[Freeipa-users] Does Solaris 11 work as client to IPA server?

Johan Petersson Johan.Petersson at sscspace.com
Fri Jan 4 10:27:40 UTC 2013


Hi,

Here are the instructions for an IPA server Solaris 11 client configuration with secure bind and a custom DUAProfile.
Everything works as far as I have been able to test. Console login works, su - and ssh.

Configuration done on the IPA Server.

Create a DUAConfigProfile, solaris_authssl.ldif:

dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipaserver.example.com
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com

Add the ldif to ipaserver:

ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif

Create an account to use for authentication:

ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W

dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: solaris
userPassword: setyourpasswordhere

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

ipa host-add-managedby --host ipaserver.example.com solaris.example.com

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Make sure that the automount maps on the IPA server are named auto_* and NOT auto.* so they are compatible with Solaris naming standards.

certutil -N -d .

openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)

scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/



Solaris host configuration:

Make sure to secure the krb5.keytab properly.
chown root:sys krb5.keytab
chmod 600 krb5.keytab

Secure the *.db files created by certutil on IPA Server earlier.

chown root:staff /var/ldap/*.db
chmod 444 /var/ldap/*.db

Edit /etc/nsswitch.ldap and replace "ldap" with "dns" in the "hosts" and "ipnodes" lines:

hosts:          files dns
ipnodes:        files dns

ldapclient -v init \
-a profileName=solaris_authssl \
-a domainName=example.com \
-a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="setyourpasswordhere" \
-D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
-w yourpasswordagain \
ipaserver.example.com

Enable ntp client:

Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf

Example:
server ipaserver.example.com iburst

svcadm restart ntp

To see that it is running properly:

svcs ntp 

To see what servers you are using:

ntpq -p 

Edit /etc/krb5/krb5.conf:

[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM


PAM configuration changed slightly in Solaris 11.1.
It is still possible to use /etc/pam.conf as before if preferable.

PAM configuration in /etc/pam.d/

login:

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1


other:

auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_cred.so.1
auth sufficient         pam_krb5.so.1
auth required           pam_unix_auth.so.1

account requisite       pam_roles.so.1
account definitive      pam_user_policy.so.1
account required        pam_unix_account.so.1
account required        pam_krb5.so.1
account required        pam_tsol_account.so.1

password include        pam_authtok_common
password sufficient     pam_krb5.so.1
password required       pam_authtok_store.so.1


For NFS:

In /etc/nfssec.conf, enable these:

krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS

Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.

sharectl set -p nfsmapid_domain=home nfs

To see if it is properly set:
sharectl get nfs

Regards,
Johan.
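The profile and krb5.conf above are easy to get subtly wrong (a proxy bind without TLS sends the proxy password in the clear; a dropped closing brace in the [realms] block makes the whole file unparseable). The following pre-flight checker is an added example, not code from Johan's post or from FreeIPA or Solaris tooling. The sample inputs are constructed copies of the post's snippets; the check names, the SECURE_METHODS set and the finding messages are this example's own choices.

```python
"""Pre-flight checks for a Solaris DUAConfigProfile LDIF and a krb5.conf snippet.

Added example; not part of the original post. Samples are constructed copies
of the post's snippets for dc=example,dc=com.
"""
import base64
from collections import defaultdict

# Constructed sample: the post's profile (abridged to the attributes checked).
SAMPLE_PROFILE = """\
dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipaserver.example.com
followReferrals: TRUE
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor:auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
"""

# Bind methods that keep the proxy password off the wire (example's own list).
SECURE_METHODS = {"tls:simple", "sasl/GSSAPI", "tls:sasl/GSSAPI"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Accepts 'attr: value', 'attr:value' (no space, as in the post) and
    'attr:: base64'; joins folded continuation lines (leading space).
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    attrs = defaultdict(list)
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        attrs[name.strip()].append(value.strip())
    return dict(attrs)


def check_profile(attrs):
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    method = attrs.get("authenticationMethod", ["none"])[0]
    if method not in SECURE_METHODS:
        findings.append(f"authenticationMethod={method}: proxy bind password "
                        "would be sent without TLS; use tls:simple")
    if not attrs.get("defaultServerList"):
        findings.append("defaultServerList missing: client cannot locate IPA")
    base = attrs.get("defaultSearchBase", [""])[0]
    for ssd in attrs.get("serviceSearchDescriptor", []):
        service, _, search_base = ssd.partition(":")
        if service.startswith("auto") and "." in service:
            findings.append(f"{service}: Solaris expects auto_* map names, not auto.*")
        if base and not search_base.endswith(base):
            findings.append(f"{service}: search base {search_base} is outside {base}")
    return findings


def krb5_brace_balance(text):
    """Count unclosed '{' in a krb5.conf snippet (0 means balanced)."""
    depth = 0
    for line in text.splitlines():
        code = line.split("#", 1)[0]        # ignore trailing comments
        depth += code.count("{") - code.count("}")
    return depth


# Constructed samples: the post's [realms] block without and with its closing brace.
KRB5_BROKEN = """\
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com

[domain_realm]
        example.com = EXAMPLE.COM
"""
KRB5_FIXED = KRB5_BROKEN.replace("admin_server = ipaserver.example.com\n",
                                 "admin_server = ipaserver.example.com\n        }\n")

if __name__ == "__main__":
    for finding in check_profile(parse_ldif_entry(SAMPLE_PROFILE)) or ["profile OK"]:
        print(finding)
    print("unclosed braces:", krb5_brace_balance(KRB5_BROKEN), krb5_brace_balance(KRB5_FIXED))
```

Run it against the real solaris_authssl.ldif before the ldapadd step; a non-empty finding list is the cue to fix the profile, and the brace counter is worth running on /etc/krb5/krb5.conf after editing it on the Solaris host.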

________________________________________
From: Dmitri Pal [dpal at redhat.com]
Sent: Tuesday, December 25, 2012 16:52
To: Johan Petersson
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step-by-step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
> Console login works, su - and ssh.
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
> This can probably be solved by someone with more extensive experience of Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:
>
> hosts:          files dns
> ipnodes:        files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         verify_ap_req_nofail = false
> [realms]
>         EXAMPLE.COM = {
>                 kdc = ipaserver.example.com
>                 admin_server = ipaserver.example.com
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and complain about missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_krb5.so.1 try_first_pass
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth required           pam_unix_auth.so.1
>
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> other   account required        pam_krb5.so.1
>
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password sufficient     pam_krb5.so.1
> other   password required       pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser      ipaserver.example.com:/home/testuser

Thank you!
Dmitri
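The pam.conf stacks quoted above mix requisite, required and sufficient (and, in the /etc/pam.d version, definitive) control flags, and the outcome for a user depends on the order in which they appear. The following simulator is an added example, not code from the quoted post or from Solaris; it walks the quoted "other auth" stack with constructed per-module results using the control-flag semantics of pam.conf(4) (requisite fails immediately, required records the failure and continues, sufficient short-circuits only when no earlier required module failed, definitive returns immediately either way). The result labels "ok", "fail" and "ignore" are this example's own.

```python
"""Simulate a Solaris PAM auth stack against per-module results.

Added example; not part of the original post. The stack is a constructed
copy of the post's 'other auth' entries, with the pam_user_policy line from
the /etc/pam.d variant added on top.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "control module")

# Constructed copy of the post's "other auth" stack.
OTHER_AUTH = [
    Entry("definitive", "pam_user_policy.so.1"),
    Entry("requisite", "pam_authtok_get.so.1"),
    Entry("required", "pam_dhkeys.so.1"),
    Entry("required", "pam_unix_cred.so.1"),
    Entry("sufficient", "pam_krb5.so.1"),
    Entry("required", "pam_unix_auth.so.1"),
]


def run_stack(stack, results):
    """Return (outcome, modules_consulted) for the given module results.

    results maps module name -> 'ok' | 'fail' | 'ignore'; a module absent
    from the map is assumed to succeed (constructed default).
    """
    consulted = []
    required_failed = False
    evaluated = False
    for control, module in stack:
        consulted.append(module)
        res = results.get(module, "ok")
        if res == "ignore":                 # PAM_IGNORE: as if not in the stack
            continue
        evaluated = True
        if control == "requisite":
            if res == "fail":
                return "fail", consulted
        elif control == "required":
            if res == "fail":
                required_failed = True      # remembered, stack continues
        elif control == "sufficient":
            if res == "ok" and not required_failed:
                return "ok", consulted      # short-circuit
        elif control == "binding":
            if res == "ok" and not required_failed:
                return "ok", consulted
            if res == "fail":
                required_failed = True
        elif control == "definitive":
            if res == "fail":
                return "fail", consulted
            return ("fail" if required_failed else "ok"), consulted
        elif control == "optional":
            pass                            # never decides on its own here
        else:
            raise ValueError(f"unknown control flag: {control}")
    if required_failed or not evaluated:
        return "fail", consulted
    return "ok", consulted


if __name__ == "__main__":
    cases = {
        "kerberos user": {"pam_user_policy.so.1": "ignore"},
        "local user": {"pam_user_policy.so.1": "ignore", "pam_krb5.so.1": "fail"},
        "bad password": {"pam_user_policy.so.1": "ignore", "pam_krb5.so.1": "fail",
                         "pam_unix_auth.so.1": "fail"},
    }
    for name, results in cases.items():
        print(name, run_stack(OTHER_AUTH, results))
```

Two points the simulation makes visible: a Kerberos success skips pam_unix_auth but not the required modules above it (a pam_unix_cred failure still fails the login even if pam_krb5 succeeds), and a Kerberos failure is harmless for local users because sufficient does not record failures, so pam_unix_auth gets its turn.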



