I have finally gotten all of my Solaris servers to accept AD users but the behavior is inconsistent.
In my FreeIPA domain, I can log in to a Linux server and then ssh to the Solaris server and I am automatically logged in because of my Kerberos ticket (I assume).

But when I ssh from the first Solaris machine to the 2nd I am prompted for a password instead of being automatically signed in.

The strange thing is that it doesn't matter which machine I log in to first, it's only the 2nd hop that asks for a password.

Below is my console recording. ipaclient1 is Linux, ipaclient5 and ipaclient6 are Solaris.

Login from Linux -> Solaris 1 works without password
Login from Linux -> Solaris 2 works without password
Login from Solaris 1 -> Solaris 2 prompts
Login from Solaris 2 -> Solaris 1 prompts.

Any ideas?

---- snip ----
login as: nathan.peters
nathan.peters@10.21.19.12's password:
Last login: Thu Mar 19 16:42:27 2015 from 10.5.5.57
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103_L8tfu1
Default principal: nathan.pet...@datacenter.mydomain.net

Valid starting     Expires            Service principal
03/19/15 16:44:27  03/20/15 02:44:16  krbtgt/datacenter.mydomain....@datacenter.mydomain.net
        renew until 03/20/15 16:44:27
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient5-sandbox-atdev-van
Last login: Thu Mar 19 23:43:24 2015 from 10.21.19.12
Oracle Corporation SunOS 5.10 Generic Patch January 2005
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1539201103
Default principal: nathan.pet...@datacenter.mydomain.net

Valid starting     Expires            Service principal
03/19/15 23:40:06  03/20/15 09:39:23  krbtgt/datacenter.mydomain....@datacenter.mydomain.net
        renew until 03/26/15 23:40:06
[11:45 PM] ipaclient5-sandbox-atdev-van:~$ ssh ipaclient6-sandbox-atdev-van
Password:
Last login: Thu Mar 19 16:40:49 2015 from ipaclient5-sand
Oracle Corporation SunOS 5.10 Generic Patch January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ exit
logout
Connection to ipaclient6-sandbox-atdev-van closed.
[11:48 PM] ipaclient5-sandbox-atdev-van:~$ exit
logout
Connection to ipaclient5-sandbox-atdev-van closed.
[nathan.pet...@datacenter.mydomain.net@ipaclient1-sandbox-atdev-van ~]$ ssh ipaclient6-sandbox-atdev-van
Last login: Thu Mar 19 16:45:50 2015 from ipaclient5-sand
Oracle Corporation SunOS 5.10 Generic Patch January 2005
-bash-3.00$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_1539201103)
-bash-3.00$ ssh ipaclient5-sandbox-atdev-van
The authenticity of host 'ipaclient5-sandbox-atdev-van (10.21.19.16)' can't be established.
RSA key fingerprint is b0:65:8d:c6:82:78:c2:7f:60:16:d0:6a:30:c0:09:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaclient5-sandbox-atdev-van,10.21.19.16' (RSA) to the list of known hosts.
Password:
Last login: Thu Mar 19 23:45:19 2015 from 10.21.19.12
Oracle Corporation SunOS 5.10 Generic Patch January 2005
[11:49 PM] ipaclient5-sandbox-atdev-van:~$