<div dir="ltr">Hi Johan,<div>Wow, that worked. Thank you for all the info.</div><div> </div><div>I have a few more questions - </div><div>Sudo - How do I get sudo working. I have not changed anything on the server side (default FreeIPA install config). Do I need to setup or add sudo policies to the usr/group on the server side?</div> <div>Home Dir - On my CentOS clients, I got it configured such that a home Dir is created the first time a user has a successful login (used ipa-client-install --mkhomedir). Can we do the same for Solaris servers?</div><div> </div><div>Again, thank you for this info. I can verify that these instructions worked on a Oracle Solaris 11.1 SPARC machine.</div><div>Once I have everything nailed out, i will respond to this thread with all the steps</div> <div> </div><div>Thanks.</div><div> </div></div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Apr 10, 2014 at 1:37 PM, Johan Petersson <<a href="mailto:Johan.Petersson@sscspace.com" target="_blank">Johan.Petersson@sscspace.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Proxy user is only necessary if you disable anonymous bind on the IPA LDAP. Example configuration for making Solaris 11 work as an IPA client. If you want autofs of shared NFS home directory too, let me know and i can provide it. I will add this and more to IPA Wiki when i can find the time to go through it properly and polish away some rough edges. I hope it can provide some help. Solaris 11.1 IPA lient configuration. First make sure that the Solaris 11 machine are using the proper DNS and NTP servers. On the IPA server or Client run: ipa host-add --force --ip-address=192.168.0.1 <a href="http://solaris.example.com" target="_blank">solaris.example.com</a> ipa-getkeytab -s <a href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a> -p host/<a href="http://solaris.example.com" target="_blank">solaris.example.com</a> -k /tmp/solaris.keytab Move the keytab to the Solaris machine /etc/krb5/krb5.keytab Make sure it have the proper owner and permissions: chown root:sys /etc/krb5/krb5.keytab chmod 700 /etc/krb5/krb5.keytab Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines: hosts: files dns ipnodes: files dns Edit /etc/krb5/krb5.conf: [libdefaults] default_realm = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> verify_ap_req_nofail = false [realms] <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> = { kdc = <a href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a> admin_server = <a href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a> } [domain_realm] <a href="http://example.com" target="_blank">example.com</a> = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> .<a href="http://example.com" target="_blank">example.com</a> = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> Run the ldapclient with the default DUAProfile. The "-a domainName= <a href="http://example.com" target="_blank">example.com</a>" is needed so that ldapclient does not stop and complain about missing nisdomain name. ldapclient -v init -a profilename=default -a domainName=<a href="http://example.com" target="_blank">example.com</a> <a href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a> In Solaris 11.1 the pam configuration have changed but for simplicity i still use the /etc/pam.conf: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_krb5.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 ________________________________________ From: <a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Rob Crittenden [<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>] Sent: Thursday, April 10, 2014 19:04 To: <a href="mailto:dpal@redhat.com">dpal@redhat.com</a>; quest monger Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Subject: Re: [Freeipa-users] IPA client installation for Solaris 11. <div><div class="h5"> Dmitri Pal wrote: > On 04/10/2014 12:18 PM, quest monger wrote: >> Sorry about that. So I am Looking at the Solaris 10 client >> documentation here - >> <a href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a> >> >> >> It says do the following on Solaris client - >> >> ldapclient manual >> ... >> -a proxyPassword={NS1}fbc123a92116812 >> ... >> >> >> Whats that proxyPassword for? >> > > I suspect that it is a password that corresponds to the proxy user. > The client component on Solaris (pure speculation on my side) seems to > use proxy user to connect to LDAP server and do some operations for the > host. It is similar to SSSD but SSSD does not use passwords, it uses > keytabs if talks to IPA. There are a number of different profile levels available, see <a href="http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74" target="_blank">http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74</a> proxy is usually a shared account that the Solaris box uses to authenticate to the LDAP server. > Solaris uses passwords but to prevent them from being stored in > configuration in clear the are "obfuscated" with the NS1 method > <a href="http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/" target="_blank">http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/</a> > I suspect there should be some tool on Solaris that takes password and > creates an obfuscated string like this. I didn't experiment using a proxy password inside a profile. I'll bet that if you manually enroll a client then you can dig out the password on that local system and store that in the profile. There is also a self level which uses Kerberos. I've never used it myself (it may be newer than my experience with Solaris) but there are some fairly detailed docs on it at <a href="http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl" target="_blank">http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl</a> rob > > Thanks > Dmitri > >> Thanks. >> >> >> >> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a> >> <mailto:<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>>> wrote: >> >> On 04/10/2014 11:41 AM, quest monger wrote: >>> Thanks Rob, those bug reports help. >>> One more question, in the official Solaris 10 documentation, i >>> see this stuff - >>> >>> -aproxyPassword={NS1}*fbc123a92116812* >>> userPassword::*e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ*= >>> >>> Is there a way to generate that password hash for a new password. >>> I think that should be part of the documentation, dont want all >>> Solaris IPA users to be using the same password and corresponding >>> hash. >>> >> Can you rephrase the question? >> It is unclear what hash you are asking about. >> If you are using IPA you do not need local password hashes. >> >> >>> Thanks. >>> >>> >>> >>> >>> On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden >>> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote: >>> >>> quest monger wrote: >>> >>> >>> I have read through the official documentation here for >>> Solaris-10 - >>> <a href="http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html</a> >>> I have found a few web posts on how to make it work for >>> Solaris-11. >>> Have any of you tried adding a Solaris-11 host to an >>> existing IPA >>> server? If so, do you have any >>> documentation/how-tos/instructions that i >>> could use to do the same. Any help is appreciated. >>> I am trying to do this to so I can centralize SSH >>> authentication for all >>> my Solaris-11 and Linux hosts. >>> >>> >>> That is pretty much all we've got. There is a bug open with >>> some documentation updates, >>> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=815533" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=815533</a> and some >>> more in <a href="https://bugzilla.redhat.com/show_bug.cgi?id=801883" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=801883</a> >>> >>> We use sssd to help with centralized SSH auth so it probably >>> won't work as smoothly on Solaris as it does on sssd-based >>> Linux systems. See sss_ssh_authorizedkeys(1) and >>> sss_ssh_knownhostsproxy(8). >>> >>> This document describes how it works in IPA >>> <a href="http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf" target="_blank">http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf</a> >>> >>> rob >>> >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager IdM portfolio >> Red Hat, Inc. >> >> >> _______________________________________________ >> Freeipa-users mailing list >> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> >> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> >> >> > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></div>This e-mail is private and confidential between the sender and the addressee. In the event of misdirection, the recipient is prohibited from using, copying or disseminating it or any information in it. Please notify the above if any misdirection. </blockquote></div> </div>