0, 0, 0); font-size: 13.3333px;
          font-family: verdana,helvetica,sans-serif; background-color:
          transparent; font-style: normal;">hi</div>
        <div class="" style="color: rgb(0, 0, 0); font-size: 13.3333px;
          font-family: verdana,helvetica,sans-serif; background-color:
          transparent; font-style: normal;">Please go ahead with the below
          structure, it works!<br style="" class="">
          <span style="" class=""></span></div>
        <div class="" style="color: rgb(0, 0, 0); font-size: 13.3333px;
          font-family: verdana,helvetica,sans-serif; background-color:
          transparent; font-style: normal;"><br style="" class="">
          <span style="" class=""></span></div>
        <div class="" style="color: rgb(0, 0, 0); font-size: 13.3333px;
          font-family: verdana,helvetica,sans-serif; background-color:
          transparent; font-style: normal;"><br style="" class="">
          <span style="" class=""></span></div>
        <div class="" style="color: rgb(0, 0, 0); font-size: 13.3333px;
          font-family: verdana,helvetica,sans-serif; background-color:
          transparent; font-style: normal;"><span style="" class=""><a
              moz-do-not-send="true" style="" class=""
href="https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html">Re:
              [Freeipa-users] Does Solaris 11 work as client to IPA
              server?</a><br style="" class="">
          </span></div>
        <div style="" class=""><br style="" class="">
        </div>
        <div class="" style="font-family: verdana, helvetica,
          sans-serif; font-size: 10pt;">
          <div class="" style="font-family: HelveticaNeue, Helvetica
            Neue, Helvetica, Arial, Lucida Grande, sans-serif;
            font-size: 12pt;">
            <div style="" class="" dir="ltr">
              <hr style="" class="" size="1"> <font style="" class=""
                face="Arial" size="2"> <b style="" class=""><span
                    class="" style="font-weight:bold;">From:</span></b>
                Gerardo Padierna <a class="moz-txt-link-rfc2396E" href="mailto:asl.gerardo@gmail.com">&lt;asl.gerardo@gmail.com&gt;</a><br
                  style="" class="">
                <b style="" class=""><span class="" style="font-weight:
                    bold;">To:</span></b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> <br
                  style="" class="">
                <b style="" class=""><span class="" style="font-weight:
                    bold;">Sent:</span></b> Monday, September 8, 2014
                2:14 PM<br style="" class="">
                <b style="" class=""><span class="" style="font-weight:
                    bold;">Subject:</span></b> [Freeipa-users] Solaris
                10 client auth (ssh + kerberos) not working<br style=""
                  class="">
              </font> </div>
            <div style="" class=""><br style="" class="">
              <div style="" class="" id="yiv2696150591">
                <div style="" class=""> Hello folks,<br style=""
                    class="">
                  <br style="" class="">
                  I'm setting up an IPA-server instance aimed to be used
                  primarily for Linux/Unix clients ssh authentication
                  (with kerberos). <br style="" class="">
                  I've managed to successfully set up debian clients
                  (via sssd and also on older debians, through libnss
                  and pam_krb5). But for some reason I can't
                  authenticate ssh on Solaris10 clients. <br style=""
                    class="">
                  On the Solaris box, I've followed the steps outlined
                  here: <br style="" class="">
                  <a moz-do-not-send="true" style="" rel="nofollow"
                    class="" target="_blank"
                    href="http://www.freeipa.org/page/ConfiguringUnixClients">http://www.freeipa.org/page/ConfiguringUnixClients</a><br
                    style="" class="">
                  and the nss part works fine (things like getent [group
                  | passwd] and id &lt;user&gt; work), but
                  unfortunately, the ssh user authentication fails with
                  an error:<br style="" class="">
                  sshd auth.error PAM-KRB5 (auth):
                  krb5_verify_init_creds failed: No such file or
                  directory<br style="" class="">
                  <br style="" class="">
                  On the solaris clients, does there need to be a keytab
                  in /etc/krb5/ directory copied over from the IPA
                  server? (I didn't have to set up a keytab file for the
                  legacy debian clients, and in the solaris-clients doc
                  previously mentioned, there's no mention of it). Well,
                  since I read somewhere the keytab file needs to be
                  there, I copied it over from the IPA server to the
                  solaris clients. Then I get a different error: <br
                    style="" class="">
                  PAM-KRB5 (auth): krb5_verify_init_creds failed: Key
                  table entry not found<br style="" class="">
                  <br style="" class="">
                  This error seems to indicate that there isn't a
                  matching entry found in the keytab file, so I added an
                  entry for the solaris client, but I'm still getting
                  the same 'Key table entry not found' error (it could
                  be the entry I added is wrong, of course). But, for
                  now, just want to be sure: On the solaris clients, do
                  I need an /etc/krb5/krb5.keytab file?  (if yes, why
                  not in the non-sssd Debian hosts then?)<br style=""
                    class="">
                  <br style="" class="">
                  Thanks in advance,<br style="" class="">
                  <div style="" class="">-- <br style="" class="">
                    <div style="" class=""><font style="" class=""
                        color="#0000cc"><font style="" class=""
                          face="Arial, sans-serif"><font class=""
                            style="font-size:11pt;" size="2"><b style=""
                              class="">Gerardo Padierna Nanclares</b></font></font></font>
                      <font style="" class="" face="Arial, sans-serif"><br
                          style="" class="">
                      </font><font style="" class="" face="Verdana,
                        sans-serif"><font class="" style="
                          font-size:9pt;" size="2">Técnico de Sistemas
                          (grupo ASL) - </font></font><font style=""
                        class="" color="#77216f"><font style="" class=""
                          face="Verdana, sans-serif"><font class=""
                            style="font-size:9pt;" size="2">[Fujitsu /
                            Logware]</font></font></font> <br style=""
                        class="">
                      <font style="" class="" face="Arial, sans-serif"><font
                          class="" style="font-size:9pt;" size="2">Servicio

                          de Sistemas de la Información (DGTI) -
                          Generalitat Valenciana <br style="" class="">
                          C/.Castan Tobeñas 77 – 46018 Valencia –
                          Edificio A <br style="" class="">
                          Tel: 961 208973 <br style="" class="">
                          Email: <a moz-do-not-send="true" style=""
                            class="" rel="nofollow"
                            ymailto="mailto:asl.gerardo@gmail.com"
                            target="_blank"
                            href="mailto:asl.gerardo@gmail.com">asl.gerardo@gmail.com</a></font></font>
                    </div>
                  </div>
                </div>
              </div>
              <br style="" class="">
              <br style="" class="">
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>