<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/10/2014 12:18 PM, quest monger
wrote:<br>
</div>
<blockquote
cite="mid:CAO-=208xp-T0CC73k6FyzjR2yj=oQwjqVrxqipWqaeqOOfw8qg@mail.gmail.com"
type="cite">
<div dir="ltr">Sorry about that. So I am looking at the Solaris 10
client documentation here - <a moz-do-not-send="true"
href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a>
<div>
<br>
</div>
<div>It says do the following on Solaris client - <br>
</div>
<div>
<div><br>
</div>
</div>
<blockquote style="margin:0px 0px 0px
40px;border:none;padding:0px">
<div>
<div>ldapclient manual</div>
</div>
<div>
<div><span class="" style="white-space:pre"> </span> ...</div>
</div>
<div>
<div><span class="" style="white-space:pre"> </span> -a
proxyPassword={NS1}fbc123a92116812</div>
</div>
<div>
<div><span class="" style="white-space:pre"> </span> ...</div>
</div>
</blockquote>
<div><br>
</div>
<div>What's that proxyPassword for? </div>
<div><br>
</div>
</div>
</blockquote>
<br>
I suspect that it is a password that corresponds to the proxy user.<br>
The client component on Solaris (pure speculation on my side) seems
to use a proxy user to connect to the LDAP server and do some operations
for the host. It is similar to SSSD, but SSSD does not use passwords;
it uses keytabs if it talks to IPA.<br>
Solaris uses passwords, but to prevent them from being stored in
the configuration in the clear they are "obfuscated" with the NS1 method<br>
<a class="moz-txt-link-freetext" href="http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/">http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/</a><br>
I suspect there should be some tool on Solaris that takes a password
and creates an obfuscated string like this.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAO-=208xp-T0CC73k6FyzjR2yj=oQwjqVrxqipWqaeqOOfw8qg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Apr 10, 2014 at 12:09 PM,
Dmitri Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="">
<div>On 04/10/2014 11:41 AM, quest monger wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thanks Rob, those bug reports help.<br>
One more question: in the official Solaris 10
documentation, I see this stuff - <br>
<br>
<pre>-a <span>proxyPassword=</span><span>{NS1}</span><b>fbc123a92116812</b></pre>
<pre>userPassword:: <b>e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ</b>=</pre>
<div><br>
</div>
<div>Is there a way to generate that password hash
for a new password? I think that should be part of
the documentation, don't want all Solaris IPA users
to be using the same password and corresponding
hash.</div>
<div><br>
</div>
</div>
</blockquote>
</div>
Can you rephrase the question?<br>
It is unclear what hash you are asking about.<br>
If you are using IPA you do not need local password
hashes.<br>
<br>
<br>
<blockquote type="cite">
<div class="">
<div dir="ltr">
<div>Thanks.</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 9, 2014 at 4:36
PM, Rob Crittenden <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div>quest monger wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex"> <br>
I have read through the official
documentation here for Solaris-10 -<br>
<a moz-do-not-send="true"
href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html"
target="_blank">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a><br>
I have found a few web posts on how to
make it work for Solaris-11.<br>
Have any of you tried adding a Solaris-11
host to an existing IPA<br>
server? If so, do you have any
documentation/how-tos/instructions that I<br>
could use to do the same. Any help is
appreciated.<br>
I am trying to do this so I can
centralize SSH authentication for all<br>
my Solaris-11 and Linux hosts.<br>
</blockquote>
<br>
</div>
</div>
That is pretty much all we've got. There is a
bug open with some documentation updates, <a
moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=815533"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a>
and some more in <a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=801883"
target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=801883</a><br>
<br>
We use sssd to help with centralized SSH auth so
it probably won't work as smoothly on Solaris as
it does on sssd-based Linux systems. See
sss_ssh_authorizedkeys(1) and
sss_ssh_knownhostsproxy(8).<br>
<br>
This document describes how it works in IPA<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf"
target="_blank">http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf</a><span><font
color="#888888"><br>
<br>
rob<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
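<div>Added example, not part of the original thread or of the FreeIPA or Solaris documentation: the <code>userPassword::</code> value quoted in the thread is base64 over a <code>{SSHA}</code> string (salted SHA-1, digest followed by salt), so a value for a new password can be generated and checked as below. It assumes the directory server accepts a pre-hashed SSHA value for the proxy entry, does not cover the client-side <code>{NS1}</code> obfuscation, and all function names are illustrative.</div>

```python
import base64
import hashlib
import hmac
import os

# Sample value quoted in the thread (one "=" of padding was lost on the page).
DOC_USERPASSWORD = "e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ="


def _b64decode(text):
    """Decode base64, restoring any padding lost in copy/paste."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_ldif_ssha(ldif_b64):
    """Split an LDIF 'userPassword::' value into (digest, salt)."""
    stored = _b64decode(ldif_b64).decode("ascii")
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA value: " + stored[:8])
    raw = _b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt


def make_ldif_ssha(password, salt=None):
    """Build a fresh 'userPassword::' value for a new password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    stored = "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    return base64.b64encode(stored.encode("ascii")).decode("ascii")


def check_password(password, ldif_b64):
    """True if the password matches the stored SSHA value."""
    digest, salt = parse_ldif_ssha(ldif_b64)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_documentation_value(ldif_b64):
    """Flag an entry that still carries the documentation's sample hash."""
    return ldif_b64.rstrip("=") == DOC_USERPASSWORD.rstrip("=")


if __name__ == "__main__":
    digest, salt = parse_ldif_ssha(DOC_USERPASSWORD)
    print("doc sample: digest", len(digest), "bytes, salt", len(salt), "bytes")
    new_value = make_ldif_ssha("constructed-sample-passphrase")  # constructed input
    print("userPassword::", new_value)
    print("reused doc value?", is_documentation_value(new_value))
```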
</body>
</html>