On 01/07/2015 06:36 AM, Ben .T.George wrote:
Hi
If I check an IPA client machine enrolled with ipa-client, the krb5.conf
file looks like below:
[root@kwttestmrbs001 krb5.include.d]# more /etc/krb5.conf
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = SOLIPA.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
SOLIPA.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.solipa.local = SOLIPA.LOCAL
solipa.local = SOLIPA.LOCAL
and the includedir /var/lib/sss/pubconf/krb5.include.d/ is including :
[root@kwttestmrbs001 krb5.include.d]# more domain_realm_solipa_local
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
Anyone, please help me to prepare a proper krb5.conf file for the Solaris box.
IPA Server is : kwtpocpbis01.solipa.local
Solaris (client) : kwttestsolaris10.solipa.local
Active Directory: kwttestdc001.kwttestdc.com
Regards,
Ben
On Wed, Jan 7, 2015 at 2:11 PM, Ben .T.George <[email protected]> wrote:
Hi List
Correct me if I am wrong.
Currently my client krb5.conf holds AD details, and my client is
Solaris.
Here is my file.
bash-3.2# more /etc/krb5/krb5.conf
[libdefaults]
default_realm = KWTTESTDC.COM
[realms]
KWTTESTDC.COM = {
kdc = kwttestdc001.kwttestdc.com:88
admin_server = kwttestdc001.kwttestdc.com:749
}
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
Please, anyone, verify whether this is right or wrong.
Regards,
Ben
OK, there seems to be some confusion, at least on my side.
I see several options in this situation.
Option 1: You use your Solaris box with AD directly.
I do not think this is what you are trying to do. AFAIR you are trying
to connect it to IPA and use trusts. But direct connection should be
possible.
Option 2: Connect Solaris to IPA while it is in a trust with AD.
In this case you need to use LDAP for authentication and identity lookup
and point your client to compat tree. You can't use Kerberos. Kerberos
on Solaris does not know anything about the trust. If you make it use
Kerberos from IPA then you would be able to use only users from IPA. If
you need to use kerberos then we return to option 1.
Option 3: Create a split-brain configuration: authentication using
Kerberos will go to AD directly while identity will come from IPA's
compat tree.
This is potentially possible but this is an uncharted and not
recommended territory.
Option 4: Try to build SSSD for Solaris.
If it were easy we would have done it ourselves, but patches are always
welcome. :-)
Option 5: Stop using Solaris.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
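The two krb5.conf files in the thread differ in exactly the way Dmitri's Option 2 describes: the ipa-client-install file reaches the AD realm only through a [domain_realm] mapping that SSSD drops into the includedir, while the Solaris file knows nothing about SOLIPA.LOCAL at all. The script below is an added example, not code from the thread or from the FreeIPA project: it parses krb5.conf (honouring includedir), maps host names to realms the way [domain_realm] does, and reports which referenced realms the client could actually find a KDC for. The configs are transcribed from the thread (the Solaris one abridged), the include directory is simulated with a dict so it runs offline, and the parsing and lookup rules are a simplified approximation of libkrb5's profile library, not its exact logic.

```python
"""Added example: inspect krb5.conf files for realm reachability and
[domain_realm] host mapping.  Simplified approximation of libkrb5 rules."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5(text, include_dirs=None):
    """Return {section: {key: value}}; 'key = { ... }' blocks become nested dicts.
    include_dirs maps an includedir path to {filename: contents} (simulated here).
    The first occurrence of a key wins, as in libkrb5's profile library."""
    include_dirs = include_dirs or {}
    config, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            path = line.split(None, 1)[1]
            for name in sorted(include_dirs.get(path, {})):
                for sec, vals in parse_krb5(include_dirs[path][name]).items():
                    for k, v in vals.items():
                        config.setdefault(sec, {}).setdefault(k, v)
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [config.setdefault(m.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = KV_RE.match(line)
        if m and stack:
            key, value = m.group(1), m.group(2).strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, value)
    return config


def realm_for_host(config, host):
    """[domain_realm] lookup: exact host first, then the longest parent domain
    written with a leading dot, falling back to default_realm."""
    mapping = config.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        key = "." + ".".join(parts[i:])
        if key in mapping:
            return mapping[key]
    return config.get("libdefaults", {}).get("default_realm")


def reachable_realms(config):
    """Classify every realm the file references: 'static' when [realms] lists a
    kdc, 'dns' when the client must rely on SRV lookup (dns_lookup_kdc, which
    defaults to true in MIT krb5), else 'unreachable'.  A realm that is never
    referenced (e.g. SOLIPA.LOCAL in the Solaris file) does not appear at all."""
    libdefaults = config.get("libdefaults", {})
    dns_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    realms = config.get("realms", {})
    referenced = set(realms) | set(config.get("domain_realm", {}).values())
    if "default_realm" in libdefaults:
        referenced.add(libdefaults["default_realm"])
    result = {}
    for realm in sorted(referenced):
        stanza = realms.get(realm, {})
        if isinstance(stanza, dict) and "kdc" in stanza:
            result[realm] = "static"
        else:
            result[realm] = "dns" if dns_kdc else "unreachable"
    return result


# Transcribed from the thread (the ipa-client-install file and SSSD's include).
LINUX_KRB5_CONF = """\
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = SOLIPA.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
[realms]
SOLIPA.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.solipa.local = SOLIPA.LOCAL
solipa.local = SOLIPA.LOCAL
"""
SSSD_INCLUDES = {"/var/lib/sss/pubconf/krb5.include.d/": {
    "domain_realm_solipa_local": "[domain_realm]\n"
    ".kwttestdc.com = KWTTESTDC.COM\nkwttestdc.com = KWTTESTDC.COM\n"}}

# Transcribed (abridged) from the Solaris box in the thread.
SOLARIS_KRB5_CONF = """\
[libdefaults]
default_realm = KWTTESTDC.COM
[realms]
KWTTESTDC.COM = {
kdc = kwttestdc001.kwttestdc.com:88
admin_server = kwttestdc001.kwttestdc.com:749
}
[domain_realm]
.kwttestdc.com = KWTTESTDC.COM
kwttestdc.com = KWTTESTDC.COM
"""

if __name__ == "__main__":
    for label, text, inc in (("linux", LINUX_KRB5_CONF, SSSD_INCLUDES),
                             ("solaris", SOLARIS_KRB5_CONF, None)):
        cfg = parse_krb5(text, inc)
        print(label, reachable_realms(cfg),
              realm_for_host(cfg, "kwtpocpbis01.solipa.local"))
```

On the Solaris file the IPA server's host name falls through [domain_realm] to default_realm and is treated as an AD host, and SOLIPA.LOCAL is never referenced, which is the concrete form of "Kerberos on Solaris does not know anything about the trust". Adding a SOLIPA.LOCAL stanza and domain mapping would let that client talk to the IPA KDC, but, as the thread states, only for IPA users.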