Re: [Freeipa-users] Solaris Clients

2013-03-15 Thread Luke Kearney

On Mar 14, 2013, at 7:08 AM, Luke Kearney wrote:

> 
> On Mar 14, 2013, at 6:38 AM, KodaK wrote:
> 
>> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney  wrote:
>>> Hello,
>>> 
>>> I have recently been working on integrating our solaris 10 fleet with 
>>> FreeIPA. The first 'test' host went relatively smoothly and we recently 
>>> created a new test host. Only this time it was more challenging to get the 
>>> system working.
>>> 
>>> On our original test installation every step went almost exactly as per the 
>>> documentation [ 
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>  ]
>>> 
>>> On the second install we found that whilst we were able to retrieve user 
>>> account information via LDAP we could not login via ssh and kerberos for 
>>> any amount of trying. This was overcome by inserting the following line 
>>> into pam.conf
>>> 
>>> other   account sufficient   pam_ldap.so.1
>>> 
>>> Where it had not been needed on test host1.
>>> 
>>> To the extent it works and doesn't break something else this is all fine. I 
>>> understand why it works as the information in ldap is needed to open the 
>>> terminal session, why would one need this stanza but not the other?
>>> 
>> 
>> IIRC, the instructions have you pulling information from Kerberos.
>> This explicitly allows ldap -- I would suspect that Kerberos isn't
>> working correctly on the second host.  Check time first.
>> 
> 
> Thanks for that - NTP reports that both the kerberos master and the solaris 
> client are indeed in sync. In all other respects kerberos seems to be working 
> properly, a user can obtain a ticket and can use that same ticket to ssh to 
> another host. 

There is no doubt this is somehow borked: when I remove pam_ldap from the 
pam.conf file, Kerberos logins fail. On the KDC I see

Mar 16 02:56:19 tamachi.hq.meibin.net krb5kdc[3362](info): TGS_REQ (7 etypes 
{18 17 16 23 1 3 2}) 192.168.12.254: ISSUE: authtime 1363370170, etypes {rep=18 
tkt=17 ses=17}, lu...@hq.meibin.net for host/oiran.hq.meibin@hq.meibin.net

PAM on the client tells me

Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.info] Connection from 
192.168.12.254 port 51616
Mar 16 02:56:19 oiran sshd[526]: [ID 800047 auth.debug] debug1: Forked child 
788.
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Client protocol 
version 2.0; client software version OpenSSH_5.3
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: match: 
OpenSSH_5.3 pat OpenSSH*
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Enabling 
compatibility mode for protocol 2.0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Local version 
string SSH-2.0-Sun_SSH_1.1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
list_hostkey_types: ssh-rsa,ssh-dss
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEXINIT sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEXINIT received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: 
client->server aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: kex: 
server->client aes128-ctr hmac-md5 none
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent 
proposed langtags, ctos: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: Peer sent 
proposed langtags, stoc: 
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed 
langtags, ctos: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: We proposed 
langtags, stoc: i-default
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_REQUEST received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_GROUP sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: dh_gen_key: 
priv key bits set: 127/256
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 
503/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting 
SSH2_MSG_KEX_DH_GEX_INIT
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: bits set: 
513/1024
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_KEX_DH_GEX_REPLY sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 1
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_NEWKEYS sent
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: expecting 
SSH2_MSG_NEWKEYS
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: newkeys: mode 0
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
SSH2_MSG_NEWKEYS received
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: KEX done
Mar 16 02:56:19 oiran sshd[788]: [ID 800047 auth.debug] debug1: 
userauth-request for user lukek service ssh-connection method none
Mar 16 02:56:19 oiran s

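Why a `sufficient pam_ldap.so.1` line can turn a failing login into a working one, and what it hides, as an added example that is not part of this thread. The script below simulates how a Solaris pam.conf account stack is evaluated, following the control-flag rules in pam.conf(4). The stack contents are constructed (modelled on the Solaris 10 default `other account` lines), and the assumption that `pam_unix_account.so.1` is the module failing on the second host is just that, an assumption; the thread does not say which module fails.

```python
"""Added example (not from the thread): simulate a Solaris pam.conf
'account' stack to see why 'other account sufficient pam_ldap.so.1'
can make logins succeed, and what it hides.

Control-flag semantics follow Solaris pam.conf(4). The stack contents
and the module outcomes are constructed for illustration; which module
actually fails on the poster's second host is not known from the thread.
"""

from dataclasses import dataclass

SUCCESS, FAILURE = "success", "failure"


@dataclass(frozen=True)
class Entry:
    service: str      # e.g. "sshd" or "other"
    module_type: str  # auth, account, session, password
    control: str      # required, requisite, sufficient, binding, optional
    module: str       # e.g. pam_unix_account.so.1


def parse_pam_conf(text):
    """Parse pam.conf lines of the form: service type control module [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(*fields[:4]))
    return entries


def run_stack(entries, service, module_type, outcomes):
    """Evaluate one stack. `outcomes` maps module -> result (default: success).

    Returns (overall result, list of modules actually invoked)."""
    stack = [e for e in entries if e.module_type == module_type and e.service == service]
    if not stack:
        # Solaris uses the 'other' entries only when the service has none of this type.
        stack = [e for e in entries if e.module_type == module_type and e.service == "other"]
    called, required_failed, optional_failed, any_success = [], False, False, False
    for e in stack:
        result = outcomes.get(e.module, SUCCESS)
        called.append(e.module)
        any_success |= result == SUCCESS
        if e.control == "requisite" and result == FAILURE:
            return FAILURE, called          # stop immediately
        if e.control in ("required", "binding") and result == FAILURE:
            required_failed = True          # keep going, but the stack will fail
        elif e.control in ("sufficient", "binding") and result == SUCCESS and not required_failed:
            return SUCCESS, called          # short-circuit: later modules never run
        elif e.control == "optional" and result == FAILURE:
            optional_failed = True          # only decisive if nothing else succeeded (simplified)
    if required_failed or (optional_failed and not any_success):
        return FAILURE, called
    return SUCCESS, called


# Constructed stack modelled on the Solaris 10 default 'other account' lines.
BASE_CONF = """
other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
"""

# The poster's line inserted ahead of the default entries ...
LDAP_FIRST_CONF = """
other   account requisite   pam_roles.so.1
other   account sufficient  pam_ldap.so.1
other   account required    pam_unix_account.so.1
"""

# ... or appended after them.
LDAP_LAST_CONF = BASE_CONF + "other   account sufficient  pam_ldap.so.1\n"

# Assumption for the demo: on the broken host pam_unix_account cannot
# validate the LDAP user. The real cause on the poster's host is unknown.
BROKEN_HOST = {"pam_unix_account.so.1": FAILURE}


def account_result(conf_text, outcomes=BROKEN_HOST, service="sshd"):
    """Run the sshd account stack from a pam.conf text against given module outcomes."""
    return run_stack(parse_pam_conf(conf_text), service, "account", outcomes)


if __name__ == "__main__":
    cases = [
        ("default stack", BASE_CONF),
        ("pam_ldap before pam_unix_account", LDAP_FIRST_CONF),
        ("pam_ldap after pam_unix_account", LDAP_LAST_CONF),
    ]
    for name, conf in cases:
        result, called = account_result(conf)
        print(f"{name:34s} -> {result:8s} (ran: {', '.join(called)})")
```

Two things fall out of running this. A `sufficient` entry only rescues the login when it sits ahead of the `required` module that is failing; placed after it, the earlier required failure still decides the outcome. And when it does rescue the login, the module behind it is never invoked for any user, so the line bypasses whatever check was failing rather than repairing it. Before keeping such a line, find out why the existing account module fails on that host and whether the check it performs is one you want skipped.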
Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread Luke Kearney

On Mar 14, 2013, at 6:38 AM, KodaK wrote:

> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney  wrote:
>> Hello,
>> 
>> I have recently been working on integrating our solaris 10 fleet with 
>> FreeIPA. The first 'test' host went relatively smoothly and we recently 
>> created a new test host. Only this time it was more challenging to get the 
>> system working.
>> 
>> On our original test installation every step went almost exactly as per the 
>> documentation [ 
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>  ]
>> 
>> On the second install we found that whilst we were able to retrieve user 
>> account information via LDAP we could not login via ssh and kerberos for any 
>> amount of trying. This was overcome by inserting the following line into 
>> pam.conf
>> 
>> other   account sufficient   pam_ldap.so.1
>> 
>> Where it had not been needed on test host1.
>> 
>> To the extent it works and doesn't break something else this is all fine. I 
>> understand why it works as the information in ldap is needed to open the 
>> terminal session, why would one need this stanza but not the other?
>> 
> 
> IIRC, the instructions have you pulling information from Kerberos.
> This explicitly allows ldap -- I would suspect that Kerberos isn't
> working correctly on the second host.  Check time first.
> 

Thanks for that - NTP reports that both the kerberos master and the solaris 
client are indeed in sync. In all other respects kerberos seems to be working 
properly, a user can obtain a ticket and can use that same ticket to ssh to 
another host. 


> 
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread Michael ORourke
I'm not sure if this will help (not being a Solaris shop), but when we rolled 
out IPA in our environment, I had some trouble with ssh and kerberos auth 
working correctly.  As it turned out, the fix was adding reverse lookup records 
(PTR) in the DNS for all the servers. 

-Mike


-Original Message-
>From: Luke Kearney 
>Sent: Mar 13, 2013 4:39 PM
>To: Freeipa-users@redhat.com
>Subject: [Freeipa-users] Solaris Clients
>
>Hello,
>
>I have recently been working on integrating our solaris 10 fleet with FreeIPA. 
>The first 'test' host went relatively smoothly and we recently created a new 
>test host. Only this time it was more challenging to get the system working.
>
>On our original test installation every step went almost exactly as per the 
>documentation [ 
>http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> ] 
>
>On the second install we found that whilst we were able to retrieve user 
>account information via LDAP we could not login via ssh and kerberos for any 
>amount of trying. This was overcome by inserting the following line into 
>pam.conf
>
>other   account sufficient   pam_ldap.so.1
>
>Where it had not been needed on test host1.
>
>To the extent it works and doesn't break something else this is all fine. I 
>understand why it works as the information in ldap is needed to open the 
>terminal session, why would one need this stanza but not the other?
>
>If anyone can shed any light on this I would be most appreciative.
>
>Thanks
>



Re: [Freeipa-users] Solaris Clients

2013-03-13 Thread KodaK
On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney  wrote:
> Hello,
>
> I have recently been working on integrating our solaris 10 fleet with 
> FreeIPA. The first 'test' host went relatively smoothly and we recently 
> created a new test host. Only this time it was more challenging to get the 
> system working.
>
> On our original test installation every step went almost exactly as per the 
> documentation [ 
> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>  ]
>
> On the second install we found that whilst we were able to retrieve user 
> account information via LDAP we could not login via ssh and kerberos for any 
> amount of trying. This was overcome by inserting the following line into 
> pam.conf
>
> other   account sufficient   pam_ldap.so.1
>
> Where it had not been needed on test host1.
>
> To the extent it works and doesn't break something else this is all fine. I 
> understand why it works as the information in ldap is needed to open the 
> terminal session, why would one need this stanza but not the other?
>

IIRC, the instructions have you pulling information from Kerberos.
This explicitly allows ldap -- I would suspect that Kerberos isn't
working correctly on the second host.  Check time first.


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



[Freeipa-users] Solaris Clients

2013-03-13 Thread Luke Kearney
Hello,

I have recently been working on integrating our solaris 10 fleet with FreeIPA. 
The first 'test' host went relatively smoothly and we recently created a new 
test host. Only this time it was more challenging to get the system working.

On our original test installation every step went almost exactly as per the 
documentation [ 
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
 ] 

On the second install we found that whilst we were able to retrieve user 
account information via LDAP we could not login via ssh and kerberos for any 
amount of trying. This was overcome by inserting the following line into 
pam.conf

other   account sufficient   pam_ldap.so.1

Where it had not been needed on test host1.

To the extent it works and doesn't break something else this is all fine. I 
understand why it works as the information in ldap is needed to open the 
terminal session, why would one need this stanza but not the other?

If anyone can shed any light on this I would be most appreciative.

Thanks
