On Mar 14, 2013, at 6:38 AM, KodaK wrote:

> On Wed, Mar 13, 2013 at 3:39 PM, Luke Kearney <[email protected]> wrote:
>> Hello,
>>
>> I have recently been working on integrating our solaris 10 fleet with
>> FreeIPA. The first 'test' host went relatively smoothly and we recently
>> created a new test host. Only this time it was more challenging to get the
>> system working.
>>
>> On our original test installation every step went almost exactly as per the
>> documentation [
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>> ]
>>
>> On the second install we found that whilst we were able to retrieve user
>> account information via LDAP we could not login via ssh and kerberos for any
>> amount of trying. This was overcome by inserting the following line into
>> pam.conf
>>
>> other account sufficient pam_ldap.so.1
>>
>> Where it had not been needed on test host1.
>>
>> To the extent it works and doesn't break something else this is all fine. I
>> understand why it works as the information in ldap is needed to open the
>> terminal session, why would one need this stanza but not the other?
>>
>
> IIRC, the instructions have you pulling information from Kerberos.
> This explicitly allows ldap -- I would suspect that Kerberos isn't
> working correctly on the second host. Check time first.
>

Thanks for that - NTP reports that both the kerberos master and the solaris client are indeed in sync. In all other respects kerberos seems to be working properly, a user can obtain a ticket and can use that same ticket to ssh to another host.

>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
