<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 01/04/2013 05:27 AM, Johan Petersson wrote:
    <blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB83674@SSC-MBX2.ssc.internal"
      type="cite">
      <pre wrap="">Here are the instructions for an IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile.
Everything works as far as I have been able to test. Console login works, su - and ssh.</pre>
    </blockquote>
    <br>
    Thank you Johan!<br>
    We will put it onto the wiki.<br>
    It seems that it is a good opportunity to refine our client
    configuration guide a bit.<br>
    <br>
    Thanks<br>
    Dmitri<br>
    <br>
    <blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB83674@SSC-MBX2.ssc.internal"
      type="cite">
      <pre wrap="">

Configuration done on the IPA Server.

Create a DUAConfigProfile       solaris_authssl.ldif

dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipaserver.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com

Add the ldif to ipaserver:

ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif

Create an account to use for authentication:

ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W

dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: solaris
userPassword: setyourpasswordhere

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

ipa host-add-managedby --host ipaserver.example.com solaris.example.com

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Make sure that the automount maps on ipaserver are named auto_* and NOT auto.* so they are compatible with Solaris name standards.

certutil -N -d .

openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)

scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/



Solaris host configuration:

Make sure to secure the krb5.keytab properly.
chown root:sys krb5.keytab
chmod 600 krb5.keytab

Secure the *.db files created by certutil on IPA Server earlier.

chown root:staff /var/ldap/*.db
chmod 444 /var/ldap/*.db

Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" on the "hosts" and "ipnodes" lines:

hosts:          files dns 
ipnodes:        files dns

ldapclient -v init \
-a profileName=solaris_authssl \
-a domainName=example.com \
-a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="setyourpasswordhere" \
-D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
-w yourpasswordagain \
ipaserver.example.com

Enable ntp client:

Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf

Example:
server ipaserver.example.com iburst

svcadm restart ntp

To see it is running properly:

svcs ntp 

To see what servers you are using:

ntpq -p 

Edit /etc/krb5/krb5.conf:

krb5.conf:

[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM


Pam configuration changed slightly in Solaris 11.1.
It is still possible to use /etc/pam.conf as before if preferable.

Pam configuration in /etc/pam.d/

login:

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1


other:

auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_cred.so.1
auth sufficient         pam_krb5.so.1
auth required           pam_unix_auth.so.1

account requisite       pam_roles.so.1
account definitive      pam_user_policy.so.1
account required        pam_unix_account.so.1
account required        pam_krb5.so.1
account required        pam_tsol_account.so.1

password include        pam_authtok_common
password sufficient     pam_krb5.so.1
password required       pam_authtok_store.so.1


For NFS:

/etc/nfssec.conf enable these:

krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS

Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.

sharectl set -p nfsmapid_domain=home nfs

To see if it is properly set:
sharectl get nfs</pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>


</pre>
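    <p>An added example, not part of the thread above: a small Python audit of the DUAConfigProfile LDIF before it is loaded with ldapadd. It parses the entry and flags a profile whose authenticationMethod is not tls:* (the proxy account's password would then cross the network unprotected) or whose automount service names use the auto.* form instead of the Solaris auto_* form. The embedded LDIF is a constructed, shortened copy of the profile from the message; the function names are this example's own.</p>

```python
# Constructed sample: a shortened copy of the solaris_authssl profile above.
PROFILE_LDIF = """\
dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultServerList: ipaserver.example.com
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor:auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, preserving value order.

    Handles folded lines (continuation lines start with a single space) and
    'attr:value' written without a space after the colon, as in the message.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def audit_profile(attrs):
    """Return findings for settings that would weaken the Solaris LDAP client."""
    findings = []
    method = attrs.get("authenticationMethod", [""])[0]
    if not method.startswith("tls:"):
        findings.append(f"authenticationMethod {method!r}: proxy bind is not TLS-protected")
    if attrs.get("credentialLevel", [""])[0] != "proxy":
        findings.append("credentialLevel is not 'proxy'; the proxy account will not be used")
    for ssd in attrs.get("serviceSearchDescriptor", []):
        service = ssd.split(":", 1)[0]
        if service.startswith("auto."):
            findings.append(f"service {service} uses auto.* naming; Solaris expects auto_*")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_ldif_entry(PROFILE_LDIF)) or ["profile OK"]:
        print(finding)
```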
  </body>
</html>