Discussion:
[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
Gerardo Padierna
2014-09-08 09:44:10 UTC
Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for
Linux/Unix clients' ssh authentication (with Kerberos).
I've managed to successfully set up Debian clients (via sssd and also, on
older Debians, through libnss and pam_krb5). But for some reason I can't
authenticate ssh on Solaris 10 clients.
On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and id
<user> work), but unfortunately, the ssh user authentication fails with
an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such
file or directory

On the Solaris clients, does there need to be a keytab in the /etc/krb5/
directory copied over from the IPA server? (I didn't have to set up a
keytab file for the legacy Debian clients, and in the Solaris-clients doc
previously mentioned, there's no mention of it). Well, since I read
somewhere the keytab file needs to be there, I copied it over from the
IPA server to the Solaris clients; then I get a different error:
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

This error seems to indicate that there isn't a matching entry found in
the keytab file, so I added an entry for the Solaris client, but I'm
still getting the same 'Key table entry not found' error (it could be
the entry I added is wrong, of course). But, for now, I just want to be
sure: on the Solaris clients, do I need an /etc/krb5/krb5.keytab file?
(If yes, why not on the non-sssd Debian hosts then?)

Thanks in advance,
--
*Gerardo Padierna Nanclares*
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: ***@gmail.com
mohammad sereshki
2014-09-08 10:49:31 UTC
hi
Please go ahead with the structure below, it works!

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Gerardo Padierna
2014-09-09 10:19:37 UTC
Hi Mohammad,

This is for Solaris 11; it seems that some of the options for the
pam.conf file are not available in Solaris 10 (I think it was the
following options:
auth definitive pam_user_policy.so.1
account required pam_tsol_account.so.1
password required pam_authtok_store.so.1
... had to remove them from the pam.conf file..)

Still didn't get the ssh auth to work...

This may be a stupid question, but do you know if the keytab file must
be _exactly_ the same as in the IPA server, or does it only need to
contain the entries relevant for the (solaris) client? According to the
link you're pointing me to, it seems to just take from the server keytab
file those entries relevant for the client, create a new keytab file
with that content, and copy it over to the client. Is such a 'stripped
down' keytab file supposed to work for the client's auth?

Regards,
Gerardo
--
*Gerardo Padierna Nanclares*
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware]
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: ***@gmail.com
mohammad sereshki
2014-09-09 19:15:00 UTC
Dear

The below must be configured in pam.conf; also, each host needs a separate keytab. Solaris 11 is the same as Solaris 10.

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
passwd auth required pam_passwd_auth.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account sufficient pam_krb5.so.1
other account required pam_tsol_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1

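As an added example, not code from the thread or from FreeIPA: two checks worth running on a Solaris client before installing a pam.conf like the one above, written in sh so they run on the box itself. The first confirms that every module the file references actually exists on this host, because a "required" or "requisite" line that names a module missing from the system fails the whole stack for that service and can lock every user out; this is the same class of problem as the Solaris 11-only lines Gerardo had to remove. The second confirms that the "other" auth stack, which Solaris sshd falls back to when no sshd-specific service (sshd-kbdint and friends) is configured, really contains pam_krb5.so.1. The module directory (/usr/lib/security, the Solaris default) is an assumption, and the demo input is a constructed fragment in the thread's style together with a fake module directory that deliberately lacks one file.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run on a Solaris client before
# installing a new /etc/pam.conf. Module directory is an assumption (Solaris
# default /usr/lib/security); pam.conf fields are:
#   service  module_type  control_flag  module_path  [options]

# Distinct module paths referenced in a pam.conf (4th field), comments skipped.
pam_modules() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $4 }' "$1" | sort -u
}

# 0 if every module named in pam.conf $1 exists (bare names resolved under
# directory $2), else print each missing path and return 1. A missing module
# on a "required"/"requisite" line fails the whole stack for that service.
pam_check_modules() {
    conf="$1"; dir="$2"; missing=0
    for m in $(pam_modules "$conf"); do
        case "$m" in
            /*) path="$m" ;;          # absolute path given in pam.conf
            *)  path="$dir/$m" ;;     # bare name, relative to the module dir
        esac
        if [ ! -f "$path" ]; then
            echo "missing: $path"
            missing=1
        fi
    done
    return "$missing"
}

# 0 if service $2 in pam.conf $1 has an auth line that uses pam_krb5.so.1.
# Solaris sshd falls back to "other" when no sshd-specific service
# (sshd-kbdint and friends) is configured, so "other" is the stack to check.
pam_has_krb5_auth() {
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && $1 == svc && $2 == "auth" && $4 == "pam_krb5.so.1" { f = 1 }
        END { exit f ? 0 : 1 }' "$1"
}

# Constructed demo input (not the thread's file): a fragment of the "other"
# stacks, plus a fake module directory that deliberately lacks one module.
DEMO=$(mktemp -d)
cat > "$DEMO/pam.conf" <<'EOF'
# other auth stack: try Kerberos first, fall back to local passwords
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account sufficient pam_krb5.so.1
other account required pam_tsol_account.so.1
EOF
mkdir -p "$DEMO/security"
for m in pam_authtok_get.so.1 pam_dhkeys.so.1 pam_unix_cred.so.1 \
         pam_krb5.so.1 pam_unix_auth.so.1 pam_roles.so.1 pam_unix_account.so.1; do
    : > "$DEMO/security/$m"
done

# Demo run; on a real client use: pam_check_modules /etc/pam.conf /usr/lib/security
pam_has_krb5_auth "$DEMO/pam.conf" other && echo "other auth stack uses pam_krb5.so.1"
pam_check_modules "$DEMO/pam.conf" "$DEMO/security" || echo "fix pam.conf before installing it"
```

Keep the old pam.conf next to the new one and a root shell open on the console while testing, since a broken "other" stack affects every login path at once.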
Natxo Asenjo
2014-09-09 09:12:25 UTC
Post by Gerardo Padierna
On the solaris clients, does there need to be a keytab in /etc/krb5/
directory copied over from the IPA server?
hi,

I have integrated OmniOS (an OpenSolaris derivative) with IPA using these
notes:

http://test.asenjo.nl/index.php/Omnios_ipa_client

that info may or may not be useful for Solaris 10 as I have zero experience
with older Solaris versions. But in principle, yes, you need a host keytab
to login using Kerberos SSO.

HTH.
--
Regards,
natxo
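As an added example, not code from the thread or from FreeIPA: the per-host provisioning Mohammad and Natxo describe, in the form a practitioner would script it. The reason the keytab is needed at all is that after pam_krb5 obtains a TGT with the user's password it calls krb5_verify_init_creds, which uses the client's own host key to confirm that the KDC that issued the ticket really holds that key; without it, anyone who can spoof the KDC can log in as any user. Solaris pam_krb5 fails the login when that key is absent (the two sshd error lines quoted in the thread), while the MIT library's default setting verify_ap_req_nofail = false silently skips the check when no host key is available, which is why the Debian pam_krb5 hosts log in without a keytab and why they should get one too. Copying the IPA server's keytab is the wrong fix on both counts: it does not contain host/<client>, hence "Key table entry not found", and it hands the client the IPA server's own host key, which should never leave that machine. The realm, hostnames and paths below are assumptions, and the klist listing used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: give a Solaris 10 client
# a keytab holding only its own host principal, then verify it is the entry
# pam_krb5 will look up. Realm, hostnames and paths are assumptions.

REALM="EXAMPLE.COM"              # assumed Kerberos realm
IPA_SERVER="ipa.example.com"     # assumed IPA master
CLIENT="sol10.example.com"       # assumed canonical FQDN of the Solaris client
KEYTAB="/etc/krb5/krb5.keytab"   # path Solaris pam_krb5 reads the host key from

# The principal krb5_verify_init_creds looks for: host/<canonical fqdn>@REALM.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Pure text check on the output of "klist -k": 0 if the principal is listed,
# 1 otherwise (usable on saved output, which is what the demo below does).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { f = 1 } END { exit f ? 0 : 1 }'
}

# Run on an IPA admin host holding an admin ticket: create the host entry and
# fetch a keytab with just that host's key into $2. ipa-getkeytab generates a
# new key (kvno bumps), so run it once per host and never for a principal some
# other machine is already using. If the client's Kerberos lacks an enctype
# IPA would pick, restrict with e.g. "-e aes128-cts-hmac-sha1-96". Then copy
# the file to root@client:$KEYTAB (mode 600) and delete the local copy.
provision_client_keytab() {
    client="$1"; out="$2"
    ipa host-add "$client" || true      # already-existing host is fine
    ipa-getkeytab -s "$IPA_SERVER" -p "$(host_principal "$client" "$REALM")" -k "$out"
    chmod 600 "$out"
}

# Run on the Solaris client after the keytab is in place: confirm the
# principal for *this* hostname is in the file (a name mismatch between the
# client's hostname and the IPA host entry also yields "Key table entry not
# found"), then prove the key matches the KDC by getting a TGT with it.
verify_client_keytab() {
    principal="$(host_principal "$(hostname)" "$REALM")"
    keytab_has_principal "$(klist -k "$KEYTAB")" "$principal" || {
        echo "$KEYTAB has no entry for $principal" >&2
        return 1
    }
    kinit -k -t "$KEYTAB" "$principal" && kdestroy
}

# Constructed "klist -k" listing (not from the thread) so the check can be
# exercised offline; a real IPA-issued keytab lists one line per enctype.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sol10.example.com@EXAMPLE.COM
   2 host/sol10.example.com@EXAMPLE.COM'

if keytab_has_principal "$SAMPLE_KLIST" "$(host_principal "$CLIENT" "$REALM")"; then
    echo "sample keytab holds $(host_principal "$CLIENT" "$REALM")"
fi

# The real steps are opt-in so this file can be sourced without side effects:
#   PROVISION=1 sh client-keytab.sh   on the IPA admin host
#   VERIFY=1    sh client-keytab.sh   on the Solaris client
if [ "${PROVISION:-0}" = 1 ]; then provision_client_keytab "$CLIENT" "./$CLIENT.keytab"; fi
if [ "${VERIFY:-0}" = 1 ]; then verify_client_keytab; fi
```

If verify_client_keytab reports a missing entry even though ipa-getkeytab succeeded, compare the name printed by hostname on the client with the host entry in IPA: pam_krb5 derives the principal from the local hostname, so a short or differently-canonicalised name produces exactly the "Key table entry not found" failure from the thread.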