[Freeipa-users] IPA client installation for Solaris 11.

quest monger quest.monger at gmail.com
Mon Apr 14 08:07:03 UTC 2014


Hi Johan,
Wow, that worked. Thank you for all the info.

I have a few more questions -
Sudo - How do I get sudo working? I have not changed anything on the server
side (default FreeIPA install config). Do I need to set up or add sudo
policies to the user/group on the server side?
Home dir - On my CentOS clients, I got it configured such that a home dir
is created the first time a user has a successful login (used
ipa-client-install --mkhomedir). Can we do the same for Solaris servers?

Again, thank you for this info. I can verify that these instructions worked
on an Oracle Solaris 11.1 SPARC machine.
Once I have everything nailed down, I will respond to this thread with all
the steps.

Thanks.



On Thu, Apr 10, 2014 at 1:37 PM, Johan Petersson <
Johan.Petersson at sscspace.com> wrote:

> Proxy user is only necessary if you disable anonymous bind on the IPA LDAP.
>
> Example configuration for making Solaris 11 work as an IPA client.
> If you want autofs of a shared NFS home directory too, let me know and I can
> provide it.
> I will add this and more to the IPA Wiki when I can find the time to go
> through it properly and polish away some rough edges.
> I hope it can provide some help.
>
> Solaris 11.1 IPA client configuration.
>
> First make sure that the Solaris 11 machine is using the proper DNS and
> NTP servers.
>
> On the IPA server or client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" on the "hosts" and
> "ipnodes" lines:
>
> hosts:          files dns
> ipnodes:        files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         verify_ap_req_nofail = false
> [realms]
>         EXAMPLE.COM = {
>                 kdc = ipaserver.example.com
>                 admin_server = ipaserver.example.com
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The "-a domainName=example.com" is needed so that ldapclient does not
> stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the PAM configuration has changed, but for simplicity I
> still use /etc/pam.conf:
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_krb5.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth required           pam_unix_auth.so.1
>
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> other   account required        pam_krb5.so.1
>
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password sufficient     pam_krb5.so.1
> other   password required       pam_authtok_store.so.1
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
> on behalf of Rob Crittenden [rcritten at redhat.com]
> Sent: Thursday, April 10, 2014 19:04
> To: dpal at redhat.com; quest monger
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA client installation for Solaris 11.
>
> Dmitri Pal wrote:
> > On 04/10/2014 12:18 PM, quest monger wrote:
> >> Sorry about that. So I am looking at the Solaris 10 client
> >> documentation here -
> >>
> >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> >>
> >>
> >> It says do the following on Solaris client -
> >>
> >>     ldapclient manual
> >>     ...
> >>     -a proxyPassword={NS1}fbc123a92116812
> >>     ...
> >>
> >>
> >> What's that proxyPassword for?
> >>
> >
> > I suspect that it is a password that corresponds to the proxy user.
> > The client component on Solaris (pure speculation on my side) seems to
> > use proxy user to connect to LDAP server and do some operations for the
> > host. It is similar to SSSD but SSSD does not use passwords, it uses
> > keytabs if it talks to IPA.
>
> There are a number of different profile levels available, see
>
> http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74
>
> proxy is usually a shared account that the Solaris box uses to
> authenticate to the LDAP server.
>
> > Solaris uses passwords but to prevent them from being stored in
> > configuration in clear they are "obfuscated" with the NS1 method
> > http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
> > I suspect there should be some tool on Solaris that takes a password and
> > creates an obfuscated string like this.
>
> I didn't experiment using a proxy password inside a profile. I'll bet
> that if you manually enroll a client then you can dig out the password
> on that local system and store that in the profile.
>
> There is also a self level which uses Kerberos. I've never used it
> myself (it may be newer than my experience with Solaris) but there are
> some fairly detailed docs on it at
> http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl
>
> rob
> >
> > Thanks
> > Dmitri
> >
> >> Thanks.
> >>
> >>
> >>
> >> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <dpal at redhat.com
> >> <mailto:dpal at redhat.com>> wrote:
> >>
> >>     On 04/10/2014 11:41 AM, quest monger wrote:
> >>>     Thanks Rob, those bug reports help.
> >>>     One more question, in the official Solaris 10 documentation, I
> >>>     see this stuff -
> >>>
> >>>     -a proxyPassword={NS1}fbc123a92116812
> >>>
> >>>     userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> >>>
> >>>     Is there a way to generate that password hash for a new password.
> >>>     I think that should be part of the documentation, don't want all
> >>>     Solaris IPA users to be using the same password and corresponding
> >>>     hash.
> >>>
> >>     Can you rephrase the question?
> >>     It is unclear what hash you are asking about.
> >>     If you are using IPA you do not need local password hashes.
> >>
> >>
> >>>     Thanks.
> >>>
> >>>
> >>>
> >>>
> >>>     On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden
> >>>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
> >>>
> >>>         quest monger wrote:
> >>>
> >>>
> >>>             I have read through the official documentation here for
> >>>             Solaris-10 -
> >>>
> >>>             http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> >>>             I have found a few web posts on how to make it work for
> >>>             Solaris-11.
> >>>             Have any of you tried adding a Solaris-11 host to an
> >>>             existing IPA
> >>>             server? If so, do you have any
> >>>             documentation/how-tos/instructions that i
> >>>             could use to do the same. Any help is appreciated.
> >>>             I am trying to do this so I can centralize SSH
> >>>             authentication for all
> >>>             my Solaris-11 and Linux hosts.
> >>>
> >>>
> >>>         That is pretty much all we've got. There is a bug open with
> >>>         some documentation updates,
> >>>         https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
> >>>         more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
> >>>
> >>>         We use sssd to help with centralized SSH auth so it probably
> >>>         won't work as smoothly on Solaris as it does on sssd-based
> >>>         Linux systems. See sss_ssh_authorizedkeys(1) and
> >>>         sss_ssh_knownhostsproxy(8).
> >>>
> >>>         This document describes how it works in IPA
> >>>
> >>>         http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
> >>>
> >>>         rob
> >>>
> >>>
> >>>
> >>>
> >>>     _______________________________________________
> >>>     Freeipa-users mailing list
> >>>     Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> >>>     https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >>
> >>     --
> >>     Thank you,
> >>     Dmitri Pal
> >>
> >>     Sr. Engineering Manager IdM portfolio
> >>     Red Hat, Inc.
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
>
>
>
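Added example for this thread (not code from Johan's mail or from FreeIPA): a small Python walk of the posted `login auth` stack under standard Solaris pam.conf(4) control-flag semantics, with module outcomes supplied by the caller instead of real PAM modules. It makes visible what the `sufficient pam_krb5` / `required pam_unix_auth` ordering means for a login attempt.

```python
"""Walk the posted 'login auth' pam.conf stack under standard Solaris pam.conf(4)
control-flag semantics. Added example for this thread, not code from the original
mail or from FreeIPA; module outcomes are supplied by the caller and no real PAM
module is invoked."""
from typing import Dict, List, Tuple

# Constructed copy of the 'login auth' lines from the configuration above.
LOGIN_AUTH_STACK = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
"""

def parse_stack(text: str, service: str, mtype: str) -> List[Tuple[str, str]]:
    """Return [(control_flag, module), ...] for one service/type, in file order."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == service and parts[1] == mtype:
            stack.append((parts[2], parts[3]))
    return stack

def evaluate(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (access_granted, modules_consulted).

    results maps module -> True/False; modules not listed (the cred/key helpers)
    are assumed to succeed. requisite: failure ends the stack with failure at once.
    required: failure is remembered but later modules still run. sufficient: success
    ends the stack with success unless an earlier required module already failed."""
    required_failed = False
    consulted: List[str] = []
    for control, module in stack:
        consulted.append(module)
        ok = results.get(module, True)
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
    return not required_failed, consulted

if __name__ == "__main__":
    stack = parse_stack(LOGIN_AUTH_STACK, "login", "auth")
    for krb, unix in ((True, False), (False, True), (False, False)):
        granted, seen = evaluate(stack, {"pam_krb5.so.1": krb, "pam_unix_auth.so.1": unix})
        print(f"krb5={krb!s:5} unix={unix!s:5} -> granted={granted}, stopped at {seen[-1]}")
```

The second scenario is the one to notice: a Kerberos failure (wrong password or unreachable KDC) falls through to pam_unix_auth, so any account that still has a local password in /etc/shadow is accepted without IPA ever seeing it.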

