[Freeipa-users] IPA client installation for Solaris 11.
Rob Crittenden
rcritten at redhat.com
Thu Apr 10 17:04:09 UTC 2014
Dmitri Pal wrote:
> On 04/10/2014 12:18 PM, quest monger wrote:
>> Sorry about that. So I am looking at the Solaris 10 client
>> documentation here -
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>
>>
>> It says do the following on Solaris client -
>>
>> ldapclient manual
>> ...
>> -a proxyPassword={NS1}fbc123a92116812
>> ...
>>
>>
>> What's that proxyPassword for?
>>
>
> I suspect that it is a password that corresponds to the proxy user.
> The client component on Solaris (pure speculation on my side) seems to
> use proxy user to connect to LDAP server and do some operations for the
> host. It is similar to SSSD but SSSD does not use passwords, it uses
> keytabs if it talks to IPA.
There are a number of different profile levels available, see
http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74
proxy is usually a shared account that the Solaris box uses to
authenticate to the LDAP server.
> Solaris uses passwords but to prevent them from being stored in
> configuration in clear they are "obfuscated" with the NS1 method
> http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
> I suspect there should be some tool on Solaris that takes password and
> creates an obfuscated string like this.
I didn't experiment using a proxy password inside a profile. I'll bet
that if you manually enroll a client then you can dig out the password
on that local system and store that in the profile.
There is also a self level which uses Kerberos. I've never used it
myself (it may be newer than my experience with Solaris) but there are
some fairly detailed docs on it at
http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl
rob
>
> Thanks
> Dmitri
>
>> Thanks.
>>
>>
>>
>> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <dpal at redhat.com
>> <mailto:dpal at redhat.com>> wrote:
>>
>> On 04/10/2014 11:41 AM, quest monger wrote:
>>> Thanks Rob, those bug reports help.
>>> One more question, in the official Solaris 10 documentation, I
>>> see this stuff -
>>>
>>> -aproxyPassword={NS1}*fbc123a92116812*
>>> userPassword::*e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ*=
>>>
>>> Is there a way to generate that password hash for a new password?
>>> I think that should be part of the documentation, don't want all
>>> Solaris IPA users to be using the same password and corresponding
>>> hash.
>>>
>> Can you rephrase the question?
>> It is unclear what hash you are asking about.
>> If you are using IPA you do not need local password hashes.
>>
>>
>>> Thanks.
>>>
>>>
>>>
>>>
>>> On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden
>>> <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>>
>>> quest monger wrote:
>>>
>>>
>>> I have read through the official documentation here for
>>> Solaris-10 -
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>> I have found a few web posts on how to make it work for
>>> Solaris-11.
>>> Have any of you tried adding a Solaris-11 host to an
>>> existing IPA
>>> server? If so, do you have any
>>> documentation/how-tos/instructions that I
>>> could use to do the same. Any help is appreciated.
>>> I am trying to do this so I can centralize SSH
>>> authentication for all
>>> my Solaris-11 and Linux hosts.
>>>
>>>
>>> That is pretty much all we've got. There is a bug open with
>>> some documentation updates,
>>> https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
>>> more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
>>>
>>> We use sssd to help with centralized SSH auth so it probably
>>> won't work as smoothly on Solaris as it does on sssd-based
>>> Linux systems. See sss_ssh_authorizedkeys(1) and
>>> sss_ssh_knownhostsproxy(8).
>>>
>>> This document describes how it works in IPA
>>> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>>>
>>> rob
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>
>