[Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa

Roderick Johnstone rmj at ast.cam.ac.uk
Tue Apr 28 21:33:14 UTC 2015


On 28/04/2015 19:23, Dmitri Pal wrote:
> On 04/28/2015 02:12 PM, Roderick Johnstone wrote:
>> On 23/04/15 14:14, Rob Crittenden wrote:
>>> Roderick Johnstone wrote:
>>>> On 23/04/15 04:25, Rob Crittenden wrote:
>>>>> Roderick Johnstone wrote:
>>>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>>>
>>>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>>>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>>>
>>>>>>>> It looks to me as if this:
>>>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html
>>>>>>>>
>>>>>>>> might be the best guide available, although I'm not sure what
>>>>>>>> changes I might need to make because I'm actually on Solaris 10
>>>>>>>> rather than 11.
>>>>>>>>
>>>>>>>> Can anyone advise please?
>>>>>>>>
>>>>>>>> There is a comment in the above post:
>>>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>>>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>>>>>
>>>>>>>> My automount maps are already called e.g. auto.master, auto.home
>>>>>>>> on my ipa server and I'm sure I've seen a post somewhere
>>>>>>>> suggesting an attributeMap can fix this issue, but I can't find
>>>>>>>> it now, so maybe I am mistaken.
>>>>>>>>
>>>>>>>> Am I on the right track? Is anyone familiar with that fix?
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Roderick Johnstone
>>>>>>>>
>>>>>>> We are not strong in Solaris so you really need to search user
>>>>>>> archives or wait for someone who accomplished Solaris integration
>>>>>>> to chime in here on the list.
>>>>>>>
>>>>>>
>>>>>> Dmitri
>>>>>>
>>>>>> I had gathered that from previous postings to the list and was indeed
>>>>>> hoping that one of the Solaris experts might comment.
>>>>>>
>>>>>> By the way, there are various suggestions on the list of putting the
>>>>>> best Solaris instructions on the wiki. Is that still a possibility?
>>>>>> I'd be happy to help, but I'm not experienced with connecting
>>>>>> Solaris to ipa yet!
>>>>>>
>>>>>> Roderick
>>>>>>
>>>>>
>>>>> A few weeks back I added what I thought were the most relevant threads
>>>>> and pointers. The mailing list thread you refer to was converted into
>>>>> some documentation bugs and tickets. I referenced those at
>>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources
>>>>>
>>>>>
>>>>> If there is anything I can improve here just let me know.
>>>>
>>>> Rob
>>>>
>>>> This page has expanded since I was searching a few weeks ago. Thanks
>>>> for that. I understand that the project has no direct Solaris expertise.
>>>>
>>>> There are some things that could be made easier to follow and others
>>>> that seem inconsistent with the mailing list thread that I found. Maybe
>>>> some are just different ways of doing the same thing.
>>>>
>>>> I started to point out some differences in this email, but it's
>>>> probably best if I go through the mailing list link that I found and
>>>> the web page you referenced, systematically, and list what the
>>>> differences are. I'll be in touch when I have done that.
>>>>
>>>> In the meantime I noticed a few small HTML link issues on the web
>>>> page you referenced...
>>>>
>>>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
>>>> the link to the reference files in /var/ldap
>>>> (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files),
>>>> for me, resolves to the top level "Open Source Community page"
>>>> http://community.redhat.com/software/. I do however see the files
>>>> correctly linked from the section "Client Configuration Files" at
>>>> bottom of the page.
>>>
>>> Fixed.
>>>
>>>>
>>>> 2) There is the same issue for the links to the nsswitch.conf and
>>>> pam.conf files linked in items 2 and 4 below the above - sorry, it's
>>>> hard to describe well where these links are.
>>>
>>> Fixed, and fixed a couple of similar issues in other OS's.
>>>
>>>> And it would be good if the patch ("Patch to update Solaris
>>>> documentation") that is referred to in Solaris 8/9/10 / Additional
>>>> resources could be applied to the original document and the patched
>>>> document made available, or at least the information in it.
>>>
>>> Unfortunately the upstream doc project that this is patched against was
>>> discontinued. The patch is mostly interesting for the two tickets it
>>> links to.
>>>
>>> rob
>>>
>>
>> Rob
>>
>> Sorry to be slow getting back on this.
>>
>> Thanks for fixing those links in the existing web page.
>>
>> It seems that the existing page and the mailing list thread that I
>> found are doing slightly different things in rather different ways.
>> The mailing list thread is more focused on using the DUAprofile and
>> tls encrypted connections to the ldap server as well as filling in
>> some more details of other parts of the Solaris configuration that are
>> necessary for other features.
>>
>> I think it would be good to have the prescription from the mailing
>> list also in the wiki to help others that come along. I'll not be in a
>> position to try to join a Solaris host to my ipa server until next
>> week at the earliest, but it is a priority for me, so when other
>> things stop getting in the way I'll definitely be doing this.
>>
>> I'll document what I do following the prescription in the mailing
>> list, for myself, and maybe this can all be made into a new wiki
>> page. I would be happy to lead on writing the page (and giving
>> references where appropriate) if I had access, but realise that I
>> might not be able to get that access.
>
> We can arrange that and give you permissions. Thank you for your desire
> to document this. It is really appreciated.

Not at all. I can't contribute much on the tech side here, but if I can 
at least make it easier for someone later to follow I'm happy to do that.

> Please send me an email off list to set things up when you are ready.

Will do.

Thanks

Roderick



