[Freeipa-users] IPA client installation for Solaris 11.
Dmitri Pal
dpal at redhat.com
Thu Apr 10 17:39:25 UTC 2014
On 04/10/2014 01:37 PM, Johan Petersson wrote:
> Proxy user is only necessary if you disable anonymous bind on the IPA LDAP.
>
> Example configuration for making Solaris 11 work as an IPA client.
> If you want autofs of shared NFS home directory too, let me know and I can provide it.
> I will add this and more to the IPA Wiki when I can find the time to go through it properly and polish away some rough edges.
> I hope it can provide some help.
>
> Solaris 11.1 IPA client configuration.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" on the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The "-a domainName=example.com" is needed so that ldapclient does not stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the PAM configuration has changed, but for simplicity I still use /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
I smell a HowTo wiki page...
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, April 10, 2014 19:04
> To: dpal at redhat.com; quest monger
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA client installation for Solaris 11.
>
> Dmitri Pal wrote:
>> On 04/10/2014 12:18 PM, quest monger wrote:
>>> Sorry about that. So I am looking at the Solaris 10 client
>>> documentation here -
>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>
>>>
>>> It says do the following on Solaris client -
>>>
>>> ldapclient manual
>>> ...
>>> -a proxyPassword={NS1}fbc123a92116812
>>> ...
>>>
>>>
>>> What's that proxyPassword for?
>>>
>> I suspect that it is a password that corresponds to the proxy user.
>> The client component on Solaris (pure speculation on my side) seems to
>> use proxy user to connect to LDAP server and do some operations for the
>> host. It is similar to SSSD, but SSSD does not use passwords; it uses
>> keytabs when it talks to IPA.
> There are a number of different profile levels available, see
> http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74
>
> proxy is usually a shared account that the Solaris box uses to
> authenticate to the LDAP server.
>
>> Solaris uses passwords, but to prevent them from being stored in the
>> configuration in the clear they are "obfuscated" with the NS1 method
>> http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
>> I suspect there should be some tool on Solaris that takes password and
>> creates an obfuscated string like this.
> I didn't experiment using a proxy password inside a profile. I'll bet
> that if you manually enroll a client then you can dig out the password
> on that local system and store that in the profile.
>
> There is also a self level which uses Kerberos. I've never used it
> myself (it may be newer than my experience with Solaris) but there are
> some fairly detailed docs on it at
> http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl
>
> rob
>> Thanks
>> Dmitri
>>
>>> Thanks.
>>>
>>>
>>>
>>> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>
>>> On 04/10/2014 11:41 AM, quest monger wrote:
>>>> Thanks Rob, those bug reports help.
>>>> One more question: in the official Solaris 10 documentation, I
>>>> see this stuff -
>>>>
>>>> -a proxyPassword={NS1}fbc123a92116812
>>>> userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
>>>>
>>>> Is there a way to generate that password hash for a new password?
>>>> I think that should be part of the documentation; I don't want all
>>>> Solaris IPA users to be using the same password and corresponding
>>>> hash.
>>>>
>>> Can you rephrase the question?
>>> It is unclear what hash you are asking about.
>>> If you are using IPA you do not need local password hashes.
>>>
>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>>>
>>>> quest monger wrote:
>>>>
>>>>
>>>> I have read through the official documentation here for
>>>> Solaris-10 -
>>>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>> I have found a few web posts on how to make it work for
>>>> Solaris-11.
>>>> Have any of you tried adding a Solaris-11 host to an
>>>> existing IPA
>>>> server? If so, do you have any
>>>> documentation/how-tos/instructions that I
>>>> could use to do the same? Any help is appreciated.
>>>> I am trying to do this so I can centralize SSH
>>>> authentication for all
>>>> my Solaris-11 and Linux hosts.
>>>>
>>>>
>>>> That is pretty much all we've got. There is a bug open with
>>>> some documentation updates,
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
>>>> more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
>>>>
>>>> We use sssd to help with centralized SSH auth so it probably
>>>> won't work as smoothly on Solaris as it does on sssd-based
>>>> Linux systems. See sss_ssh_authorizedkeys(1) and
>>>> sss_ssh_knownhostsproxy(8).
>>>>
>>>> This document describes how it works in IPA
>>>> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>>>>
>>>> rob
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>>>
>>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
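A small checker for the krb5.conf that the quoted Solaris procedure sets up, added here as an example and not code from the post or from FreeIPA. It parses the brace-nested stanzas Solaris uses, confirms the realm, KDC and domain_realm entries from the post are present, and flags verify_ap_req_nofail = false so that setting is a deliberate choice rather than an accident. The sample file is constructed from the post's stanzas; realm and host names are the post's own.

```python
# Constructed sample: the krb5.conf stanzas from the post, names as given there.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse [section] stanzas; 'NAME = { ... }' blocks become nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_client(conf, realm, kdc, domain):
    findings = []  # empty list means the file matches the procedure
    lib = conf.get("libdefaults", {})
    if lib.get("default_realm") != realm:
        findings.append("default_realm is not %s" % realm)
    # The post sets this to false: a login then proceeds even when the TGT cannot
    # be verified against the host key in /etc/krb5/krb5.keytab, so the client's
    # check that the KDC is genuine is no longer enforced.
    if lib.get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("verify_ap_req_nofail=false: TGT not verified against keytab")
    if conf.get("realms", {}).get(realm, {}).get("kdc") != kdc:
        findings.append("realm %s has no kdc = %s" % (realm, kdc))
    dr = conf.get("domain_realm", {})
    for name in (domain, "." + domain):
        if dr.get(name) != realm:
            findings.append("domain_realm lacks %s = %s" % (name, realm))
    return findings
```

Run it against the real /etc/krb5/krb5.conf by passing its contents to parse_krb5_conf; the only finding on the post's file is the verify_ap_req_nofail note.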