On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an 
> IPA server based on the default DUAProfile.
> Console login works, su - and ssh. 
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home 
> being grabbed by autofs and thus making local users home directories 
> unavailable.
> This can probably be solved by someone with more extensive experience of 
> Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added 
> security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP 
> servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k 
> /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" in the "hosts" and 
> "ipnodes" lines:
>
> hosts:      files dns
> ipnodes:    files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         verify_ap_req_nofail = false
> [realms]
>         EXAMPLE.COM = {
>                 kdc = ipaserver.example.com
>                 admin_server = ipaserver.example.com
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and 
> complain about missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com 
> ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed, but for simplicity I still 
> use the /etc/pam.conf:
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_krb5.so.1 try_first_pass
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth required           pam_unix_auth.so.1
>
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> other   account required        pam_krb5.so.1
>
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password sufficient     pam_krb5.so.1
> other   password required       pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser      ipaserver.example.com:/home/testuser

Thank you!
Dmitri

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
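The steps quoted above are easy to get subtly wrong on a live box (a keytab left group-readable, pam_krb5 listed after pam_unix_auth, an "ldap" left in the hosts line, the krb5 entries still commented out in nfssec.conf). Below is an added example, not code from the original post or from the FreeIPA project, that checks those four settings. It runs against constructed sample files under a temporary directory; the file names under that directory are assumptions standing in for the live /etc/krb5/krb5.keytab, /etc/pam.conf, /etc/nsswitch.ldap and /etc/nfssec.conf, and the functions are written so they can be pointed at the real paths instead.

```shell
#!/bin/sh
# Added example (not from the post): configuration sanity checks for the
# Solaris-to-IPA client setup. Paths are passed in so the same functions work
# on constructed samples and on the real /etc files.

# The keytab holds the host's long-term Kerberos key; no group/other access.
# 'ls -l' columns 5-10 are the group and other permission bits.
# The post uses chmod 700; 600 is enough for a keytab and also passes here.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# In the auth stack of service $2, pam_krb5.so.1 must be 'sufficient' and
# must come before pam_unix_auth.so.1; otherwise IPA users fall through to
# the local password check first and never get a Kerberos credential.
check_pam_krb5_order() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" {
            n++
            if ($4 == "pam_krb5.so.1")      { krb = n; ctl = $3 }
            if ($4 == "pam_unix_auth.so.1") { unix_auth = n }
        }
        END { exit !(krb && unix_auth && krb < unix_auth && ctl == "sufficient") }
    ' "$1"
}

# hosts and ipnodes must resolve via files and dns only, as in the post's
# /etc/nsswitch.ldap edit; "ldap" in either line fails the check.
check_nsswitch_hosts() {
    awk '
        $1 == "hosts:" || $1 == "ipnodes:" {
            seen++
            for (i = 2; i <= NF; i++) { if ($i == "ldap") bad = 1; if ($i == "dns") dns++ }
        }
        END { exit !(seen == 2 && dns == 2 && !bad) }
    ' "$1"
}

# krb5, krb5i and krb5p must be live (uncommented) entries; a commented
# line starts with "#krb5" and so does not match $1.
check_nfssec_krb5() {
    awk '$1 == "krb5" || $1 == "krb5i" || $1 == "krb5p" { n++ } END { exit !(n == 3) }' "$1"
}

# Constructed sample files mirroring the post's snippets, plus a keytab with
# loose permissions and a mis-ordered pam.conf as negative cases.
make_samples() {
    sdir=$1
    mkdir -p "$sdir"
    : > "$sdir/krb5.keytab";       chmod 600 "$sdir/krb5.keytab"
    : > "$sdir/krb5.keytab.loose"; chmod 644 "$sdir/krb5.keytab.loose"
    cat > "$sdir/pam.conf" <<'EOF'
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
EOF
    cat > "$sdir/pam.conf.bad" <<'EOF'
login   auth required           pam_unix_auth.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
EOF
    cat > "$sdir/nsswitch.ldap" <<'EOF'
passwd:     files ldap
hosts:      files dns
ipnodes:    files dns
EOF
    cat > "$sdir/nfssec.conf" <<'EOF'
# constructed sample: krb5 family enabled as the post requires
krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
EOF
}

# Report each check as ok/FAIL; point rdir at / to check a real Solaris host.
run_checks() {
    rdir=$1
    check_keytab_perms "$rdir/krb5.keytab"        && echo "keytab perms:   ok" || echo "keytab perms:   FAIL"
    check_pam_krb5_order "$rdir/pam.conf" login   && echo "pam login auth: ok" || echo "pam login auth: FAIL"
    check_nsswitch_hosts "$rdir/nsswitch.ldap"    && echo "nsswitch hosts: ok" || echo "nsswitch hosts: FAIL"
    check_nfssec_krb5 "$rdir/nfssec.conf"         && echo "nfssec krb5:    ok" || echo "nfssec krb5:    FAIL"
}

main() {
    work=$(mktemp -d)
    make_samples "$work"
    run_checks "$work"
    rm -rf "$work"
}

main "$@"
```

On a real host the file names differ from the sample layout (the keytab lives under /etc/krb5/ and pam.conf under /etc/), so call the individual check functions with the actual paths rather than run_checks. For ssh and su, which the post covers through the "other" stanza, run check_pam_krb5_order with `other` as the service name.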
