[Freeipa-users] FreeIPA 3.3 and Solaris 10 Client Integration:
Simo Sorce
ssorce at redhat.com
Fri Sep 26 14:07:24 UTC 2014
On Fri, 26 Sep 2014 09:17:36 +0200
Martin Kosek <mkosek at redhat.com> wrote:
> On 09/25/2014 05:35 PM, Traiano Welcome wrote:
> > Hi Martin
> >
> > On Wed, Sep 24, 2014 at 2:18 PM, Martin Kosek <mkosek at redhat.com
> > <mailto:mkosek at redhat.com>> wrote:
> >
> > On 09/24/2014 01:06 PM, Traiano Welcome wrote:
> > > Hi List
> > >
> > > I'm currently running IPA 3.3 on Centos 7, and successfully
> > > authenticating Linux clients (Centos 6.5).
> > >
> > > I'd like to setup Solaris 10 as an IPA client, but this seems
> > > problematic. I am following this guide:
> > >
> > >
> > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10
> > >
> > > I have the following setup:
> > >
> > > Solaris client:
> > >
> > > - Solaris 10u11 (SunOS 5.10 Generic_147148-26 i86pc i386
> > > i86pc)
> > >
> > > IdM Server:
> > >
> > > - Linux kwtpocipa001.orion.local 3.10.0-123.el7.x86_64 #1
> > > SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64
> > > GNU/Linux
> > >
> > >
> > >
> > > Going through the steps in the guide: at step 3 ("Create the
> > > cn=proxyagent account"), ldapadd fails with the following
> > > error:
> > >
> > >
> > >
> > > "ldapadd: invalid format (line 6) entry:
> > > "cn=proxyagent,ou=profile,dc=orion,dc=local""
> > >
> > > ---
> > >
> > > [root at kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D
> > > "cn=directory manager" -w Cr4ckM0nk3y
> > > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > > objectClass: top
> > > objectClass: person
> > > sn: proxyagent
> > > cn: proxyagent
> > > userPassword::
> > > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> > >
> > > ldapadd: invalid format (line 6) entry:
> > > "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > > ---
> > >
> > > I've made the assumption that the extra ":" is a typo in
> > > the documentation and removed it, so the command runs
> > > successfully as follows:
> > >
> > >
> > > ---
> > > [root at kwtpocipa001 ~]# ldapadd -h 172.16.107.102 -p 389 -D
> > > "cn=directory manager" -w Cr4ckM0nk3y
> > >
> > > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > > objectClass: top
> > > objectClass: person
> > > sn: proxyagent
> > > cn: proxyagent
> > > userPassword:
> > > e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> > > adding new entry "cn=proxyagent,ou=profile,dc=orion,dc=local"
> > > ---
> > >
> > >
> > > At step 9 (Configure NFS ), I get an error, seems to
> > > indicate the "des-cbc-crc" encryption type is unsupported:
> > >
> > > ---
> > > [root at kwtpocipa001 ~]# ipa-getkeytab -s
> > > kwtpocipa001.orion.local -p
> > > nfs/kwtpocipasol10u11.orion.local
> > > -k /tmp/kwtpocipasol10u11.keytab -e des-cbc-crc Operation
> > > failed! All enctypes provided are unsupported
> > > [root at kwtpocipa001 ~]# ---
> > >
> > > (Question: How would I add support for des-cbc-crc
> > > encryption in freeipa?). I've now worked around this by not
> > > specifying any encryption type:
> > >
> > > ---
> > > [root at kwtpocipa001 ~]# ipa-getkeytab -s
> > > kwtpocipa001.orion.local -p
> > > nfs/kwtpocipasol10u11.orion.local
> > > -k /tmp/kwtpocipasol10u11.keytab Keytab successfully
> > > retrieved and stored in: /tmp/kwtpocipasol10u11.keytab
> > > [root at kwtpocipa001 ~]# ---
> > >
> > > Testing that I can see nfs mounts on the centos IPA server
> > > from the solaris machine:
> > >
> > > ---
> > > bash-3.2# showmount -e kwtpocipa001.orion.local
> > > export list for kwtpocipa001.orion.local:
> > > /data/centos-repo 172.16.0.0/24 <http://172.16.0.0/24>
> > > bash-3.2#
> > > ----
> > >
> > >
> > > Checking we can kinit:
> > >
> > > ---
> > > bash-3.2#
> > > bash-3.2# kinit admin
> > > Password for admin at ORION.LOCAL:
> > > bash-3.2#
> > > bash-3.2#
> > > bash-3.2# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: admin at ORION.LOCAL
> > > Valid starting Expires Service
> > > principal 09/24/14 11:20:36 09/24/14 12:20:36
> > > krbtgt/ORION.LOCAL at ORION.LOCAL renew until 10/01/14 11:20:36
> > > bash-3.2#
> > > bash-3.2#
> > > bash-3.2#
> > > bash-3.2# uname -a
> > > SunOS kwtpocipasol10u11 5.10 Generic_147148-26 i86pc i386
> > > i86pc bash-3.2#
> > > ---
> > >
> > > Testing I can mount the remote FS (without Kerberos auth).
> > > This is successful (when not using kerberos5 authentication):
> > >
> > > ---
> > > bash-3.2# mount -F nfs
> > > 172.16.107.102:/data/centos-repo /remote/ bash-3.2# mount
> > > |grep remote /remote on 172.16.107.102:/data/centos-repo
> > > remote/read/write/setuid/devices/rstchown/xattr/dev=4f0000a
> > > on Wed Sep 24 13:45:32 2014
> > > bash-3.2#
> > > ---
> > >
> > > Testing with KRB5:
> > >
> > > ---
> > > bash-3.2# mount -F nfs -o sec=krb5
> > > 172.16.107.102:/data/centos-repo /remote/ nfs mount:
> > > mount: /remote: Permission denied bash-3.2#
> > > ---
> > >
> > > Looking at the krbkdc logs on the IPA master server, I get
> > > the following error:
> > >
> > > ---
> > > Sep 24 13:48:17 kwtpocipa001.orion.local
> > > krb5kdc[2371](info): AS_REQ (6 etypes {18 17 16 23 3 1})
> > > 172.16.107.107 <http://172.16.107.107>:
> > NEEDED_PREAUTH:
> > > host/kwtpocipasol10u11.orion.local at ORION.LOCAL for
> > > krbtgt/ORION.LOCAL at ORION.LOCAL, Additional
> > > pre-authentication required Sep 24 13:48:17
> > > kwtpocipa001.orion.local krb5kdc[2373](info): DISPATCH:
> > > repeated (retransmitted?) request from 172.16.107.107,
> > > resending previous response Sep 24 13:48:17
> > > kwtpocipa001.orion.local krb5kdc[2374](info): DISPATCH:
> > > repeated (retransmitted?) request from 172.16.107.107,
> > > resending previous response .
> > > .
> > > .
> > > Sep 24 13:48:18 kwtpocipa001.orion.local
> > > krb5kdc[2373](info): AS_REQ (6 etypes {18 17 16 23 3 1})
> > > 172.16.107.107 <http://172.16.107.107>:
> > CLIENT_NOT_FOUND:
> > > root/kwtpocipasol10u11.orion.local at ORION.LOCAL for
> > > krbtgt/ORION.LOCAL at ORION.LOCAL, Client not found in Kerberos
> > > database
> > >
> > > ---
> > >
> > > So it seems the host is not correctly registered.
> > >
> > > NOTE: Via the interface ,I can see the solaris client is
> > > not properly enrolled (" Kerberos Key Not Present"), however
> > > the documentation doesn't seem to indicate clearly how this
> > > should be done for a Solaris client. I have regenerated the
> > > certificate though, so it shows "valid certificate present".
> > >
> > > My question is: Is the process described in this guide still
> > > correct/functional for integrating Solaris 10 clients?
> > > If so, is there some way I could debug further to pinpoint
> > > why the solaris client is not being registered in the
> > > Kerberos DB?
> > >
> > > Many thanks in advance!
> > > Traiano
> >
> > Hello Traiano,
> >
> > This part of the documentation is wrong, as reported by
> > ldapadd, userpassword is not correct.
> >
> > If you specify the entry with clear text password, it would
> > work. I.e.:
> >
> > dn: cn=proxyagent,ou=profile,dc=orion,dc=local
> > objectClass: top
> > objectClass: person
> > sn: proxyagent
> > cn: proxyagent
> > userPassword: agentpassword
> >
> > Note that Solaris related documentation is (unfortunately)
> > known to be off: https://fedorahosted.org/freeipa/ticket/3731
> >
> > Also please note that the guide you are referring to is also
> > pretty old (from Fedora 18 times) and not updated. There is a
> > related thread:
> >
> > https://www.redhat.com/archives/freeipa-users/2014-September/msg00357.html
> >
> > Indeed. There are some minor errata as well like the use of the
> > "-t" flag with Solaris' version of the mount command:
> > bash-3.2# mount -t nfs -o sec=krb5
> > 172.16.107.102:/data/centos-repo /remote/ mount: illegal option -- t
> > "-F" works.
> > I've adjusted the steps I've used to include the changes you
> > mentioned in https://fedorahosted.org/freeipa/ticket/3731, attached
> > is a step by step listing of the process with my output up to step
> > 9, where mounting NFS fails. Hopefully by a process of iteration I
> > can document the updated process for configuring Solaris 10 clients.
>
> Thank you, that helps - I would hand over the updated steps to
> downstream RHEL guide maintainer.
>
> > Here is what I'm seeing at step 9 (referencing the old Fedora 18
> > docs with adjusted steps)L
> > h) Mount the NFS share. [FAILS]
> > ---
> > bash-3.2# mount -F nfs -o sec=krb5
> > 172.16.107.102:/data/centos-repo /remote/ nfs mount:
> > mount: /remote: Permission denied bash-3.2#
> > ---
> > /var/log/krbkdc.Log entries:
> > ---
> > krb5kdc: Cannot determine realm for numeric host address - unable
> > to find realm of host
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > krb5kdc: Cannot determine realm for numeric host address - unable
> > to find realm of host
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > krb5kdc: Cannot determine realm for numeric host address - unable
> > to find realm of host
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > Sep 25 18:18:20 kwtpocipa001.orion.local krb5kdc[2373](info):
> > TGS_REQ (6 etypes {18 17 16 23 3 1}) 172.16.107.107
> > <http://172.16.107.107>: LOOKING_UP_SERVER: authtime 0,
> > admin at ORION.LOCAL <mailto:admin at ORION.LOCAL> for <unknown server>,
> > Server not found in Kerberos database
> > ---
> >
> > However DNS forward and reverse records DO seem to resolve:
> > ---
> > [root at kwtpocipa001 ~]# host 172.16.107.107
> > 107.107.16.172.in-addr.arpa domain name pointer
> > kwtpocipasol10u11.orion.local. [root at kwtpocipa001 ~]# host
> > kwtpocipasol10u11.orion.local kwtpocipasol10u11.orion.local has
> > address 172.16.107.107 ---
>
> I assume this is being run from your IPA server - it looks OK.
>
> >
> > And we can kinit and get a ticket:
> > ---
> > bash-3.2# kinit admin at ORION.LOCAL <mailto:admin at ORION.LOCAL>
> > Password for admin at ORION.LOCAL <mailto:admin at ORION.LOCAL>:
> > bash-3.2#
> > bash-3.2#
> > bash-3.2# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin at ORION.LOCAL <mailto:admin at ORION.LOCAL>
> > Valid starting Expires Service
> > principal 09/25/14 18:31:49 09/25/14 19:31:49
> > krbtgt/ORION.LOCAL at ORION.LOCAL
> > <mailto:krbtgt/ORION.LOCAL at ORION.LOCAL> renew until 10/02/14
> > 18:31:49 bash-3.2#
> > ---
> > Regards,
> > Traiano
>
> Hmm, not sure what is the problem. Simo, do you know?
Use a fully qualified name of the nfs server on the mount command, not
an IP address.
> I would just make sure that /etc/krb5.keytab on the NFS server (klist
> -kt /etc/krb5.keytab) has keys for both NFS and host service and all
> use the right fully qualified hostname.
Yes, having a nfs/fqdn at REALM key on the client is recommended and
necessary in some cases.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list