Hi List,

I'm currently running IPA 3.3 on CentOS 7, and successfully authenticating Linux clients (CentOS 6.5).

I'd like to set up Solaris 10 as an IPA client, but this seems problematic. I am following this guide:
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10

I have the following setup:

Solaris client:
- Solaris 10u11 (SunOS 5.10 Generic_147148-26 i86pc i386 i86pc)

IdM Server:
- Linux kwtpocipa001.orion.local 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Going through the steps in the guide: at step 3 ("Create the cn=proxyagent account"), ldapadd fails with the following error: "ldapadd: invalid format (line 6) entry: "cn=proxyagent,ou=profile,dc=orion,dc=local""

---
[root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory manager" -w Cr4ckM0nk3y
dn: cn=proxyagent,ou=profile,dc=orion,dc=local
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
ldapadd: invalid format (line 6) entry: "cn=proxyagent,ou=profile,dc=orion,dc=local"
---

I've made the assumption that the extra ":" is a typo in the documentation and removed it, so the command runs successfully as follows:

---
[root@kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D "cn=directory manager" -w Cr4ckM0nk3y
dn: cn=proxyagent,ou=profile,dc=orion,dc=local
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent
userPassword: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
adding new entry "cn=proxyagent,ou=profile,dc=orion,dc=local"
---

At step 9 (Configure NFS), I get an error which seems to indicate the "des-cbc-crc" encryption type is unsupported:

---
[root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab -e des-cbc-crc
Operation failed! All enctypes provided are unsupported
[root@kwtpocipa001 ~]#
---

(Question: How would I add support for des-cbc-crc encryption in FreeIPA?)

I've now worked around this by not specifying any encryption type:

---
[root@kwtpocipa001 ~]# ipa-getkeytab -s kwtpocipa001.orion.local -p nfs/kwtpocipasol10u11.orion.local -k /tmp/kwtpocipasol10u11.keytab
Keytab successfully retrieved and stored in: /tmp/kwtpocipasol10u11.keytab
[root@kwtpocipa001 ~]#
---

Testing that I can see NFS mounts on the CentOS IPA server from the Solaris machine:

---
bash-3.2# showmount -e kwtpocipa001.orion.local
export list for kwtpocipa001.orion.local:
/data/centos-repo 172.16.0.0/24
bash-3.2#
---

Checking we can kinit:

---
bash-3.2# kinit admin
Password for [email protected]:
bash-3.2# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
09/24/14 11:20:36  09/24/14 12:20:36  krbtgt/[email protected]
        renew until 10/01/14 11:20:36
bash-3.2# uname -a
SunOS kwtpocipasol10u11 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2#
---

Testing I can mount the remote FS (without Kerberos auth). This is successful (when not using kerberos5 authentication):

---
bash-3.2# mount -F nfs 172.16.107.102:/data/centos-repo /remote/
bash-3.2# mount | grep remote
/remote on 172.16.107.102:/data/centos-repo remote/read/write/setuid/devices/rstchown/xattr/dev=4f0000a on Wed Sep 24 13:45:32 2014
bash-3.2#
---

Testing with KRB5:

---
bash-3.2# mount -F nfs -o sec=krb5 172.16.107.102:/data/centos-repo /remote/
nfs mount: mount: /remote: Permission denied
bash-3.2#
---

Looking at the krb5kdc logs on the IPA master server, I get the following error:

---
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2371](info): AS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2373](info): DISPATCH: repeated (retransmitted?) request from 172.16.107.107, resending previous response
Sep 24 13:48:17 kwtpocipa001.orion.local krb5kdc[2374](info): DISPATCH: repeated (retransmitted?) request from 172.16.107.107, resending previous response
.
.
.
Sep 24 13:48:18 kwtpocipa001.orion.local krb5kdc[2373](info): AS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107: CLIENT_NOT_FOUND: root/[email protected] for krbtgt/[email protected], Client not found in Kerberos database
---

So it seems the host is not correctly registered.

NOTE: Via the interface, I can see the Solaris client is not properly enrolled ("Kerberos Key Not Present"); however, the documentation doesn't seem to indicate clearly how this should be done for a Solaris client. I have regenerated the certificate though, so it shows "valid certificate present".

My question is: Is the process described in this guide still correct/functional for integrating Solaris 10 clients? If so, is there some way I could debug further to pinpoint why the Solaris client is not being registered in the Kerberos DB?

Many thanks in advance!

Traiano
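Editor's added example (not part of Traiano's post or of the FreeIPA guide): in LDIF, "attr:: value" means the value is base64-encoded, so the double colon in the guide is valid syntax, and what ldapadd rejects on line 6 is the value itself, whose 63 characters cannot be a complete base64 string. The parser below reads the proxyagent entry the way a directory server would, reporting the rejected line, showing that the single-colon variant hands the server the base64 text itself as the password rather than the hash it encodes, and decoding the {SSHA} hash once the padding is completed (one "=" appended, which is an assumption about the intended value).

```python
import base64
import binascii

# The base64 value exactly as quoted in the post: 63 characters, not a multiple of 4
PROXYAGENT_B64 = "e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ="


def parse_ldif_entry(text):
    """Parse one LDIF entry (RFC 2849 subset) into [(attr, value_bytes, err)].

    'attr: value' carries the literal string; 'attr:: value' is base64 and is
    decoded the way a directory server decodes it. Malformed base64 is reported
    in err instead of raised, so the caller sees which line ldapadd would reject.
    """
    attrs = []
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>'
            raw = rest[1:].strip()
            try:
                value, err = base64.b64decode(raw, validate=True), None
            except binascii.Error as exc:
                value, err = raw.encode(), f"line {lineno}: invalid base64 ({exc})"
        else:  # 'attr: <plain value>'
            value, err = rest.strip().encode(), None
        attrs.append((name, value, err))
    return attrs


def stored_password(ldif_text):
    """Return (err, userPassword bytes as the directory would receive them)."""
    for name, value, err in parse_ldif_entry(ldif_text):
        if name.lower() == "userpassword":
            return err, value
    return "no userPassword attribute", None


def proxyagent_entry(password_line):
    # Same entry as step 3 of the guide; only the userPassword line varies.
    return ("dn: cn=proxyagent,ou=profile,dc=orion,dc=local\n"
            "objectClass: top\nobjectClass: person\n"
            "sn: proxyagent\ncn: proxyagent\n" + password_line + "\n")


# Constructed variants: as documented, as the poster changed it, and with the
# base64 padding completed (one '=' appended: an assumption about the intended value).
ENTRY_AS_DOCUMENTED = proxyagent_entry("userPassword:: " + PROXYAGENT_B64)
ENTRY_SINGLE_COLON = proxyagent_entry("userPassword: " + PROXYAGENT_B64)
ENTRY_PADDED = proxyagent_entry("userPassword:: " + PROXYAGENT_B64 + "=")
```

Calling stored_password() on each of the three entries shows the error for the documented value, the raw base64 text for the single-colon value, and a 46-byte "{SSHA}..." hash for the padded value.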
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
