[Freeipa-users] Installing IPA on Solaris 10

Rob Crittenden rcritten at redhat.com
Fri Feb 26 13:49:05 UTC 2010


Andy Singleton wrote:
> Hi Rob,
> 
> I should have mentioned that, yes it's all ssh.
> 
> For defaultServerList's, I guess it depends on the timeout values. If every operation suddenly gets a 4 second delay, I don't think that's going to work. 
> 
> For the associatedDomain issue, that's not really a problem for us. I just wanted to flag it up as something that could limit a deployment for someone else.
> 
> For the dirsrv log, yes that’s the only thing logged.
> Nothing in the krb5kdc.log, and only the pam error in the client's /var/adm/messages
> 
> If there's any more information I can provide, let me know.

Andy, I opened a couple of bugs to track these:

Solaris 10 nss passwd db not working 
https://bugzilla.redhat.com/show_bug.cgi?id=568087

I'll look at the login problem as part of 568087 as it may be related.

In Solaris 10 LDAP configuration replicas aren't added to server list 
https://bugzilla.redhat.com/show_bug.cgi?id=568104

rob

> 
> Cheers
> Andy
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com] 
> Sent: 24 February 2010 14:47
> To: Andy Singleton
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
> 
> Andy Singleton wrote:
>> Hi Rob,
>>
>> Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2:
>>
>> We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed")
> 
> Can't log in via console, ssh?
> 
>> Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually.
>> However, there was some hoop jumping to get to this state:
>>
>> I changed the following parts of the freeipa schema contents:
>>
>> 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise.
>> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
>> serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net
> 
> Yeah, I need to investigate this further. It should work without having 
> to go through compat. There is some VLV problem I need to figure out.
> 
>> 2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (The Linux clients rely on two slaves in this subnet.)
>> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
>> defaultServerList: [slave].live.tipp24.net
> 
> Hmm, I think we can probably add in the replicas to this list when they 
> are installed. Would that be an acceptable solution? Assuming of course 
> that Solaris will skip to the next entry if one is not accessible.
> 
>> 3) Our install covers three separate domains, and Solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only.
>> "dn: dc=live,dc=tipp24,dc=net"
>> nisDomain: live.tipp24.net
>> associatedDomain: live.tipp24.net
> 
> That is a limitation of the Solaris ldap client. associatedDomain needs 
> to match the client domain. I don't think there is a workaround for this.
> 
>> Finally, when users attempt to connect, the dirsrv log on the slave has the following contents:
>> [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
>> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
>> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
>> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
>> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
> 
> Clients attempt to connect and fail right? Are you saying this is the 
> only thing logged in that case?
> 
> rob
> 
>>
>> Any comments/advice would be appreciated.
>>
>> Thanks
>> Andy
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>> Sent: 05 February 2010 16:58
>> To: Andy Singleton
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>
>> Andy Singleton wrote:
>>> Hi Rob,
>>>
>>> Ok, I've switched on the compat plugin.
>>> Incidentally, does this need to be done separately for all replicas?
>> Yes. The plugin configuration of each 389-ds is not replicated.
>>
>>> However, when I run ldapclient init <ipa_server>, I get this message:
>>> "Failed to find defaultSearchBase for domain"
>> Hmm, can you look in the DS logs to see what queries it is making/ 
>> (/var/log/dirsrv/slapd-YOUR-INSTANCE/access).
>>
>> Probably a good idea to ensure you have the Solaris default profile set 
>> up too:
>>
>> ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"
>>
>> rob
>>
>>> Cheers
>>> Andy
>>>
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>>> Sent: 03 February 2010 17:34
>>> To: Andy Singleton; freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>
>>> Andy Singleton wrote:
>>>> Hi Rob,
>>>>
>>>> Neither of the commands give any results.
>>> /me smacks head
>>>
>>> Ok, sorry I didn't see this the first go-round.
>>>
>>> The Solaris nss_ldap doesn't use /etc/ldap.conf.
>>>
>>> What you want to do is something like:
>>>
>>> # ldapclient init ipa.example.com
>>>
>>> This should set everything up for you on the Solaris side assuming 
>>> you're running freeIPA 1.2.2.
>>>
>>> You'll also need to enable the compat schema on the IPA side by running 
>>> ipa-compat-manage enable and restarting the DS (if you haven't done so 
>>> already).
>>>
>>> Note that the Solaris LDAP client assumes that if you want to use LDAP 
>>> for anything then you want to use it for EVERYTHING, so you'll want to 
>>> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to 
>>> dns from ldap.
>>>
>>> rob
>>>> Andy
>>>>
>>>> -----Original Message-----
>>>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>>>> Sent: 03 February 2010 16:11
>>>> To: Andy Singleton
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>>
>>>> Andy Singleton wrote:
>>>>> Hi rob,
>>>>>
>>>>> Glad you caught up with this problem.
>>>>>
>>>>> The nsswitch.conf is set up as per the install document. So:
>>>>>  passwd:     files ldap[NOTFOUND=return]
>>>>>  group:    files ldap[NOTFOUND=return]
>>>>>
>>>>> The system uses the standard solaris nss_ldap package.
>>>> Ok, can you see if you can get a specific user and group:
>>>>
>>>> getent passwd admin
>>>> getent group ipausers
>>>>
>>>> rob
>>>>
>>>>> Cheers
>>>>> Andy
>>>>>
>>>>> ----- Original Message -----
>>>>> From: Rob Crittenden <rcritten at redhat.com>
>>>>> To: Andy Singleton
>>>>> Cc: freeipa-users at redhat.com <freeipa-users at redhat.com>
>>>>> Sent: Tue Feb 02 21:01:33 2010
>>>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>>>
>>>>> Andy Singleton wrote:
>>>>>  > Hi guys,
>>>>>  >
>>>>>  > I am installing IPA 1.2.2 client installation on one of our Solaris
>>>>>  > servers, and I can't seem to get the system to see the IPA users. “getent
>>>>>  > passwd” only returns local users, and no traffic is leaving the client
>>>>>  > for the IPA server for ldap.
>>>>>  >
>>>>>  > I have followed the instructions from the documentation, but I
>>>>>  > definitely get the feeling that something is missing.
>>>>>  >
>>>>>  > All the various configuration files are populated, and the Kerberos
>>>>>  > portion works correctly because I can obtain a ticket.
>>>>>  >
>>>>>  > So possibly there is a problem with the nss_ldap part, or the ldap.conf
>>>>>  > itself.
>>>>>  >
>>>>>  > Does anyone know common problems that might have this result on
>>>>>  > Solaris 10?
>>>>>  >
>>>>>  > For reference, here is the /etc/ldap.conf file:
>>>>>  >
>>>>>  > ldap_version 3
>>>>>  > base cn=compat,dc=live,dc=tipp24,dc=net
>>>>>  > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>>>  > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>>>  > nss_schema rfc2307bis
>>>>>  > nss_map_objectclass shadowAccount posixAccount
>>>>>  > nss_map_attribute uniqueMember member
>>>>>  > nss_initgroups_ignoreusers root,dirsrv,oracle
>>>>>  > nss_reconnect_maxsleeptime 8
>>>>>  > nss_reconnect_sleeptime 1
>>>>>  > bind_timelimit 2
>>>>>  > timelimit 4
>>>>>  > nss_srv_domain live.tipp24.net
>>>>>  > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
>>>>>  >
>>>>>  > Thanks
>>>>>  >
>>>>>  > Andy
>>>>>
>>>>> Sorry, missed this one last week..
>>>>>
>>>>> What does /etc/nsswitch.conf read? Is it configured to use ldap?
>>>>>
>>>>> You might also try killing nscd in case it is interfering.
>>>>>
>>>>> rob
>>>>>
> 
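The dirsrv access-log excerpt quoted in this thread shows the Solaris client's connection doing only a rootDSE search (supportedControl/supportedSASLMechanisms) and then unbinding, with no BIND at all, which is why the failed login leaves so little trace on the server. The following is an added example, not from this thread or from FreeIPA, that groups 389-ds access-log lines per connection and lists the connections that searched and closed without ever binding; the second connection, IPs and DNs in the sample are constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the thread (placeholder IPs/DNs,
# not the poster's data). conn=4672700 is an invented "healthy" lookup for contrast.
SAMPLE_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from 192.0.2.10 to 192.0.2.20
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:54:02 +0100] conn=4672700 fd=390 slot=390 connection from 192.0.2.11 to 192.0.2.20
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=0 BIND dn="uid=nss,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=1 SRCH base="cn=users,cn=compat,dc=example,dc=com" scope=2 filter="(uid=andy)" attrs=ALL
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=2 UNBIND
[24/Feb/2010:11:54:02 +0100] conn=4672700 op=2 fd=390 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT_RE = re.compile(r'connection from (?P<src>\S+) to (?P<dst>\S+)')

def parse_connections(log_text):
    """Group 389-ds access-log lines by conn= id: source, operation keywords, close code."""
    conns = defaultdict(lambda: {"src": None, "ops": [], "closed": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not per-connection records
        c, rest = conns[m.group("conn")], m.group("rest")
        cm = CONNECT_RE.search(rest)
        if cm:
            c["src"] = cm.group("src")
        elif " closed - " in rest:
            c["closed"] = rest.rsplit("closed - ", 1)[1]  # e.g. U1 = client unbind
        elif rest.startswith("op="):
            c["ops"].append(rest.split(" ", 2)[1])  # SRCH, RESULT, BIND, UNBIND ...
    return dict(conns)

def probe_only_connections(log_text):
    """Connections that searched and closed without ever issuing a BIND.
    In the thread, such a rootDSE probe followed by UNBIND is all the DS logged
    for a failed Solaris login, so this is the pattern to pull out for triage."""
    return sorted(cid for cid, c in parse_connections(log_text).items()
                  if "SRCH" in c["ops"] and "BIND" not in c["ops"] and c["closed"])
```

Feed it the real /var/log/dirsrv/slapd-INSTANCE/access file and compare the flagged connections' source addresses against the Solaris client to confirm the login attempt never reached a BIND.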
