<html><head/><body><html dir="ltr"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><style type="text/css" id="owaParaStyle"></style></head><body fpstyle="1" ocsi="0">Cool. :) What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon? Rgds Siggi <div class="gmail_quote">Johan Petersson <Johan.Petersson@sscspace.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. <div>Thank you for that help!</div> <div>I did not even think that it was that simple. :)</div> <div> </div> <div>Now everything works for the more secure client configuration on Solaris 11.</div> <div>The only thing left to investigate is why there is a delay now for the IPA users.</div> <div>I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt.</div> <div> </div> <div>Regards,</div> <div>Johan.</div> <div style="font-family: Times New Roman; color: #000000; font-size: 16px"> <hr tabindex="-1" /> <div id="divRpF170230" style="direction: ltr;">From: Sigbjorn Lie [sigbjorn@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? </div> <div></div> <div>What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi <div class="gmail_quote">Johan Petersson <Johan.Petersson@sscspace.com> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex"> <pre style="white-space:pre-wrap; word-wrap:break-word; font-family:sans-serif; margin-top:0px">Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX NS_LDAP_SERVERS= <a href="http://server.example.org" target="_blank">server.example.org</a> NS_LDAP_SEARCH_BAS EDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match: ldapkey =[ \2a ] t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 getmapent_ldap: exiting ... t4 do_lookup1: action=2 wildcard=FALSE error=2 t4 LOOKUP REPLY : status=2 The automount map is called auto.nethome key is: * -rw,soft <a href="http://server.example.org" target="_blank">server.example.org</a>:/nethome/& Is it that Solaris automount dont like asterisk(*) in a automount key? Regards, Johan. <hr /> From: Sigbjorn Lie [sigbjorn@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help w ith that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex; border-left:1px solid #729fcf; padding-left:1ex">Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_<a href="http://get.so" target="_blank">get.so</a>.1 login auth required pam_<a href="http://dhkeys.so" target="_blank">dhkeys.so< /a>.1 login auth sufficien t pam_<a href="http://krb5.so" target="_blank">krb5.so</a>.1 try_first_pass login auth required pam_unix_<a href="http://cred.so" target="_blank">cred.so</a>.1 login auth required pam_unix_<a href="http://auth.so" target="_blank">auth.so</a>.1 login auth required pam_dial_<a href="http://auth.so" target="_blank">auth.so</a>.1 gdm-autologin auth required pam_unix_<a href="http://cred.so" target="_blank">cred.so</a>.1 gdm-autologin auth sufficient pam_<a href="http://allow.so" target="_blank">allow.so</a>.1 other auth requisite pam_authtok_<a href="http://get.so" target="_blank">get.so</a>..1 other auth required pam_<a href="http://dhkeys.so" target="_blank">dhkeys.so</a>.1 other auth required pam_unix_<a href="http://cred.so" target="_blank">cred.so</a>.1 other auth sufficient pam_<a href="http://krb5.so" target="_blank">krb5.so</a>.1 other auth required pam_unix_<a href="http://auth.so" target="_blank">auth..so</a>.1 passwd auth required pam_passwd_<a href="http://auth.so" target="_blank">auth.so</a>.1 gdm-autologin account suffici ent pam_<a href="http://allowso" target="_blank">allow.so</a>.1 other account requisite pam_<a href="http://roles.so" target="_blank">roles.so</a>.1 other account required pam_unix_<a href="http://account.so" target="_blank">account.so</a>.1 other account required pam_<a href="http://krb5.so" target="_blank">krb5.so</a>.1 other session required pam_unix_<a href="http://session.so" target="_blank">session.so</a>.1 other password required pam_<a href="http://dhkeys.so" target="_blank">dhkeys.so</a>.1 other password requisite pam_authtok_<a href="http://get.so" target="_blank">get.so</a>.1 other password requisite pam_authtok_<a href="http://check.so" target="_blank">check.so</a>.1 force_check other password sufficient pam_krb5.so1 other password required pam_authtok_<a href="http://store.so" target="_blank">store.so</a>.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method "start" exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) <hr /> From: Sigbjorn Lie [sigbjorn@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex; border-left:1px solid #ad7fa8; padding-left:1ex">I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console t oo, probably something about autofs Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. <hr /> From: freeipa-users-bounces@redhat.com [freeipa-users-bounces@redhat.com] on behalf of Dmitri Pal [dpal@redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8 ex; border-left:1px solid #8ae234; padding-left:1ex">On Tue, December 18, 2012 08:28, Johan Petersson wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex; border-left:1px solid #fcaf3e; padding-left:1ex">Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved?</blockquote> I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this?</blockquote> And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. <blockquote class="gmail_quote" style="margin:0pt 0pt 1ex 0.8ex; border-left:1px solid #8ae234; padding-left:1ex">Regards, Siggi <hr /> Freeipa-users mailing list Freeipa-users@redhat.com <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></blockquote> -- Thank y ou, Dmi tri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc.. <hr /> Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts" target="_blank">www.redhat.com/carveoutcosts</a>/ <hr /> Freeipa-users mailing list Freeipa-users@redhat.com <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> <hr /> Freeipa-users mailing list Freeipa-users@redhat.com <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></blockquote> </blockquote></pre> </blockquote> </div> </div></div></div></blockquote></div> -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.</body></html></body></html>