[Freeipa-users] Does Solaris 11 work as client to IPA server?

Johan Petersson Johan.Petersson at sscspace.com
Sun Dec 30 14:37:44 UTC 2012


Tried that, on a new environment this time.
First on the secured Solaris box, but I did not get so much information, most of it on port 636.
I only have NFS 4 enabled as an alternative on both the IPA Server and on Solaris, with port 2049 open TCP/UDP.
All ports defined for the IPA Server are opened, both TCP and UDP (and a bunch more for Kerberos error checking).
I get the same delay on Solaris with the default DUAProfile as with the secure DUAProfile.

I used snoop on the Solaris machine.
On the Solaris configured with the default DUAProfile I managed to get this (spam warning):
First with iptables enabled on the IPA Server (server.home.hup):

 9   0.00562 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 10   0.00072 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 11   0.00069 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 12   0.00060 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 13   0.00016 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 14   0.00053 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 15   0.00427 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Syn Seq=202740719 Len=0 Win=32804 Options=<mss 1460,sackOK,tstamp 78545 0,nop,wscale 5>
 16   0.00018 server.home.hup -> solaris1.home.hup TCP D=1022 S=2049 Syn Ack=202740720 Seq=26969365 Len=0 Win=14480 Options=<mss 1460,sackOK,tstamp 537585245 78545,nop,wscale 7>
 17   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969366 Seq=202740720 Len=0 Win=32806 Options=<nop,nop,tstamp 78545 537585245>
 18   0.00006 solaris1.home.hup -> server.home.hup NFS C 4 (access      ) PUTFH FH=6D78 ACCESS rd,lk,mo,ext,dl GETATTR 10011a b0a23a
 19   0.00023 server.home.hup -> solaris1.home.hup TCP D=1022 S=2049 Ack=202740900 Seq=26969366 Len=0 Win=122 Options=<nop,nop,tstamp 537585246 78545>
 20   0.00014 server.home.hup -> solaris1.home.hup NFS R 4 (access      ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,lk,mo,ext,dl Allow=rd,lk,mo,ext,dl GETATTR NFS4_OK
 21   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969618 Seq=202740900 Len=0 Win=32806 Options=<nop,nop,tstamp 78545 537585246>
 22   0.00371 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .hushlogin GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 1001...
 23   0.00045 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 24   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1022 Ack=26969694 Seq=202741156 Len=0 Win=32806 Options=<nop,nop,tstamp 78546 537585250>
 25   0.00863 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet AAAA ?
 26   0.00180 server.home.hup -> solaris1.home.hup DNS R
 27   0.00006 solaris1.home.hup -> server.home.hup DNS C server.home.hup.home.hup. Internet AAAA ?
 28   0.00155 server.home.hup -> solaris1.home.hup DNS R  Error: 3(Name Error)
 29   0.00006 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet Addr ?
 30   0.00038 server.home.hup -> solaris1.home.hup DNS R server.home.hup. Internet Addr 192.168.0.111
 31   0.00045 solaris1.home.hup -> server.home.hup PORTMAP C GETPORT prog=100011 (RQUOTA) vers=1 proto=UDP
 32   0.00041 server.home.hup -> solaris1.home.hup PORTMAP R GETPORT port=875
 33   0.00007 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02
 34   0.00026 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)
 35   0.03349 solaris1.home.hup -> server.home.hup LDAP C port=45876

 69   0.32692 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02 (retransmit)
 70   0.00036 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)

 82   0.06871 server.home.hup -> *            ARP C Who is 192.168.0.210, solaris1.home.hup ?
 83   0.00001 solaris1.home.hup -> server.home.hup ARP R 192.168.0.210, solaris1.home.hup is 8:0:27:1c:dc:a8

 85   0.00202 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .profile GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a...
 86   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 87   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (lookup valid) PUTFH FH=6D78 NVERIFY GETATTR 10011a b0a23a ACCESS rd,lk,mo,ext,dl LOOKUP .profile GETFH GETATTR ...
 88   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK NVERIFY NFS4ERR_SAME
 89   0.00081 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .kshrc GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a b...
 90   0.00032 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 91   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (access      ) PUTFH FH=6993 ACCESS rd,mo,ext,exc GETATTR 10011a b0a23a
 92   0.00030 server.home.hup -> solaris1.home.hup NFS R 4 (access      ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,mo,ext,exc Allow=rd,mo,ext GETATTR NFS4_OK
 93   0.00008 solaris1.home.hup -> server.home.hup NFS C 4 (open        ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=4 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
 94   0.00036 server.home.hup -> solaris1.home.hup NFS R 4 (open        ) NFS4ERR_EXPIRED PUTFH NFS4_OK OPEN NFS4ERR_EXPIRED
 95   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (setclientid ) PUTROOTFH GETATTR 400 0 SETCLIENTID Prog=1073741824 ID=tcp Addr=127.0.0.1.204.217 CBID=1073741824
 96   0.00043 server.home.hup -> solaris1.home.hup NFS R 4 (setclientid ) NFS4_OK PUTROOTFH NFS4_OK GETATTR NFS4_OK SETCLIENTID NFS4_OK CL=b05de503f000000 CFV=1948E0503E000000
 97   0.00004 solaris1.home.hup -> server.home.hup NFS C 4 (sclntid_conf) SETCLIENTID_CONFIRM CL=b05de503f000000 CFV=1948E0503E000000
 98   0.00031 server.home.hup -> solaris1.home.hup NFS R 4 (sclntid_conf) NFS4_OK SETCLIENTID_CONFIRM NFS4_OK
 99   0.00592 solaris1.home.hup -> server.home.hup NFS C 4 (open        ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=5 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
100   0.00040 server.home.hup -> solaris1.home.hup NFS R 4 (open        ) NFS4_OK PUTFH NFS4_OK OPEN NFS4_OK ST=110C:0 RF=CF,PL DT=N GETFH NFS4_OK FH=6993 GETATTR NFS4_OK
101   0.00006 solaris1.home.hup -> server.home.hup NFS C 4 (open_confirm) PUTFH FH=6993 OPEN_CONFIRM SQ=6 OST=110C:0
102   0.02607 server.home.hup -> solaris1.home.hup NFS R 4 (open_confirm) NFS4_OK PUTFH NFS4_OK OPEN_CONFIRM NFS4_OK OST=110C:1
103   0.00015 solaris1.home.hup -> server.home.hup NFS C 4 (read        ) PUTFH FH=6993 READ ST=110C:1 at 0 for 4096
104   0.00049 server.home.hup -> solaris1.home.hup NFS R 4 (read        ) NFS4_OK PUTFH NFS4_OK READ NFS4_OK (388 bytes) EOF

And then without any iptables on the IPA Server:

  9   0.00342 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 10   0.00098 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 11   0.00198 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 12   0.00092 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 13   0.00028 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 14   0.00049 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 15   0.00059 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 16   0.00051 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 17   0.00018 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 18   0.00064 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 19   0.00023 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 20   0.00046 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone No Such Object
 21   0.00555 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 22   0.00071 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 23   0.00019 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 24   0.00054 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 25   0.00988 solaris1.home.hup -> server.home.hup DNS C server.home.hup. Internet Addr ?
 26   0.00151 server.home.hup -> solaris1.home.hup DNS R server.home.hup. Internet Addr 192.168.0.111
 27   0.00041 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Syn Seq=115340402 Len=0 Win=64240 Options=<mss 1460,sackOK,tstamp 42991 0,nop,wscale 1>
 28   0.00020 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Syn Ack=115340403 Seq=1993365625 Len=0 Win=14480 Options=<mss 1460,sackOK,tstamp 537229802 42991,nop,wscale 7>
 29   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365626 Seq=115340403 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229802>
 30   0.00012 solaris1.home.hup -> server.home.hup NFS C NULL4
 31   0.00019 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Ack=115340447 Seq=1993365626 Len=0 Win=114 Options=<nop,nop,tstamp 537229802 42991>
 32   0.00000 server.home.hup -> solaris1.home.hup NFS R NULL4
 33   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365654 Seq=115340447 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229803>
 34   0.00013 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Fin Ack=1993365654 Seq=115340447 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229803>
 35   0.00018 server.home.hup -> solaris1.home.hup TCP D=41914 S=2049 Fin Ack=115340448 Seq=1993365654 Len=0 Win=114 Options=<nop,nop,tstamp 537229803 42991>
 36   0.00000 solaris1.home.hup -> server.home.hup TCP D=2049 S=41914 Ack=1993365655 Seq=115340448 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229803>
 37   0.00094 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Syn Seq=115473283 Len=0 Win=64240 Options=<mss 1460,sackOK,tstamp 42991 0,nop,wscale 1>
 38   0.00026 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Syn Ack=115473284 Seq=2502274248 Len=0 Win=14480 Options=<mss 1460,sackOK,tstamp 537229804 42991,nop,wscale 7>
 39   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274249 Seq=115473284 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229804>
 40   0.00008 solaris1.home.hup -> server.home.hup NFS C NULL4
 41   0.00024 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Ack=115473328 Seq=2502274249 Len=0 Win=114 Options=<nop,nop,tstamp 537229804 42991>
 42   0.00000 server.home.hup -> solaris1.home.hup NFS R NULL4
 43   0.00002 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274277 Seq=115473328 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229804>
 44   0.00006 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Fin Ack=2502274277 Seq=115473328 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229804>
 45   0.00019 server.home.hup -> solaris1.home.hup TCP D=41351 S=2049 Fin Ack=115473329 Seq=2502274277 Len=0 Win=114 Options=<nop,nop,tstamp 537229805 42991>
 46   0.00000 solaris1.home.hup -> server.home.hup TCP D=2049 S=41351 Ack=2502274278 Seq=115473329 Len=0 Win=64436 Options=<nop,nop,tstamp 42991 537229805>
 47   0.03045 solaris1.home.hup -> server.home.hup LDAP C port=45876
 48   0.04452 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Syn Seq=115627513 Len=0 Win=32804 Options=<mss 1460,sackOK,tstamp 42999 0,nop,wscale 5>
 49   0.00023 server.home.hup -> solaris1.home.hup TCP D=1023 S=2049 Syn Ack=115627514 Seq=609303438 Len=0 Win=14480 Options=<mss 1460,sackOK,tstamp 537229880 42999,nop,wscale 7>
 50   0.00003 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303439 Seq=115627514 Len=0 Win=32806 Options=<nop,nop,tstamp 42999 537229880>
 51   0.00009 solaris1.home.hup -> server.home.hup NFS C 4 (secinfo     ) PUTROOTFH LOOKUP nethome SECINFO user02
 52   0.00018 server.home.hup -> solaris1.home.hup TCP D=1023 S=2049 Ack=115627658 Seq=609303439 Len=0 Win=122 Options=<nop,nop,tstamp 537229881 42999>
 53   0.00030 server.home.hup -> solaris1.home.hup NFS R 4 (secinfo     ) NFS4_OK PUTROOTFH NFS4_OK LOOKUP NFS4_OK SECINFO NFS4_OK AUTH_SYS RPCSEC_GSS RPCSEC_GSS RPCSEC_GSS
 54   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303607 Seq=115627658 Len=0 Win=32806 Options=<nop,nop,tstamp 42999 537229881>
 55   0.00057 solaris1.home.hup -> server.home.hup NFS C 4 (mount       ) PUTROOTFH GETFH LOOKUP nethome GETFH GETATTR c8000167 0 LOOKUP user02 GETFH GETATTR c8000167 0 OP...
 56   0.00033 server.home.hup -> solaris1.home.hup NFS R 4 (mount       ) NFS4ERR_NOTSUPP PUTROOTFH NFS4_OK GETFH NFS4_OK FH=0015 LOOKUP NFS4_OK GETFH NFS4_OK FH=458E GETATTR NFS4_OK LOOK...
 57   0.00001 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609303975 Seq=115627874 Len=0 Win=32806 Options=<nop,nop,tstamp 42999 537229882>
 58   0.00734 solaris1.home.hup -> server.home.hup NFS C 4 (setclientid ) PUTROOTFH GETATTR 400 0 SETCLIENTID Prog=1073741824 ID=tcp Addr=127.0.0.1.204.217 CBID=1073741824
 59   0.00041 server.home.hup -> solaris1.home.hup NFS R 4 (setclientid ) NFS4_OK PUTROOTFH NFS4_OK GETATTR NFS4_OK SETCLIENTID NFS4_OK CL=b05de503e000000 CFV=A246E0503D000000
 60   0.00011 solaris1.home.hup -> server.home.hup NFS C 4 (sclntid_conf) SETCLIENTID_CONFIRM CL=b05de503e000000 CFV=A246E0503D000000
 61   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (sclntid_conf) NFS4_OK SETCLIENTID_CONFIRM NFS4_OK
 62   0.00707 solaris1.home.hup -> server.home.hup NFS C 4 (fsinfo      ) PUTFH FH=6D78 GETATTR 20e00000 1c00
 63   0.00037 server.home.hup -> solaris1.home.hup NFS R 4 (fsinfo      ) NFS4_OK PUTFH NFS4_OK GETATTR NFS4_OK
 64   0.00870 solaris1.home.hup -> server.home.hup NFS C 4 (getattr     ) PUTFH FH=6D78 GETATTR 10011a b0a23a
 65   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (getattr     ) NFS4_OK PUTFH NFS4_OK GETATTR NFS4_OK
 66   0.01016 solaris1.home.hup -> server.home.hup NFS C 4 (access      ) PUTFH FH=6D78 ACCESS rd,lk,mo,ext,dl GETATTR 10011a b0a23a
 67   0.00029 server.home.hup -> solaris1.home.hup NFS R 4 (access      ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,lk,mo,ext,dl Allow=rd,lk,mo,ext,dl GETATTR NFS4_OK
 68   0.00353 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .hushlogin GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 1001...
 69   0.00031 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 70   0.00830 solaris1.home.hup -> server.home.hup PORTMAP C GETPORT prog=100011 (RQUOTA) vers=1 proto=UDP
 71   0.00041 server.home.hup -> solaris1.home.hup PORTMAP R GETPORT port=875
 72   0.00041 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02
 73   0.00051 server.home.hup -> solaris1.home.hup RQUOTA R GETACTIVE No quota
 74   0.01358 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 75   0.00058 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 76   0.00082 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways

 78   0.00002 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success

 80   0.00018 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 81   0.00038 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 82   0.00149 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 83   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .profile GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a...
 84   0.00016 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 85   0.00006 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 86   0.00023 solaris1.home.hup -> server.home.hup NFS C 4 (lookup valid) PUTFH FH=6D78 NVERIFY GETATTR 10011a b0a23a ACCESS rd,lk,mo,ext,dl LOOKUP .profile GETFH GETATTR ...
 87   0.00028 server.home.hup -> solaris1.home.hup NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK NVERIFY NFS4ERR_SAME
 88   0.13450 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609304987 Seq=115629546 Len=0 Win=32806 Options=<nop,nop,tstamp 43019 537229948>
 89   0.00005 solaris1.home.hup -> server.home.hup LDAP C port=45876
 90   0.00391 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .kshrc GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 10011a b...
 91   0.00025 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4ERR_NOENT PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4ERR_NOENT
 92   0.00071 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .sh_history GETFH GETATTR 10011a b0a23a RESTOREFH NVERIFY GETATTR 100...

 94   0.00026 server.home.hup -> solaris1.home.hup NFS R 4 (lookup      ) NFS4_OK PUTFH NFS4_OK SAVEFH NFS4_OK LOOKUP NFS4_OK GETFH NFS4_OK FH=6993 GETATTR NFS4_OK RESTOREFH NFS4_...
 95   0.00043 solaris1.home.hup -> server.home.hup LDAP C port=45876 Search Request derefAlways
 96   0.00062 server.home.hup -> solaris1.home.hup LDAP R port=45876 Search ResDone Success
 97   0.00094 solaris1.home.hup -> server.home.hup NFS C 4 (access      ) PUTFH FH=6993 ACCESS rd,mo,ext,exc GETATTR 10011a b0a23a
 98   0.00026 server.home.hup -> solaris1.home.hup NFS R 4 (access      ) NFS4_OK PUTFH NFS4_OK ACCESS NFS4_OK Supp=rd,mo,ext,exc Allow=rd,mo,ext GETATTR NFS4_OK
 99   0.00005 solaris1.home.hup -> server.home.hup NFS C 4 (open        ) PUTFH FH=6D78 OPEN .sh_history OT=NC SQ=1 CT=N AC=RW DN=N OO=0012 GETFH GETATTR 10011a b0a23a
100   0.00037 server.home.hup -> solaris1.home.hup NFS R 4 (open        ) NFS4_OK PUTFH NFS4_OK OPEN NFS4_OK ST=1103:0 RF=CF,PL DT=N GETFH NFS4_OK FH=6993 GETATTR NFS4_OK
101   0.00004 solaris1.home.hup -> server.home.hup NFS C 4 (open_confirm) PUTFH FH=6993 OPEN_CONFIRM SQ=2 OST=1103:0
102   0.01161 server.home.hup -> solaris1.home.hup NFS R 4 (open_confirm) NFS4_OK PUTFH NFS4_OK OPEN_CONFIRM NFS4_OK OST=1103:1
103   0.00017 solaris1.home.hup -> server.home.hup NFS C 4 (read        ) PUTFH FH=6993 READ ST=1103:1 at 0 for 4096
104   0.00035 server.home.hup -> solaris1.home.hup NFS R 4 (read        ) NFS4_OK PUTFH NFS4_OK READ NFS4_OK (382 bytes) EOF

106   0.04916 solaris1.home.hup -> server.home.hup TCP D=2049 S=1023 Ack=609306715 Seq=115630838 Len=0 Win=32806 Options=<nop,nop,tstamp 43027 537230103>
107   0.00008 solaris1.home.hup -> server.home.hup LDAP C port=45876

Regards,
Johan.
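As an added example (not part of the thread or of any FreeIPA tooling), a small Python script that walks snoop summary output like the trace above, correlates each PORTMAP GETPORT answer with the ICMP "Host administratively prohibited" replies that follow, and checks the port the portmapper handed out against the list of ports the thread says were opened on the IPA server. The sample lines are constructed in the shape of the first trace; the hostnames and the port list are taken from the thread.

```python
import re

# Constructed sample input in the shape of the snoop trace in this thread
# (frame number, delta in seconds, src -> dst, protocol, summary).
SAMPLE_TRACE = """\
 31   0.00045 solaris1.home.hup -> server.home.hup PORTMAP C GETPORT prog=100011 (RQUOTA) vers=1 proto=UDP
 32   0.00041 server.home.hup -> solaris1.home.hup PORTMAP R GETPORT port=875
 33   0.00007 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02
 34   0.00026 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)
 69   0.32692 solaris1.home.hup -> server.home.hup RQUOTA C GETACTIVE Uid=27200004 Path=/nethome/user02 (retransmit)
 70   0.00036 server.home.hup -> solaris1.home.hup ICMP Destination unreachable (Host administratively prohibited)
 85   0.00202 solaris1.home.hup -> server.home.hup NFS C 4 (lookup      ) PUTFH FH=6D78 SAVEFH LOOKUP .profile
"""

# The (proto, port) pairs the thread lists as opened on the IPA server.
OPENED_PORTS = {
    ("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636), ("tcp", 7389),
    ("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464), ("tcp", 53), ("udp", 53),
    ("tcp", 123), ("udp", 123), ("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049),
}

# One snoop summary line: frame, delta, src, ->, dst, protocol, rest of the line.
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_snoop(text):
    """Turn snoop summary lines into dicts; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append({
                "no": int(m.group(1)), "delta": float(m.group(2)),
                "src": m.group(3), "dst": m.group(4),
                "proto": m.group(5), "info": m.group(6).strip(),
            })
    return frames


def find_blocked_rpc(frames, opened_ports):
    """Correlate PORTMAP GETPORT answers with later ICMP 'administratively prohibited'
    replies. Returns {program: {proto, port, opened, requests, retransmits, blocked}}
    for every program whose requests were rejected by a packet filter.
    Heuristic: an ICMP unreachable is charged to the most recent request of a
    program learned via GETPORT, which is how the trace in the thread reads."""
    programs = {}
    pending = None     # (program, proto) of the GETPORT request awaiting its reply
    last_req = None    # program of the most recent tracked RPC request
    for f in frames:
        info = f["info"]
        if f["proto"] == "PORTMAP" and info.startswith("C GETPORT"):
            prog = re.search(r"\((\w+)\)", info)
            proto = re.search(r"proto=(\w+)", info)
            pending = (prog.group(1), proto.group(1).lower()) if prog and proto else None
        elif f["proto"] == "PORTMAP" and info.startswith("R GETPORT") and pending:
            port = re.search(r"port=(\d+)", info)
            if port:
                prog, proto = pending
                programs.setdefault(prog, {
                    "proto": proto, "port": int(port.group(1)),
                    "opened": (proto, int(port.group(1))) in opened_ports,
                    "requests": 0, "retransmits": 0, "blocked": 0,
                })
            pending = None
        elif f["proto"] in programs and info.startswith("C "):
            last_req = f["proto"]
            programs[last_req]["requests"] += 1
            if "(retransmit)" in info:
                programs[last_req]["retransmits"] += 1
        elif f["proto"] == "ICMP" and "administratively prohibited" in info and last_req:
            programs[last_req]["blocked"] += 1
    return {p: v for p, v in programs.items() if v["blocked"]}


def analyze(text=SAMPLE_TRACE, opened_ports=OPENED_PORTS):
    """Run the whole check; returns only programs that were actually rejected."""
    return find_blocked_rpc(parse_snoop(text), opened_ports)


if __name__ == "__main__":
    for prog, v in analyze().items():
        state = "listed as open" if v["opened"] else "NOT in the opened port list"
        print(f"{prog}: {v['port']}/{v['proto']} {state}; "
              f"{v['requests']} requests ({v['retransmits']} retransmits), "
              f"{v['blocked']} rejected by the filter")
```

With the thread's port list the script reports RQUOTA on 875/udp as not opened, which matches the ICMP rejections and retransmits visible in the first trace and explains why a static port list misses a port the portmapper assigns at runtime.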
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Friday, December 28, 2012 15:08
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

How about enabling the firewall, and using tcpdump on the IPA server or snoop on the Solaris box to see where it stops and waits?


Rgds
Siggi

Johan Petersson <Johan.Petersson at sscspace.com> wrote:
Forgot to add the ports opened in my last message. :)

22 TCP
80 TCP
443 TCP
389 TCP
636 TCP
7389 TCP
88 TCP,UDP
464 TCP,UDP
53 TCP,UDP
123 TCP,UDP
111 TCP,UDP
2049 TCP,UDP

Also tried 749 and 750 and everything Kerberos related from Solaris /etc/services.
solaris.example.com and solaris2.example.com are the same machine, just a typo from me when editing the log for publishing.

Regards,
Johan



________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
Sent: Friday, December 28, 2012 13:40
To: Sigbjorn Lie
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it should, so it is clearly a firewall issue with iptables.
However, I have all the ports enabled and Red Hat clients work with the firewall on.
Clearly Solaris is using some secret other port(s) that are not mentioned.
I have tried with 749 and 750 TCP and UDP with no difference.

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?


Rgds
Siggi

Johan Petersson <Johan.Petersson at sscspace.com> wrote:
Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11.
The only thing left to investigate is why there is a delay now for the IPA users.
I get the message "Your Kerberos account/password will expire in 89 days" quickly, but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in auto.master.

The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.


Rgds
Siggi

Johan Petersson <Johan.Petersson at sscspace.com> wrote:

Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console login work (as well as expected with no home directory) and the automount map works for Red Hat clients.
I have now tried with another directory for users (/nethome), since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason, and autofs then tried finding local users' home directories on the NFS Server :)

root at solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root at solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2
The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.
________________________________

From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for
your automount maps. The automountmap rules in the DUA profile will help with that. You'll
also run into issues if you attempt to have several automount locations without having specified which
one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set
NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to
get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the
client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
Hi,


Here is my pamconf cleaned up a bit.


login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1

other   session required        pam_unix_session.so.1

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

I am getting one error and it is for autofs.


/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]


ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


Thinking it has to do with the missing automountmap in the default DUAProfile.
Automount still works though, but takes time during login and everything is nobody:nobody :)


________________________________

From: Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


Hi,


This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However
console login did not work giving some PAM errors.

Could you please share your entire pam.conf file?


Is this Solaris 11 or Solaris 11.1?




Regards,
Siggi




On Thu, December 20, 2012 09:40, Johan Petersson wrote:

I have now managed to use a Solaris 11 system as a client to IPA Server.
su - testuser works, ssh works and console login works. I get a delay before getting the prompt
through ssh though, and maybe from console too, probably something about autofs. Going to see if
I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
example from the Solaris 10 client guide on FreeIPA. I stuck with the default DUAProfile for
now and use an NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile
too from Bug 815515 and hopefully I can get everything working.

________________________________

From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?



On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:


On Tue, December 18, 2012 08:28, Johan Petersson wrote:


Hi,




We are implementing IPA Server and are going to need to be able to authenticate properly
with a number of Solaris 11 servers. I have browsed the archives and found a few threads
mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has
been solved?


I don't think there are any problems with Solaris 11, except that nobody has yet sat down and
figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and found that there
were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for
making it work with the setup guide I've created for Solaris 10. And there was a need for
further investigation for finding out how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.



I don't know if anyone else has had time to sit down and have a crack at this?



And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.





Regards,
Siggi




________________________________

Freeipa-users mailing list
Freeipa-users at redhat.com


https://www.redhat.com/mailman/listinfo/freeipa-users




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


















--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.