[Freeipa-users] Does Solaris 11 work as client to IPA server?
Johan Petersson
Johan.Petersson at sscspace.com
Mon Dec 24 22:27:58 UTC 2012
Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
Console login works, as do su - and ssh.
Home directories automounted have the correct permissions.
The automount does not use wildcards since I had issues with the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
This can probably be solved by someone with more extensive experience of Solaris autofs.
I am working on an instruction based on Sigbjorn Lie's DUAProfile with added security and will post it shortly too.
First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
On the IPA server or Client run:
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
Move the keytab to /etc/krb5/krb5.keytab on the Solaris machine.
Make sure it has the proper owner and permissions:
chown root:sys /etc/krb5/krb5.keytab
chmod 700 /etc/krb5/krb5.keytab
Edit /etc/nsswitch.ldap and replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:
hosts: files dns
ipnodes: files dns
Edit /etc/krb5/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
Run the ldapclient with the default DUAProfile.
The -a domainName=example.com option is needed so that ldapclient does not stop and complain about a missing NIS domain name.
ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
In Solaris 11.1 the PAM configuration has changed, but for simplicity I still use /etc/pam.conf:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
For NFS and automount to work:
In /etc/nfssec.conf enable these:
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
sharectl set -p nfsmapid_domain=example.com nfs
If autofs is not on:
svcadm enable system/filesystem/autofs:default
In /etc/auto_home:
testuser ipaserver.example.com:/home/testuser
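Added example (Python, not from this thread): a small audit of the PAM stacking shown above, run against an abridged copy of the post's login/other stacks as constructed input. It checks that pam_krb5 is sufficient in auth with pam_unix_auth behind it as the local fallback, and that pam_krb5 is present in the account stack; the finding texts are my own wording.

```python
# Constructed input: abridged login/other stacks from the pam.conf in the post above.
SAMPLE_PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options), ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = fields[:4]
        stacks.setdefault((service, mtype), []).append((control, module, fields[4:]))
    return stacks

def stack_for(stacks, service, mtype):
    """Solaris uses the 'other' service when a service has no entries of that type."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def audit(stacks, service):
    """Findings for one service; an empty list means the stack matches the post."""
    findings = []
    auth = stack_for(stacks, service, "auth")
    mods = [m for _, m, _ in auth]
    if "pam_krb5.so.1" not in mods:
        findings.append("auth: pam_krb5 missing, IPA users cannot authenticate")
    else:
        i = mods.index("pam_krb5.so.1")
        if auth[i][0] != "sufficient":
            findings.append("auth: pam_krb5 not 'sufficient', local users without a principal would fail")
        if "pam_unix_auth.so.1" not in mods[i + 1:]:
            findings.append("auth: no pam_unix_auth after pam_krb5, so no local fallback")
    if "pam_krb5.so.1" not in [m for _, m, _ in stack_for(stacks, service, "account")]:
        findings.append("account: pam_krb5 missing, Kerberos account/password expiry not checked")
    return findings
```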
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Saturday, December 22, 2012 13:14
To: dpal at redhat.com; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,
Yes, of course I can document it properly as soon as I have checked everything.
I will send it to you so you can review it.
Regards,
Johan.
________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Friday, December 21, 2012 23:39
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so, I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise, I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan
Johan,
Would you mind summarizing your Solaris 11 experience in a step by step
procedure so that we can add it to wiki or Fedora docs?
Thanks
Dmitri
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot: my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for
> your automount maps. The automountmap rules in the DUA profile will help with that. You'll also
> run into issues if you attempt to have several automount locations without having specified which
> one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set
> NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to
> get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the
> client.
>
>
>
> Regards,
> Siggi
>
>
>
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>>
>> Here is my pam.conf cleaned up a bit.
>>
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>>
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>>
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>>
>> Thinking it has to do with a missing automountmap in the default DUAProfile.
>> Automount still works though but takes time during login and everything is nobody:nobody :)
>>
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>>
>> Hi,
>>
>>
>> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However
>> console login did not work giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>>
>>
>>
>> Regards,
>> Siggi
>>
>>
>>
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt
>>> through ssh though, and maybe from console too, probably something about autofs. Going to see if
>>> I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
>>> instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
>>> example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for
>>> now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other
>>> DUAProfile too from Bug 815515 and hopefully I can get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri
>>> Pal
>>> [dpal at redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>>
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>
>>>
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to authenticate properly
>>>>> with a number of Solaris 11 servers. I have browsed the archives and found a few threads
>>>>> mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has
>>>>> been solved?
>>>>>
>>>>>
>>>> I don't think there are any problems with Solaris 11 except that nobody has yet sat down and
>>>> figured out how to configure it as an IPA client.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found), and found that there
>>>> were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for
>>>> making it work with the setup guide I've created for Solaris 10. And there was a need for
>>>> further investigation to find out how to configure Solaris 11 as an IPA client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>>
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>>
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>
>>>
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>>
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>
>