Hi,

Here is my pam.conf cleaned up a bit.

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1

other   session required        pam_unix_session.so.1

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1

other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with missing automountmap in default DUAProfile.
Automount still works though but takes time during login and everything is 
nobody:nobody :)
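
An added example, not part of the original post: a short Python check over pam.conf-style lines that reports which later modules in a stack are never called once a `sufficient` module succeeds. Under pam.conf(4) semantics, a `sufficient` success returns immediately if no earlier `required` module has failed. The sample input is the `login` and `other` auth entries copied from the file above; the function names are made up for this illustration.

```python
# Auth entries copied from the pam.conf posted above.
SAMPLE = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
"""

def parse_stacks(text):
    """Group pam.conf entries into ordered stacks keyed by (service, type)."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed line
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module))
    return stacks

def skipped_on_sufficient(stacks):
    """Map (service, type, sufficient module) to the modules listed after it,
    which are not called when that module succeeds and no earlier
    required module has failed."""
    report = {}
    for (service, mtype), entries in stacks.items():
        for i, (control, module) in enumerate(entries):
            if control == "sufficient":
                report[(service, mtype, module)] = [m for _, m in entries[i + 1:]]
    return report

if __name__ == "__main__":
    for (svc, typ, mod), rest in skipped_on_sufficient(parse_stacks(SAMPLE)).items():
        print(f"{svc}/{typ}: {mod} success skips {', '.join(rest) or 'nothing'}")
```

On this input the `login` stack skips `pam_unix_cred`, `pam_unix_auth` and `pam_dial_auth` after a Kerberos success, while the `other` stack skips only `pam_unix_auth`, so the two stacks behave differently for the same user.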

________________________________________
From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
worked. However, console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?



Regards,
Siggi



On Thu, December 20, 2012 09:40, Johan Petersson wrote:
> I have now managed to use a Solaris 11 system as a client to IPA Server.
> su - testuser works, ssh works and console login works. I get a delay before
> getting the prompt through ssh though, and maybe from console too, probably
> something about autofs. Going to see if I can increase log information
> (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
> instructions for Solaris 10 in earlier posts here. I also used the
> /etc/pam.conf configuration example from the Solaris 10 client guide on
> Free IPA. I stuck with the default DUAProfile for now and use an NFS4
> Kerberos share for home directories with autofs. Going to try the other
> DUAProfile too from Bug 815515 and hopefully I can get everything working.
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal
> [d...@redhat.com]
> Sent: Tuesday, December 18, 2012 17:50
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>
> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>
>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> We are implementing IPA Server and are going to need to be able to
>>> authenticate properly with a number of Solaris 11 servers. I have browsed
>>> the archives and found a few threads mentioning some problems with
>>> Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>>
>>>
>> I don't think there are any problems with Solaris 11, except that nobody has
>> yet sat down and figured out how to configure it as an IPA client.
>>
>> I had a go at it a while ago (some of the posts you've probably found), and
>> found that there were enough differences in the LDAP/Kerberos client between
>> Solaris 10 and Solaris 11 for making it work with the setup guide I've created
>> for Solaris 10. And there was a need for further investigation for finding out
>> how to configure Solaris 11 as an IPA client.
>>
>> I've not looked into this further as we do not use Solaris 11 yet.
>>
>>
>> I don't know if anyone else has had time to sit down and have a crack at this?
>>
>
> And we would like to hear about this effort.
> If it produces instructions we would like to put them on the wiki.
> If it produces bugs we would investigate them.
>
>
>>
>>
>> Regards,
>> Siggi
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>


