<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/04/2013 05:27 AM, Johan Petersson wrote:
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB83674@SSC-MBX2.ssc.internal"
type="cite">
<pre wrap="">Here is the instructions for a IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile.
Everything works as far as i have been able to test. Console login works, su - and ssh.</pre>
</blockquote>
<br>
Thank you Johan!<br>
We will put it onto the wiki.<br>
It seems that it is a good opportunity to refine our client
configuration guide a bit.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:558C15177F5E714F83334217C9A197DF5DB83674@SSC-MBX2.ssc.internal"
type="cite">
<pre wrap="">
Configuration done on the IPA Server.
Create a DUAConfigProfile solaris_authssl.ldif
dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipaserver.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
Add the ldif to ipaserver:
ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif
Create an account to use for authentication:
ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W
dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: solaris
userPassword: setyourpasswordhere
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
Make sure that the automount maps in ipaserver are named auto_* and NOT auto.* so they are compatible with Solaris name standards.
certutil -N -d .
openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)
scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/
Solaris host configuration:
Make sure to secure the krb5.keytab properly.
chown root:sys krb5.keytab
chmod 600 krb5.keytab
Secure the *.db files created by certutil on IPA Server earlier.
chown root:staff /var/ldap/*.db
chmod 444 /var/ldap/*.db
Edit /etc/nsswitch.ldap, replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:
hosts: files dns
ipnodes: files dns
ldapclient -v init \
-a profileName=solaris_authssl \
-a domainName=example.com \
-a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="setyourpasswordhere" \
-D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
-w yourpasswordagain \
ipaserver.example.com
Enable ntp client:
Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf
Example:
server ipaserver.example.com iburst
svcadm restart ntp
To see it is running properly:
svcs ntp
To see what servers you are using:
ntpq -p
Edit /etc/krb5/krb5.conf:
krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
PAM configuration changed slightly in Solaris 11.1.
It is still possible to use /etc/pam.conf as before if preferable.
PAM configuration in /etc/pam.d/
login:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other:
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1
auth required pam_unix_auth.so.1
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
account required pam_krb5.so.1
account required pam_tsol_account.so.1
password include pam_authtok_common
password sufficient pam_krb5.so.1
password required pam_authtok_store.so.1
For NFS:
/etc/nfssec.conf enable these:
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.
sharectl set -p nfsmapid_domain=home nfs
To see if it is properly set:
sharectl get nfs</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
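A post-install audit for the Solaris client side of the procedure quoted above, added here as an example (it is not part of Johan's instructions or of FreeIPA). It assumes the paths and realm used in the instructions, and it treats verify_ap_req_nofail = true as the expected value because the host keytab is installed, so pam_krb5 can and should fail closed when a ticket cannot be verified against it.

```shell
#!/bin/sh
# Post-install audit for the Solaris 11 IPA client setup quoted above.
# Added example, not part of the original post; paths and realm are the
# ones from the instructions. Each check takes its path as an argument so
# it can run against copies of the files; audit_client accepts an optional
# root prefix for the same reason.

# mode_is <path> <expected ls -l mode string>   e.g. -rw-------
mode_is() {
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# The host keytab must be readable only by its owner (chmod 600 above).
keytab_locked_down() {   # keytab_locked_down /etc/krb5/krb5.keytab
    mode_is "$1" "-rw-------"
}

# The cert8.db/key3.db copied to /var/ldap must exist and be mode 444;
# without them the tls:simple bind has no CA to verify the server against.
ldap_dbs_readonly() {    # ldap_dbs_readonly /var/ldap
    for f in "$1"/*.db; do
        [ -e "$f" ] || return 1
        mode_is "$f" "-r--r--r--" || return 1
    done
}

# The DUAConfigProfile must bind over TLS with the proxy account, never
# with a plain simple bind that would send the proxy password in clear.
dua_profile_secure() {   # dua_profile_secure solaris_authssl.ldif
    grep -q '^authenticationMethod: tls:simple$' "$1" &&
    grep -q '^credentialLevel: proxy$' "$1"
}

# krb5.conf must name the realm and set verify_ap_req_nofail = true so that
# pam_krb5 fails closed when a TGT cannot be verified against the host
# keytab (the quoted config leaves it at false).
krb5_conf_hardened() {   # krb5_conf_hardened /etc/krb5/krb5.conf EXAMPLE.COM
    grep -q "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2\$" "$1" &&
    grep -q '^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*true' "$1"
}

# audit_client <realm> [root-prefix]: run the host-side checks, print each
# failure, and return non-zero if any check failed.
audit_client() {
    r=${2:-}; rc=0
    keytab_locked_down "$r/etc/krb5/krb5.keytab"     || { echo "FAIL: keytab not mode 600"; rc=1; }
    ldap_dbs_readonly "$r/var/ldap"                  || { echo "FAIL: /var/ldap/*.db missing or not 444"; rc=1; }
    krb5_conf_hardened "$r/etc/krb5/krb5.conf" "$1"  || { echo "FAIL: krb5.conf realm or verify_ap_req_nofail"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: client configuration checks passed"
    return $rc
}
```

Run it as `audit_client EXAMPLE.COM` on the Solaris host after the ldapclient init step; dua_profile_secure is meant to be run on the IPA server against the LDIF before ldapadd.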
</body>
</html>