[Freeipa-users] Does Solaris 11 work as client to IPA server?

Sigbjorn Lie sigbjorn at nixtra.com
Fri Dec 28 14:08:10 UTC 2012


How about enabling the firewall and using tcpdump on the IPA server or snoop on the Solaris box to see where it stops and waits?


Rgds
Siggi

Johan Petersson <Johan.Petersson at sscspace.com> wrote:

>Forgot to add the ports opened in my last message. :)
>
>22 TCP
>80 TCP
>443 TCP
>389 TCP
>636 TCP
>7389 TCP
>88 TCP,UDP
>464 TCP,UDP
>53 TCP,UDP
>123 TCP,UDP
>111 TCP,UDP
>2049 TCP,UDP
>
>Also tried 749, 750 and everything Kerberos-related from Solaris
>/etc/services.
>Solaris.example.com and solaris2.example.com are the same machine, just a
>typo from me when editing the log for publishing.
>
>Regards,
>Johan
>
>
>
>________________________________
>From: freeipa-users-bounces at redhat.com
>[freeipa-users-bounces at redhat.com] on behalf of Johan Petersson
>[Johan.Petersson at sscspace.com]
>Sent: Friday, December 28, 2012 13:40
>To: Sigbjorn Lie
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Hi,
>
>I am getting these messages in my log when setting all instances of
>pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:
>
>Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
>Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server
>
>If I disable the firewall on my IPA server everything works as fast as
>it should, so it is clearly a firewall issue with iptables.
>However, I have all the ports enabled and Red Hat clients work with
>the firewall on.
>Clearly Solaris is using some secret other port(s) that are not
>mentioned.
>I have tried with 749 and 750 TCP and UDP with no difference.
>
>Regards,
>Johan.
>
>________________________________
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Wednesday, December 26, 2012 18:56
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Cool. :)
>
>What do you see if you turn on pam debugging by touching /etc/pam_debug
>and enabling debug logging in the syslog daemon?
>
>
>Rgds
>Siggi
>
>Johan Petersson <Johan.Petersson at sscspace.com> wrote:
>Of course it was a simple thing like replacing auto.nethome with
>auto_nethome that worked.
>Thank you for that help!
>I did not even think that it was that simple. :)
>
>Now everything works for the more secure client configuration on
>Solaris 11.
>The only thing left to investigate is why there is a delay now for the
>IPA users.
>I get the message "Your Kerberos account/password will expire in 89
>days" quickly, but then it waits for about 20 seconds until I get a
>prompt.
>
>Regards,
>Johan.
>________________________________
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Wednesday, December 26, 2012 17:10
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>What is the name of the other maps besides auto.master? You should use
>_ instead of . for any additional maps when you need Solaris autofs
>compatibility. This also needs to be reflected in the auto.master.
>
>The Linux automounter does not care about . or _ as long as the naming
>is consistent between the additional maps and auto.master. The default
>for Linux is auto.master with a . and auto_master for Solaris. Hence
>the auto.master mapping in the Solaris DUA profile.
>
>
>Rgds
>Siggi
>
>Johan Petersson <Johan.Petersson at sscspace.com> wrote:
>
>Got everything except automount to work with Solaris 11 and the more
>secure DUAProfile.
>Verified that I can manually mount with krb5 on Solaris 11; ssh, su and
>console login work (as well as expected with no home directory) and the
>automount map works for Red Hat clients.
>I have now tried with another directory for users (/nethome) since when
>trying with /home autofs made local users unavailable. They are
>automounted locally to /home/ from /export/home/ on Solaris for some
>strange reason, and autofs then tried finding local users' home
>directories on the NFS server :)
>
>root@solaris2:~# ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
>NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
>NS_LDAP_SERVERS= server.example.org
>NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
>NS_LDAP_AUTH= tls:simple
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_SCOPE= one
>NS_LDAP_SEARCH_TIME= 10
>NS_LDAP_CACHETTL= 6000
>NS_LDAP_PROFILE= solaris_authssl1
>NS_LDAP_CREDENTIAL_LEVEL= proxy
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
>root@solaris2:~# sharectl get autofs
>timeout=600
>automount_verbose=true
>automountd_verbose=true
>nobrowse=false
>trace=2
>environment=
>
>From /var/svc/log/system-filesystem-autofs\:default.log:
>
>t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
>t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
>t4 getmapent_ldap called
>t4 getmapent_ldap: key=[ user02 ]
>t4 ldap_match called
>t4 ldap_match: key =[ user02 ]
>t4 ldap_match: ldapkey =[ user02 ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 ldap_match called
>t4 ldap_match: key =[ \2a ]
>t4 ldap_match: ldapkey =[ \2a ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 getmapent_ldap: exiting ...
>t4 do_lookup1: action=2 wildcard=FALSE error=2
>t4 LOOKUP REPLY : status=2
>
>The automount map is called auto.nethome. The key is:
>* -rw,soft server.example.org:/nethome/&
>
>Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
>Regards,
>Johan.
>________________________________
>
>From: Sigbjorn Lie [sigbjorn at nixtra.com]
>Sent: Thursday, December 20, 2012 15:20
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Thanks.
>
>I'm guessing it's taking such a long time because it's looking through
>the entire LDAP server for your automount maps. The automountmap rules
>in the DUA profile will help with that. You'll also run into issues if
>you attempt to have several automount locations without having specified
>which one to use with an automountmap rule for auto master.
>
>If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT
>record to your DNS or set
>NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id
>used on your NFS server to
>get rid of the nobody:nobody default mapping and enable mapping between
>the NFS server and the
>client.
>
>
>
>Regards,
>Siggi
>
>
>
>
>On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>Hi,
>
>
>Here is my pam.conf cleaned up a bit.
>
>
>login   auth requisite          pam_authtok_get.so.1
>login   auth required           pam_dhkeys.so.1
>login   auth sufficient         pam_krb5.so.1 try_first_pass
>login   auth required           pam_unix_cred.so.1
>login   auth required           pam_unix_auth.so.1
>login   auth required           pam_dial_auth.so.1
>
>gdm-autologin auth  required    pam_unix_cred.so.1
>gdm-autologin auth  sufficient  pam_allow.so.1
>
>other   auth requisite          pam_authtok_get.so.1
>other   auth required           pam_dhkeys.so.1
>other   auth required           pam_unix_cred.so.1
>other   auth sufficient         pam_krb5.so.1
>other   auth required           pam_unix_auth.so.1
>
>passwd  auth required           pam_passwd_auth.so.1
>
>gdm-autologin account  sufficient  pam_allow.so.1
>
>other   account requisite       pam_roles.so.1
>other   account required        pam_unix_account.so.1
>other   account required        pam_krb5.so.1
>
>other   session required        pam_unix_session.so.1
>
>other   password required       pam_dhkeys.so.1
>other   password requisite      pam_authtok_get.so.1
>other   password requisite      pam_authtok_check.so.1 force_check
>other   password sufficient     pam_krb5.so.1
>other   password required       pam_authtok_store.so.1
>
>I am getting one error and it is for autofs.
>
>
>/var/adm/messages:
>Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error]
>Object not found
>
>
>/var/svc/log/system.filesystem-autofs:default.log:
>[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs
>start"). ]
>automount: /net mounted
>automount: /nfs4 mounted
>automount: no unmounts
>[ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
>
>ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_SERVERS= servername
>NS_LDAP_SEARCH_BASEDN= dc=home
>NS_LDAP_AUTH= none
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_TIME= 15
>NS_LDAP_PROFILE= default
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
>
>Thinking it has to do with the missing automountmap in the default
>DUAProfile.
>Automount still works though, but takes time during login and everything
>is nobody:nobody :)
>
>
>________________________________
>
>From: Sigbjorn Lie
>[sigbjorn at nixtra.com]
>Sent: Thursday, December 20, 2012 10:13
>To: Johan Petersson
>Cc: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>
>Hi,
>
>
>This is interesting. When I tested Solaris 11, ssh worked and su -
>testuser worked. However, console login did not work, giving some PAM
>errors.
>
>Could you please share your entire pam.conf file?
>
>
>Is this Solaris 11 or Solaris 11.1?
>
>
>
>
>Regards,
>Siggi
>
>
>
>
>On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>
>I have now managed to use a Solaris 11 system as a client to IPA Server.
>su - testuser works, ssh works and console login works. I get a delay
>before getting the prompt through ssh though, and maybe from console too,
>probably something about autofs. Going to see if I can increase log
>information (Solaris newbie). To get it to work I mainly followed Sigbjorn
>Lie's instructions for Solaris 10 in earlier posts here. I also used the
>/etc/pam.conf configuration example from the Solaris 10 client guide on
>FreeIPA. I stuck with the default DUAProfile for now and use a NFS4
>Kerberos share for home directories with autofs. Going to try the other
>DUAProfile too from Bug 815515 and hopefully I can get everything working.
>
>________________________________
>
>From: freeipa-users-bounces at redhat.com
>[freeipa-users-bounces at redhat.com] on behalf of Dmitri
>Pal
>[dpal at redhat.com]
>Sent: Tuesday, December 18, 2012 17:50
>To: freeipa-users at redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>
>
>On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>
>
>On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>
>
>Hi,
>
>
>
>
>We are implementing IPA Server and are going to need to be able to
>authenticate properly with a number of Solaris 11 servers. I have browsed
>the archives and found a few threads mentioning some problems with
>Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>
>
>I don't think there are any problems with Solaris 11, except that nobody
>has yet sat down and figured out how to configure it as an IPA client.
>
>I had a go at it a while ago (some of the posts you've probably found),
>and found that there were enough differences in the LDAP/Kerberos client
>between Solaris 10 and Solaris 11 for making it work with the setup guide
>I've created for Solaris 10. And there was a need for further
>investigation for finding out how to configure Solaris 11 as an IPA
>client.
>
>I've not looked into this further as we do not use Solaris 11 yet.
>
>
>
>I don't know if anyone else has had time to sit down and have a crack
>at this?
>
>
>
>And we would like to hear about this effort.
>If it produces instructions we would like to put them on the wiki.
>If it produces bugs we would investigate them.
>
>
>
>
>
>Regards,
>Siggi
>
>
>
>
>________________________________
>
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>
>
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>--
>Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
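As an added example (not code from the thread or from the FreeIPA project), a small Python script that parses the automountd trace format quoted above for failed LDAP map lookups, and flags auto.master entries whose additional map names use the Linux-style "." rather than the "_" recommended for Solaris. The trace lines and the auto.master entries are constructed samples; the map and key names are assumptions modelled on the thread.

```python
import re

# Constructed sample in the style of the automountd trace quoted in the
# thread (/var/svc/log/system-filesystem-autofs:default.log, trace=2).
SAMPLE_TRACE = """\
t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 ldap_match: key =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 LOOKUP REPLY : status=2
"""

REQUEST = re.compile(r"Requesting list for \((.*)\) in (\S+)$")
FAILED = re.compile(r"__ns_ldap_list FAILED \((\d+)\)")
KEY = re.compile(r"automountKey=([^)]*)")


def failed_map_lookups(trace):
    """Pair each 'Requesting list for ... in <map>' line with the
    '__ns_ldap_list FAILED (n)' that follows it and return a list of
    (map_name, key, errno). A key of '\\2a' is the LDAP-filter escape
    for '*', i.e. the map's wildcard entry."""
    failures, pending = [], None
    for line in trace.splitlines():
        req = REQUEST.search(line)
        if req:
            key = KEY.search(req.group(1))
            pending = (req.group(2), key.group(1) if key else "")
            continue
        fail = FAILED.search(line)
        if fail and pending:
            failures.append(pending + (int(fail.group(1)),))
            pending = None
    return failures


def solaris_incompatible_map_names(master_entries):
    """master_entries: (mount_point, map_name) pairs from auto.master.
    Per the advice in the thread, additional maps for a Solaris client
    are named auto_xxx rather than auto.xxx; auto.master itself is
    exempt because the DUA profile maps it explicitly."""
    return [name for _, name in master_entries
            if name != "auto.master" and "." in name]
```

Running failed_map_lookups over the sample shows both the user02 lookup and the wildcard (\2a) lookup failing in auto.nethome, which is the signature of a map the Solaris client cannot find at all rather than a missing single key.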