Hi Mohammad,
This is for Solaris 11; it seems that some of the options for the
pam.conf file are not available in Solaris 10 (I think it was the
following options:
auth definitive pam_user_policy.so.1
account required pam_tsol_account.so.1
password required pam_authtok_store.so.1
... had to remove them from the pam.conf file..)
Still didn't get the ssh auth to work...
This may be a stupid question, but do you know if the keytab file must
be _exactly_ the same as in the IPA server, or does it only need to
contain the entries relevant for the (solaris) client? According to the
link you're pointing me to, it seems to just take from the server keytab
file those entries relevant for the client, create a new keytab file
with that content, and copy it over to the client. Is such a 'stripped
down' keytab file supposed to work for the client's auth?
Regards,
Gerardo
On 08/09/14 at #4, mohammad sereshki wrote:
hi
Please go ahead with the below structure. It works!
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
<https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html>
------------------------------------------------------------------------
*From:* Gerardo Padierna <asl.gera...@gmail.com>
*To:* freeipa-users@redhat.com
*Sent:* Monday, September 8, 2014 2:14 PM
*Subject:* [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not
working
Hello folks,
I'm setting up an IPA-server instance aimed to be used primarily for
Linux/Unix clients ssh authentication (with kerberos).
I've managed to successfully set up debian clients (via sssd and also
on older debians, through libnss and pam_krb5). But for some reason I
can't authenticate ssh on Solaris10 clients.
On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and
id <user> work), but unfortunately, the ssh user authentication fails
with an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No
such file or directory
On the solaris clients, does there need to be a keytab in /etc/krb5/
directory copied over from the IPA server? (I didn't have to set up a
keytab file for the legacy debian clients, and in the solaris-clients
doc previously mentioned, there's no mention of it). Well, since I
read somewhere the keytab file needs to be there, I copied it over from
the IPA server to the solaris clients. Then I get a different error:
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
This error seems to indicate that there isn't a matching entry found
in the keytab file, so I added an entry for the solaris client, but
I'm still getting the same 'Key table entry not found' error (it could
be the entry I added is wrong, of course). But, for now, just want to
be sure: On the solaris clients, do I need an /etc/krb5/krb5.keytab
file? (if yes, why not in the non-sssd Debian hosts then?)
Thanks in advance,
--
*Gerardo Padierna Nanclares*
Systems Technician (ASL group) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gera...@gmail.com
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project