[Freeipa-users] Does Solaris 11 work as client to IPA server?
Dmitri Pal
dpal at redhat.com
Tue Dec 25 15:52:38 UTC 2012
On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
> Console login works, su - and ssh.
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
> This can probably be solved by someone with more extensive experience of Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile with added security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com option is needed so that ldapclient does not stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed, but for simplicity I still use /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser ipaserver.example.com:/home/testuser
Thank you!
Dmitri
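As an added example (not part of the thread, and not FreeIPA or Solaris code), here is a POSIX sh audit that re-checks the client-side settings the quoted instructions leave behind: keytab mode, the hosts/ipnodes nsswitch lines, the realm and KDC in krb5.conf, the login PAM stack and the RPCSEC_GSS flavours in nfssec.conf. The ROOT prefix argument, the function names and the sample tree are assumptions made so the script can be dry-run against a constructed directory rather than a live host.

```shell
#!/bin/sh
# Added audit script (not from the post): re-checks the settings the quoted
# Solaris 11 client instructions leave behind. ROOT is a hypothetical prefix:
# "" for a live host, or a scratch tree for a dry run. Ownership (root:sys)
# is not checked because that needs a real root-owned tree.
check_ipa_client() {
    root=$1; fail=0
    kt="$root/etc/krb5/krb5.keytab"
    # keytab must exist with no group/other permission bits (post uses chmod 700)
    if [ ! -f "$kt" ]; then echo "missing $kt"; fail=1
    else
        mode=$(stat -c %a "$kt" 2>/dev/null || stat -f %Lp "$kt" 2>/dev/null || true)
        case "$mode" in 700|600|400) ;; *) echo "keytab mode $mode, expected 700"; fail=1 ;; esac
    fi
    # hosts/ipnodes must resolve through dns, with ldap removed from those lines
    for key in hosts ipnodes; do
        line=$(grep "^$key:" "$root/etc/nsswitch.ldap" 2>/dev/null || true)
        case "$line" in
            *ldap*) echo "$key still lists ldap"; fail=1 ;;
            *dns*) ;;
            *) echo "$key line lacks dns"; fail=1 ;;
        esac
    done
    # krb5.conf carries the realm and KDC from the post
    conf="$root/etc/krb5/krb5.conf"
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*EXAMPLE\.COM' "$conf" 2>/dev/null \
        || { echo "default_realm not EXAMPLE.COM"; fail=1; }
    grep -Eq '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*ipaserver\.example\.com' "$conf" 2>/dev/null \
        || { echo "kdc not ipaserver.example.com"; fail=1; }
    # console login must try Kerberos first (pam_krb5 sufficient, try_first_pass)
    grep -Eq '^login[[:space:]]+auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so\.1[[:space:]]+try_first_pass' \
        "$root/etc/pam.conf" 2>/dev/null || { echo "login auth lacks pam_krb5 try_first_pass"; fail=1; }
    # the three RPCSEC_GSS flavours must be enabled (uncommented) for NFS/automount
    for f in krb5 krb5i krb5p; do
        grep -Eq "^$f[[:space:]]" "$root/etc/nfssec.conf" 2>/dev/null || { echo "nfssec.conf lacks $f"; fail=1; }
    done
    return $fail
}
# Constructed sample tree with the post's values, for a dry run (not a real host).
make_sample_tree() {
    root=$1; mkdir -p "$root/etc/krb5"
    : > "$root/etc/krb5/krb5.keytab"; chmod 700 "$root/etc/krb5/krb5.keytab"
    printf 'hosts: files dns\nipnodes: files dns\n' > "$root/etc/nsswitch.ldap"
    printf '[libdefaults]\ndefault_realm = EXAMPLE.COM\n[realms]\nEXAMPLE.COM = {\nkdc = ipaserver.example.com\n}\n' > "$root/etc/krb5/krb5.conf"
    printf 'login auth sufficient pam_krb5.so.1 try_first_pass\n' > "$root/etc/pam.conf"
    printf 'krb5 390003 kerberos_v5 default - # RPCSEC_GSS\nkrb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS\nkrb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS\n' > "$root/etc/nfssec.conf"
}
```

Run `check_ipa_client ""` as root on the configured Solaris host to audit the live files; a non-zero exit plus the printed lines names each setting that drifted from the post.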